Merge remote-tracking branch 'origin/develop' into activitypub

test/api.js

@@ -575,8 +575,15 @@ describe('API', async () => {
 					const reloginPaths = ['GET /api/user/{userslug}/edit/email', 'PUT /users/{uid}/password', 'DELETE /users/{uid}/sessions/{uuid}'];
 					if (reloginPaths.includes(`${method.toUpperCase()} ${path}`)) {
 						({ jar } = await helpers.loginUser('admin', '123456'));
-						const sessionIds = await db.getSortedSetRange('uid:1:sessions', 0, -1);
-						const sessObj = await db.sessionStoreGet(sessionIds[0]);
+						let sessionIds = await db.getSortedSetRange('uid:1:sessions', 0, -1);
+						let sessObj = await db.sessionStoreGet(sessionIds[0]);
+						if (!sessObj) {
+							// password changed so login with new pwd
+							({ jar } = await helpers.loginUser('admin', '654321'));
+							sessionIds = await db.getSortedSetRange('uid:1:sessions', 0, -1);
+							sessObj = await db.sessionStoreGet(sessionIds[0]);
+						}
+
 						const { uuid } = sessObj.meta;
 						mocks.delete['/users/{uid}/sessions/{uuid}'][1].example = uuid;
 

test/user.js

@@ -776,6 +776,18 @@ describe('User', () => {
 			assert(correct);
 		});
 
+		it('should not let user change their password to their current password', async () => {
+			const uid = await User.create({ username: 'changepasswordsame', password: '123456' });
+			await assert.rejects(
+				apiUser.changePassword({ uid: uid }, {
+					uid: uid,
+					newPassword: '123456',
+					currentPassword: '123456',
+				}),
+				{ message: '[[user:change-password-error-same-password]]' },
+			);
+		});
+
 		it('should not let user change another user\'s password', async () => {
 			const regularUserUid = await User.create({ username: 'regularuserpwdchange', password: 'regularuser1234' });
 			const uid = await User.create({ username: 'changeadminpwd1', password: '123456' });