From c98f55b4549ca7c8168d238cdbc71855e8a9938b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Wed, 12 Aug 2020 13:42:55 -0400
Subject: [PATCH] feat: tests for password change

---
 test/user.js | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/test/user.js b/test/user.js
index 3029cf6e5b..8c9ac683c2 100644
--- a/test/user.js
+++ b/test/user.js
@@ -816,6 +816,32 @@ describe('User', function () {
 			});
 		});
 
+		it('should not let user change another user\'s password', async function () {
+			const regularUserUid = await User.create({ username: 'regularuserpwdchange', password: 'regularuser1234' });
+			const uid = await User.create({ username: 'changeadminpwd1', password: '123456' });
+			let err;
+			try {
+				await socketUser.changePassword({ uid: uid }, { uid: regularUserUid, newPassword: '654321', currentPassword: '123456' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_privileges]]');
+		});
+
+		it('should not let user change admin\'s password', async function () {
+			const adminUid = await User.create({ username: 'adminpwdchange', password: 'admin1234' });
+			await groups.join('administrators', adminUid);
+			const uid = await User.create({ username: 'changeadminpwd2', password: '123456' });
+
+			let err;
+			try {
+				await socketUser.changePassword({ uid: uid }, { uid: adminUid, newPassword: '654321', currentPassword: '123456' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_privileges]]');
+		});
+
 		it('should change username', function (done) {
 			socketUser.changeUsernameEmail({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '123456' }, function (err) {
 				assert.ifError(err);