diff --git a/public/language/en-GB/user.json b/public/language/en-GB/user.json
index b010898322..73bce4498a 100644
--- a/public/language/en-GB/user.json
+++ b/public/language/en-GB/user.json
@@ -81,6 +81,7 @@
 "change-password": "Change Password",
 "change-password-error": "Invalid Password!",
 "change-password-error-wrong-current": "Your current password is not correct!",
+ "change-password-error-same-password": "Your new password matches your current password, please use a new password.",
 "change-password-error-match": "Passwords must match!",
 "change-password-error-privileges": "You do not have the rights to change this password.",
 "change-password-success": "Your password is updated!",
diff --git a/src/user/profile.js b/src/user/profile.js
index 9d65037bbe..e9c751e40f 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -317,6 +317,9 @@ module.exports = function (User) {
 if (!correct) {
 throw new Error('[[user:change-password-error-wrong-current]]');
 }
+ if (data.currentPassword === data.newPassword) {
+ throw new Error('[[user:change-password-error-same-password]]');
+ }
 }
 
 const hashedPassword = await User.hashPassword(data.newPassword);
diff --git a/test/user.js b/test/user.js
index 25c0ddc6f0..9b7fc88f18 100644
--- a/test/user.js
+++ b/test/user.js
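Review bot: The new same-password guard in src/user/profile.js sits inside a block whose opening condition is outside the hunk (the branch that verifies `currentPassword`), so it is only enforced on the path that supplies and checks the current password; any path that changes a password without it, if one exists above, is not covered, which may be intended but deserves a comment. Suggest adding above the new `if`: `// Reuse check: currentPassword was verified above, so equality here means the stored password would not change.` Because both operands are request-supplied strings, the plain `===` reveals nothing about the stored hash and no constant-time comparison is needed. The enclosing function starts and ends outside the hunk.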
@@ -776,6 +776,18 @@ describe('User', () => {
 assert(correct);
 });
 
+ it('should not let user change their password to their current password', async () => {
+ const uid = await User.create({ username: 'changepasswordsame', password: '123456' });
+ await assert.rejects(
+ apiUser.changePassword({ uid: uid }, {
+ uid: uid,
+ newPassword: '123456',
+ currentPassword: '123456',
+ }),
+ { message: '[[user:change-password-error-same-password]]' },
+ );
+ });
+
 it('should not let user change another user\'s password', async () => {
 const regularUserUid = await User.create({ username: 'regularuserpwdchange', password: 'regularuser1234' });
 const uid = await User.create({ username: 'changeadminpwd1', password: '123456' });
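Review bot: The new test spells out `{ uid: uid }` and `uid: uid,` where the ES2015 property shorthand `{ uid }` / `uid,` is the idiom, unless the surrounding file consistently writes properties in long form. The test pins only the rejection message; asserting afterwards that the original password still verifies would also show that the rejected request left the account unchanged, though the helper used for that check is not visible in this hunk. The `describe('User', …)` block starts and ends outside the hunk.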