Force user to provide old password in order to change it

This commit is contained in:
Dmitriy Zaporozhets 2013-09-24 10:48:36 +03:00
parent 0630be3828
commit 642398285d
4 changed files with 59 additions and 19 deletions


@ -33,7 +33,14 @@ class ProfilesController < ApplicationController
end end
def update_password def update_password
params[:user].reject!{ |k, v| k != "password" && k != "password_confirmation"} params[:user].select! do |key, value|
%w(current_password password password_confirmation).include?(key.to_s)
end
unless @user.valid_password?(params[:user][:current_password])
redirect_to account_profile_path, alert: 'You must provide a valid current password'
return
end
if @user.update_attributes(params[:user]) if @user.update_attributes(params[:user])
flash[:notice] = "Password was successfully updated. Please login with it" flash[:notice] = "Password was successfully updated. Please login with it"
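Review bot: After the `valid_password?` check, `current_password` is still in the filtered hash handed to `@user.update_attributes(params[:user])`; it has done its job by then, and unless the model exposes a writer for it (Devise's DatabaseAuthenticatable, as far as I recall, only defines a reader) the mass assignment will fail on an unknown attribute. Drop it once the check has passed, `params[:user].delete(:current_password)`, or let Devise run the whole sequence with `@user.update_with_password(params[:user])`, which verifies the current password, removes the key and records `current_password: :invalid` on the model instead of relying on a flash. The `select!` also assumes `params[:user]` is present; a request without that key raises `NoMethodError` on `nil` before the alert is ever reached, so an early `redirect_to account_profile_path, alert: ...` when it is missing keeps the failure on the same path as a bad password. update_password's body continues outside the hunk.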


@ -57,16 +57,25 @@
.tab-pane#tab-password .tab-pane#tab-password
%fieldset.update-password %fieldset.update-password
%legend Password %legend Password
- if current_user.ldap_user?
%h3.nothing_here_message Not available for LDAP user
- else
= form_for @user, url: update_password_profile_path, method: :put do |f| = form_for @user, url: update_password_profile_path, method: :put do |f|
%div %div
%p.slead After a successful password update you will be redirected to login page where you should login with your new password %p.slead
You must provide current password in order to change it.
%br
After a successful password update you will be redirected to login page where you should login with your new password
-if @user.errors.any? -if @user.errors.any?
.alert.alert-error .alert.alert-error
%ul %ul
- @user.errors.full_messages.each do |msg| - @user.errors.full_messages.each do |msg|
%li= msg %li= msg
.control-group .control-group
= f.label :password = f.label :current_password, class: 'cgreen'
.controls= f.password_field :current_password, required: true
.control-group
= f.label :password, 'New password'
.controls= f.password_field :password, required: true .controls= f.password_field :password, required: true
.control-group .control-group
= f.label :password_confirmation = f.label :password_confirmation


@ -11,6 +11,12 @@ Feature: Profile
Then I change my contact info Then I change my contact info
And I should see new contact info And I should see new contact info
Scenario: I change my password without old one
Given I visit profile account page
When I try change my password w/o old one
Then I should see a missing password error message
And I should be redirected to account page
Scenario: I change my password Scenario: I change my password
Given I visit profile account page Given I visit profile account page
Then I change my password Then I change my password
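Review bot: The new scenario only covers a blank current password: the step `I try change my password w/o old one` leaves `user_current_password` empty, so a present-but-wrong value never reaches `valid_password?` in any scenario. A second scenario, e.g. `Scenario: I change my password with wrong old one`, reusing the same `Then I should see a missing password error message` and `And I should be redirected to account page` steps but with a step that fills `user_current_password` with a value other than `123456`, would pin the actual comparison rather than just the presence check. The matching step definition would go next to `I try change my password w/o old one` in the Spinach steps file below.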


@ -22,8 +22,17 @@ class Profile < Spinach::FeatureSteps
@user.twitter.should == 'testtwitter' @user.twitter.should == 'testtwitter'
end end
step 'I try change my password w/o old one' do
within '.update-password' do
fill_in "user_password", with: "222333"
fill_in "user_password_confirmation", with: "222333"
click_button "Save"
end
end
step 'I change my password' do step 'I change my password' do
within '.update-password' do within '.update-password' do
fill_in "user_current_password", with: "123456"
fill_in "user_password", with: "222333" fill_in "user_password", with: "222333"
fill_in "user_password_confirmation", with: "222333" fill_in "user_password_confirmation", with: "222333"
click_button "Save" click_button "Save"
@ -32,12 +41,17 @@ class Profile < Spinach::FeatureSteps
step 'I unsuccessfully change my password' do step 'I unsuccessfully change my password' do
within '.update-password' do within '.update-password' do
fill_in "user_current_password", with: "123456"
fill_in "user_password", with: "password" fill_in "user_password", with: "password"
fill_in "user_password_confirmation", with: "confirmation" fill_in "user_password_confirmation", with: "confirmation"
click_button "Save" click_button "Save"
end end
end end
step "I should see a missing password error message" do
page.should have_content "You must provide a valid current password"
end
step "I should see a password error message" do step "I should see a password error message" do
page.should have_content "Password doesn't match confirmation" page.should have_content "Password doesn't match confirmation"
end end
@ -110,6 +124,10 @@ class Profile < Spinach::FeatureSteps
current_path.should == new_user_session_path current_path.should == new_user_session_path
end end
step 'I should be redirected to account page' do
current_path.should == account_profile_path
end
step 'I click on my profile picture' do step 'I click on my profile picture' do
click_link 'profile-pic' click_link 'profile-pic'
end end