Merge branch…

Merge branch 'security-10-6-users-can-update-their-password-without-entering-current-password' into 'security-10-6' [10.6] No longer allow password change without previous password being provided See merge request gitlab/gitlabhq!2385

Merge branch…
8cc9a238 · Filipa Lacerda · Mayra Cabrera · c3a8df63 · 8cc9a238 · 8cc9a238
Commit 8cc9a238 authored May 09, 2018 by Filipa Lacerda Committed by Mayra Cabrera May 25, 2018
3 changed files
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -83,8 +83,6 @@ class ProfilesController < Profiles::ApplicationController
      :linkedin,
      :location,
      :name,
-      :password,
-      :password_confirmation,
      :public_email,
      :skype,
      :twitter,

--- a/changelogs/unreleased/security-10-6-users-can-update-their-password-without-entering-current-password.yml
+++ b/changelogs/unreleased/security-10-6-users-can-update-their-password-without-entering-current-password.yml
+---
+title: Prevent user passwords from being changed without providing the previous password
+merge_request:
+author:
+type: security
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -3,6 +3,19 @@ require('spec_helper')
 describe ProfilesController, :request_store do
  let(:user) { create(:user) }

+  describe 'POST update' do
+    it 'does not update password' do
+      sign_in(user)
+
+      expect do
+        post :update,
+             user: { password: 'hello12345', password_confirmation: 'hello12345' }
+      end.not_to change { user.reload.encrypted_password }
+
+      expect(response.status).to eq(302)
+    end
+  end
+
  describe 'PUT update' do
    it 'allows an email update from a user without an external email address' do
      sign_in(user)