Remove password and password_confirmation from whitelisted params in ProfilesController to prevent password from being changed without previous password being provided

3 files changed, 18 insertions, 2 deletions

diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index ac71f72e624..9f5ad23a20f 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController
       :linkedin,
       :location,
       :name,
-      :password,
-      :password_confirmation,
       :public_email,
       :skype,
       :twitter,
diff --git a/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml b/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml
new file mode 100644
index 00000000000..824fbd41ab8
--- /dev/null
+++ b/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent user passwords from being changed without providing the previous password
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index c621eb69171..4530a301d4d 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -3,6 +3,19 @@ require('spec_helper')
 describe ProfilesController, :request_store do
   let(:user) { create(:user) }
 
+  describe 'POST update' do
+    it 'does not update password' do
+      sign_in(user)
+
+      expect do
+        post :update,
+             user: { password: 'hello12345', password_confirmation: 'hello12345' }
+      end.not_to change { user.reload.encrypted_password }
+
+      expect(response.status).to eq(302)
+    end
+  end
+
   describe 'PUT update' do
     it 'allows an email update from a user without an external email address' do
       sign_in(user)