Merge branch 'security-users-can-update-their-password-without-entering-current-password' into 'master'

[Master] No longer allow password change without previous password being provided See merge request gitlab/gitlabhq!2383
author: Mayra Cabrera <mcabrera@gitlab.com> 2018-05-29 18:41:33 +0000
committer: Mayra Cabrera <mcabrera@gitlab.com> 2018-05-29 18:41:33 +0000
commit: 33f4f161a1a417c17fc4c6d18e4dc01c33945ab5 (patch)
tree: cef725cc18d86e75a8b06bdc9781cd6d9ced6521 /spec
parent: 046cc6011a4a5e10950d1d9d69ea500aba905e7b (diff)
parent: 8417f74f23a75020a14f39d939c4dd1cc5419d07 (diff)
download: gitlab-ce-33f4f161a1a417c17fc4c6d18e4dc01c33945ab5.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index c621eb69171..4530a301d4d 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -3,6 +3,19 @@ require('spec_helper')
 describe ProfilesController, :request_store do
   let(:user) { create(:user) }
 
+  describe 'POST update' do
+    it 'does not update password' do
+      sign_in(user)
+
+      expect do
+        post :update,
+             user: { password: 'hello12345', password_confirmation: 'hello12345' }
+      end.not_to change { user.reload.encrypted_password }
+
+      expect(response.status).to eq(302)
+    end
+  end
+
   describe 'PUT update' do
     it 'allows an email update from a user without an external email address' do
       sign_in(user)
author	Mayra Cabrera <mcabrera@gitlab.com>	2018-05-29 18:41:33 +0000
committer	Mayra Cabrera <mcabrera@gitlab.com>	2018-05-29 18:41:33 +0000
commit	33f4f161a1a417c17fc4c6d18e4dc01c33945ab5 (patch)
tree	cef725cc18d86e75a8b06bdc9781cd6d9ced6521 /spec
parent	046cc6011a4a5e10950d1d9d69ea500aba905e7b (diff)
parent	8417f74f23a75020a14f39d939c4dd1cc5419d07 (diff)
download	gitlab-ce-33f4f161a1a417c17fc4c6d18e4dc01c33945ab5.tar.gz