Now change password directly need the current password

2014-07-30 15:42:34 +02:00 · 2014-07-30 15:42:34 +02:00 · e163282351
parent 64a517a83a
commit e163282351
1 changed files with 10 additions and 2 deletions
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@ -20,8 +20,10 @@ from django.db.models.loading import get_model
 from django.db.models import Q
 from django.shortcuts import get_object_or_404
 from django.contrib.auth import logout, login, authenticate
+from django.contrib.auth.hashers import make_password
 from django.utils.translation import ugettext_lazy as _

+
 from rest_framework.response import Response
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import IsAuthenticated, AllowAny
@ -142,13 +144,19 @@ class UsersViewSet(ModelCrudViewSet):
        """
        self.check_permissions(request, "change_password", None)

+        current_password = request.DATA.get("current_password")
        password = request.DATA.get("password")
+        if not current_password:
+            raise exc.WrongArguments(_("Current password parameter needed"))

        if not password:
-            raise exc.WrongArguments(_("Incomplete arguments"))
+            raise exc.WrongArguments(_("New password parameter needed"))

        if len(password) < 6:
-            raise exc.WrongArguments(_("Invalid password length"))
+            raise exc.WrongArguments(_("Invalid password length at least 6 charaters needed"))
+
+        if not request.user.check_password(current_password):
+            raise exc.WrongArguments(_("Invalid current password"))

        request.user.set_password(password)
        request.user.save(update_fields=["password"])