Merge branch 'security-10-8-users-can-update-their-password-without-entering-current-password' into 'security-10-8'

[10.8] No longer allow password change without previous password being provided See merge request gitlab/gitlabhq!2388
author: Filipa Lacerda <filipa@gitlab.com> 2018-05-09 17:34:43 +0300
committer: Mayra Cabrera <mcabrera@gitlab.com> 2018-05-25 18:43:56 +0300
commit: 8a93917b7e2f61d38d1dc7f6fc14a11c3ad7b73a (patch)
tree: 1888080ab1392d7823d2ff4c6a86c16a10444457 /spec
parent: 21a8d61d5ca820e61ab9c8dcef48a7169683077e (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index c621eb69171..35b42be2e3d 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -3,6 +3,19 @@ require('spec_helper')
 describe ProfilesController, :request_store do
   let(:user) { create(:user) }
 
+  describe 'POST update' do
+    it 'does not update password' do
+      sign_in(user)
+
+      expect do
+        post :update,
+          user: { password: 'hello12345', password_confirmation: 'hello12345' }
+      end.not_to change { user.reload.encrypted_password }
+
+      expect(response.status).to eq(302)
+    end
+  end
+
   describe 'PUT update' do
     it 'allows an email update from a user without an external email address' do
       sign_in(user)
author	Filipa Lacerda <filipa@gitlab.com>	2018-05-09 17:34:43 +0300
committer	Mayra Cabrera <mcabrera@gitlab.com>	2018-05-25 18:43:56 +0300
commit	8a93917b7e2f61d38d1dc7f6fc14a11c3ad7b73a (patch)
tree	1888080ab1392d7823d2ff4c6a86c16a10444457 /spec
parent	21a8d61d5ca820e61ab9c8dcef48a7169683077e (diff)