From 1139eee2adf51cf8cdbade3b5296422ef9e031b4 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 4 Oct 2018 07:53:45 +0200
Subject: [PATCH] Improved update password method to ask the current password

---
 REST-Tests/users.http | 13 +++++++++++++
 routes/api/v1/user_update_password.go | 16 ++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/REST-Tests/users.http b/REST-Tests/users.http
index a082437f034..e47d492985a 100644
--- a/REST-Tests/users.http
+++ b/REST-Tests/users.http
@@ -8,4 +8,17 @@ Authorization: Bearer {{auth_token}}
 GET http://localhost:8080/api/v1/users?s=3
 Authorization: Bearer {{auth_token}}
 
+###
+
+## Update password
+
+POST http://localhost:8080/api/v1/user/password
+Authorization: Bearer {{auth_token}}
+Content-Type: application/json
+
+{
+ "old_password": "1234",
+ "new_password": "1234"
+}
+
 ###
\ No newline at end of file
diff --git a/routes/api/v1/user_update_password.go b/routes/api/v1/user_update_password.go
index 55a9a478ca5..3c619c902af 100644
--- a/routes/api/v1/user_update_password.go
+++ b/routes/api/v1/user_update_password.go
@@ -8,7 +8,8 @@ import (
 
 // UserPassword holds a user password. Used to update it.
 type UserPassword struct {
- Password string `json:"password"`
+ OldPassword string `json:"old_password"`
+ NewPassword string `json:"new_password"`
 }
 
 // UserChangePassword is the handler to change a users password
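Review bot: The doc comment on `UserPassword` is stale after this hunk: the single `Password` field becomes `OldPassword` and `NewPassword`, but the comment still says the struct "holds a user password". Suggest `// UserPassword is the request body for a password change: OldPassword is the user's current password, which is verified before NewPassword is stored.` Renaming the JSON key from `password` to `new_password` also changes the wire contract, so existing clients that still send `password` will presumably end up with an empty `NewPassword` and be rejected by the "No password provided." check in the handler (outside this hunk); that is worth stating in the comment or the API changelog so the rejection is not mistaken for a server bug.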
@@ -47,14 +48,21 @@ func UserChangePassword(c echo.Context) error {
 return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
 }
 
+ // Check the current password
+ if _, err = models.CheckUserCredentials(&models.UserLogin{Username:doer.Username,Password:newPW.OldPassword}); err != nil {
+ if models.IsErrUserDoesNotExist(err) {
+ return echo.NewHTTPError(http.StatusNotFound, "The user does not exist.")
+ }
+ return c.JSON(http.StatusUnauthorized, models.Message{"Wrong password."})
+ }
+
 // Update the password
- err = models.UpdateUserPassword(&doer, newPW.Password)
- if err != nil {
+ if err = models.UpdateUserPassword(&doer, newPW.NewPassword); err != nil {
 if models.IsErrUserDoesNotExist(err) {
 return echo.NewHTTPError(http.StatusNotFound, "The user does not exist.")
 }
- models.Log.Error("Error updating a users password, user: %d", doer.ID)
+ models.Log.Error("Error updating a users password, user: %d, err: %s", doer.ID, err)
 return echo.NewHTTPError(http.StatusInternalServerError, "An error occurred.")
 }