author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2010-02-11 03:19:21 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2010-02-11 03:19:21 +0000 |
commit | d1c261a8c52efaaf2ff3e96d63852278f7c7536a (patch) | |
tree | 47e1d52c1d373f95bfb5cc5e27258e255cc75d0f /modules/user/user.test | |
parent | ae716002a397067a461b2ed21886b121364b0c52 (diff) | |
#86299 by pwolanin, neochief, fwalch, thePanz, et al: Security hardening: Add 'current password' field to 'change password form'.
Diffstat (limited to 'modules/user/user.test')
-rw-r--r-- | modules/user/user.test | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/modules/user/user.test b/modules/user/user.test
index 374a7fced..f3387069d 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -1396,5 +1396,34 @@ class UserEditTestCase extends DrupalWebTestCase {
 variable_set('user_pictures', 1);
 $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
 $this->assertRaw(t('The name %name is already taken.', array('%name' => $edit['name'])));
+
+ // Test that the error message appears when attempting to change the mail or
+ // pass without the current password.
+ $edit = array();
+ $edit['mail'] = $this->randomName() . '@new.example.com';
+ $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
+ $this->assertRaw(t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => t('E-mail address'))));
+
+ $edit['current_pass'] = $user1->pass_raw;
+ $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
+ $this->assertRaw(t("The changes have been saved."));
+
+ // Test that the user must enter current password before changing passwords.
+ $edit = array();
+ $edit['pass[pass1]'] = $new_pass = $this->randomName();
+ $edit['pass[pass2]'] = $new_pass;
+ $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
+ $this->assertRaw(t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => t('Password'))));
+
+ // Try again with the current password.
+ $edit['current_pass'] = $user1->pass_raw;
+ $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
+ $this->assertRaw(t("The changes have been saved."));
+
+ // Make sure the user can log in with their new password.
+ $this->drupalLogout();
+ $user1->pass_raw = $new_pass;
+ $this->drupalLogin($user1);
+ $this->drupalLogout();
 }
 } |
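Review bot: Both rejection cases in this hunk post the form with `current_pass` omitted, so the "incorrect" half of the asserted "missing or incorrect" message is never exercised. A validator that only checked for a non-empty field would still pass this test. In the mail block, before `$edit['current_pass'] = $user1->pass_raw;`, I would set `$edit['current_pass'] = $this->randomName();`, repeat the `drupalPost()` call and assert the same error text, then do the same in the password block. The rejected submissions are also checked only through the rendered message; asserting that the stored mail is unchanged after a refused post would pin the security property itself rather than the UI string. The enclosing test method starts outside this hunk, so whether an earlier part of it already covers a wrong password cannot be seen from here.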