From 846b7d24307ee460f52e30778d799dc9807023e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Wed, 12 Aug 2020 22:09:22 -0400
Subject: [PATCH] refactor: change pwd change logic

add one more test
---
 src/user/profile.js | 18 ++++++------------
 test/user.js | 13 +++++++++++++
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/src/user/profile.js b/src/user/profile.js
index 38a8083648..8bddfc873f 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -278,24 +278,18 @@ module.exports = function (User) {
 if (meta.config['password:disableEdit'] && !isAdmin) {
 throw new Error('[[error:no-privileges]]');
 }
- let isAdminOrPasswordMatch = false;
+
 const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
 
 if (!isAdmin && !isSelf) {
 throw new Error('[[user:change_password_error_privileges]]');
 }
 
- if (
- (isAdmin && !isSelf) || // Admins ok
- (!hasPassword && isSelf) // Initial password set ok
- ) {
- isAdminOrPasswordMatch = true;
- } else {
- isAdminOrPasswordMatch = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
- }
-
- if (!isAdminOrPasswordMatch) {
- throw new Error('[[user:change_password_error_wrong_current]]');
+ if (isSelf && hasPassword) {
+ const correct = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
+ if (!correct) {
+ throw new Error('[[user:change_password_error_wrong_current]]');
+ }
 }
 
 const hashedPassword = await User.hashPassword(data.newPassword);
diff --git a/test/user.js b/test/user.js
index 8f8f30c177..e848202bb6 100644
--- a/test/user.js
+++ b/test/user.js
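Review bot: The rewrite drops the `// Admins ok` and `// Initial password set ok` explanations, so the new `if (isSelf && hasPassword)` guard no longer records why an admin acting on another account, or a user setting a first password, may proceed without proving `currentPassword`. A one-line comment above the guard would keep that rationale visible, e.g. `// Only a user changing their own existing password must prove the current one; admins editing other accounts and first-time password sets skip this check.` As far as the hunk shows, the new condition is equivalent to the removed branch: every case that previously reached isPasswordCorrect (self with an existing password, admin included) still does, and the early `!isAdmin && !isSelf` throw still covers the remaining non-admin case. The enclosing changePassword function begins and ends outside the hunk.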
@@ -860,6 +860,19 @@ describe('User', function () {
 assert(correct);
 });
 
+ it('should not let admin change their password if current password is incorrect', async function () {
+ const adminUid = await User.create({ username: 'adminforgotpwd', password: 'admin1234' });
+ await groups.join('administrators', adminUid);
+
+ let err;
+ try {
+ await socketUser.changePassword({ uid: adminUid }, { uid: adminUid, newPassword: '654321', currentPassword: 'wrongpwd' });
+ } catch (_err) {
+ err = _err;
+ }
+ assert.equal(err.message, '[[user:change_password_error_wrong_current]]');
+ });
+
 it('should change username', function (done) {
 socketUser.changeUsernameEmail({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '123456' }, function (err) {
 assert.ifError(err);
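Review bot: If `socketUser.changePassword` unexpectedly resolves in the new test, `err` stays undefined and `assert.equal(err.message, …)` fails with a TypeError instead of a readable assertion, hiding the actual regression (a password change accepted with a wrong current password). Adding `assert(err, 'expected changePassword to reject');` before the `assert.equal`, or replacing the try/catch with `await assert.rejects(socketUser.changePassword({ uid: adminUid }, { uid: adminUid, newPassword: '654321', currentPassword: 'wrongpwd' }), { message: '[[user:change_password_error_wrong_current]]' });`, makes the expected outcome explicit. The enclosing describe('User') block starts and ends outside the hunk.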