Merge pull request #927 from reasonerjt/update-salt

update salt when updating password

src/common/dao/user.go

@@ -137,11 +137,12 @@ func ChangeUserPassword(u models.User, oldPassword ...string) (err error) {
 	o := GetOrmer()
 
 	var r sql.Result
+	salt := utils.GenerateRandomString()
 	if len(oldPassword) == 0 {
 		//In some cases, it may no need to check old password, just as Linux change password policies.
-		r, err = o.Raw(`update user set password=?, salt=? where user_id=?`, utils.Encrypt(u.Password, u.Salt), u.Salt, u.UserID).Exec()
+		r, err = o.Raw(`update user set password=?, salt=? where user_id=?`, utils.Encrypt(u.Password, salt), salt, u.UserID).Exec()
 	} else {
-		r, err = o.Raw(`update user set password=?, salt=? where user_id=? and password = ?`, utils.Encrypt(u.Password, u.Salt), u.Salt, u.UserID, utils.Encrypt(oldPassword[0], u.Salt)).Exec()
+		r, err = o.Raw(`update user set password=?, salt=? where user_id=? and password = ?`, utils.Encrypt(u.Password, salt), salt, u.UserID, utils.Encrypt(oldPassword[0], u.Salt)).Exec()
 	}
 
 	if err != nil {

src/ui/api/user_test.go

@@ -354,6 +354,16 @@ func TestUsersUpdatePassword(t *testing.T) {
 		assert.Equal(200, code, "Get users status should be 200")
 		testUser0002.Password = password.NewPassword
 		testUser0002Auth.Passwd = password.NewPassword
+		//TODO: verify the new password takes effect
+	}
+	//case 6: update user2 password setting the new password same as the old
+	password.NewPassword = password.OldPassword
+	code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
+	if err != nil {
+		t.Error("Error occured while change user profile", err.Error())
+		t.Log(err)
+	} else {
+		assert.Equal(200, code, "When new password is same as old, update user password status should be 200")
 	}
 }