From b876ea360d76989762672f1275c31f611302db73 Mon Sep 17 00:00:00 2001
From: Tan Jiang
Date: Mon, 24 Oct 2016 13:40:19 +0800
Subject: [PATCH 1/2] update salt when updating password

---
 src/common/dao/user.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/common/dao/user.go b/src/common/dao/user.go
index 49011ada0..765a504db 100644
--- a/src/common/dao/user.go
+++ b/src/common/dao/user.go
@@ -137,11 +137,12 @@ func ChangeUserPassword(u models.User, oldPassword ...string) (err error) {
 o := GetOrmer()
 var r sql.Result
+ salt := utils.GenerateRandomString()
 if len(oldPassword) == 0 {
 //In some cases, it may no need to check old password, just as Linux change password policies.
- r, err = o.Raw(`update user set password=?, salt=? where user_id=?`, utils.Encrypt(u.Password, u.Salt), u.Salt, u.UserID).Exec()
+ r, err = o.Raw(`update user set password=?, salt=? where user_id=?`, utils.Encrypt(u.Password, salt), salt, u.UserID).Exec()
 } else {
- r, err = o.Raw(`update user set password=?, salt=? where user_id=? and password = ?`, utils.Encrypt(u.Password, u.Salt), u.Salt, u.UserID, utils.Encrypt(oldPassword[0], u.Salt)).Exec()
+ r, err = o.Raw(`update user set password=?, salt=? where user_id=? and password = ?`, utils.Encrypt(u.Password, salt), salt, u.UserID, utils.Encrypt(oldPassword[0], u.Salt)).Exec()
 }
 if err != nil {

From 64562b8f839d4f75b44592ace33b8fddd00c3bf2 Mon Sep 17 00:00:00 2001
From: Tan Jiang
Date: Mon, 24 Oct 2016 17:16:18 +0800
Subject: [PATCH 2/2] add test case to cover new password and old password are the same

---
 src/ui/api/user_test.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/ui/api/user_test.go b/src/ui/api/user_test.go
index 7ea546990..7d0caa95b 100644
--- a/src/ui/api/user_test.go
+++ b/src/ui/api/user_test.go
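Review bot: The old-password check in the `else` branch still hashes `oldPassword[0]` with the caller-supplied `u.Salt`, while the stored salt now rotates on every successful update, so a caller that reuses a `models.User` value across two changes, or never loaded `Salt` from the database, hashes against the wrong salt and the UPDATE silently matches zero rows. Because `u` is passed by value the freshly generated salt never reaches the caller either, which makes such stale copies easy to produce. I would look the current salt up inside the function instead of trusting the struct, as sketched below (`QueryRow` assumed to be the ormer's single-row helper), and note on the `salt :=` line that `u.Salt` is now only used to verify the old password. Whether `utils.GenerateRandomString` draws from `crypto/rand` is not visible here; if it is `math/rand`-based the salts are predictable and should be fixed with this change. `ChangeUserPassword` continues past the end of the hunk, so whether the rows-affected count in `r` is checked cannot be confirmed from this view.

```go
	// A fresh salt is minted on every change; u.Salt is never used for the new hash.
	salt := utils.GenerateRandomString()
	if len(oldPassword) == 0 {
		// … unchanged: update without old-password check …
	} else {
		// Verify the old password against the salt currently stored for this user,
		// not the one carried in u, which goes stale as soon as the salt rotates.
		var stored models.User
		if err = o.Raw(`select salt from user where user_id=?`, u.UserID).QueryRow(&stored); err != nil {
			return err
		}
		r, err = o.Raw(`update user set password=?, salt=? where user_id=? and password = ?`,
			utils.Encrypt(u.Password, salt), salt, u.UserID, utils.Encrypt(oldPassword[0], stored.Salt)).Exec()
	}
```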
@@ -354,6 +354,16 @@ func TestUsersUpdatePassword(t *testing.T) {
 assert.Equal(200, code, "Get users status should be 200")
 testUser0002.Password = password.NewPassword
 testUser0002Auth.Passwd = password.NewPassword
+ //TODO: verify the new password takes effect
+ }
+ //case 6: update user2 password setting the new password same as the old
+ password.NewPassword = password.OldPassword
+ code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
+ if err != nil {
+ t.Error("Error occured while change user profile", err.Error())
+ t.Log(err)
+ } else {
+ assert.Equal(200, code, "When new password is same as old, update user password status should be 200")
 }
 }
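Review bot: The new case 6 at the end of the hunk asserts only the 200 status code, and the `//TODO: verify the new password takes effect` added just above it stays unresolved, so neither case checks that user 2 can still authenticate after the update — the one property the salt rotation in the sibling `ChangeUserPassword` commit could break. Unless `password.OldPassword` is refreshed between cases (not visible here), it still holds the pre-case-5 value, so case 6 changes the password again rather than re-setting the same one and leaves `testUser0002Auth.Passwd` stale for any later call made as user 2; mirror case 5's bookkeeping after the assert with `testUser0002.Password = password.NewPassword` and `testUser0002Auth.Passwd = password.NewPassword`. To close the TODO, follow each successful update with a request authenticated via `testUser0002Auth` (whichever apiTest helper takes a usrInfo) and assert it returns 200. The message on the new `t.Error` line is copied from the profile test and misspelled; `t.Error("Error occurred while changing user password", err.Error())` names the operation under test. `TestUsersUpdatePassword` starts before this hunk, so the setup of `password` and the auth structs is not visible.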