diff --git a/flask_security/core.py b/flask_security/core.py index dfb49ac..9ec4284 100644 --- a/flask_security/core.py +++ b/flask_security/core.py @@ -116,6 +116,7 @@ _default_messages = { 'INVALID_PASSWORD': ('Invalid password', 'error'), 'PASSWORDLESS_LOGIN_SUCCESSFUL': ('You have successfuly logged in.', 'success'), 'PASSWORD_RESET': ('You successfully reset your password and you have been logged in automatically.', 'success'), + 'PASSWORD_IS_THE_SAME': ('Your new password must be different than your previous password.', 'error'), 'PASSWORD_CHANGE': ('You successfully changed your password.', 'success'), 'LOGIN': ('Please log in to access this page.', 'info'), 'REFRESH': ('Please reauthenticate to access this page.', 'info'), diff --git a/flask_security/forms.py b/flask_security/forms.py index e43ffd0..57ebb3e 100644 --- a/flask_security/forms.py +++ b/flask_security/forms.py @@ -22,7 +22,7 @@ from flask_login import current_user from werkzeug.local import LocalProxy from .confirmable import requires_confirmation -from .utils import verify_and_update_password, get_message +from .utils import verify_and_update_password, get_message, encrypt_password # Convenient reference _datastore = LocalProxy(lambda: current_app.extensions['security'].datastore) @@ -275,4 +275,7 @@ class ChangePasswordForm(Form, PasswordFormMixin): if not verify_and_update_password(self.password.data, current_user): self.password.errors.append(get_message('INVALID_PASSWORD')[0]) return False + if self.password.data.strip() == self.new_password.data.strip(): + self.password.errors.append(get_message('PASSWORD_IS_THE_SAME')[0]) + return False return True diff --git a/tests/configured_tests.py b/tests/configured_tests.py index a1213d8..0cc9031 100644 --- a/tests/configured_tests.py +++ b/tests/configured_tests.py @@ -474,6 +474,16 @@ class ChangePasswordTest(SecurityTest): self.assertNotIn('You successfully changed your password', r.data) self.assertIn('Password must be at least 6 characters', r.data) + def test_change_password_same_as_previous(self): + self.authenticate() + r = self._post('/change', data={ + 'password': 'password', + 'new_password': 'password', + 'new_password_confirm': 'password' + }, follow_redirects=True) + self.assertNotIn('You successfully changed your password', r.data) + self.assertIn('Your new password must be different than your previous password.', r.data) + def test_change_password_success(self): data = { 'password': 'password',