Merge branch '28938-password-change-workflow-for-admins' into 'master'

Changes the password change workflow for admins. Closes #28938 See merge request !13901

Merge branch '28938-password-change-workflow-for-admins' into 'master'
Changes the password change workflow for admins. Closes #28938 See merge request !13901
a768e1b7 · Sean McGivern · bf4ec606 · 0ffa4772 · a768e1b7 · a768e1b7
3 changed file
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -117,11 +117,14 @@ class Admin::UsersController < Admin::ApplicationController
    user_params_with_pass = user_params.dup

    if params[:user][:password].present?
-      user_params_with_pass.merge!(
+      password_params = {
        password: params[:user][:password],
-        password_confirmation: params[:user][:password_confirmation],
-        password_expires_at: Time.now
-      )
+        password_confirmation: params[:user][:password_confirmation]
+      }
+
+      password_params[:password_expires_at] = Time.now unless changing_own_password?
+
+      user_params_with_pass.merge!(password_params)
    end

    respond_to do |format|
@@ -167,6 +170,10 @@ class Admin::UsersController < Admin::ApplicationController

  protected

+  def changing_own_password?
+    user == current_user
+  end
+
  def user
    @user ||= User.find_by!(username: params[:id])
  end

--- a/changelogs/unreleased/28938-password-change-workflow-for-admins.yml
+++ b/changelogs/unreleased/28938-password-change-workflow-for-admins.yml
+---
+title: Changes the password change workflow for admins.
+merge_request: 13901
+author:
+type: fixed
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -150,6 +150,18 @@ describe Admin::UsersController do
        post :update, params
      end

+      context 'when the admin changes his own password' do
+        it 'updates the password' do
+          expect { update_password(admin, 'AValidPassword1') }
+            .to change { admin.reload.encrypted_password }
+        end
+
+        it 'does not set the new password to expire immediately' do
+          expect { update_password(admin, 'AValidPassword1') }
+            .not_to change { admin.reload.password_expires_at }
+        end
+      end
+
      context 'when the new password is valid' do
        it 'redirects to the user' do
          update_password(user, 'AValidPassword1')
@@ -158,15 +170,13 @@ describe Admin::UsersController do
        end

        it 'updates the password' do
-          update_password(user, 'AValidPassword1')
-
-          expect { user.reload }.to change { user.encrypted_password }
+          expect { update_password(user, 'AValidPassword1') }
+            .to change { user.reload.encrypted_password }
        end

        it 'sets the new password to expire immediately' do
-          update_password(user, 'AValidPassword1')
-
-          expect { user.reload }.to change { user.password_expires_at }.to(a_value <= Time.now)
+          expect { update_password(user, 'AValidPassword1') }
+            .to change { user.reload.password_expires_at }.to be_within(2.seconds).of(Time.now)
        end
      end

@@ -184,9 +194,8 @@ describe Admin::UsersController do
        end

        it 'does not update the password' do
-          update_password(user, 'invalid')
-
-          expect { user.reload }.not_to change { user.encrypted_password }
+          expect { update_password(user, 'invalid') }
+            .not_to change { user.reload.encrypted_password }
        end
      end

@@ -204,9 +213,8 @@ describe Admin::UsersController do
        end

        it 'does not update the password' do
-          update_password(user, 'AValidPassword1', 'AValidPassword2')
-
-          expect { user.reload }.not_to change { user.encrypted_password }
+          expect { update_password(user, 'AValidPassword1', 'AValidPassword2') }
+            .not_to change { user.reload.encrypted_password }
        end
      end
    end