From b3d5ba6f9013052dfe51fb03ce3e2088d7da3be5 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 3 Dec 2017 01:11:22 +0800
Subject: [PATCH] Fix missing password length check when change password
 (#3039)

* fix missing password length check when changing password

* add tests for change password
---
 modules/test/context_tests.go |  4 ++-
 routers/user/setting.go       |  4 ++-
 routers/user/setting_test.go  | 68 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 routers/user/setting_test.go

diff --git a/modules/test/context_tests.go b/modules/test/context_tests.go
index da15b64395..887446d716 100644
--- a/modules/test/context_tests.go
+++ b/modules/test/context_tests.go
@@ -34,7 +34,9 @@ func MockContext(t *testing.T, path string) *context.Context {
 	macaronContext.Data = map[string]interface{}{}
 	return &context.Context{
 		Context: &macaronContext,
-		Flash:   &session.Flash{},
+		Flash: &session.Flash{
+			Values: make(url.Values),
+		},
 	}
 }
 
diff --git a/routers/user/setting.go b/routers/user/setting.go
index bd2c923b70..a2f32e3e19 100644
--- a/routers/user/setting.go
+++ b/routers/user/setting.go
@@ -222,7 +222,9 @@ func SettingsSecurityPost(ctx *context.Context, form auth.ChangePasswordForm) {
 		return
 	}
 
-	if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) {
+	if len(form.Password) < setting.MinPasswordLength {
+		ctx.Flash.Error(ctx.Tr("auth.password_too_short", setting.MinPasswordLength))
+	} else if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) {
 		ctx.Flash.Error(ctx.Tr("settings.password_incorrect"))
 	} else if form.Password != form.Retype {
 		ctx.Flash.Error(ctx.Tr("form.password_not_match"))
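Review bot: `len(form.Password)` on the added check counts bytes, not characters, so a password made of three two-byte runes satisfies `MinPasswordLength = 6` while being only three characters long; if the minimum is meant as a character count, the line should read `if utf8.RuneCountInString(form.Password) < setting.MinPasswordLength {` (with `unicode/utf8` imported). If the sign-up path applies the same byte-based comparison, both places should move together so the policy stays consistent. Placing the length check ahead of the old-password comparison is reasonable, since a too-short value is rejected before `ValidatePassword` is invoked. SettingsSecurityPost begins before this hunk and continues after it.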
diff --git a/routers/user/setting_test.go b/routers/user/setting_test.go
new file mode 100644
index 0000000000..72b1b83143
--- /dev/null
+++ b/routers/user/setting_test.go
@@ -0,0 +1,68 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package user
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/auth"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestChangePassword(t *testing.T) {
+	oldPassword := "password"
+	setting.MinPasswordLength = 6
+
+	for _, req := range []struct {
+		OldPassword string
+		NewPassword string
+		Retype      string
+		Message     string
+	}{
+		{
+			OldPassword: oldPassword,
+			NewPassword: "123456",
+			Retype:      "123456",
+			Message:     "",
+		},
+		{
+			OldPassword: oldPassword,
+			NewPassword: "12345",
+			Retype:      "12345",
+			Message:     "auth.password_too_short",
+		},
+		{
+			OldPassword: "12334",
+			NewPassword: "123456",
+			Retype:      "123456",
+			Message:     "settings.password_incorrect",
+		},
+		{
+			OldPassword: oldPassword,
+			NewPassword: "123456",
+			Retype:      "12345",
+			Message:     "form.password_not_match",
+		},
+	} {
+		models.PrepareTestEnv(t)
+		ctx := test.MockContext(t, "user/settings/security")
+		test.LoadUser(t, ctx, 2)
+		test.LoadRepo(t, ctx, 1)
+
+		SettingsSecurityPost(ctx, auth.ChangePasswordForm{
+			OldPassword: req.OldPassword,
+			Password:    req.NewPassword,
+			Retype:      req.Retype,
+		})
+
+		assert.EqualValues(t, req.Message, ctx.Flash.ErrorMsg)
+		assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
+	}
+}
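Review bot: The assignment `setting.MinPasswordLength = 6` at the top of TestChangePassword overwrites a package-level global for the rest of the test binary and is never restored, so any later test in this package that reads the configured minimum silently inherits 6; save and restore it with `oldMin := setting.MinPasswordLength`, `setting.MinPasswordLength = 6`, `defer func() { setting.MinPasswordLength = oldMin }()`. The success case (first table entry) asserts only an empty flash message and a 302, so a regression in which the new hash is never persisted would still pass; reloading user 2 after the call and asserting that `ValidatePassword("123456")` holds would pin the behavior the test is named for. The table also lacks the `IsPasswordSet()` false branch that the `else if` in SettingsSecurityPost guards, if a fixture user without a password is available.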