Merge pull request #16681 from tntwist/fix-new-password

fix(): ensure new password is different from current password

modules/account/src/Volo.Abp.Account.Application.Contracts/Volo/Abp/Account/ChangePasswordInput.cs

@@ -1,11 +1,16 @@
-using System.ComponentModel.DataAnnotations;
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Localization;
+using Volo.Abp.Account.Localization;
 using Volo.Abp.Auditing;
 using Volo.Abp.Identity;
 using Volo.Abp.Validation;
 
 namespace Volo.Abp.Account;
 
-public class ChangePasswordInput
+public class ChangePasswordInput : IValidatableObject
 {
     [DisableAuditing]
     [DynamicStringLength(typeof(IdentityUserConsts), nameof(IdentityUserConsts.MaxPasswordLength))]
@@ -15,4 +20,17 @@ public class ChangePasswordInput
     [DisableAuditing]
     [DynamicStringLength(typeof(IdentityUserConsts), nameof(IdentityUserConsts.MaxPasswordLength))]
     public string NewPassword { get; set; }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (CurrentPassword == NewPassword) 
+        {
+            var localizer = validationContext.GetRequiredService<IStringLocalizer<AccountResource>>();
+
+            yield return new ValidationResult(
+                localizer["NewPasswordSameAsOld"],
+                new[] { nameof(CurrentPassword), nameof(NewPassword) }
+            );
+        }
+    }
 }

modules/account/src/Volo.Abp.Account.Blazor/Pages/Account/AccountManage.razor.cs

@@ -48,6 +48,12 @@ public partial class AccountManage
             return;
         }
 
+        if (ChangePasswordModel.CurrentPassword == ChangePasswordModel.NewPassword) 
+        {
+            await UiMessageService.Warn(L["NewPasswordSameAsOld"]);
+            return;
+        }
+
         await ProfileAppService.ChangePasswordAsync(new ChangePasswordInput
         {
             CurrentPassword = ChangePasswordModel.CurrentPassword,

modules/account/test/Volo.Abp.Account.Application.Tests/Volo/Abp/Account/ProfileAppService_Tests.cs

@@ -4,6 +4,7 @@ using Microsoft.Extensions.DependencyInjection;
 using NSubstitute;
 using Shouldly;
 using Volo.Abp.Users;
+using Volo.Abp.Validation;
 using Xunit;
 
 namespace Volo.Abp.Account;
@@ -72,6 +73,27 @@ public class ProfileAppService_Tests : AbpAccountApplicationTestBase
         result.Name.ShouldBe(input.Name);
     }
 
+    [Fact]
+    public async Task ChangePasswordAsync_FailsForSamePassword()
+    {
+        //Arrange
+        _currentUser.Id.Returns(_testData.UserJohnId);
+        _currentUser.IsAuthenticated.Returns(true);
+
+        //Act
+        var ex = await _profileAppService.ChangePasswordAsync(new()
+        {
+            CurrentPassword = "SomePassword123!",
+            NewPassword = "SomePassword123!"
+        }).ShouldThrowAsync<AbpValidationException>();
+
+        //Assert
+        ex.ValidationErrors.ShouldNotBeEmpty();
+        var firstError = ex.ValidationErrors[0];
+        firstError.MemberNames.ShouldContain(nameof(ChangePasswordInput.CurrentPassword));
+        firstError.MemberNames.ShouldContain(nameof(ChangePasswordInput.NewPassword));
+    }
+
     private static string CreateRandomEmail()
     {
         return CreateRandomString() + "@abp.io";