make sure user cannot reuse the old password

2020-05-30 19:50:33 +02:00 · 2020-05-30 19:50:33 +02:00 · fa06c5cd4b
parent 1e00ea300a
commit fa06c5cd4b
1 changed files with 6 additions and 1 deletions
--- a/app/auth/views/reset_password.py
+++ b/app/auth/views/reset_password.py
@ -42,9 +42,14 @@ def reset_password():

    if form.validate_on_submit():
        user = reset_password_code.user
+        new_password = form.password.data

-        user.set_password(form.password.data)
+        # avoid user reusing the old password
+        if user.check_password(new_password):
+            error = "You cannot reuse the same password"
+            return render_template("auth/reset_password.html", form=form, error=error)

+        user.set_password(new_password)
        flash("Your new password has been set", "success")

        # this can be served to activate user too