From fa06c5cd4bfdd00b1367f064a1232640cea01201 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sat, 30 May 2020 19:50:33 +0200
Subject: [PATCH] make sure user cannot reuse the old password

---
 app/auth/views/reset_password.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/auth/views/reset_password.py b/app/auth/views/reset_password.py
index f2cea4f6..ee21683b 100644
--- a/app/auth/views/reset_password.py
+++ b/app/auth/views/reset_password.py
@@ -42,9 +42,14 @@ def reset_password():
 if form.validate_on_submit():
 user = reset_password_code.user
+ new_password = form.password.data
- user.set_password(form.password.data)
+ # avoid user reusing the old password
+ if user.check_password(new_password):
+ error = "You cannot reuse the same password"
+ return render_template("auth/reset_password.html", form=form, error=error)
+ user.set_password(new_password)
 flash("Your new password has been set", "success")
 # this can be served to activate user too