diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 0b6a7e1d2..8857bdaa0 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -167,7 +167,7 @@ def create_account(self, **kw):
         c.form = F.registration_form
         return dict()
 
-    def _validate_hash(self, hash):
+    def _validate_hash(self, hash) -> M.User:
         login_url = config.get('auth.login_url', '/auth/')
         if not hash:
             redirect(login_url)
@@ -206,7 +206,12 @@ def set_new_password(self, hash=None, pw=None, pw2=None):
         if not provider.forgotten_password_process:
             raise wexc.HTTPNotFound()
         user = self._validate_hash(hash)
-        enforce_hibp_password_check(provider, pw, f'/auth/forgotten_password/{hash}')
+        restart_url = f'/auth/forgotten_password/{hash}'
+        enforce_hibp_password_check(provider, pw, restart_url)
+
+        if provider._validate_password(user, pw):
+            flash('Your old and new password should not be the same', 'error')
+            redirect(restart_url)
 
         user.set_password(pw)
         user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # Clear password reset token
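Review bot: The new same-password check on the line `if provider._validate_password(user, pw):` calls an underscore-prefixed provider method from the controller, so the controller now depends on a non-public part of every authentication provider; if a provider in this tree does not implement `_validate_password` (I cannot tell from the hunk), the reset flow would raise rather than redirect. Either expose a public wrapper on the provider or note the coupling where it is used, e.g. `# Intentional use of the provider-private check: a reset must actually change the password`. The ordering is sound as written, since the HIBP check redirects first and `set_password` is only reached after both checks pass, but a short why-comment on the new block would make that ordering explicit for the next reader. The body of set_new_password continues past the end of this hunk.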
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 7309495c9..3ca7741d0 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -1743,6 +1743,17 @@ def test_password_reset(self, gen_message_id, sendsimplemail):
         assert 'New Password:' in r
         assert 'New Password (again):' in r
         form = r.forms[0]
+        form['pw'] = form['pw2'] = 'foo'  # old password
+        with h.push_config(config, **{'auth.min_password_len': 3}):
+            r = form.submit()
+        print(r)
+        if r.status == 200:
+            assert [] == r.html.findAll(attrs={'class': 'fielderror'})
+        assert 'Your old and new password should not be the same' in self.webflash(r)
+        r = r.follow()
+
+        # fill it out correctly
+        form = r.forms[0]
         form['pw'] = form['pw2'] = new_password = '154321'
         with td.audits(r'Password changed \(through recovery process\)', user=True):
             # escape parentheses, so they would not be treated as regex group
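Review bot: `print(r)` on the line after `r = form.submit()` looks like a leftover debugging statement and should be dropped. The `if r.status == 200:` guard also makes the fielderror assertion conditional, so the test passes silently if the response is neither a redirect nor a clean 200; since the new controller code always redirects on a reused password, `assert r.status_int == 302` followed by the webflash assertion would pin the expected behaviour more tightly (the exact status attribute name should be matched to what the rest of this test file uses). The enclosing test_password_reset starts before this hunk and continues past it.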