From 0150b972780cfa39cce58003a92f0f5b9909fb10 Mon Sep 17 00:00:00 2001
From: Kenn Jacobsen
Date: Mon, 31 Dec 2018 15:02:59 +0100
Subject: [PATCH] Show password change validation errors at the correct fields (#3918)
* Show password change validation errors at the correct password fields + remove the redundant "Could not reset password, errors: " message text
* Explicitly find the user instead of mapping it.
---
 src/Umbraco.Web/Editors/PasswordChanger.cs | 37 ++++++++++++++--------
 1 file changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/Umbraco.Web/Editors/PasswordChanger.cs b/src/Umbraco.Web/Editors/PasswordChanger.cs
index 7be14d27d1..266af76454 100644
--- a/src/Umbraco.Web/Editors/PasswordChanger.cs
+++ b/src/Umbraco.Web/Editors/PasswordChanger.cs
@@ -100,7 +100,7 @@ namespace Umbraco.Web.Editors
 {
 var errors = string.Join(". ", resetResult.Errors);
 _logger.Warn(string.Format("Could not reset user password {0}", errors));
- return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Could not reset password, errors: " + errors, new[] { "resetPassword" }) });
+ return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult(errors, new[] { "resetPassword" }) });
 }
 
 return Attempt.Succeed(new PasswordChangedModel());
@@ -120,21 +120,30 @@ namespace Umbraco.Web.Editors
 return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password cannot be changed without the old password", new[] { "oldPassword" }) });
 }
 
- if (passwordModel.OldPassword.IsNullOrWhiteSpace() == false)
+ //get the user
+ var backOfficeIdentityUser = await userMgr.FindByIdAsync(savingUser.Id);
+ if (backOfficeIdentityUser == null)
 {
- //if an old password is suplied try to change it
- var changeResult = await userMgr.ChangePasswordAsync(savingUser.Id, passwordModel.OldPassword, passwordModel.NewPassword);
- if (changeResult.Succeeded == false)
- {
- var errors = string.Join(". ", changeResult.Errors);
- _logger.Warn(string.Format("Could not change user password {0}", errors));
- return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Could not change password, errors: " + errors, new[] { "oldPassword" }) });
- }
- return Attempt.Succeed(new PasswordChangedModel());
+ //this really shouldn't ever happen... but just in case
+ return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password could not be verified", new[] { "oldPassword" }) });
 }
-
- //We shouldn't really get here
- return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Could not change password, invalid information supplied", new[] { "value" }) });
+ //is the old password correct?
+ var validateResult = await userMgr.CheckPasswordAsync(backOfficeIdentityUser, passwordModel.OldPassword);
+ if(validateResult == false)
+ {
+ //no, fail with an error message for "oldPassword"
+ return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Incorrect password", new[] { "oldPassword" }) });
+ }
+ //can we change to the new password?
+ var changeResult = await userMgr.ChangePasswordAsync(savingUser.Id, passwordModel.OldPassword, passwordModel.NewPassword);
+ if (changeResult.Succeeded == false)
+ {
+ //no, fail with error messages for "password"
+ var errors = string.Join(". ", changeResult.Errors);
+ _logger.Warn(string.Format("Could not change user password {0}", errors));
+ return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult(errors, new[] { "password" }) });
+ }
+ return Attempt.Succeed(new PasswordChangedModel());
 }
 
 ///
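Review bot: The two new rejection paths in this hunk, the `backOfficeIdentityUser == null` branch and the `validateResult == false` branch, return without writing anything to `_logger`, whereas the removed code logged every `ChangePasswordAsync` failure, which presumably included a wrong old password. Repeated wrong-old-password attempts from an already authenticated session would then leave no trace in the application log. I would add a line such as `_logger.Warn(string.Format("Old password check failed for user {0}", savingUser.Id));` before the "Incorrect password" return, and a similar one in the null-user branch. The old password is also now verified twice, once by `CheckPasswordAsync` and presumably again inside `ChangePasswordAsync`, and the guarantee that `passwordModel.OldPassword` is non-empty rests on the guard above the hunk, where the enclosing method begins.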