From 17bc82765bce7c44be7689f017242a2b59e47a74 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Wed, 14 Nov 2018 00:32:42 +0000
Subject: [PATCH] FEATURE: Log password changes in UserHistory (#6600)
---
 app/controllers/users_controller.rb | 5 +++++
 app/models/user_history.rb | 3 ++-
 spec/requests/users_controller_spec.rb | 16 ++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 2153f47b78f..5a25f7c4e52 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -497,6 +497,11 @@ class UsersController < ApplicationController
 Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
 secure_session["password-#{token}"] = nil
 secure_session["second-factor-#{token}"] = nil
+ UserHistory.create!(
+ target_user: @user,
+ acting_user: @user,
+ action: UserHistory.actions[:change_password]
+ )
 logon_after_password_reset
 end
 end
diff --git a/app/models/user_history.rb b/app/models/user_history.rb
index 1aaf9c8dfc4..4bd4887ac49 100644
--- a/app/models/user_history.rb
+++ b/app/models/user_history.rb
@@ -82,7 +82,8 @@ class UserHistory < ActiveRecord::Base
 removed_unsuspend_user: 63,
 post_rejected: 64,
 merge_user: 65,
- entity_export: 66
+ entity_export: 66,
+ change_password: 67
 )
 end
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 106cf80e932..bc43a1d77fb 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
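Review bot: The new `UserHistory.create!` in the users_controller hunk records who changed the password but not how it was changed: a reset completed with an emailed token and a self-service change from account settings would both show up as `change_password` with the user as their own acting_user, so during an incident review a legitimate change and an account takeover through a leaked or intercepted reset link look identical. If UserHistory carries the `context`/`ip_address` columns that other entries use, record them here, e.g. `context: "password reset"` and `ip_address: request.remote_ip`, so the entry is actionable. Note also that `create!` raises on a failed write, and by this point the invite has been invalidated and the session tokens cleared (and presumably the new password saved earlier in the method), so a logging failure would surface as a 500 to a user whose password did change; decide whether this write should be best-effort or part of the same transaction. The enclosing action starts outside the hunk.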
@@ -235,6 +235,22 @@ describe UsersController do
 expect(response).to redirect_to(wizard_path)
 end
+ it "logs the password change" do
+ user = Fabricate(:admin)
+ UserAuthToken.generate!(user_id: user.id)
+ token = user.email_tokens.create(email: user.email).token
+ get "/u/password-reset/#{token}"
+
+ expect do
+ put "/u/password-reset/#{token}", params: { password: 'hg9ow8yhg98oadminlonger' }
+ end.to change { UserHistory.count }.by (1)
+
+ entry = UserHistory.last
+
+ expect(entry.target_user_id).to eq(user.id)
+ expect(entry.action).to eq(UserHistory.actions[:change_password])
+ end
+
 it "doesn't invalidate the token when loading the page" do
 user = Fabricate(:user)
 user_token = UserAuthToken.generate!(user_id: user.id)
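Review bot: The assertions at the end of the new example check `target_user_id` and `action` but never `acting_user_id`, so a regression that attributed the change to a nil or different actor would still pass; add `expect(entry.acting_user_id).to eq(user.id)` next to the existing two. Separately, `.by (1)` has a space before the parenthesis, which Ruby parses as a grouped expression and warns about; write `.by(1)`. The example also exercises only the emailed-token reset route, so any other route that changes a password is not covered by this test (outside this hunk).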