From 816c25ac3233ec011f0eaeff42917e8f33d81495 Mon Sep 17 00:00:00 2001
From: Jari Voutilainen
Date: Wed, 10 Feb 2016 14:47:35 +0200
Subject: [PATCH 1/5] #2870: require password when changing email

---
 ckan/controllers/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 299c424a51c..85b80b52c11 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -323,7 +323,7 @@ def _save_edit(self, id, context):
 context['message'] = data_dict.get('log_message', '')
 data_dict['id'] = id
 
- if data_dict['password1'] and data_dict['password2']:
+ if (data_dict['password1'] and data_dict['password2']) or data_dict['email']:
 identity = {'login': c.user,
 'password': data_dict['old_password']}
 auth = authenticator.UsernamePasswordAuthenticator()

From 279e23b282aaef489aa5bac49841580c9f6334ac Mon Sep 17 00:00:00 2001
From: Jari Voutilainen
Date: Thu, 11 Feb 2016 12:13:50 +0200
Subject: [PATCH 2/5] fixed pep8

---
 ckan/controllers/user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 85b80b52c11..4fcd7699b57 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -323,7 +323,8 @@ def _save_edit(self, id, context):
 context['message'] = data_dict.get('log_message', '')
 data_dict['id'] = id
 
- if (data_dict['password1'] and data_dict['password2']) or data_dict['email']:
+ if (data_dict['password1'] and data_dict['password2']) \
+ or data_dict['email']:
 identity = {'login': c.user,
 'password': data_dict['old_password']}
 auth = authenticator.UsernamePasswordAuthenticator()

From 7b1d6a9d03c8d87d96e504d75a45df87d4c8d439 Mon Sep 17 00:00:00 2001
From: Jari Voutilainen
Date: Mon, 22 Feb 2016 09:14:23 +0200
Subject: [PATCH 3/5] check modification of email address

---
 ckan/controllers/user.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 4fcd7699b57..7005665b5b2 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -323,8 +323,10 @@ def _save_edit(self, id, context):
 context['message'] = data_dict.get('log_message', '')
 data_dict['id'] = id
 
+ email_changed = data_dict['email'] != c.userobj.email
+ 
 if (data_dict['password1'] and data_dict['password2']) \
- or data_dict['email']:
+ or email_changed:
 identity = {'login': c.user,
 'password': data_dict['old_password']}
 auth = authenticator.UsernamePasswordAuthenticator()

From 157174f4f34ac5f840d0d1e5e67b3cc99a4b3dc4 Mon Sep 17 00:00:00 2001
From: Jari Voutilainen
Date: Mon, 22 Feb 2016 10:45:01 +0200
Subject: [PATCH 4/5] should have checked pep8 again

---
 ckan/controllers/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 7005665b5b2..80cfb5a1df4 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -324,7 +324,7 @@ def _save_edit(self, id, context):
 data_dict['id'] = id
 
 email_changed = data_dict['email'] != c.userobj.email
- 
+
 if (data_dict['password1'] and data_dict['password2']) \
 or email_changed:
 identity = {'login': c.user,

From f4c31b28efcfd94221cd058c206446dff027d346 Mon Sep 17 00:00:00 2001
From: Jari Voutilainen
Date: Thu, 10 Mar 2016 13:59:46 +0200
Subject: [PATCH 5/5] added some tests

---
 ckan/tests/controllers/test_user.py | 31 +++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/ckan/tests/controllers/test_user.py b/ckan/tests/controllers/test_user.py
index b7e8fe7bdb8..fc3198ff74f 100644
--- a/ckan/tests/controllers/test_user.py
+++ b/ckan/tests/controllers/test_user.py
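Review bot: `email_changed` compares the submitted address with `c.userobj.email`, the logged-in user's own record, rather than with the account identified by `id` that this form is saving, so when the logged-in user edits a different account (a sysadmin, presumably) the comparison is against the wrong email: the old password is demanded whenever the two accounts' addresses differ and, if they happen to coincide, the change goes through without it. Looking the edited user up by `id` and comparing against that record's email, or limiting the requirement to the case where `c.user` is the edited account, would tie the check to the account actually being changed. `data_dict['email']` is also a bare index, so a form posted without that field raises KeyError instead of being treated as a changed address; `data_dict.get('email')` keeps the conservative outcome (a missing field still triggers the password check). This guard lives in the web controller only — if the same attribute can also be set through the `user_update` action, that path does not pass through this check and should be confirmed separately. `_save_edit` begins before and ends after the hunk.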
@@ -246,6 +246,37 @@ def test_edit_user(self):
 assert_equal(user.about, 'new about')
 assert_equal(user.activity_streams_email_notifications, True)
 
+ def test_email_change_without_password(self):
+
+ app = self._get_test_app()
+ env, response, user = _get_user_edit_page(app)
+
+ form = response.forms['user-edit-form']
+
+ # new values
+ form['email'] = 'new@example.com'
+
+ # factory returns user with password 'pass'
+ form.fields['old_password'][0].value = 'wrong-pass'
+
+ response = webtest_submit(form, 'save', status=200, extra_environ=env)
+ assert_true('Old Password: incorrect password' in response)
+
+ def test_email_change_with_password(self):
+ app = self._get_test_app()
+ env, response, user = _get_user_edit_page(app)
+
+ form = response.forms['user-edit-form']
+
+ # new values
+ form['email'] = 'new@example.com'
+
+ # factory returns user with password 'pass'
+ form.fields['old_password'][0].value = 'pass'
+
+ response = submit_and_follow(app, form, env, 'save')
+ assert_true('Profile updated' in response)
+
 def test_perform_reset_for_key_change(self):
 password = 'password'
 params = {'password1': password, 'password2': password}
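Review bot: Neither new test asserts on the stored email after the submit, so `test_email_change_with_password` passes even if the address is silently not persisted and `test_email_change_without_password` passes even if the rejected submission still updated it; `user` is unpacked in both tests and never used, and re-fetching that account after the submit and asserting its email equals `'new@example.com'` in the first case and is unchanged in the second would pin the behaviour the controller change is meant to guarantee. A third case is worth adding: submit the form with the email left as-is and `old_password` empty, asserting that no `'Old Password: incorrect password'` message appears, since that regression (demanding the password on every profile edit) is exactly what the `email_changed` comparison exists to avoid. Stylistically, the first test opens with a blank line after its `def` while the second does not; drop the stray blank line so the two read alike.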