Ask user for old password when changing password

This is accomplished by using PasswordChangeForm instead of SetPasswordForm.

This adds extra security, as without this commit, an attacker that has access to
a user's session at one point in time will be able to change the user's password
and gain permanent access.
pull/2386/head
Math1985 2016-03-01 01:34:24 +01:00 committed by Tim Heap
parent 6fde6863c5
commit 03cba5b91c
5 changed files with 7 additions and 3 deletions

View file

@ -7,6 +7,7 @@ Changelog
* Moved lesser-user actions in the page explorer into a 'More' dropdown
* Added a hook `register_page_listing_buttons` for adding action buttons to the page explorer
* Added a hook `insert_global_admin_js` for inserting custom JavaScript throughout the admin backend (Tom Dyson)
* Use `PasswordChangeForm` when user changes their password, requiring the user to enter their current password (Matthijs Melissen)
1.4.1 (17.03.2016)
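Review bot: the changelog line describes the behaviour change but not why it matters; since the commit message frames this as a security fix (a hijacked session can no longer be turned into a permanent password change), consider stating that in the entry, e.g. `* Use PasswordChangeForm when user changes their password, requiring the user to enter their current password so that a stolen session cannot be used to set a new password (Matthijs Melissen)`.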

View file

@ -116,6 +116,7 @@ Contributors
* Juha Kujala
* Eirik Krogstad
* Rob Moorman
* Matthijs Melissen
Translators
===========

View file

@ -16,6 +16,7 @@ Minor features
* Moved lesser-user actions in the page explorer into a 'More' dropdown
* Added a hook :ref:`register_page_listing_buttons` for adding action buttons to the page explorer
* Added a hook :ref:`insert_global_admin_js` for inserting custom JavaScript throughout the admin backend (Tom Dyson)
* Use `PasswordChangeForm` when user changes their password, requiring the user to enter their current password (Matthijs Melissen)
Upgrade considerations
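Review bot: this hunk adds the note to "Minor features" only, but the change is user-visible to anyone overriding the change-password template: the form now carries an `old_password` field (see the test data in this commit), and a custom template that renders `new_password1` and `new_password2` by name will never submit it, so the form will always fail validation. Consider adding a line under the "Upgrade considerations" section that follows, telling projects with a customised change-password template to render the new field (or to iterate over the form's fields).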

View file

@ -206,6 +206,7 @@ class TestAccountSection(TestCase, WagtailTestUtils):
"""
# Post new password to change password page
post_data = {
'old_password': 'password',
'new_password1': 'newpassword',
'new_password2': 'newpassword',
}
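Review bot: the test only exercises the success path by adding `'old_password': 'password'` to the existing post data, so it would still pass if the old-password check were silently dropped. The property this commit claims (a password change requires the current password) deserves its own test: post the same data with a wrong `old_password`, assert the response re-renders the form with an error rather than redirecting, and assert that the user's password is unchanged via `check_password`.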

View file

@ -4,7 +4,7 @@ from django.conf import settings
from django.contrib import messages
from django.contrib.auth import views as auth_views
from django.contrib.auth import update_session_auth_hash
from django.contrib.auth.forms import SetPasswordForm
from django.contrib.auth.forms import PasswordChangeForm
from django.http import Http404
from django.shortcuts import redirect, render
from django.utils.translation import ugettext as _
@ -49,7 +49,7 @@ def change_password(request):
if can_change_password:
if request.POST:
form = SetPasswordForm(request.user, request.POST)
form = PasswordChangeForm(request.user, request.POST)
if form.is_valid():
form.save()
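Review bot: `if request.POST:` tests the truthiness of the POST QueryDict, so a POST with no fields falls through to the unbound-form branch instead of reporting validation errors; `if request.method == 'POST':` is the conventional check and would be a cheap cleanup while this line is being touched. The swap itself is sound: `PasswordChangeForm` takes the same `(user, data)` arguments as `SetPasswordForm` and adds the `old_password` field with a `clean_old_password` check, and `update_session_auth_hash` (still imported above) remains necessary after `form.save()` so the current session is not logged out by the hash change.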
@ -58,7 +58,7 @@ def change_password(request):
messages.success(request, _("Your password has been changed successfully!"))
return redirect('wagtailadmin_account')
else:
form = SetPasswordForm(request.user)
form = PasswordChangeForm(request.user)
else:
form = None
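Review bot: the unbound form now has an extra `old_password` field, but none of the five changed files is a template, so the view relies on the change-password template rendering the form generically. Please confirm in review that it does (for example by looping over the form's fields or using a form-rendering helper) rather than emitting `new_password1` and `new_password2` explicitly; otherwise the field is never shown, the submitted data never includes it, and every password change now fails validation.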