fix: #12754, throw if currentPwd == newPwd

public/language/en-GB/user.json

@@ -81,6 +81,7 @@
 	"change-password": "Change Password",
 	"change-password-error": "Invalid Password!",
 	"change-password-error-wrong-current": "Your current password is not correct!",
+	"change-password-error-same-password": "Your new password matches your current password, please use a new password.",
 	"change-password-error-match": "Passwords must match!",
 	"change-password-error-privileges": "You do not have the rights to change this password.",
 	"change-password-success": "Your password is updated!",

src/user/profile.js

@@ -317,6 +317,9 @@ module.exports = function (User) {
 			if (!correct) {
 				throw new Error('[[user:change-password-error-wrong-current]]');
 			}
+			if (data.currentPassword === data.newPassword) {
+				throw new Error('[[user:change-password-error-same-password]]');
+			}
 		}
 
 		const hashedPassword = await User.hashPassword(data.newPassword);

test/user.js

@@ -776,6 +776,18 @@ describe('User', () => {
 			assert(correct);
 		});
 
+		it('should not let user change their password to their current password', async () => {
+			const uid = await User.create({ username: 'changepasswordsame', password: '123456' });
+			await assert.rejects(
+				apiUser.changePassword({ uid: uid }, {
+					uid: uid,
+					newPassword: '123456',
+					currentPassword: '123456',
+				}),
+				{ message: '[[user:change-password-error-same-password]]' },
+			);
+		});
+
 		it('should not let user change another user\'s password', async () => {
 			const regularUserUid = await User.create({ username: 'regularuserpwdchange', password: 'regularuser1234' });
 			const uid = await User.create({ username: 'changeadminpwd1', password: '123456' });