Add a requirement for the current password to change the user's password or email address

test/test_api_usage.py

@@ -172,14 +172,14 @@ class TestCSRFFailure(ApiTestCase):
 
     # Make sure a simple post call succeeds.
     self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool'))    
+                         data=dict(password='newpasswordiscool', current_password='password'))    
 
     # Change the session's CSRF token.
     self.setCsrfToken('someinvalidtoken')
     
     # Verify that the call now fails.
     self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool'),
+                         data=dict(password='newpasswordiscool', current_password='password'),
                          expected_code=403)
 
 
@@ -325,8 +325,28 @@ class TestChangeUserDetails(ApiTestCase):
   def test_changepassword(self):
     self.login(READ_ACCESS_USER)
     self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool'))
+                         data=dict(password='newpasswordiscool', current_password='password'))
     self.login(READ_ACCESS_USER, password='newpasswordiscool')
+
+  def test_changepassword_invalidpasswor(self):
+    self.login(READ_ACCESS_USER)
+    self.putJsonResponse(User,
+                         data=dict(password='newpasswordiscool', current_password='notcorrect'),
+                         expected_code=400)
+
+  def test_changeeemail(self):
+    self.login(READ_ACCESS_USER)
+
+    self.putJsonResponse(User,
+                         data=dict(email='test+foo@devtable.com', current_password='password'))
+
+  def test_changeeemail_invalidpassword(self):
+    self.login(READ_ACCESS_USER)
+
+    self.putJsonResponse(User,
+                         data=dict(email='test+foo@devtable.com', current_password='notcorrect'),
+                         expected_code=400)
+
     
   def test_changeinvoiceemail(self):
     self.login(READ_ACCESS_USER)