From c04b214910548f00624624eb156c8877719648d4 Mon Sep 17 00:00:00 2001 From: Neil Lalonde Date: Fri, 27 Feb 2015 13:47:43 -0500 Subject: [PATCH] FEATURE: don't allow username and email to be the same --- .../discourse/controllers/create-account.js.es6 | 9 ++++++++- config/locales/client.en.yml | 1 + config/locales/server.en.yml | 1 + lib/validators/password_validator.rb | 2 ++ spec/components/validators/password_validator_spec.rb | 7 +++++++ test/javascripts/controllers/create-account-test.js.es6 | 2 ++ 6 files changed, 21 insertions(+), 1 deletion(-) diff --git a/app/assets/javascripts/discourse/controllers/create-account.js.es6 b/app/assets/javascripts/discourse/controllers/create-account.js.es6 index 6f0c04ce0..03dc3d4f6 100644 --- a/app/assets/javascripts/discourse/controllers/create-account.js.es6 +++ b/app/assets/javascripts/discourse/controllers/create-account.js.es6 @@ -317,12 +317,19 @@ export default DiscourseController.extend(ModalFunctionality, { }); } + if (!this.blank('accountEmail') && this.get('accountPassword') === this.get('accountEmail')) { + return Discourse.InputValidation.create({ + failed: true, + reason: I18n.t('user.password.same_as_email') + }); + } + // Looks good! return Discourse.InputValidation.create({ ok: true, reason: I18n.t('user.password.ok') }); - }.property('accountPassword', 'rejectedPasswords.@each'), + }.property('accountPassword', 'rejectedPasswords.@each', 'accountUsername', 'accountEmail'), fetchConfirmationValue: function() { var createAccountController = this; diff --git a/config/locales/client.en.yml b/config/locales/client.en.yml index f4a78849c..80cc8e970 100644 --- a/config/locales/client.en.yml +++ b/config/locales/client.en.yml 
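Review bot: The new check in the password validation property uses strict equality, `this.get('accountPassword') === this.get('accountEmail')`, so a password that differs from the typed email only in letter case or surrounding whitespace is still reported as good. The server-side branch added in lib/validators/password_validator.rb (`value == record.email`) is also an exact match, so the gap presumably exists on both sides; whether the email is normalised before it is stored is not visible here. Consider comparing normalised values, e.g. `this.get('accountPassword').toLowerCase() === this.get('accountEmail').trim().toLowerCase()`, and mirroring that in the validator. The property function begins outside the hunk, so this assumes the earlier guards have already rejected a blank password.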
@@ -515,6 +515,7 @@ en: too_short: "Your password is too short." common: "That password is too common." same_as_username: "Your password is the same as your username." + same_as_email: "Your password is the same as your email." ok: "Your password looks good." instructions: "At least %{count} characters." diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 3431c329d..0fa0f7694 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -293,6 +293,7 @@ en: password: common: "is one of the 10000 most common passwords. Please use a more secure password." same_as_username: "is the same as your username. Please use a more secure password." + same_as_email: "is the same as your email. Please use a more secure password." ip_address: signup_not_allowed: "Signup is not allowed from this account." color_scheme_color: diff --git a/lib/validators/password_validator.rb b/lib/validators/password_validator.rb index 5bfa2e810..cb7cb457e 100644 --- a/lib/validators/password_validator.rb +++ b/lib/validators/password_validator.rb @@ -10,6 +10,8 @@ class PasswordValidator < ActiveModel::EachValidator record.errors.add(attribute, :too_short, count: SiteSetting.min_password_length) elsif record.username.present? && value == record.username record.errors.add(attribute, :same_as_username) + elsif record.username.present? && value == record.email + record.errors.add(attribute, :same_as_email) elsif SiteSetting.block_common_passwords && CommonPasswords.common_password?(value) record.errors.add(attribute, :common) end diff --git a/spec/components/validators/password_validator_spec.rb b/spec/components/validators/password_validator_spec.rb index 484db2782..cc328421f 100644 --- a/spec/components/validators/password_validator_spec.rb +++ b/spec/components/validators/password_validator_spec.rb 
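Review bot: The new branch `elsif record.username.present? && value == record.email` in password_validator.rb guards on the username rather than the email, which looks like a copy of the line above it. A record with a blank username and a password equal to its email skips the check. The client-side counterpart in create-account.js.es6 guards on `accountEmail`, so the two sides disagree. The guard should read `elsif record.email.present? && value == record.email`, with a spec example for a record that has no username. The validator method starts and ends outside the hunk.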
@@ -79,6 +79,13 @@ describe PasswordValidator do validate expect(record.errors[:password]).to be_present end + + it "adds an error when password is the same as the email" do + @password = "pork@chops.com" + record.email = @password + validate + expect(record.errors[:password]).to be_present + end end context "password not required" do diff --git a/test/javascripts/controllers/create-account-test.js.es6 b/test/javascripts/controllers/create-account-test.js.es6 index 8aca55f68..ab3244915 100644 --- a/test/javascripts/controllers/create-account-test.js.es6 +++ b/test/javascripts/controllers/create-account-test.js.es6 @@ -28,6 +28,7 @@ test('passwordValidation', function() { var controller = subject(); controller.set('passwordRequired', true); + controller.set('accountEmail', 'pork@chops.com'); controller.set('accountUsername', 'porkchops'); controller.set('prefilledUsername', 'porkchops'); @@ -45,4 +46,5 @@ test('passwordValidation', function() { testInvalidPassword('', undefined); testInvalidPassword('x', I18n.t('user.password.too_short')); testInvalidPassword('porkchops', I18n.t('user.password.same_as_username')); + testInvalidPassword('pork@chops.com', I18n.t('user.password.same_as_email')); });
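Review bot: The added example in password_validator_spec.rb asserts only `expect(record.errors[:password]).to be_present`, which passes when any password rule rejects "pork@chops.com", so it does not prove the same_as_email branch is the one that ran. Pin the error to the new key, for instance `expect(record.errors.added?(:password, :same_as_email)).to eq(true)`, if `record.errors` is an ActiveModel::Errors object (the record setup is outside the hunk). The preceding example visible in the context lines has the same shape. The JavaScript test in this commit already checks the exact reason string.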