fix: prevent user from setting same password on forced reset (#37652)

Co-authored-by: UmakanthKaspa <kaspaumakanth1999@gmail.com>

frappe/core/doctype/user/user.py

@@ -36,7 +36,7 @@ from frappe.utils import (
 )
 from frappe.utils.data import sha256_hash
 from frappe.utils.html_utils import sanitize_html
-from frappe.utils.password import check_password, get_password_reset_limit
+from frappe.utils.password import check_password, get_password_reset_limit, is_password_reused
 from frappe.utils.password import update_password as _update_password
 from frappe.utils.user import get_system_managers
 from frappe.website.utils import get_home_page, is_signup_disabled
@@ -929,6 +929,14 @@ def update_password(
 	else:
 		user = res["user"]
 
+	if is_password_reused(user, new_password):
+		frappe.throw(
+			_(
+				"New password cannot be the same as your current password. Please choose a different password."
+			),
+			title=_("Invalid Password"),
+		)
+
 	logout_all_sessions = cint(logout_all_sessions) or frappe.get_system_settings("logout_on_password_reset")
 	_update_password(user, new_password, logout_all_sessions=cint(logout_all_sessions))
 

frappe/utils/password.py

@@ -80,6 +80,24 @@ def remove_encrypted_password(doctype, name, fieldname="password"):
 	frappe.db.delete("__Auth", {"doctype": doctype, "name": name, "fieldname": fieldname})
 
 
+def is_password_reused(user, pwd, doctype="User", fieldname="password"):
+	"""Return True if pwd matches the stored password for user, else False."""
+	result = (
+		frappe.qb.from_(Auth)
+		.select(Auth.password)
+		.where(
+			(Auth.doctype == doctype)
+			& (Auth.name == user)
+			& (Auth.fieldname == fieldname)
+			& (Auth.encrypted == 0)
+		)
+		.limit(1)
+		.run(as_dict=True)
+	)
+
+	return bool(result and passlibctx.verify(pwd, result[0].password))
+
+
 def check_password(user, pwd, doctype="User", fieldname="password", delete_tracker_cache=True):
 	"""Checks if user and password are correct, else raises frappe.AuthenticationError"""