# HG changeset patch
# User Martin Bornhold
# Date 2016-07-22 10:57:51
# Node ID 930b0a4d7a2571b3f8bc1ca23845582c7b497b87
# Parent 5cfdb31bf841ee6e6380acb63c01d12cd0c6bf20
auth: Fix password_changed function, fixes #4043. Never repot a changed password for default or anonymous users. If anonymous access is disabled we don't get the default user here so we also have to check if it is the anonymous user. In both cases (default user and anonymous user) we can skip the password change check and return False.
diff --git a/rhodecode/lib/utils.py b/rhodecode/lib/utils.py
--- a/rhodecode/lib/utils.py
+++ b/rhodecode/lib/utils.py
@@ -958,8 +958,10 @@ class PartialRenderer(object):
 def password_changed(auth_user, session):
- if auth_user.username == User.DEFAULT_USER:
+ # Never report password change in case of default user or anonymous user.
+ if auth_user.username == User.DEFAULT_USER or auth_user.user_id is None:
 return False
+
 password_hash = md5(auth_user.password) if auth_user.password else None
 rhodecode_user = session.get('rhodecode_user', {})
 session_password_hash = rhodecode_user.get('password', '')
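Review bot: The added `auth_user.user_id is None` condition in `password_changed` makes every user object without an id skip the password comparison, so it should be confirmed that `user_id` is `None` only for the anonymous user and never for an authenticated user whose record was not fully loaded. If callers use this result to drop sessions after a password change (not visible here), such a user would keep a stale session. The in-code comment says what is skipped but not why the second condition exists; the reason from the commit message belongs next to the check, e.g. `# With anonymous access disabled we do not get the default user here; the anonymous user has no user_id.` A regression test for the anonymous-access-disabled path is not visible in this patch and would pin the behaviour. The function body continues past the end of the hunk.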