ZF-Commons / ZfcUser

A generic user registration and authentication module for ZF2. Supports Zend\Db and Doctrine2. (Formerly EdpUser)
BSD 3-Clause "New" or "Revised" License

Error message is not set if the current password is incorrect while changing password #618

Closed mesaugat closed 7 years ago

mesaugat commented 8 years ago

While changing the password, if the user does not input his/her current password correctly, it just redirects to the change-password route. How are we supposed to know what happened? How can we set some error messages before redirection for this case?

if (!$bcrypt->verify($oldPass, $currentUser->getPassword())) {
    return false;
}

https://github.com/ZF-Commons/ZfcUser/blob/1.x/src/ZfcUser/Service/User.php#L117-L119

Similar situation for change-email: https://github.com/ZF-Commons/ZfcUser/blob/1.x/src/ZfcUser/Service/User.php#L138-L140

Rockstar04 commented 8 years ago

https://github.com/ZF-Commons/ZfcUser/blob/1.x/src/ZfcUser/Authentication/Adapter/Db.php#L118-L127

This looks like the issue with the code here. Line 124 should handle hashing the password...

What exact version of ZFCUser are you seeing this with? This is potentially a very big issue from a data security standpoint, aside from the fact that the user can no longer log in.

mesaugat commented 8 years ago

@Rockstar04 That is not what I am talking about. So let's say you are logged in and changing your password via the change password form:
1) You input your new password
2) You input your new password again
3) But you input your old password (current password) incorrectly

This will result in a redirect to the zfcuser/changepassword route when you submit the form. I think we should be triggering an event or setting some error messages when this happens so that when it redirects we know what went wrong.
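Added example, not code from the ZfcUser project, showing the shape of the fix this thread asks for: the service returns a result carrying the reason instead of a bare false, emits an event so the failed current-password check can be logged, and the controller queues the message before redirecting. password_verify()/password_hash(), the $emit callable and the $messages array are assumed stand-ins for Zend\Crypt\Password\Bcrypt, ZF2's EventManager and the FlashMessenger.

```php
<?php
// Added example, not ZfcUser's code: a change-password service that says why
// it failed instead of returning a bare false, so the controller can queue a
// message before redirecting and an observer can log the failed check.
// password_verify()/password_hash() stand in for Zend\Crypt\Password\Bcrypt;
// $emit stands in for ZF2's EventManager, $messages for the FlashMessenger.

final class ChangePasswordResult
{
    const OK            = 'ok';
    const WRONG_CURRENT = 'wrong_current_password';

    public $code;
    public $message;

    public function __construct($code, $message = '')
    {
        $this->code    = $code;
        $this->message = $message;
    }
}

function changePassword(array &$user, $currentPass, $newPass, callable $emit)
{
    if (!password_verify($currentPass, $user['password'])) {
        // Report the reason and emit an event so an audit log or rate limiter
        // can see repeated failures against one account.
        $emit('changePassword.wrongCurrent', array('user_id' => $user['id']));
        return new ChangePasswordResult(ChangePasswordResult::WRONG_CURRENT,
            'The current password you entered is incorrect.');
    }
    $user['password'] = password_hash($newPass, PASSWORD_BCRYPT);
    $emit('changePassword.post', array('user_id' => $user['id']));
    return new ChangePasswordResult(ChangePasswordResult::OK);
}

// Controller side: keep the message and the event trail, then redirect.
$messages = array();
$audit    = array();
$emit     = function ($name, array $p) use (&$audit) { $audit[] = $name . ':' . $p['user_id']; };

// Constructed sample account; the hash is generated here, not read from a database.
$user   = array('id' => 42, 'password' => password_hash('correct horse', PASSWORD_BCRYPT));
$result = changePassword($user, 'wrong guess', 'new-secret-123', $emit);
if ($result->code !== ChangePasswordResult::OK) {
    $messages[] = $result->message; // displayed after redirecting to zfcuser/changepassword
}
assert($messages === array('The current password you entered is incorrect.'));
assert($audit === array('changePassword.wrongCurrent:42'));
```

The message stays generic on purpose; the per-account detail goes to the event listener, not to the browser.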

Rockstar04 commented 8 years ago

Yup, I had multiple issues open and commented on the wrong one (meant to comment that on #611)... Go me! Sorry about that