UPC · frankiejol · Jan 12, 2026 · Jan 12, 2026 · Jan 12, 2026 · Copilot
diff --git a/lib/Ravada/Auth/SQL.pm b/lib/Ravada/Auth/SQL.pm
@@ -556,10 +556,9 @@ Arguments: password
 
 =cut
 
-sub change_password {
-    my $self = shift;
-    my $password = shift or die "ERROR: password required\n";
-    my ($force_change_password) = @_;
+sub change_password($self, $password, $force_change_password=0) {
+    die "ERROR: password required\n"
+    if !defined $password || !length($password);
 
     _init_connector();
 
@@ -570,14 +569,18 @@ sub change_password {
     }
 
     my $sth;
-    if (defined($force_change_password)) {
-        $sth= $$CON->dbh->prepare("UPDATE users set password=?, change_password=?"
-            ." WHERE name=?");
-        $sth->execute(sha1_hex($password), $force_change_password ? 1 : 0, $self->name);
-    } else {
-        my $sth= $$CON->dbh->prepare("UPDATE users set password=?"
-            ." WHERE name=?");
-        $sth->execute(sha1_hex($password), $self->name);
+    $sth= $$CON->dbh->prepare("UPDATE users "
+        ." set password=?, change_password=?, password_expiration_date=?"
+            ." WHERE id=?");
+    $sth->execute(sha1_hex($password), ($force_change_password or 0) ,0, $self->id);
+
+    # Keep the in-memory user data in sync with the database after a password change.
+    if (exists $self->{_data} && ref($self->{_data}) eq 'HASH') {
+        # Safely unlock and relock the hash if it is locked.
+        eval { unlock_hash(%{ $self->{_data} }) };
+        $self->{_data}->{change_password}           = ($force_change_password or 0);
+        $self->{_data}->{password_expiration_date}  = 0;
+        eval { lock_hash(%{ $self->{_data} }) };
     }
 }
 

diff --git a/t/mojo/40_security_policy.t b/t/mojo/40_security_policy.t
@@ -21,7 +21,6 @@ my $SECONDS_TIMEOUT = 15;
 my $t;
 
 my $URL_LOGOUT = '/logout';
-my ($USERNAME, $PASSWORD) = (user_admin->name, "$$ $$");
 my $SCRIPT = path(__FILE__)->dirname->sibling('../script/rvd_front');
 
 $ENV{MOJO_MODE} = 'devel';
@@ -31,6 +30,8 @@ like($connector->{driver} , qr/mysql/i) or BAIL_OUT;
 
 $Test::Ravada::BACKGROUND=1;
 
+my ($USERNAME, $PASSWORD) = (user_admin->name, "$$ $$");
+
 $t = Test::Mojo->new($SCRIPT);
 $t->ua->inactivity_timeout(900);
 $t->ua->connect_timeout(60);

diff --git a/t/user/50_admin.t b/t/user/50_admin.t
@@ -48,6 +48,19 @@ sub test_default_admin {
     eval { $user2= Ravada::Auth::login('admin','admin');};
     like($@, qr/Password expired/, "Expected error message");
     ok(!$user2);
+
+    $user->password_expiration_date(time+300);
+    eval { $user2= Ravada::Auth::login('admin','admin');};
+    ok($user2);
+
+    my $p = "newnew";
+    $user2->change_password($p);
+
+    eval { $user2= Ravada::Auth::login('admin',$p);};
+    ok($user2);
+    is($user2->password_expiration_date(),0);
+    is($user2->password_will_be_changed(),0);
+
 }
 
 ################################################################