FEATURE: Log password changes in UserHistory (#6600)

app/controllers/users_controller.rb

@@ -497,6 +497,11 @@ class UsersController < ApplicationController
           Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
           secure_session["password-#{token}"] = nil
           secure_session["second-factor-#{token}"] = nil
+          UserHistory.create!(
+            target_user: @user,
+            acting_user: @user,
+            action: UserHistory.actions[:change_password]
+          )
           logon_after_password_reset
         end
       end

app/models/user_history.rb

@@ -82,7 +82,8 @@ class UserHistory < ActiveRecord::Base
       removed_unsuspend_user: 63,
       post_rejected: 64,
       merge_user: 65,
-      entity_export: 66
+      entity_export: 66,
+      change_password: 67
     )
   end
 

spec/requests/users_controller_spec.rb

@@ -235,6 +235,22 @@ describe UsersController do
         expect(response).to redirect_to(wizard_path)
       end
 
+      it "logs the password change" do
+        user = Fabricate(:admin)
+        UserAuthToken.generate!(user_id: user.id)
+        token = user.email_tokens.create(email: user.email).token
+        get "/u/password-reset/#{token}"
+
+        expect do
+          put "/u/password-reset/#{token}", params: { password: 'hg9ow8yhg98oadminlonger' }
+        end.to change { UserHistory.count }.by (1)
+
+        entry = UserHistory.last
+
+        expect(entry.target_user_id).to eq(user.id)
+        expect(entry.action).to eq(UserHistory.actions[:change_password])
+      end
+
       it "doesn't invalidate the token when loading the page" do
         user = Fabricate(:user)
         user_token = UserAuthToken.generate!(user_id: user.id)