users: refactor change password page.

* Fix users being redirected back to the change password page after
  successfully changing their password.
* Move passwords controller out of /maintenance/ namespace.
* Add tests.

app/controllers/maintenance/user/passwords_controller.rb

@@ -1,9 +0,0 @@
-module Maintenance
-  module User
-    class PasswordsController < ApplicationController
-      def edit
-        @user = CurrentUser.user
-      end
-    end
-  end
-end

app/controllers/passwords_controller.rb

@@ -0,0 +1,31 @@
+class PasswordsController < ApplicationController
+  before_action :member_only
+  respond_to :html, :xml, :json
+
+  def edit
+    @user = User.find(params[:user_id])
+    check_privilege(@user)
+
+    respond_with(@user)
+  end
+
+  def update
+    @user = User.find(params[:user_id])
+    check_privilege(@user)
+
+    @user.update(user_params)
+    flash[:notice] = @user.errors.none? ? "Password updated" : @user.errors.full_messages.join("; ")
+
+    respond_with(@user, location: @user)
+  end
+
+  private
+
+  def check_privilege(user)
+    raise User::PrivilegeError unless user.id == CurrentUser.id || CurrentUser.is_admin?
+  end
+
+  def user_params
+    params.require(:user).permit(%i[old_password password password_confirmation])
+  end
+end

app/views/maintenance/user/passwords/edit.html.erb

@@ -1,13 +0,0 @@
-<% page_title "Change Password" %>
-
-<div id="c-maintenance-user-passwords">
-  <div id="a-edit">
-    <h1>Change Password</h1>
-
-    <%= edit_form_for @user do |f| %>
-      <%= f.input :old_password, :as => :password, :input_html => {:autocomplete => "off"} %>
-      <%= f.input :password, :label => "New password", :input_html => {:autocomplete => "off"} %>
-      <%= f.button :submit, "Submit" %>
-    <% end %>
-  </div>
-</div>

app/views/passwords/edit.html.erb

@@ -0,0 +1,14 @@
+<% page_title "Change Password" %>
+
+<div id="c-passwords">
+  <div id="a-edit">
+    <h1>Change Password</h1>
+
+    <%= edit_form_for(@user, url: user_password_path(@user)) do |f| %>
+      <%= f.input :old_password, as: :password, hint: "Re-enter your current password." %>
+      <%= f.input :password, label: "New password", hint: "Must be at least 5 characters long." %>
+      <%= f.input :password_confirmation, label: "Confirm new password" %>
+      <%= f.submit "Save" %>
+    <% end %>
+  </div>
+</div>

config/routes.rb

@@ -246,7 +246,7 @@ Rails.application.routes.draw do
   end
   resources :users do
     resources :favorite_groups, controller: "favorite_groups", only: [:index], as: "favorite_groups"
-    resource :password, :only => [:edit], :controller => "maintenance/user/passwords"
+    resource :password, only: [:edit, :update]
     resource :api_key, :only => [:show, :view, :update, :destroy], :controller => "maintenance/user/api_keys" do
       post :view
     end

test/functional/passwords_controller_test.rb

@@ -0,0 +1,26 @@
+require 'test_helper'
+
+class PasswordsControllerTest < ActionDispatch::IntegrationTest
+  context "The passwords controller" do
+    setup do
+      @user = create(:user, password: "12345")
+    end
+
+    context "edit action" do
+      should "work" do
+        get_auth edit_user_password_path(@user), @user
+        assert_response :success
+      end
+    end
+
+    context "update action" do
+      should "work" do
+        put_auth user_password_path(@user), @user, params: { user: { old_password: "12345", password: "abcde", password_confirmation: "abcde" } }
+
+        assert_redirected_to user_path(@user)
+        assert_equal(nil, User.authenticate(@user.name, "12345"))
+        assert_equal(@user, User.authenticate(@user.name, "abcde"))
+      end
+    end
+  end
+end