magento
diff --git a/‎app/code/Magento/User/Model/ResourceModel/User.php
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/User/Model/ResourceModel/User.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/User/Model/User.php
Lines changed: 31 additions & 4 deletions b/‎app/code/Magento/User/Model/User.php
Lines changed: 31 additions & 4 deletions
diff --git a/‎app/code/Magento/User/Observer/Backend/CheckAdminPasswordChangeObserver.php
Lines changed: 0 additions & 82 deletions b/‎app/code/Magento/User/Observer/Backend/CheckAdminPasswordChangeObserver.php
Lines changed: 0 additions & 82 deletions
diff --git a/‎app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/User/Test/Unit/Model/UserTest.php
Lines changed: 100 additions & 0 deletions b/‎app/code/Magento/User/Test/Unit/Model/UserTest.php
Lines changed: 100 additions & 0 deletions
@@ -539,7 +539,7 @@ public function getOldPasswords($user, $retainLimit = 4)
         $userId = (int)$user->getId();
         $table = $this->getTable('admin_passwords');
 
-        // purge expired passwords, except that should retain
+        // purge expired passwords, except those which should be retained
         $retainPasswordIds = $this->getConnection()->fetchCol(
             $this->getConnection()
                 ->select()
@@ -556,7 +556,7 @@ public function getOldPasswords($user, $retainLimit = 4)
         }
         $this->getConnection()->delete($table, $where);
 
-        // now get all remained passwords
+        // get all remaining passwords
         return $this->getConnection()->fetchCol(
             $this->getConnection()
                 ->select()
 
@@ -256,9 +256,9 @@ protected function _getValidationRulesBeforeSave()
     }
 
     /**
-     * Validate customer attribute values.
-     * For existing customer password + confirmation will be validated only when password is set
-     * (i.e. its change is requested)
+     * Validate admin user data.
+     *
+     * Existing user password confirmation will be validated only when password is set
      *
      * @return bool|string[]
      */
@@ -272,8 +272,35 @@ public function validate()
             return $validator->getMessages();
         }
 
-        return true;
+        return $this->validatePasswordChange();
+    }
+
+    /**
+     * Make sure admin password was changed.
+     *
+     * New password is compared to at least 4 previous passwords to prevent setting them again
+     *
+     * @return bool|string[]
+     */
+    protected function validatePasswordChange()
+    {
+        $password = $this->getPassword();
+        if ($password && !$this->getForceNewPassword() && $this->getId()) {
+            $errorMessage = __('Sorry, but this password has already been used. Please create another.');
+            // Check if password is equal to the current one
+            if ($this->_encryptor->isValidHash($password, $this->getOrigData('password'))) {
+                return [$errorMessage];
+            }
 
+            // Check whether password was used before
+            $passwordHash = $this->_encryptor->getHash($password, false);
+            foreach ($this->getResource()->getOldPasswords($this) as $oldPasswordHash) {
+                if ($passwordHash === $oldPasswordHash) {
+                    return [$errorMessage];
+                }
+            }
+        }
+        return true;
     }
 
     /**
 
@@ -71,7 +71,7 @@ public function __construct(
     }
 
     /**
-     * Save new admin password
+     * Save current admin password to prevent its usage when changed in the future.
      *
      * @param EventObserver $observer
      * @return void
@@ -81,7 +81,7 @@ public function execute(EventObserver $observer)
         /* @var $user \Magento\User\Model\User */
         $user = $observer->getEvent()->getObject();
         if ($user->getId()) {
-            $password = $user->getNewPassword();
+            $password = $user->getCurrentPassword();
             $passwordLifetime = $this->observerConfig->getAdminPasswordLifetime();
             if ($passwordLifetime && $password && !$user->getForceNewPassword()) {
                 $passwordHash = $this->encryptor->getHash($password, false);
 
@@ -610,4 +610,104 @@ public function testIsResetPasswordLinkTokenExpiredIsNotExpiredToken()
         $this->userDataMock->expects($this->once())->method('getResetPasswordLinkExpirationPeriod')->willReturn(1);
         $this->assertFalse($this->model->isResetPasswordLinkTokenExpired());
     }
+
+    public function testCheckPasswordChangeEqualToCurrent()
+    {
+        /** @var $validatorMock \Magento\Framework\Validator\DataObject|\PHPUnit_Framework_MockObject_MockObject */
+        $validatorMock = $this->getMockBuilder('Magento\Framework\Validator\DataObject')
+            ->disableOriginalConstructor()
+            ->setMethods([])
+            ->getMock();
+        $this->validatorObjectFactoryMock->expects($this->once())->method('create')->willReturn($validatorMock);
+        $this->validationRulesMock->expects($this->once())
+            ->method('addUserInfoRules')
+            ->with($validatorMock);
+        $validatorMock->expects($this->once())->method('isValid')->willReturn(true);
+
+        $newPassword = "NEWmYn3wpassw0rd";
+        $oldPassword = "OLDmYn3wpassw0rd";
+        $this->model->setPassword($newPassword)
+            ->setId(1)
+            ->setOrigData('password', $oldPassword);
+        $this->encryptorMock->expects($this->once())
+            ->method('isValidHash')
+            ->with($newPassword, $oldPassword)
+            ->willReturn(true);
+        $result = $this->model->validate();
+        $this->assertInternalType('array', $result);
+        $this->assertCount(1, $result);
+        $this->assertContains("Sorry, but this password has already been used.", (string)$result[0]);
+    }
+
+    public function testCheckPasswordChangeEqualToPrevious()
+    {
+        /** @var $validatorMock \Magento\Framework\Validator\DataObject|\PHPUnit_Framework_MockObject_MockObject */
+        $validatorMock = $this->getMockBuilder('Magento\Framework\Validator\DataObject')
+            ->disableOriginalConstructor()
+            ->setMethods([])
+            ->getMock();
+        $this->validatorObjectFactoryMock->expects($this->once())->method('create')->willReturn($validatorMock);
+        $this->validationRulesMock->expects($this->once())
+            ->method('addUserInfoRules')
+            ->with($validatorMock);
+        $validatorMock->expects($this->once())->method('isValid')->willReturn(true);
+
+        $newPassword = "NEWmYn3wpassw0rd";
+        $newPasswordHash = "new password hash";
+        $oldPassword = "OLDmYn3wpassw0rd";
+        $this->model->setPassword($newPassword)
+            ->setId(1)
+            ->setOrigData('password', $oldPassword);
+        $this->encryptorMock->expects($this->once())
+            ->method('isValidHash')
+            ->with($newPassword, $oldPassword)
+            ->willReturn(false);
+
+        $this->encryptorMock->expects($this->once())
+            ->method('getHash')
+            ->with($newPassword, false)
+            ->willReturn($newPasswordHash);
+
+        $this->resourceMock->expects($this->once())->method('getOldPasswords')->willReturn(['hash1', $newPasswordHash]);
+
+        $result = $this->model->validate();
+        $this->assertInternalType('array', $result);
+        $this->assertCount(1, $result);
+        $this->assertContains("Sorry, but this password has already been used.", (string)$result[0]);
+    }
+
+    public function testCheckPasswordChangeValid()
+    {
+        /** @var $validatorMock \Magento\Framework\Validator\DataObject|\PHPUnit_Framework_MockObject_MockObject */
+        $validatorMock = $this->getMockBuilder('Magento\Framework\Validator\DataObject')
+            ->disableOriginalConstructor()
+            ->setMethods([])
+            ->getMock();
+        $this->validatorObjectFactoryMock->expects($this->once())->method('create')->willReturn($validatorMock);
+        $this->validationRulesMock->expects($this->once())
+            ->method('addUserInfoRules')
+            ->with($validatorMock);
+        $validatorMock->expects($this->once())->method('isValid')->willReturn(true);
+
+        $newPassword = "NEWmYn3wpassw0rd";
+        $newPasswordHash = "new password hash";
+        $oldPassword = "OLDmYn3wpassw0rd";
+        $this->model->setPassword($newPassword)
+            ->setId(1)
+            ->setOrigData('password', $oldPassword);
+        $this->encryptorMock->expects($this->once())
+            ->method('isValidHash')
+            ->with($newPassword, $oldPassword)
+            ->willReturn(false);
+
+        $this->encryptorMock->expects($this->once())
+            ->method('getHash')
+            ->with($newPassword, false)
+            ->willReturn($newPasswordHash);
+
+        $this->resourceMock->expects($this->once())->method('getOldPasswords')->willReturn(['hash1', 'hash2']);
+
+        $result = $this->model->validate();
+        $this->assertTrue($result);
+    }
 }