From 59432fae0a0f60454f6f9538e8644bf96be40c92 Mon Sep 17 00:00:00 2001
From: Lanre Adelowo <yo@lanre.wtf>
Date: Sat, 21 Jul 2018 22:08:52 +0100
Subject: [PATCH] make sure users that don't have to view the form get
 redirected

---
 modules/context/auth.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/context/auth.go b/modules/context/auth.go
index 66d19a898..58cdc2cac 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -40,9 +40,16 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 			}
 
 			// prevent infinite redirection
+			// also make sure that the form cannot be accessed by
+			// users who don't need this
 			if ctx.Req.URL.Path == setting.AppSubURL+"/user/change_password" {
+				if !ctx.User.MustChangePassword {
+					ctx.Redirect(setting.AppSubURL + "/")
+				}
 				return
-			} else if ctx.User.MustChangePassword {
+			}
+
+			if ctx.User.MustChangePassword {
 				ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 				ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
 				ctx.Redirect(setting.AppSubURL + "/user/change_password")