From 296655542dd191abb3f840f3998d85f9c5b64759 Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 2 Nov 2020 20:07:39 -0800
Subject: [PATCH] Added comments
---
 app/Http/Controllers/ProfileController.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/app/Http/Controllers/ProfileController.php b/app/Http/Controllers/ProfileController.php
index d1a6306b69..ae283cd25a 100755
--- a/app/Http/Controllers/ProfileController.php
+++ b/app/Http/Controllers/ProfileController.php
@@ -157,6 +157,14 @@ class ProfileController extends Controller
 $validator->errors()->add('current_password', trans('validation.hashed_pass'));
 }
 
+ // This checks to make sure that the user's password isn't the same as their username,
+ // email address, first name or last name (see https://github.com/snipe/snipe-it/issues/8661)
+ // While this is handled via SaveUserRequest form request in other places, we have to do this manually
+ // here because we don't have the username, etc form fields available in the profile password change
+ // form.
+
+ // There may be a more elegant way to do this in the future.
+
 if (($request->input('password') == $user->username) ||
 ($request->input('password') == $user->email) ||
 ($request->input('password') == $user->first_name) ||
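Review bot: The added comment promises more than the `if` beneath it delivers, because the visible clauses compare with loose, case-sensitive `==`, so only an exact match is rejected and a case variant of the username, email or first name is accepted as a password. Loose comparison also treats numeric-looking strings as equal when they differ (`'1e3' == '1000'`), which can reject a password that is not actually the same as the field. I would have the comment state that limit, e.g. `// Exact-match check only; case variants of these fields are not rejected here.`, and as a follow-up compare strictly and case-insensitively, e.g. `mb_strtolower((string) $request->input('password')) === mb_strtolower((string) $user->username)`. The closing remark would be more useful as a concrete TODO, such as `// TODO: reuse the SaveUserRequest rule once the user fields are available to this validator`. The `if` statement continues past the end of the hunk, so the last-name clause the comment mentions is not visible here.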