2 files changed, 31 insertions, 12 deletions

diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index 38e68d30..496ed9ca 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -37,6 +37,12 @@ class Admin_Users_Controller extends Controller {
       $valid = false;
     }
 
+    if ($form->add_user->password->value &&
+        $form->add_user->password->value != $form->add_user->password2->value) {
+      $form->add_user->password2->add_error("mistyped", 1);
+      $valid = false;
+    }
+
     if ($valid) {
       $user = user::create(
         $name, $form->add_user->full_name->value, $form->add_user->password->value);
@@ -106,6 +112,12 @@ class Admin_Users_Controller extends Controller {
       }
     }
 
+    if ($form->edit_user->password->value &&
+        $form->edit_user->password->value != $form->edit_user->password2->value) {
+      $form->edit_user->password2->add_error("mistyped", 1);
+      $valid = false;
+    }
+
     if ($valid) {
       $user->name = $new_name;
       $user->full_name = $form->edit_user->full_name->value;
diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index a285b32d..811e3a2d 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -28,19 +28,26 @@ class Users_Controller extends REST_Controller {
     $form = user::get_edit_form($user);
     $form->edit_user->password->rules("-required");
     if ($form->validate()) {
-      // @todo: allow the user to change their name
-      // @todo: handle password changing gracefully
-      $user->full_name = $form->edit_user->full_name->value;
-      if ($form->edit_user->password->value) {
-        $user->password = $form->edit_user->password->value;
-      }
-      $user->email = $form->edit_user->email->value;
-      $user->url = $form->edit_user->url->value;
-      $user->save();
+      if ($form->edit_user->password->value &&
+          $form->edit_user->password->value != $form->edit_user->password2->value) {
+        $form->edit_user->password2->add_error("mistyped", 1);
+        print json_encode(
+          array("result" => "error",
+                "form" => $form->__toString()));
+      } else {
+        // @todo: allow the user to change their name
+        $user->full_name = $form->edit_user->full_name->value;
+        if ($form->edit_user->password->value) {
+          $user->password = $form->edit_user->password->value;
+        }
+        $user->email = $form->edit_user->email->value;
+        $user->url = $form->edit_user->url->value;
+        $user->save();
 
-      print json_encode(
-        array("result" => "success",
-              "resource" => url::site("users/{$user->id}")));
+        print json_encode(
+          array("result" => "success",
+                "resource" => url::site("users/{$user->id}")));
+      }
     } else {
       print json_encode(
         array("result" => "error",