When must_change_password is true the user must pick a genuinely new password. Added a verify_password check against the existing hash before accepting the new value, raising BusinessRuleViolation if they match.
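The check this message describes, as an added stand-alone example rather than the project's own code: a forced password change that refuses a new value matching the stored hash, with the hash helpers and the user model constructed here for illustration (the real project's verify_password and BusinessRuleViolation are assumed, not shown).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class BusinessRuleViolation(Exception):
    """Raised when a domain rule (here: no password reuse) is violated."""


def hash_password(password: str, salt: bytes = b"") -> str:
    # Constructed helper: salted PBKDF2-HMAC-SHA256, stored as "salt$digest" in hex.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class User:
    password_hash: str
    must_change_password: bool = False


def change_password(user: User, new_password: str) -> None:
    # When a change is mandated, the new value must not match the current hash.
    if user.must_change_password and verify_password(new_password, user.password_hash):
        raise BusinessRuleViolation("new password must differ from the current one")
    user.password_hash = hash_password(new_password)
    user.must_change_password = False


def rejects_reuse(user: User, candidate: str) -> bool:
    # True if the rule fires; the user record is left untouched in that case.
    try:
        change_password(user, candidate)
    except BusinessRuleViolation:
        return True
    return False
```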