From b2cc966da3a6bcc925035e12a950e636847326f8 Mon Sep 17 00:00:00 2001
From: Riccardo Tempesta <info@riccardotempesta.com>
Date: Sat, 28 Apr 2018 21:49:49 +0200
Subject: [PATCH 1/2] Fix issue #14895 - Change Password warning message appear
 two times The password change notice was a sticky message activated by
 admin_user_authenticate_after event. The password change page requires the
 current user password and thus triggering admin_user_authenticate_after while
 saving. One message was added every time the user was saved.

---
 app/code/Magento/User/Model/User.php                      | 2 ++
 app/code/Magento/User/Observer/Backend/AuthObserver.php   | 8 ++++++--
 .../Observer/Backend/TrackAdminNewPasswordObserver.php    | 3 ++-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/app/code/Magento/User/Model/User.php b/app/code/Magento/User/Model/User.php
index 2a7d43008f2ad..d711220441aaf 100644
--- a/app/code/Magento/User/Model/User.php
+++ b/app/code/Magento/User/Model/User.php
@@ -47,6 +47,8 @@ class User extends AbstractModel implements StorageInterface, UserInterface
     /** @deprecated */
     const XML_PATH_RESET_PASSWORD_TEMPLATE = 'admin/emails/reset_password_template';
 
+    const MESSAGE_ID_PASSWORD_EXPIRED = 'magento_user_password_expired';
+
     /**
      * Model event prefix
      *
diff --git a/app/code/Magento/User/Observer/Backend/AuthObserver.php b/app/code/Magento/User/Observer/Backend/AuthObserver.php
index bc5d6af615f13..70530c5be7263 100644
--- a/app/code/Magento/User/Observer/Backend/AuthObserver.php
+++ b/app/code/Magento/User/Observer/Backend/AuthObserver.php
@@ -149,7 +149,7 @@ public function execute(EventObserver $observer)
     /**
      * Update locking information for the user
      *
-     * @param \Magento\User\Model\User $user
+     * @param User $user
      * @return void
      */
     private function _updateLockingInformation($user)
@@ -195,10 +195,14 @@ private function _checkExpiredPassword($latestPassword)
                 $myAccountUrl = $this->url->getUrl('adminhtml/system_account/');
                 $message = __('It\'s time to <a href="%1">change your password</a>.', $myAccountUrl);
             }
+
+            // Avoid duplicating the message
+            $this->messageManager->getMessages()->deleteMessageByIdentifier(User::MESSAGE_ID_PASSWORD_EXPIRED);
+
             $this->messageManager->addNoticeMessage($message);
             $message = $this->messageManager->getMessages()->getLastAddedMessage();
             if ($message) {
-                $message->setIdentifier('magento_user_password_expired')->setIsSticky(true);
+                $message->setIdentifier(User::MESSAGE_ID_PASSWORD_EXPIRED)->setIsSticky(true);
                 $this->authSession->setPciAdminUserIsPasswordExpired(true);
             }
         }
diff --git a/app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php b/app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php
index 09605372df181..059879ab9613f 100644
--- a/app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php
+++ b/app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php
@@ -8,6 +8,7 @@
 
 use Magento\Framework\Event\Observer as EventObserver;
 use Magento\Framework\Event\ObserverInterface;
+use Magento\User\Model\User;
 
 /**
  * User backend observer model for passwords
@@ -74,7 +75,7 @@ public function execute(EventObserver $observer)
             $passwordHash = $user->getPassword();
             if ($passwordHash && !$user->getForceNewPassword()) {
                 $this->userResource->trackPassword($user, $passwordHash);
-                $this->messageManager->getMessages()->deleteMessageByIdentifier('magento_user_password_expired');
+                $this->messageManager->getMessages()->deleteMessageByIdentifier(User::MESSAGE_ID_PASSWORD_EXPIRED);
                 $this->authSession->unsPciAdminUserIsPasswordExpired();
             }
         }

From cfe58e16b5159f97fbf8b1246a6e5d75caaaf9e0 Mon Sep 17 00:00:00 2001
From: Riccardo Tempesta <info@riccardotempesta.com>
Date: Sun, 29 Apr 2018 17:26:18 +0200
Subject: [PATCH 2/2] Single call for getMessages()
 app/code/Magento/User/Test/Unit/Observer/Backend/AuthObserverTest.php is
 checking for a single getMessages() call

---
 app/code/Magento/User/Observer/Backend/AuthObserver.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/code/Magento/User/Observer/Backend/AuthObserver.php b/app/code/Magento/User/Observer/Backend/AuthObserver.php
index 70530c5be7263..c7a1a69f7ce84 100644
--- a/app/code/Magento/User/Observer/Backend/AuthObserver.php
+++ b/app/code/Magento/User/Observer/Backend/AuthObserver.php
@@ -196,11 +196,13 @@ private function _checkExpiredPassword($latestPassword)
                 $message = __('It\'s time to <a href="%1">change your password</a>.', $myAccountUrl);
             }
 
-            // Avoid duplicating the message
-            $this->messageManager->getMessages()->deleteMessageByIdentifier(User::MESSAGE_ID_PASSWORD_EXPIRED);
+            $messages = $this->messageManager->getMessages();
+
+            // Remove existing messages with same ID to avoid duplication
+            $messages->deleteMessageByIdentifier(User::MESSAGE_ID_PASSWORD_EXPIRED);
 
             $this->messageManager->addNoticeMessage($message);
-            $message = $this->messageManager->getMessages()->getLastAddedMessage();
+            $message = $messages->getLastAddedMessage();
             if ($message) {
                 $message->setIdentifier(User::MESSAGE_ID_PASSWORD_EXPIRED)->setIsSticky(true);
                 $this->authSession->setPciAdminUserIsPasswordExpired(true);