From 30096ee73091074474a5831c0f60e02e65b72a30 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Sun, 6 Jan 2013 21:20:02 +0100
Subject: [PATCH] BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none', which in turn will store any subsequent password changes in cleartext. Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
---
 security/Security.php | 13 ++-----------
 tests/security/MemberTest.php | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/security/Security.php b/security/Security.php
index 9bc78516f..936e74b4f 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -829,17 +829,8 @@ class Security extends Controller {
 	 * @see set_password_encryption_algorithm()
 	 */
 	public static function encrypt_password($password, $salt = null, $algorithm = null, $member = null) {
-		if(
-			// if the password is empty, don't encrypt
-			strlen(trim($password)) == 0
-			// if no algorithm is provided and no default is set, don't encrypt
-			|| (!$algorithm)
-		) {
-			$algorithm = 'none';
-		} else {
-			// Fall back to the default encryption algorithm
-			if(!$algorithm) $algorithm = self::$encryptionAlgorithm;
-		}
+		// Fall back to the default encryption algorithm
+		if(!$algorithm) $algorithm = self::$encryptionAlgorithm;
 		$e = PasswordEncryptor::create_for_algorithm($algorithm);
diff --git a/tests/security/MemberTest.php b/tests/security/MemberTest.php
index 4879fa764..0d56aa122 100644
--- a/tests/security/MemberTest.php
+++ b/tests/security/MemberTest.php
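Review bot: With the `'none'` branch removed, `$algorithm` can still be empty after `if(!$algorithm) $algorithm = self::$encryptionAlgorithm;` when no default has been configured, and that empty value now goes straight into `PasswordEncryptor::create_for_algorithm($algorithm)`; the removed comment shows this case used to be handled explicitly ("if no algorithm is provided and no default is set, don't encrypt"), and what the factory does with an empty algorithm is not visible in this hunk. Making the failure explicit would avoid depending on the factory's behaviour, e.g. `if(!$algorithm) throw new InvalidArgumentException('No password encryption algorithm configured');` right after the fallback, or at least a comment stating that create_for_algorithm is expected to reject an empty algorithm. The method's docblock starts outside the hunk; if it still describes the empty-password → `'none'` shortcut, it should be updated to say that empty passwords are now hashed with the configured algorithm like any other value. encrypt_password's body continues outside the hunk.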
@@ -114,6 +114,23 @@ class MemberTest extends FunctionalTest {
 		Security::set_password_encryption_algorithm($origAlgo);
 	}
+
+	public function testKeepsEncryptionOnEmptyPasswords() {
+		$member = new Member();
+		$member->Password = 'mypassword';
+		$member->PasswordEncryption = 'sha1_v2.4';
+		$member->write();
+		$member->Password = '';
+		$member->write();
+		$this->assertEquals(
+			$member->PasswordEncryption,
+			'sha1_v2.4'
+		);
+		$result = $member->checkPassword('');
+		$this->assertTrue($result->valid());
+	}
 	public function testSetPassword() {
 		$member = $this->objFromFixture('Member', 'test');