BUGFIX Keep Member.PasswordEncryption setting on empty passwords

This will prevent empty passwords to set the encryption to 'none', which in turn will store any subsequent password changes in cleartext. Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2024-10-22 12:05:37 +00:00 · 2013-01-06 21:20:02 +01:00 · 2013-01-06 21:20:02 +01:00 · 30096ee730
commit 30096ee730
parent d51e0bc2ec
2 changed files with 19 additions and 11 deletions
--- a/security/Security.php
+++ b/security/Security.php
@ -829,17 +829,8 @@ class Security extends Controller {
 	 * @see set_password_encryption_algorithm()
 	 */
 	public static function encrypt_password($password, $salt = null, $algorithm = null, $member = null) {
-		if(
-			// if the password is empty, don't encrypt
-			strlen(trim($password)) == 0  
-			// if no algorithm is provided and no default is set, don't encrypt
-			|| (!$algorithm)
-		) {
-			$algorithm = 'none';
-		} else {
 		// Fall back to the default encryption algorithm
 		if(!$algorithm) $algorithm = self::$encryptionAlgorithm;
-		} 
 		
 		$e = PasswordEncryptor::create_for_algorithm($algorithm);

--- a/tests/security/MemberTest.php
+++ b/tests/security/MemberTest.php
@ -115,6 +115,23 @@ class MemberTest extends FunctionalTest {
 		Security::set_password_encryption_algorithm($origAlgo);
 	}

+	public function testKeepsEncryptionOnEmptyPasswords() {
+		$member = new Member();
+		$member->Password = 'mypassword';
+		$member->PasswordEncryption = 'sha1_v2.4';
+		$member->write();
+		
+		$member->Password = '';
+		$member->write();
+		
+		$this->assertEquals(
+			$member->PasswordEncryption, 
+			'sha1_v2.4'
+		);
+		$result = $member->checkPassword('');
+		$this->assertTrue($result->valid());
+	}
+	
 	public function testSetPassword() {
 		$member = $this->objFromFixture('Member', 'test');
 		$member->Password = "test1";