FIX Ensure changing a password to blank is validated

2021-06-17 12:05:20 +12:00 · 2021-06-17 12:05:20 +12:00 · 7ed7ad0254
parent d5e4493851
commit 7ed7ad0254
3 changed files with 15 additions and 5 deletions
--- a/src/Security/Member.php
+++ b/src/Security/Member.php
@ -875,7 +875,7 @@ class Member extends DataObject
        if ($this->Email) {
            $this->Email = trim($this->Email);
        }
-        
+
        // If a member with the same "unique identifier" already exists with a different ID, don't allow merging.
        // Note: This does not a full replacement for safeguards in the controller layer (e.g. in a registration form),
        // but rather a last line of defense against data inconsistencies.
@ -1705,8 +1705,8 @@ class Member extends DataObject
        $valid = parent::validate();
        $validator = static::password_validator();

-        if (!$this->ID || $this->isChanged('Password')) {
-            if ($this->Password && $validator) {
+        if ($validator) {
+            if ((!$this->ID && $this->Password) || $this->isChanged('Password')) {
                $userValid = $validator->validate($this->Password, $this);
                $valid->combineAnd($userValid);
            }
--- a/src/Security/MemberPassword.php
+++ b/src/Security/MemberPassword.php
@ -53,6 +53,6 @@ class MemberPassword extends DataObject
    public function checkPassword($password)
    {
        $encryptor = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
-        return $encryptor->check($this->Password, $password, $this->Salt, $this->Member());
+        return $encryptor->check($this->Password ?? '', $password, $this->Salt, $this->Member());
    }
 }
--- a/tests/php/Security/MemberTest.php
+++ b/tests/php/Security/MemberTest.php
@ -1593,7 +1593,7 @@ class MemberTest extends FunctionalTest

        $this->assertSame('Johnson', $member->getLastName(), 'getLastName should proxy to Surname');
    }
-    
+
    public function testEmailIsTrimmed()
    {
        $member = new Member();
@ -1601,4 +1601,14 @@ class MemberTest extends FunctionalTest
        $member->write();
        $this->assertNotNull(Member::get()->find('Email', 'trimmed@test.com'));
    }
+
+    public function testChangePasswordToBlankIsValidated()
+    {
+        // override setup() function which setMinLength(0)
+        PasswordValidator::singleton()->setMinLength(8);
+        // 'test' member has a password defined in yml
+        $member = $this->objFromFixture(Member::class, 'test');
+        $result = $member->changePassword('');
+        $this->assertFalse($result->isValid());
+    }
 }