When a Forum User maintains data in his profile and does not fill the two password fields, the password is set to NULL in the database. This leads to outlock this user from the forum.
This is especially annoying because lost Password Form is also not working!
The user does receive the email reset password, but after clicking it, he is asked to login, which requires to input the password, but this password has been lost or resetted by the malicious profile settings form!
Hmm I am unable to reproduce the issue (of setting the password to null). Heres what I tried -
* Registering a user with password 'test' - this was added to the db
* Editing the users profile (with not setting anything in the password field)
* Editing the users profile in the cms (with not setting anything in the password).
Looking at the code also has empty() checks to ensure that passwords could not be set to nothing. Saying that I think this area needs some unit tests to ensure I'm not missing something or an edge case. It is the edit profile form on the front end which is setting the password to null correct?
Yes - the Front-End profile editor - i just tested the behaviour again - i only changed the signature and left the password fields empty - after submit the Password is NULL in the database. i could reset the password with the profile form within the same session by filling the two password fields. You can just test it on http://icybolt.de/larp-forum/ - just create an account - log in and change your signature - when you log out you can no more login because your password is NULL in the database.
I think it's because the 2.4 version, when u do this $member = DataObject::get_by_id('Member', $data['ID']); , it return NULL on the password data, if i print out the dataobject, there are two password displayed, one is null, the other is the current password, the problem is, it get the first one so on $form->dataFieldByName("Password")->setValue($member->Password);, it set a null value.