Hi team,
While migrating users from a foreign system into the Member table, a bug surfaced in the way password hashes are handled.
It seems Security::encrypt_password() doesn't differentiate between:
1. plaintext passwords needing hashing for the first time (`Salt` is NULL)
2. hashed but unsalted passwords (`Salt` is empty string '')
This can be fixed in:
sapphire/security/Security.php#842
by changing:
`$salt = ($salt) ? $salt : $e->salt($password);`
to:
`$salt = isset($salt) ? $salt : $e->salt($password);`
Cheers, Matt
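
The difference between the two checks reported above, as an added example that is not part of the original post and is not SilverStripe code. The helper names, the sample rows and the `sha1($password . $salt)` scheme are assumptions standing in for `$e->salt()` and the real hasher.

```php
<?php
// Added illustration; not SilverStripe code. All function names are hypothetical.

// Stand-in for $e->salt($password): returns a fresh random salt.
function make_salt(): string {
    return bin2hex(random_bytes(8));
}

// Stand-in hasher (assumed scheme): an empty salt reproduces an unsalted hash.
function hash_with_salt(string $password, string $salt): string {
    return sha1($password . $salt);
}

// Original check: NULL and '' are both falsy, so both get a new salt.
function pick_salt_truthy(?string $salt): string {
    return ($salt) ? $salt : make_salt();
}

// Proposed check: only NULL (never hashed) gets a new salt; '' is kept.
function pick_salt_isset(?string $salt): string {
    return isset($salt) ? $salt : make_salt();
}

// Constructed sample data.
$password   = 'correct horse';
$legacyHash = sha1($password); // unsalted hash as imported from the foreign system

// Constructed rows: label => value of the Salt column.
$rows = [
    'new plaintext (Salt NULL)'   => null,
    "migrated unsalted (Salt '')" => '',
    'existing salted'             => 'a1b2c3d4',
];

foreach ($rows as $label => $storedSalt) {
    printf("%-28s truthy keeps salt: %-3s  isset keeps salt: %s\n",
        $label,
        pick_salt_truthy($storedSalt) === $storedSalt ? 'yes' : 'no',
        pick_salt_isset($storedSalt) === $storedSalt ? 'yes' : 'no');
}

// For the migrated row, compare the recomputed hash with the imported one.
var_dump(hash_with_salt($password, pick_salt_truthy('')) === $legacyHash);
var_dump(hash_with_salt($password, pick_salt_isset('')) === $legacyHash);
```

In PHP the string `'0'` is also falsy, so the truthy form would replace a salt of `'0'` as well, while `isset()` keeps it.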