From 563ad75a2828b2d272b5c0c610aa9267edc25063 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Mon, 3 Dec 2012 15:10:43 +0100
Subject: [PATCH] Ensure that no empty password can be set

Previously the ACP form would have set the password to an empty string.
---
 wcfsetup/install/files/lib/data/user/UserEditor.class.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/data/user/UserEditor.class.php b/wcfsetup/install/files/lib/data/user/UserEditor.class.php
index 92271d7cc6..1fdbbbc99f 100644
--- a/wcfsetup/install/files/lib/data/user/UserEditor.class.php
+++ b/wcfsetup/install/files/lib/data/user/UserEditor.class.php
@@ -62,7 +62,7 @@ class UserEditor extends DatabaseObjectEditor implements IEditableCachedObject {
 */
 public function update(array $parameters = array()) {
 // update salt and create new password hash
- if (isset($parameters['password'])) {
+ if (isset($parameters['password']) && $parameters['password'] !== '') {
 $parameters['salt'] = StringUtil::getRandomID();
 $parameters['password'] = StringUtil::getDoubleSaltedHash($parameters['password'], $parameters['salt']);
@@ -72,6 +72,9 @@ class UserEditor extends DatabaseObjectEditor implements IEditableCachedObject {
 $this->salt = $parameters['salt'];
 $this->accessToken = $parameters['accessToken'];
 }
+ else {
+ unset($parameters['password'], $parameters['salt'], $parameters['accessToken']);
+ }
 parent::update($parameters);
 }
-- 
2.20.1
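Review bot: The new guard in the first hunk rejects only the exact string `''`, so a non-string value such as `false` still passes `isset()` and `!== ''` and reaches `StringUtil::getDoubleSaltedHash()`, where PHP's string conversion would presumably hash it as the empty string again. If callers can ever pass anything other than a string, tighten the condition to `if (isset($parameters['password']) && is_string($parameters['password']) && $parameters['password'] !== '') {`. The comment above it could also record the new behaviour, e.g. `// update salt and create new password hash; an empty password is ignored`. The body of update() starts before and continues past this hunk.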
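Review bot: The `else` branch added in the second hunk also runs when no `password` key is passed at all, so any caller-supplied `accessToken` is stripped from every update that does not change the password; a call meant only to rotate the access token would silently leave the old token in place. Dropping `salt` is defensible, since a new salt without a new hash would invalidate the stored password, but `accessToken` looks like collateral: consider `unset($parameters['password'], $parameters['salt']);` or state in the method's docblock that both fields are writable only together with a password. An empty password is also discarded without any signal to the caller, so the ACP form, which is outside this diff, has to report the error itself. The docblock of update() begins above the visible hunks.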