Problem/Motivation

Given that the password history constraint is added to a policy, when creating a new user outside the user add form (e.g. during a webtest using drupalCreateUser(), or potentially other methods that do not use the UI), the password hash is not inserted in the database for the user. I suspect the same issue would occur when updating user passwords through means not using the UI, since it's looking for specific $_POST variables.

Proposed resolution

Add a check during the insert password hash function to allow the hash to be set (e.g. ignore if $_POST variables are set) when users are new (perhaps adding a second boolean argument to indicate when a user is new). As for updating the user password outside of the UI, I haven't run into that particular use case, so I don't have any suggestions for that.

Remaining tasks

Discuss, write a patch.

User interface changes

None.

API changes

None.

Data model changes

None.

Comments

mroycroft created an issue. See original summary.

Kristen Pol

Status: Active » Postponed (maintainer needs more info)
Issue tags: +Needs steps to reproduce

Thanks to everyone for the work on this issue.

I'm going through all the 8.x issues.

As 8.x is no longer supported, I'm postponing this issue for now and need feedback as to whether or not this issue is relevant to 4.0.x.

If it is, please reopen and change the version, make sure the issue summary is clear and complete, including concrete steps to reproduce, and reroll the patch. If it's not, please close.

If there is no response to this in a month addressing the above, it can be closed.