Fix user password handling in Admin CP

DaneEveritt · DaneEveritt · commit dd54c5abb1c2 · 2018-02-07T21:13:40.000-06:00
diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php
@@ -161,7 +161,6 @@ public function store(UserFormRequest $request)
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
-     * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
      */
     public function update(UserFormRequest $request, User $user)
     {
diff --git a/app/Services/Users/UserUpdateService.php b/app/Services/Users/UserUpdateService.php
@@ -58,8 +58,10 @@ public function __construct(
      */
     public function handle(User $user, array $data): Collection
     {
-        if (array_has($data, 'password')) {
+        if (! empty(array_get($data, 'password'))) {
             $data['password'] = $this->hasher->make($data['password']);
+        } else {
+            unset($data['password']);
         }
 
         if ($this->isUserLevel(User::USER_LEVEL_ADMIN)) {
diff --git a/tests/Unit/Services/Users/UserUpdateServiceTest.php b/tests/Unit/Services/Users/UserUpdateServiceTest.php
@@ -41,20 +41,38 @@ public function setUp()
     }
 
     /**
-     * Test that the handle function does not attempt to hash a password if no password is passed.
+     * Test that the handle function does not attempt to hash a password if no
+     * password is provided or the password is null.
+     *
+     * @dataProvider badPasswordDataProvider
      */
-    public function testUpdateUserWithoutTouchingHasherIfNoPasswordPassed()
+    public function testUpdateUserWithoutTouchingHasherIfNoPasswordPassed(array $data)
     {
         $user = factory(User::class)->make();
         $this->revocationService->shouldReceive('getExceptions')->withNoArgs()->once()->andReturn([]);
         $this->repository->shouldReceive('update')->with($user->id, ['test-data' => 'value'])->once()->andReturnNull();
 
-        $response = $this->getService()->handle($user, ['test-data' => 'value']);
+        $response = $this->getService()->handle($user, $data);
         $this->assertInstanceOf(Collection::class, $response);
         $this->assertTrue($response->has('model'));
         $this->assertTrue($response->has('exceptions'));
     }
 
+    /**
+     * Provide a test data set with passwords that should not be hashed.
+     *
+     * @return array
+     */
+    public function badPasswordDataProvider(): array
+    {
+        return [
+            [['test-data' => 'value']],
+            [['test-data' => 'value', 'password' => null]],
+            [['test-data' => 'value', 'password' => '']],
+            [['test-data' => 'value', 'password' => 0]],
+        ];
+    }
+
     /**
      * Test that the handle function hashes a password if passed in the data array.
      */

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,6 @@ public function store(UserFormRequest $request)`
`161`	`161`	`*`
`162`	`162`	`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
`163`	`163`	`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
`164`		`- * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException`
`165`	`164`	`*/`
`166`	`165`	`public function update(UserFormRequest $request, User $user)`
`167`	`166`	`{`
Original file line number	Diff line number	Diff line change
`@@ -58,8 +58,10 @@ public function __construct(`
`58`	`58`	`*/`
`59`	`59`	`public function handle(User $user, array $data): Collection`
`60`	`60`	`{`
`61`		`- if (array_has($data, 'password')) {`
	`61`	`+ if (! empty(array_get($data, 'password'))) {`
`62`	`62`	`$data['password'] = $this->hasher->make($data['password']);`
	`63`	`+ } else {`
	`64`	`+ unset($data['password']);`
`63`	`65`	`}`
`64`	`66`
`65`	`67`	`if ($this->isUserLevel(User::USER_LEVEL_ADMIN)) {`