Validate password length

We can't do this using the ValidatesBeforeSave trait because the password has been hashed by then. Instead, we must validate the original password as it comes in.
2025-02-21 10:42:46 +08:00 · 2015-08-31 12:38:15 +09:30 · 2015-08-31 12:38:15 +09:30 · 9b5b97ff63
commit 9b5b97ff63
parent 81e0ac7f90
1 changed files with 19 additions and 0 deletions
--- a/framework/core/src/Core/Users/User.php
+++ b/framework/core/src/Core/Users/User.php
@ -32,6 +32,7 @@ use Flarum\Core\Support\Locked;
 use Flarum\Core\Support\VisibleScope;
 use Flarum\Core\Support\EventGenerator;
 use Flarum\Core\Support\ValidatesBeforeSave;
+use Flarum\Core\Exceptions\ValidationException;

 /**
 * @todo document database columns with @property
@ -149,6 +150,8 @@ class User extends Model
    {
        $user = new static;

+        $this->assertValidPassword($password);
+
        $user->username  = $username;
        $user->email     = $email;
        $user->password  = $password;
@ -225,6 +228,8 @@ class User extends Model
     */
    public function changePassword($password)
    {
+        $this->assertValidPassword($password);
+
        $this->password = $password;

        $this->raise(new UserPasswordWasChanged($this));
@ -232,6 +237,20 @@ class User extends Model
        return $this;
    }

+    /**
+     * Validate password input.
+     *
+     * @param string $password
+     * @return void
+     * @throws \Flarum\Core\Exceptions\ValidationException
+     */
+    protected function assertValidPassword($password)
+    {
+        if (strlen($password) < 8) {
+            throw new ValidationException(['password' => 'Password must be at least 8 characters']);
+        }
+    }
+
    /**
     * Set the password attribute, storing it as a hash.
     *