Improved password handling when saving a user

CHANGELOG.md

@@ -1,6 +1,8 @@
 # v1.7.10
 ## mm/dd/2021
 
+1. [](#improved)
+    * Improved password handling when saving a user
 1. [](#bugfix)
     * Ignore errors when using `set_time_limit` in `Archiver` and `GPM\Response` classes [#3023](https://github.com/getgrav/grav/issues/3023)
     * Fixed `Folder::move()` deleting the folder if you move folder into itself, created empty file instead

system/src/Grav/Common/Flex/Types/Users/UserObject.php

@@ -538,13 +538,18 @@ class UserObject extends FlexObject implements UserInterface, Countable
             }
         }
 
-        $password = $this->getProperty('password');
-        if (null !== $password) {
-            $this->unsetProperty('password');
-            $this->unsetProperty('password1');
-            $this->unsetProperty('password2');
+        $password = $this->getProperty('password') ?? $this->getProperty('password1');
+        if (null !== $password && '' !== $password) {
+            $password2 = $this->getProperty('password2');
+            if (!\is_string($password) || ($password2 && $password !== $password2)) {
+                throw new \RuntimeException('Passwords did not match.');
+            }
+
             $this->setProperty('hashed_password', Authentication::create($password));
         }
+        $this->unsetProperty('password');
+        $this->unsetProperty('password1');
+        $this->unsetProperty('password2');
 
         // Backwards compatibility with older plugins.
         $fireEvents = $this->isAdminSite() && $this->getFlexDirectory()->getConfig('object.compat.events', true);

system/src/Grav/Common/User/DataUser/User.php

@@ -131,11 +131,18 @@ class User extends Data implements UserInterface
             }
 
             // if plain text password, hash it and remove plain text
-            $password = $this->get('password');
-            if ($password) {
+            $password = $this->get('password') ?? $this->get('password1');
+            if (null !== $password && '' !== $password) {
+                $password2 = $this->get('password2');
+                if (!\is_string($password) || ($password2 && $password !== $password2)) {
+                    throw new \RuntimeException('Passwords did not match.');
+                }
+
                 $this->set('hashed_password', Authentication::create($password));
-                $this->undef('password');
             }
+            $this->undef('password');
+            $this->undef('password1');
+            $this->undef('password2');
 
             $data = $this->items;
             if ($username === $data['username']) {