U4-10361 - Creating new member when `AllowManuallyChangingPassword="false"` - can't set a password

Created by Sebastiaan Janssen 28 Aug 2017, 13:37:22 Updated by Sebastiaan Janssen 01 Sep 2017, 12:47:14

Subtask of: U4-9609

See: https://our.umbraco.org/forum/extending-umbraco-and-using-the-api/87391-creating-new-members-password-is-stored-as-plain-text

In short: when allowManuallyChangingPassword is false you can't do something like: memberService.SavePassword(member, "test123456"); since you need to provide the old password. But it's a new member, so no old password.


Shannon Deminick 29 Aug 2017, 02:08:04

PR: https://github.com/umbraco/Umbraco-CMS/pull/2155

  • The method IMemberService.SavePassword is not used anywhere in the Core codebase and generally speaking should be avoided. The razor snippets use the MembershipHelper to register a member. This method will be obsoleted in 7.8 when members are controlled by ASP.NET Identity APIs like users are today
  • The logic behind IMemberService.SavePassword has been updated (this logic uses membership provider APIs) to be able to work for creating a new Member only if that member was created without a password. The logic will still continue to work of AllowManuallyChangingPassword is true
  • When a new member is created and no password is specified, the member's password that is stored in the database will be prefixed with a special string which is consistent with how users work too, this allows us to definitively know if a member was created without a password. This logic will also be used in 7.8 with the ASP.NET Identity APIs
  • Have added unit tests to show how this works

Priority: Normal

Type: Bug

State: Fixed

Assignee: Sebastiaan Janssen

Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.6.6

Sprint: Sprint 66

Story Points: