From 6c0a66cf49ef71ad8ee12ba4888e1ebc477e4b0e Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)"
Date: Tue, 22 Mar 2016 23:06:29 +0000
Subject: [PATCH] Users: In `edit_user()` check for a blank password when adding a user.

Props wesleye, gitlost, adamsilverstein. Fixes #35715.

git-svn-id: https://develop.svn.wordpress.org/trunk@37059 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/user.php | 18 ++++++---
 tests/phpunit/tests/user.php | 67 ++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 6 deletions(-)

diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
index 005266860a..d92d2aebc6 100644
--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -113,7 +113,6 @@ function edit_user( $user_id = 0 ) {
 $errors->add( 'nickname', __( 'ERROR: Please enter a nickname.' ) );
 }
 
- /* checking the password has been typed twice */
 /**
 * Fires before the password and confirm password fields are checked for congruity.
 *
@@ -125,13 +124,20 @@ function edit_user( $user_id = 0 ) {
 */
 do_action_ref_array( 'check_passwords', array( $user->user_login, &$pass1, &$pass2 ) );
 
- /* Check for "\" in password */
- if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) )
- $errors->add( 'pass', __( 'ERROR: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
+ // Check for blank password when adding a user.
+ if ( ! $update && empty( $pass1 ) ) {
+ $errors->add( 'pass', __( 'ERROR: Please enter a password.' ), array( 'form-field' => 'pass1' ) );
+ }
 
- /* checking the password has been typed twice the same */
- if ( $pass1 != $pass2 )
+ // Check for "\" in password.
+ if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) ) {
+ $errors->add( 'pass', __( 'ERROR: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
+ }
+
+ // Checking the password has been typed twice the same.
+ if ( ( $update || ! empty( $pass1 ) ) && $pass1 != $pass2 ) {
 $errors->add( 'pass', __( 'ERROR: Please enter the same password in both password fields.' ), array( 'form-field' => 'pass1' ) );
+ }
 
 if ( !empty( $pass1 ) )
 $user->user_pass = $pass1;
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 07ae540425..bb14876a31 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
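Review bot: The rewritten confirmation check `if ( ( $update || ! empty( $pass1 ) ) && $pass1 != $pass2 ) {` still compares the two fields with loose `!=`, so two numeric-looking strings that PHP treats as equal (for example `'1e3'` and `'1000'`) are accepted as a match and the unconfirmed `$pass1` is what gets stored. The strict form, `if ( ( $update || ! empty( $pass1 ) ) && $pass1 !== $pass2 ) {`, avoids that; if either field can be unset/null rather than a string, cast both to string first — where `$pass1` and `$pass2` are read is outside this hunk, so that needs confirming. The new `empty( $pass1 )` blank check also treats the single-character password `'0'` as blank, which matches the existing `if ( !empty( $pass1 ) )` guard below but deserves a comment such as `// Note: empty() also rejects the password "0".`. edit_user() starts and ends outside this hunk.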
@@ -1132,4 +1132,71 @@ class Tests_User extends WP_UnitTestCase {
 $this->assertTrue( $was_admin_email_sent );
 $this->assertFalse( $was_user_email_sent );
 }
+
+ /**
+ * Checks that calling edit_user() with no password returns an error when adding, and doesn't when updating.
+ *
+ * @ticket 35715
+ */
+ function test_edit_user_blank_pw() {
+ $_POST = $_GET = $_REQUEST = array();
+ $_POST['role'] = 'subscriber';
+ $_POST['email'] = 'user1@example.com';
+ $_POST['user_login'] = 'user_login1';
+ $_POST['first_name'] = 'first_name1';
+ $_POST['last_name'] = 'last_name1';
+ $_POST['nickname'] = 'nickname1';
+ $_POST['display_name'] = 'display_name1';
+
+ // Check new user with missing password.
+ $response = edit_user();
+
+ $this->assertInstanceOf( 'WP_Error', $response );
+ $this->assertEquals( 'pass', $response->get_error_code() );
+
+ // Check new user with password set.
+ $_POST['pass1'] = $_POST['pass2'] = 'password';
+
+ $user_id = edit_user();
+ $user = get_user_by( 'ID', $user_id );
+
+ $this->assertInternalType( 'int', $user_id );
+ $this->assertInstanceOf( 'WP_User', $user );
+ $this->assertEquals( 'nickname1', $user->nickname );
+
+ // Check updating user with empty password.
+ $_POST['nickname'] = 'nickname_updated';
+ $_POST['pass1'] = $_POST['pass2'] = '';
+
+ $user_id = edit_user( $user_id );
+
+ $this->assertInternalType( 'int', $user_id );
+ $this->assertEquals( 'nickname_updated', $user->nickname );
+
+ // Check updating user with missing second password.
+ $_POST['nickname'] = 'nickname_updated2';
+ $_POST['pass1'] = 'blank_pass2';
+ $_POST['pass2'] = '';
+
+ $response = edit_user( $user_id );
+
+ $this->assertInstanceOf( 'WP_Error', $response );
+ $this->assertEquals( 'pass', $response->get_error_code() );
+ $this->assertEquals( 'nickname_updated', $user->nickname );
+
+ // Check updating user with empty password via `check_passwords` action.
+ add_action( 'check_passwords', array( $this, 'action_check_passwords_blank_pw' ), 10, 2 );
+ $user_id = edit_user( $user_id );
+ remove_action( 'check_passwords', array( $this, 'action_check_passwords_blank_pw' ) );
+
+ $this->assertInternalType( 'int', $user_id );
+ $this->assertEquals( 'nickname_updated2', $user->nickname );
+ }
+
+ /**
+ * Check passwords action for test_edit_user_blank_pw().
+ */
+ function action_check_passwords_blank_pw( $user_login, &$pass1 ) {
+ $pass1 = '';
+ }
 }
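Review bot: The three update-case assertions on `$user->nickname` read from the `WP_User` fetched once right after creation, before any `edit_user( $user_id )` call, so whether they observe the persisted value depends on `WP_User` resolving `nickname` lazily from user meta rather than from the object's snapshot — nothing in the hunk shows which it is. Re-fetching after each update, `$user = get_user_by( 'ID', $user_id );`, makes the assertions check stored state regardless, including the third case, which asserts that a rejected update left the nickname unchanged. The test also assigns `$_POST`, `$_GET` and `$_REQUEST` and never restores them; unless `WP_UnitTestCase` resets superglobals between tests, a `tearDown()` restore would keep later tests isolated. The enclosing class `Tests_User` starts outside the hunk.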