When editing a user the password always gets saved, even if the password is blank. If I edit a user and only make a minor change (like enabling the personal contact form), the empty password gets saved as well, and shouldn't.

The user module does not update the password, and I believe it is because of this code starting at line 112 in the user_save function:

      if ($key == 'pass' && !empty($value)) {
        $query .= "$key = '%s', ";
        $v[] = md5($value);
      }

Comments

Bèr Kessels’s picture

Component: sql_auth_update » sql_auth_update
Assigned: Unassigned » Bèr Kessels

Assigning to myself for the time being.