Fixes to password validation

src/Model/Behavior/UserBehavior.php

@@ -11,6 +11,7 @@
 
 use Burzum\UserTools\Model\PasswordAndTokenTrait;
 use Burzum\UserTools\Model\UserValidationTrait;
+use Cake\Auth\AbstractPasswordHasher;
 use Cake\Auth\PasswordHasherFactory;
 use Cake\Core\Configure;
 use Cake\Datasource\EntityInterface;
@@ -67,6 +68,7 @@ class UserBehavior extends Behavior {
 			'password' => 'password',
 			'email' => 'email',
 			'passwordCheck' => 'confirm_password',
+			'oldPassword' => 'old_password',
 			'lastAction' => 'last_action',
 			'lastLogin' => 'last_login',
 			'role' => 'role',
@@ -202,7 +204,7 @@ public function updateLastActivity($userId = null, $field = 'last_action', $opti
 	 * @return string Hash
 	 */
 	public function hashPassword($password) {
-		return $this->passwordHasher()->hash($password);
+		return $this->getPasswordHasher()->hash($password);
 	}
 
 	/**
@@ -681,8 +683,29 @@ public function sendNewPassword($email, $options = []) {
 	 *
 	 * @return \Cake\Auth\AbstractPasswordHasher Password hasher instance
 	 * @throws \RuntimeException If password hasher class not found or it does not extend AbstractPasswordHasher
+	 * @deprecated Use getPasswordHasher() instead
 	 */
 	public function passwordHasher() {
+		return $this->getPasswordHasher();
+	}
+
+	/**
+	 * Sets a password hasher object
+	 *
+	 * @param \Cake\Auth\AbstractPasswordHasher $passwordHasher
+	 * @return void
+	 */
+	public function setPasswordHasher(AbstractPasswordHasher $passwordHasher) {
+		$this->_passwordHasher = $passwordHasher;
+	}
+
+	/**
+	 * Return password hasher object
+	 *
+	 * @return \Cake\Auth\AbstractPasswordHasher Password hasher instance
+	 * @throws \RuntimeException If password hasher class not found or it does not extend AbstractPasswordHasher
+	 */
+	public function getPasswordHasher() {
 		if ($this->_passwordHasher) {
 			return $this->_passwordHasher;
 		}

src/Model/UserValidationTrait.php

@@ -148,7 +148,7 @@ public function validationConfirmPassword(Validator $validator) {
 	 *
 	 * @param \Cake\Validation\Validator $validator
 	 * @return \Cake\Validation\Validator
-	 * @see Burzum\UserTools\Controller\Component\UserToolComponent::requestPassword()
+	 * @see \Burzum\UserTools\Controller\Component\UserToolComponent::requestPassword()
 	 */
 	public function validationRequestPassword(Validator $validator) {
 		$validator = $this->_table->validationDefault($validator);
@@ -195,6 +195,9 @@ protected function validationOldPassword($validator) {
 	/**
 	 * Validation method for the old password.
 	 *
+	 * This method will hash the old password and compare it to the stored hash
+	 * in the database. You don't have to hash it manually before validating.
+	 *
 	 * @param mixed $value
 	 * @param string $field
 	 * @param mixed $context
@@ -207,7 +210,7 @@ public function validateOldPassword($value, $field, $context) {
 
 		$result = $this->_table->find()
 			->select([
-				$this->_field('password')
+				$this->_table->aliasField($field)
 			])
 			->where([
 				$this->_table->primaryKey() => $context['data'][$this->_table->primaryKey()],
@@ -217,7 +220,8 @@ public function validateOldPassword($value, $field, $context) {
 		if (!$result) {
 			return false;
 		}
-		return $this->passwordHasher()->check($value, $result->password);
+
+		return $this->getPasswordHasher()->check($value, $result->get($field));
 	}
 
 	/**