Merge pull request from GHSA-552f-97wf-pmpq

Co-authored-by: jey <jey@umbraco.dk> (cherry picked from commit b743f6a)
umbraco · Mar 18, 2024 · 7e1d1a1 · 7e1d1a1
1 parent a2511ff
commit 7e1d1a1
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs b/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs
@@ -134,8 +134,8 @@ public async Task<IdentityResult> ValidatePasswordAsync(string? password)
     /// <inheritdoc />
     public override async Task<bool> CheckPasswordAsync(TUser user, string? password)
     {
-        // we cannot proceed if the user passed in does not have an identity
-        if (user.HasIdentity == false)
+        // we cannot proceed if the user passed in does not have an identity, or if no password is provided.
+        if (user.HasIdentity == false || password is null)
         {
             return false;
         }
@@ -252,7 +252,7 @@ public override async Task<IdentityResult> AccessFailedAsync(TUser user)
     public async Task<bool> ValidateCredentialsAsync(string username, string password)
     {
         TUser user = await FindByNameAsync(username);
-        
+
         if (user == null)
         {
             return false;
@@ -263,7 +263,7 @@ public async Task<bool> ValidateCredentialsAsync(string username, string passwor
             throw new NotSupportedException("The current user store does not implement " +
                                             typeof(IUserPasswordStore<>));
         }
-        
+
         var result = await VerifyPasswordAsync(userPasswordStore, user, password);
 
         return result == PasswordVerificationResult.Success || result == PasswordVerificationResult.SuccessRehashNeeded;