From 9b5b97ff63d2fda560f136cf7a78e1dff6aa6fbe Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Mon, 31 Aug 2015 12:38:15 +0930
Subject: [PATCH] Validate password length

We can't do this using the ValidatesBeforeSave trait because the password has been hashed by then. Instead, we must validate the original password as it comes in.
---
 framework/core/src/Core/Users/User.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/framework/core/src/Core/Users/User.php b/framework/core/src/Core/Users/User.php
index da2a0aa19..db1ed8e54 100755
--- a/framework/core/src/Core/Users/User.php
+++ b/framework/core/src/Core/Users/User.php
@@ -32,6 +32,7 @@ use Flarum\Core\Support\Locked;
 use Flarum\Core\Support\VisibleScope;
 use Flarum\Core\Support\EventGenerator;
 use Flarum\Core\Support\ValidatesBeforeSave;
+use Flarum\Core\Exceptions\ValidationException;
 /**
 * @todo document database columns with @property
@@ -149,6 +150,8 @@ class User extends Model
 {
 $user = new static;
+ $this->assertValidPassword($password);
+
 $user->username = $username;
 $user->email = $email;
 $user->password = $password;
@@ -225,6 +228,8 @@ class User extends Model
 */
 public function changePassword($password)
 {
+ $this->assertValidPassword($password);
+
 $this->password = $password;
 $this->raise(new UserPasswordWasChanged($this));
@@ -232,6 +237,20 @@ class User extends Model
 return $this;
 }
+ /**
+ * Validate password input.
+ *
+ * @param string $password
+ * @return void
+ * @throws \Flarum\Core\Exceptions\ValidationException
+ */
+ protected function assertValidPassword($password)
+ {
+ if (strlen($password) < 8) {
+ throw new ValidationException(['password' => 'Password must be at least 8 characters']);
+ }
+ }
+
 /**
 * Set the password attribute, storing it as a hash.
 *
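Review bot: The added `$this->assertValidPassword($password);` sits directly after `$user = new static;`, which suggests the enclosing method is a static factory; if so, `$this` is not defined there and the call fails with a fatal error before any account is created. The method signature lies outside this hunk, so confirm it first. The likely fix is to call the helper on the new instance, `$user->assertValidPassword($password);`, or to declare the helper `static` and call `static::assertValidPassword($password);`. A registration test with one short and one valid password would catch this.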
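Review bot: `strlen($password) < 8` in assertValidPassword counts bytes, while the error message promises 8 characters, so a password of four two-byte UTF-8 characters passes the check. Count characters and reject non-string input explicitly, e.g. `if (! is_string($password) || mb_strlen($password, 'UTF-8') < 8) {`, assuming mbstring is available to the project. There is no upper bound either; if the hash behind the password mutator is bcrypt, bytes past 72 are ignored, so a documented maximum is worth adding. The check is only reached from the two call sites in this patch, so any code that assigns `password` directly would skip it, which the docblock should state.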