diff --git a/src/Umbraco.Web.UI/config/metablogConfig.config b/src/Umbraco.Web.UI/config/metablogConfig.config
index 82502df5e3..5621dbee75 100644
--- a/src/Umbraco.Web.UI/config/metablogConfig.config
+++ b/src/Umbraco.Web.UI/config/metablogConfig.config
@@ -5,7 +5,7 @@
0
1080
False
- umbBlog
+ Base
diff --git a/src/Umbraco.Web.UI/install/steps/DefaultUser.ascx.cs b/src/Umbraco.Web.UI/install/steps/DefaultUser.ascx.cs
index 897bb9ad85..1114ebd89a 100644
--- a/src/Umbraco.Web.UI/install/steps/DefaultUser.ascx.cs
+++ b/src/Umbraco.Web.UI/install/steps/DefaultUser.ascx.cs
@@ -1,6 +1,7 @@
using System;
using System.Web.Security;
using Umbraco.Core.Configuration;
+using Umbraco.Core.Security;
using Umbraco.Web.Install;
using Umbraco.Web.Security;
using umbraco.BusinessLogic;
@@ -60,7 +61,7 @@ namespace Umbraco.Web.UI.Install.Steps
}
// Is it using the default membership provider
- if (CurrentProvider is UsersMembershipProvider)
+ if (CurrentProvider.IsUmbracoUsersProvider())
{
// Save user in membership provider
var umbracoUser = user as UsersMembershipUser;
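Review bot: The `as` cast right after the new check can now return null without this branch noticing. The old `is UsersMembershipProvider` test was a concrete type test, whereas `IsUmbracoUsersProvider()` is an extension method whose matching rule is not visible in this hunk. If it matches anything broader than that type, `user` need not be a `UsersMembershipUser`. This looks like the installer step that saves the default user's credentials, so a silent skip or a later null dereference would be worse than a clear failure. Unless the lines below the hunk already check it, add `if (umbracoUser == null) throw new InvalidOperationException(...);` directly after the cast; the block continues outside the hunk.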
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs
index 6691a025e4..3582e873a4 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs
@@ -38,9 +38,12 @@ namespace umbraco.controls
var umbProvider = Provider as MembershipProviderBase;
if (umbProvider != null && umbProvider.AllowManuallyChangingPassword)
{
- return false;
+ _showOldPassword = false;
+ }
+ else
+ {
+ _showOldPassword = Provider.EnablePasswordRetrieval == false;
}
- _showOldPassword = Provider.EnablePasswordRetrieval == false;
}
return _showOldPassword.Value;
}
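Review bot: The getter now decides whether to ask for the current password from provider settings alone (`AllowManuallyChangingPassword`, otherwise `EnablePasswordRetrieval == false`), and nothing here separates an administrator resetting another account from a user changing their own. If this control is also rendered for self-service changes, turning the flag on removes the current-password confirmation there too, which is the check that limits what an unattended or hijacked session can do. The EditUser.aspx.cs hunks in this commit drop the explicit `passwordChanger.ShowOldPassword = false` override, so this getter is presumably the only place the decision is made now. Hiding the field is presentation only, so a comment above the branch would help, for example `// UI hint only: the provider's ChangePassword must still require the old password unless AllowManuallyChangingPassword is set`. The property starts outside the hunk.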
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
index efc7e525fc..1df2c849a0 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
@@ -167,14 +167,6 @@ namespace umbraco.cms.presentation.user
var passwordChanger = (passwordChanger) LoadControl(SystemDirectories.Umbraco + "/controls/passwordChanger.ascx");
passwordChanger.MembershipProviderName = UmbracoSettings.DefaultBackofficeProvider;
- //This is a hack to allow the admin to change a user's password to whatever they want - this will only work if we are using the
- // default umbraco membership provider.
- // See the notes below in the ChangePassword method.
- if (BackOfficeProvider.IsUmbracoUsersProvider())
- {
- passwordChanger.ShowOldPassword = false;
- }
-
//Add a custom validation message for the password changer
var passwordValidation = new CustomValidator
{
@@ -368,18 +360,6 @@ namespace umbraco.cms.presentation.user
lname.Text = (user == null) ? u.LoginName : user.UserName;
email.Text = (user == null) ? u.Email : user.Email;
- //// Prevent users from changing information if logged in through a custom provider
- //// custom provider mapped accounts have empty passwords by default... so set update user fields to read only
- //// this will not be a security issue because empty passwords are not allowed in membership provider.
- //// This might change in version 4.0
- //if (string.IsNullOrEmpty(u.GetPassword()))
- //{
- // uname.ReadOnly = true;
- // lname.ReadOnly = true;
- // email.ReadOnly = true;
- // passw.Visible = false;
- //}
-
contentPicker.Value = u.StartNodeId.ToString(CultureInfo.InvariantCulture);
mediaPicker.Value = u.StartMediaId.ToString(CultureInfo.InvariantCulture);
@@ -438,20 +418,6 @@ namespace umbraco.cms.presentation.user
var changePasswordModel = passwordChangerControl.ChangingPasswordModel;
- // Is it using the default membership provider
- if (BackOfficeProvider.IsUmbracoUsersProvider())
- {
- //This is a total hack so that an admin can change the password without knowing the previous one
- // we do this by simply passing in the already stored hashed/encrypted password in the database -
- // this shouldn't be allowed but to maintain backwards compatibility we need to do this because
- // this logic was previously allowed.
-
- //For this editor, we set the passwordChanger.ShowOldPassword = false so that the old password
- // field doesn't appear because we know we are going to manually set it here.
- // We'll change the model to have the already encrypted password stored in the db and that will continue to validate.
- changePasswordModel.OldPassword = u.Password;
- }
-
//now do the actual change
var changePassResult = _membershipHelper.ChangePassword(
membershipUser.UserName, changePasswordModel, BackOfficeProvider);
diff --git a/src/umbraco.providers/UsersMembershipProvider.cs b/src/umbraco.providers/UsersMembershipProvider.cs
index 6561482b89..1561b991bc 100644
--- a/src/umbraco.providers/UsersMembershipProvider.cs
+++ b/src/umbraco.providers/UsersMembershipProvider.cs
@@ -494,19 +494,6 @@ namespace umbraco.providers
return false;
}
- //Due to the way this legacy provider worked, when it 'validated' a password passed in, it would allow
- // having the already hashed/encrypted password checked directly - this is bad but hey, we gotta support legacy
- // don't we.
-
- //So, first we'll check if the user object's db stored password (already hashed/encrypted in the db) matches the password that
- // has been passed in, if so then we will confirm that it is valid. If it doesn't we'll attempt to hash/encrypt the passed in
- // password and then validate it - the way it is supposed to be done.
-
- if (user.Password == password)
- {
- return true;
- }
-
return CheckPassword(password, user.Password);
}
}