From 7e822bb8a1ffc2c344e3a92ee083b2bc3f64ee59 Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Fri, 15 Mar 2024 15:58:22 +0100
Subject: [PATCH 1/2] Fix after merge
(cherry picked from commit 3e08ce1efb2a7f73ec84e8140585c0eff1d7cb30)
---
 src/Umbraco.Core/Scoping/LockingMechanism.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Umbraco.Core/Scoping/LockingMechanism.cs b/src/Umbraco.Core/Scoping/LockingMechanism.cs
index 1fa779d221..171580407d 100644
--- a/src/Umbraco.Core/Scoping/LockingMechanism.cs
+++ b/src/Umbraco.Core/Scoping/LockingMechanism.cs
@@ -39,7 +39,7 @@ public class LockingMechanism : ILockingMechanism
 public void ReadLock(Guid instanceId, params int[] lockIds) => ReadLock(instanceId, null, lockIds);
 ///
- public void WriteLock(Guid instanceId, TimeSpan? timeout = null, params int[] lockIds) => EagerReadLockInner(instanceId, timeout, lockIds);
+ public void WriteLock(Guid instanceId, TimeSpan? timeout = null, params int[] lockIds) => EagerWriteLockInner(instanceId, timeout, lockIds);
 public void WriteLock(Guid instanceId, params int[] lockIds) => WriteLock(instanceId, null, lockIds);
From b743f6a2df7c4e8bc72d6aaffd2ae1544ed2ad1a Mon Sep 17 00:00:00 2001
From: Jey
Date: Mon, 18 Mar 2024 08:27:41 +0100
Subject: [PATCH 2/2] Merge pull request from GHSA-552f-97wf-pmpq
Co-authored-by: jey
---
 src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs b/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs
index 96f0025efa..231f2b3b1a 100644
--- a/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs
+++ b/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs
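Review bot: In LockingMechanism.cs the corrected `WriteLock(instanceId, timeout, lockIds)` overload has nothing that would catch the same slip again; delegating to `EagerReadLockInner` compiles and runs, and presumably just takes a weaker lock than the caller asked for. A unit test asserting that this overload goes down the write path would pin the behaviour across future merges. A why-comment on the line would help as well, for example `// Must delegate to the write path: the read variant compiles but does not give callers the lock they requested.` The class body continues outside the hunk, so the two inner methods are not visible here.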
@@ -134,8 +134,8 @@ public abstract class UmbracoUserManager : UserManager
 public override async Task CheckPasswordAsync(TUser user, string? password)
 {
- // we cannot proceed if the user passed in does not have an identity
- if (user.HasIdentity == false)
+ // we cannot proceed if the user passed in does not have an identity, or if no password is provided.
+ if (user.HasIdentity == false || password is null)
 {
 return false;
 }
@@ -252,7 +252,7 @@ public abstract class UmbracoUserManager : UserManager ValidateCredentialsAsync(string username, string password)
 {
 TUser user = await FindByNameAsync(username);
-
+
 if (user == null)
 {
 return false;
@@ -263,7 +263,7 @@ public abstract class UmbracoUserManager : UserManager));
 }
-
+
 var result = await VerifyPasswordAsync(userPasswordStore, user, password);
 return result == PasswordVerificationResult.Success || result == PasswordVerificationResult.SuccessRehashNeeded;
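Review bot: In the first hunk, the widened guard in CheckPasswordAsync still dereferences `user` before any null check, so a null `user` would throw instead of failing the check the way a null password now does. If callers can reach this override with a null user, `if (user is null || user.HasIdentity == false || password is null)` would send every malformed input down the same fail-closed path. Because this change closes a security advisory, a unit test that calls CheckPasswordAsync with a null password and asserts `false` would keep the guard from being lost in a later merge. The rest of the method lies outside the hunk, so whether rejected attempts are logged further down cannot be confirmed from here.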