From d69a978870beb7dc4ae1974854d3add8b222b6ad Mon Sep 17 00:00:00 2001
From: Warren Buckley <warren@umbraco.com>
Date: Wed, 8 May 2019 10:52:27 +0100
Subject: [PATCH] Fixes #4144 - Adds code back for allowing password changes
 without old password, that was removed in
 b0292159331f62ca755fa855b5ed30a98974387d

---
 src/Umbraco.Web/Editors/PasswordChanger.cs | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Web/Editors/PasswordChanger.cs b/src/Umbraco.Web/Editors/PasswordChanger.cs
index 266af76454..707db3796d 100644
--- a/src/Umbraco.Web/Editors/PasswordChanger.cs
+++ b/src/Umbraco.Web/Editors/PasswordChanger.cs
@@ -155,6 +155,8 @@ namespace Umbraco.Web.Editors
         /// <returns></returns>
         public Attempt<PasswordChangedModel> ChangePasswordWithMembershipProvider(string username, ChangingPasswordModel passwordModel, MembershipProvider membershipProvider)
         {
+            var umbracoBaseProvider = membershipProvider as MembershipProviderBase;
+
             // YES! It is completely insane how many options you have to take into account based on the membership provider. yikes!
 
             if (passwordModel == null) throw new ArgumentNullException("passwordModel");
@@ -183,7 +185,7 @@ namespace Umbraco.Web.Editors
                 //this is only possible when using a membership provider if the membership provider supports AllowManuallyChangingPassword
                 if (passwordModel.NewPassword.IsNullOrWhiteSpace() == false)
                 {
-                    if (membershipProvider is MembershipProviderBase umbracoBaseProvider && umbracoBaseProvider.AllowManuallyChangingPassword)
+                    if (umbracoBaseProvider !=null && umbracoBaseProvider.AllowManuallyChangingPassword)
                     {
                         //this provider allows manually changing the password without the old password, so we can just do it
                         try
@@ -248,6 +250,25 @@ namespace Umbraco.Web.Editors
                 return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Cannot set an empty password", new[] { "value" }) });
             }
 
+            //This is an edge case and is only necessary for backwards compatibility:
+            if (umbracoBaseProvider != null && umbracoBaseProvider.AllowManuallyChangingPassword)
+            {
+                //this provider allows manually changing the password without the old password, so we can just do it
+                try
+                {
+                    var result = umbracoBaseProvider.ChangePassword(username, "", passwordModel.NewPassword);
+                    return result == false
+                        ? Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Could not change password, invalid username or password", new[] { "value" }) })
+                        : Attempt.Succeed(new PasswordChangedModel());
+                }
+                catch (Exception ex)
+                {
+                    _logger.WarnWithException<PasswordChanger>("Could not change member password", ex);
+                    return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Could not change password, error: " + ex.Message + " (see log for full details)", new[] { "value" }) });
+                }
+            }
+
+
             //without being able to retrieve the original password, 
             //we cannot arbitrarily change the password without knowing the old one and no old password was supplied - need to return an error
             if (passwordModel.OldPassword.IsNullOrWhiteSpace() && membershipProvider.EnablePasswordRetrieval == false)