Version: 3.1.7.6
Steps to reproduce:
Create an item with a password
Edit the item and clear the password field
Save the item
Open the item again — the old password is still there, the change was not saved
Expected behavior: When the password field is cleared and saved, the item should be saved with an empty password (if "Allow item creation without password" is enabled).
Actual behavior: The old password remains unchanged in the database. The empty password is silently ignored.
Root cause (found in sources/items.queries.php, case update_item, around line 1206):
The condition for re-encrypting the password is:
if (
($session->get('user-create_item_without_password') !== 1 || !empty($post_password))
&& $post_password !== $pw
)
When the user clears the password: $post_password = '', so !empty($post_password) = false. Combined with create_item_without_password = 1, the entire condition evaluates to false, and the encryption block is skipped. The old password $data['pw'] is then reused instead of saving the empty value.
Suggested fix: Add an explicit check for intentional password clearing when create_item_without_password = 1 is enabled.
Version: 3.1.7.6
Steps to reproduce:
Create an item with a password
Edit the item and clear the password field
Save the item
Open the item again — the old password is still there, the change was not saved
Expected behavior: When the password field is cleared and saved, the item should be saved with an empty password (if "Allow item creation without password" is enabled).
Actual behavior: The old password remains unchanged in the database. The empty password is silently ignored.
Root cause (found in sources/items.queries.php, case update_item, around line 1206):
The condition for re-encrypting the password is:
if (
($session->get('user-create_item_without_password') !== 1 || !empty($post_password))
&& $post_password !== $pw
)
When the user clears the password: $post_password = '', so !empty($post_password) = false. Combined with create_item_without_password = 1, the entire condition evaluates to false, and the encryption block is skipped. The old password $data['pw'] is then reused instead of saving the empty value.
Suggested fix: Add an explicit check for intentional password clearing when create_item_without_password = 1 is enabled.