From 5c287f583b9e8526f086b1797c99bf52a338a797 Mon Sep 17 00:00:00 2001
From: "Cody B. Daig"
Date: Thu, 20 Aug 2015 09:26:07 -0700
Subject: [PATCH] [fix] Was storing a 6 char password in plain text [fixes #829]

---
 .../users/server/models/user.server.model.js | 2 +-
 .../tests/server/user.server.model.tests.js | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/modules/users/server/models/user.server.model.js b/modules/users/server/models/user.server.model.js
index 9be2a618ae..bcaff5d84b 100644
--- a/modules/users/server/models/user.server.model.js
+++ b/modules/users/server/models/user.server.model.js
@@ -107,7 +107,7 @@ var UserSchema = new Schema({
 * Hook a pre save method to hash the password
 */
 UserSchema.pre('save', function (next) {
- if (this.password && this.isModified('password') && this.password.length > 6) {
+ if (this.password && this.isModified('password') && this.password.length >= 6) {
 this.salt = crypto.randomBytes(16).toString('base64');
 this.password = this.hashPassword(this.password);
 }
diff --git a/modules/users/tests/server/user.server.model.tests.js b/modules/users/tests/server/user.server.model.tests.js
index 9479bc28f0..66890671c7 100644
--- a/modules/users/tests/server/user.server.model.tests.js
+++ b/modules/users/tests/server/user.server.model.tests.js
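Review bot: The hashing hook still skips any password shorter than six characters — `>= 6` only moves the boundary, so a five-character value that reaches `save()` is written unhashed, the same class of defect #829 reports. Hashing should not be gated on length at all: change the condition to `if (this.password && this.isModified('password')) {` and enforce the minimum length in a schema validator instead (presumably one exists in `UserSchema` above the hunk, but it is not visible here). `String.prototype.length` counts UTF-16 code units, so a length threshold inside the hook is also a poor proxy for password strength. The `pre('save')` callback continues past the hunk.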
@@ -155,6 +155,33 @@ describe('User Model Unit Tests:', function () {
 });
+ it('should not save the password in plain text', function (done) {
+ var _user = new User(user);
+ var passwordBeforeSave = _user.password;
+ _user.save(function (err) {
+ should.not.exist(err);
+ _user.password.should.not.equal(passwordBeforeSave);
+ _user.remove(function(err) {
+ should.not.exist(err);
+ done();
+ });
+ });
+ });
+
+ it('should not save the password in plain text (6 char password)', function (done) {
+ var _user = new User(user);
+ _user.password = '123456';
+ var passwordBeforeSave = _user.password;
+ _user.save(function (err) {
+ should.not.exist(err);
+ _user.password.should.not.equal(passwordBeforeSave);
+ _user.remove(function(err) {
+ should.not.exist(err);
+ done();
+ });
+ });
+ });
+
 describe("User E-mail Validation Tests", function() {
 it('should not allow invalid email address - "123"', function (done) {
 var _user = new User(user);