From 9d27e90740b302d4fb5531c92f1c2c8f06056fb2 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Fri, 5 Aug 2022 13:42:22 -0400
Subject: [PATCH] fix: don't require password challenge if no password is set
 in user account

---
 src/user/interstitials.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/user/interstitials.js b/src/user/interstitials.js
index 9674ac3144..fcec4b7f96 100644
--- a/src/user/interstitials.js
+++ b/src/user/interstitials.js
@@ -22,7 +22,11 @@ Interstitials.email = async (data) => {
 		return data;
 	}
 
-	const isAdminOrGlobalMod = await user.isAdminOrGlobalMod(data.req.uid);
+	const [isAdminOrGlobalMod, hasPassword] = await Promise.all([
+		user.isAdminOrGlobalMod(data.req.uid),
+		user.hasPassword(data.userData.uid),
+	]);
+
 	let email;
 	if (data.userData.uid) {
 		email = await user.getUserField(data.userData.uid, 'email');
@@ -33,7 +37,7 @@ Interstitials.email = async (data) => {
 		data: {
 			email,
 			requireEmailAddress: meta.config.requireEmailAddress,
-			update: !!data.userData.uid,
+			issuePasswordChallenge: !!data.userData.uid && hasPassword,
 		},
 		callback: async (userData, formData) => {
 			// Validate and send email confirmation
@@ -69,7 +73,7 @@ Interstitials.email = async (data) => {
 						await user.setUserField(userData.uid, 'email', formData.email);
 						await user.email.confirmByUid(userData.uid);
 					} else if (canEdit) {
-						if (!isPasswordCorrect) {
+						if (hasPassword && !isPasswordCorrect) {
 							throw new Error('[[error:invalid-password]]');
 						}
 
@@ -89,7 +93,7 @@ Interstitials.email = async (data) => {
 						throw new Error('[[error:invalid-email]]');
 					}
 
-					if (current.length && (isPasswordCorrect || isAdminOrGlobalMod)) {
+					if (current.length && (!hasPassword || (hasPassword && isPasswordCorrect) || isAdminOrGlobalMod)) {
 						// User explicitly clearing their email
 						await user.email.remove(userData.uid, data.req.session.id);
 					}