But this can cause a warning in sf2.8+ and break your app if you provide an empty string. If this needs to work as previously, why not simply change this to:

if (null ===$password ||'' ===$password) {// add violation that the password cannot be emptyreturn;}

That way there is no exception and no security issue.

That way there is no exception and no security issue.

WAT 😐 this means that when you provide an empty string it's considered valid, which is not the case at all. When you use this constraint you want to check if the provided password matches the current one. Leaving this empty means the user is bypassing security!

If you want to make this optional use validation-groups.

@sstok I am not sure we both understand each other, but my proposition is to automatically put a constraint violation if the password is empty. In newer implementations of the password checker, anull value raises a warning and thus breaks the app, hence why ignoring empty passwords was done in the first place.

EDIT To clarify - initially the PR simply removed theif statement, so it would not work properly still. It has been changed since then and all is OK now.

Thank you@xabbuh.

In theory, wasn't an empty password'' potentially valid before? Now it's never valid. Looks like a BC break to me.

@Tobion I agree this is a BC break, but for security reasons this is more logical.