From 78917490766f82ef6d218ffccac141bb68542859 Mon Sep 17 00:00:00 2001
From: Demian Katz <demian.katz@villanova.edu>
Date: Wed, 2 Mar 2016 11:53:01 -0500
Subject: [PATCH] Do not wipe out Shibboleth credentials on logout. - Thanks to
 @Cloud8 and @lahmann - Resolves PR #612.

---
 module/VuFind/src/VuFind/Auth/Shibboleth.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/module/VuFind/src/VuFind/Auth/Shibboleth.php b/module/VuFind/src/VuFind/Auth/Shibboleth.php
index c435c6e62dd..591e2381dfe 100644
--- a/module/VuFind/src/VuFind/Auth/Shibboleth.php
+++ b/module/VuFind/src/VuFind/Auth/Shibboleth.php
@@ -121,9 +121,21 @@ class Shibboleth extends AbstractBase
             }
         }
 
-        // Save credentials if applicable:
+        // Save credentials if applicable. Note that if $catPassword is empty,
+        // we'll pass through the existing password already in the database;
+        // otherwise, when users log out, their passwords may be cleared from
+        // the database. We can't simply skip saving credentials when the password
+        // is empty, because in some scenarios, an empty password is normal.
+        // Note that this leaves an edge case where, if a user changes their
+        // password from something to nothing, VuFind will not properly clear it
+        // out. This seems unlikely, but if it is encountered, we may need to
+        // add more logic here. See https://github.com/vufind-org/vufind/pull/612
+        // for related discussion.
         if (!empty($user->cat_username)) {
-            $user->saveCredentials($user->cat_username, $catPassword);
+            $user->saveCredentials(
+                $user->cat_username,
+                empty($catPassword) ? $user->cat_password : $catPassword
+            );
         }
 
         // Save and return the user object:
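Review bot: The fallback on the `empty($catPassword) ? $user->cat_password : $catPassword` line uses `empty()`, which is also true for the string `'0'`, so a catalog password or PIN of `0` supplied by Shibboleth would be silently replaced by the stored value; an explicit test such as `$catPassword === null || $catPassword === ''` avoids that. The fallback also reads the raw `cat_password` property. If this installation keeps catalog passwords encrypted in a separate column (not visible in this hunk), that property may be empty and the save would still clear the credential this commit is meant to preserve, so a decrypting accessor on the user row, if one exists, would be the safer source. The comment could state that assumption, e.g. `// Assumes $user->cat_password holds the usable stored password.` The enclosing method begins above the hunk and continues below it.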
-- 
GitLab