Auth not validating properly on saving passwords

This seemed to be working perfectly, I added a checkbox to my form so the user can decide whether to change the password or not. In the add user action the validation works fine and won't save the user if there are any errors, but with my edit user action it will still save them when both password fields are blank, but still validate them properly if there's any data in either password input. Here's my model:

class User extends AppModel {
var $name = 'User';
var $displayField = 'name';
var $validate = array(
    'username' => array(
        'notempty' => array(
            'rule' => array('notempty'),
            'message' => 'User must have a username to login with',
        ),
    ),
    'password' => array(
        'notempty' => array(
            'rule' => array('notempty'),
            'message' => 'User must have a password',
        ),
        'alphanumeric' => array(
            'rule' => array('alphanumeric'),
            'required' => true,
            'message' => 'User must have a password'
        ),
        'minlength' => array(
            'rule' => array('minlength', 6),
            'message' => 'Password must be at least 6 characters',
        ),
        'confirmPassword' => array(
            'rule' => array('confirmPassword', 'password'),
            'message' => 'Passwords do not match'
        ),
    ),
    'password_confirm' => array(
        'notempty' => array(
            'rule' => array('notempty'),
            'message' => 'User must have a password',
        ),
        'alphanumeric' => array(
            'rule' => array('alphanumeric'),
            'required' => true,
            'message' 开发者_StackOverflow社区=> 'User must have a password'
        ),
        'minlength' => array(
            'rule' => array('minlength', 6),
            'message' => 'Password must be at least 6 characters',
        ),
    ),
);

function confirmPassword($data) {
    return ($data['password'] === Security::hash(Configure::read('Security.salt').$this->data['User']['password_confirm']));
}

And here's my edit user action:

function admin_edit($id = null) {
    $this->set('title_for_layout', 'Users / Editing User');

    if (!$id && empty($this->data)) {
        $this->Session->setFlash(__('Invalid user specified', true), 'flash_error');
        $this->redirect(array('action' => 'index'));
    }
    if (!empty($this->data)) {
        $redirect = array('action' => 'index');
        if ($this->data['User']['edit_password'] == 1) {
            $fields = array('username', 'confirm_password', 'password', 'name');
            if ($this->data['User']['id'] == $this->Auth->user('id')) {
                $redirect['action'] = 'logout';
            }
        } else {
            $fields = array('username', 'name');
        }

        if ($this->User->save($this->data, true, $fields)) {
            $this->Session->setFlash(__(sprintf('The user <i>%s</i> was saved successfully.', $this->data['User']['username']), true), 'flash_success');
            $this->redirect($redirect);
        } else {
            $this->Session->setFlash(__('There were errors when trying to save the user', true), 'flash_error');
        }
    }
    if (empty($this->data)) {
        $this->data = $this->User->read(null, $id);
        $this->data['User']['password'] = '';
        $this->data['User']['edit_password'] = 0;
    }
}

---

Sorry in advance as this is only a half-answer, but should get you moving in the right direction.

The Auth component will automatically hash the password field if the username field is also present in the submitted data

So you have set up your data to either anticipate this.. or avoid it.

This method will come in handy too. http://book.cakephp.org/view/1259/hashPasswords