From ab7ebd65c99e830e05976e94c87cf64c874a402c Mon Sep 17 00:00:00 2001
From: Andrea Piovanelli <83577153+AndreaPiovanelliLaser@users.noreply.github.com>
Date: Fri, 30 Sep 2022 09:00:00 +0200
Subject: [PATCH] Logon crash when checking if password is expired (#8624)

* Added null check for last password change date. If that is null, use user date creation to check for password expiration.
* Added nullable date checks in AccountController ChangeExpiredPassword action too.
---
 .../Orchard.Users/Controllers/AccountController.cs | 6 +++++-
 .../Orchard.Users/Services/MembershipService.cs | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
index c18972513..541ff8fb6 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
@@ -332,7 +332,11 @@ namespace Orchard.Users.Controllers {
 var membershipSettings = _membershipService.GetSettings();
 var userPart = _membershipService.GetUser(username).As();
 var lastPasswordChangeUtc = userPart.LastPasswordChangeUtc;
- if (lastPasswordChangeUtc.Value.AddDays(membershipSettings.PasswordExpirationTimeInDays) > _clock.UtcNow &&
+ // If there is no last password change date, use user creation date.
+ if (lastPasswordChangeUtc == null) {
+ lastPasswordChangeUtc = userPart.CreatedUtc;
+ }
+ if (lastPasswordChangeUtc != null && lastPasswordChangeUtc.Value.AddDays(membershipSettings.PasswordExpirationTimeInDays) > _clock.UtcNow &&
 !userPart.ForcePasswordChange) {
 return RedirectToAction("LogOn");
 }
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs b/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs
index 333c216ff..8b7f4161c 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs
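Review bot: In the AccountController.cs hunk the CreatedUtc fallback is re-implemented inline instead of being shared with `MembershipService.PasswordIsExpired`, so the password-expiry rule now lives in two places that a later change can move apart. The two copies already disagree at the boundary: this action tests `> _clock.UtcNow` for "not expired" while the service tests `< _clock.UtcNow` for "expired", so a timestamp exactly equal to now counts as expired here and as valid there. Consider having the service expose the effective last-change date (or the expiry decision without the prevent-expiration override) and calling it from both sites. The both-null case also deserves a comment above the second `if`, for example `// Both dates null: treat the password as expired and fall through to the rest of the action.` The enclosing action starts and ends outside the hunk.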
+++ b/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs
@@ -167,7 +167,19 @@ namespace Orchard.Users.Services {
 public bool PasswordIsExpired(IUser user, int days) {
 // TODO: add providers to extend this
- var passwordIsExpired = user.As().LastPasswordChangeUtc.Value.AddDays(days) < _clock.UtcNow;
+
+ // Null check on LastPasswordChangeUtc.
+ // If this is null, use CreatedUtc as if it's the last password change date.
+ // If both are null, consider the password to be expired.
+ var passwordIsExpired = true;
+ DateTime? date = null;
+ date = user.As().LastPasswordChangeUtc;
+ if (date == null) {
+ date = user.As().CreatedUtc;
+ }
+ if (date != null) {
+ passwordIsExpired = date.Value.AddDays(days) < _clock.UtcNow;
+ }
 var securityPart = user.As();
 var preventExpiration = securityPart != null && securityPart.PreventPasswordExpiration;
 return passwordIsExpired
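Review bot: `user.As()` is still dereferenced without a null check on the added `date = user.As().LastPasswordChangeUtc;` line, although the same kind of call is guarded with `securityPart != null` a few lines further down, so a user lacking that part would presumably still throw during logon (the generic arguments are stripped in this view, so the two calls may target different parts). Reading the part once into a local and deciding explicitly what a missing part means, most safely "expired", would close that gap. The date selection itself can be one line, `var date = part.LastPasswordChangeUtc ?? part.CreatedUtc;`, which also removes the redundant `DateTime? date = null;` initialiser. The final `return` line is cut off in this view.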