From 2d18b73138e94d20591fcb41f880e330939b6c02 Mon Sep 17 00:00:00 2001
From: Daniel Meltzer <dmeltzer.devel@gmail.com>
Date: Wed, 20 Jun 2018 04:59:04 -0400
Subject: [PATCH] Fix #5408. (#5715)

The temporary password cannot be added to the users data until after do
any update-related logic, otherwise their password will be overwritten.
---
 app/Importer/UserImporter.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/Importer/UserImporter.php b/app/Importer/UserImporter.php
index 4e852e621d..258f339060 100644
--- a/app/Importer/UserImporter.php
+++ b/app/Importer/UserImporter.php
@@ -37,7 +37,6 @@ class UserImporter extends ItemImporter
         $this->item['phone'] = $this->findCsvMatch($row, 'phone_number');
         $this->item['jobtitle'] = $this->findCsvMatch($row, 'jobtitle');
         $this->item['employee_num'] = $this->findCsvMatch($row, 'employee_num');
-        $this->item['password'] = $this->tempPassword;
         $user = User::where('username', $this->item['username'])->first();
         if ($user) {
             if (!$this->updating) {
@@ -45,11 +44,14 @@ class UserImporter extends ItemImporter
                 return;
             }
             $this->log('Updating User');
-            // $user = $this->users[$userId];
             $user->update($this->sanitizeItemForUpdating($user));
             $user->save();
             return;
         }
+        // This needs to be applied after the update logic, otherwise we'll overwrite user passwords
+        // Issue #5408
+        $this->item['password'] = $this->tempPassword;
+
         $this->log("No matching user, creating one");
         $user = new User();
         $user->fill($this->sanitizeItemForStoring($user));