This code in UsersController.php:
if (empty($this->request->getData('password'))) {
$password = $this->Users->getOldPassword($id);
$user->password = $password;
}
if ($this->Users->save($user)) {
has the effect of changing the user's password to the hash of what their password previously was. So if they ever submit the form without changing their password, their existing password becomes unusable.
This code in
UsersController.php:has the effect of changing the user's password to the hash of what their password previously was. So if they ever submit the form without changing their password, their existing password becomes unusable.