Hello. Here’s one approach.
[list=1]
[*]Don’t render the password attribute at all in your user form when you are updating (using [font=“Courier New”]if($model->isNewRecord)[/font] for instance)
[*]Remove the password attribute (and any password_repeat) from the ‘required’ array in your user Model validation rules, and add a new validation rule for the password (and password_repeat) on ‘insert’ only.
[/list]
This may be tricky if you want to offer as well password change in your application. If that case, you should rather render 3 other attributes:
[list=1]
[*]Old password (leave empty if no change)
[*]New password (leave empty if no change)
[*]Repeat new password (leave empty if no change) — you may keep the same "repeat password" from the create scenario if you had one.
[/list]
In your model rules, you may:
[list=1]
[*]Remove the password attribute (and any password_repeat) from the ‘required’ array, and add a new validation rule for the password (and password_repeat) on ‘insert’ only
[*]Declare as public the three new attributes above
[*]Add your custom validation rule checking if "old password" attribute is set, then compare it (hashed) to the value stored in the DB
[*]Make the three new attributes required on ‘update’ scenario
[*]Add your format validation rule for the new password
[*]Add a compare validation rule between the repeat value and the new password value
[/list]
P.S. The order of the validation rules can be important. The one above seems to do the job, but you may try other ones if you like.