hit the is_valid method before stripping the special fields in credential view

awx/api/views.py

@@ -1231,6 +1231,11 @@ class CredentialList(ListCreateAPIView):
     serializer_class = CredentialSerializerCreate
 
     def post(self, request, *args, **kwargs):
+
+        # Check the validity of POST data, including special fields
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
         for field in [x for x in ['user', 'team', 'organization'] if x in request.data and request.data[x] in ('', None)]:
             request.data.pop(field)
             kwargs.pop(field, None)

awx/main/tests/functional/api/test_credential.py

@@ -21,6 +21,16 @@ def test_create_user_credential_via_credentials_list(post, get, alice):
     assert response.status_code == 200
     assert response.data['count'] == 1
 
+@pytest.mark.django_db
+def test_credential_validation_error_with_bad_user(post, alice):
+    response = post(reverse('api:credential_list'), {
+        'user': 'asdf',
+        'name': 'Some name',
+        'username': 'someusername'
+    }, alice)
+    assert response.status_code == 403
+    assert response.data['detail'] == 'You do not have permission to perform this action.'
+
 @pytest.mark.django_db
 def test_create_user_credential_via_user_credentials_list(post, get, alice):
     response = post(reverse('api:user_credentials_list', args=(alice.pk,)), {