Merge pull request #240 from chrismeyersfsu/fix-user_creation_password_required

user password required on creation

awx/api/serializers.py

@@ -594,6 +594,10 @@ class UserSerializer(BaseSerializer):
 
     def restore_object(self, attrs, instance=None):
         new_password = attrs.pop('password', None)
+        # first time creating, password required
+        if instance is None and new_password in (None, ''):
+            self._errors = {'password': ['Password required for new User']}
+            return
         instance = super(UserSerializer, self).restore_object(attrs, instance)
         instance._new_password = new_password
         return instance

awx/main/tests/organizations.py

@@ -288,7 +288,7 @@ class OrganizationsTest(BaseTest):
         self.assertEqual(users['count'], 2)
 
         # post a completely new user to verify we can add users to the subcollection directly
-        new_user = dict(username='NewUser9000')
+        new_user = dict(username='NewUser9000', password='NewPassword9000')
         which_org = self.normal_django_user.admin_of_organizations.all()[0]
         url = reverse('api:organization_users_list', args=(which_org.pk,))
         self.post(url, new_user, expect=201, auth=self.get_normal_credentials())

awx/main/tests/projects.py

@@ -419,11 +419,11 @@ class ProjectsTest(BaseTransactionTest):
             self.post(team_users, data=dict(x, is_superuser=False),
                       expect=204, auth=self.get_normal_credentials())
         # The normal admin user can't create a super user vicariously through the team/project
-        self.post(team_users, data=dict(username='attempted_superuser_create', is_superuser=True),
-                  expect=403, auth=self.get_normal_credentials())
+        self.post(team_users, data=dict(username='attempted_superuser_create', password='thepassword', 
+                  is_superuser=True), expect=403, auth=self.get_normal_credentials())
         # ... but a superuser can
-        self.post(team_users, data=dict(username='attempted_superuser_create', is_superuser=True),
-                  expect=201, auth=self.get_super_credentials())
+        self.post(team_users, data=dict(username='attempted_superuser_create', password='thepassword',
+                  is_superuser=True), expect=201, auth=self.get_super_credentials())
 
         self.assertEqual(Team.objects.get(pk=team.pk).users.count(), 5)
 

awx/main/tests/users.py

@@ -119,11 +119,16 @@ class UsersTest(BaseTest):
         self.organizations[0].users.add(self.other_django_user)
         self.organizations[0].users.add(self.normal_django_user)
         self.organizations[1].users.add(self.other_django_user)
+
+    def test_user_creation_fails_without_password(self):
+        url = reverse('api:user_list')
+        new_user = dict(username='blippy')
+        self.post(url, expect=400, data=new_user, auth=self.get_super_credentials())
  
     def test_only_super_user_or_org_admin_can_add_users(self):
         url = reverse('api:user_list')
-        new_user = dict(username='blippy')
-        new_user2 = dict(username='blippy2')
+        new_user = dict(username='blippy', password='hippy')
+        new_user2 = dict(username='blippy2', password='hippy2')
         self.post(url, expect=401, data=new_user, auth=None)
         self.post(url, expect=401, data=new_user, auth=self.get_invalid_credentials())
         self.post(url, expect=403, data=new_user, auth=self.get_other_credentials())
@@ -138,7 +143,7 @@ class UsersTest(BaseTest):
 
     def test_only_super_user_can_use_superuser_flag(self):
         url = reverse('api:user_list')
-        new_super_user = dict(username='nommy', is_superuser=True)
+        new_super_user = dict(username='nommy', password='cookie', is_superuser=True)
         self.post(url, expect=401, data=new_super_user, auth=self.get_invalid_credentials())
         self.post(url, expect=403, data=new_super_user, auth=self.get_other_credentials())
         self.post(url, expect=403, data=new_super_user, auth=self.get_normal_credentials())