diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index b092d6cf7e..65a70e23c9 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -594,6 +594,10 @@ class UserSerializer(BaseSerializer):
 def restore_object(self, attrs, instance=None):
 new_password = attrs.pop('password', None)
+ # first time creating, password required
+ if instance is None and new_password in (None, ''):
+ self._errors = {'password': ['Password required for new User']}
+ return
 instance = super(UserSerializer, self).restore_object(attrs, instance)
 instance._new_password = new_password
 return instance
diff --git a/awx/main/tests/organizations.py b/awx/main/tests/organizations.py
index 0cd0108ee2..5a93443220 100644
--- a/awx/main/tests/organizations.py
+++ b/awx/main/tests/organizations.py
@@ -288,7 +288,7 @@ class OrganizationsTest(BaseTest):
 self.assertEqual(users['count'], 2)
 # post a completely new user to verify we can add users to the subcollection directly
- new_user = dict(username='NewUser9000')
+ new_user = dict(username='NewUser9000', password='NewPassword9000')
 which_org = self.normal_django_user.admin_of_organizations.all()[0]
 url = reverse('api:organization_users_list', args=(which_org.pk,))
 self.post(url, new_user, expect=201, auth=self.get_normal_credentials())
diff --git a/awx/main/tests/projects.py b/awx/main/tests/projects.py
index 3792db497b..0f3fecd771 100644
--- a/awx/main/tests/projects.py
+++ b/awx/main/tests/projects.py
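Review bot: In `UserSerializer.restore_object` (awx/api/serializers.py) the new guard rejects only `None` and `''`, and only when `instance is None`, so a whitespace-only password on create and an empty string on update both still reach `instance._new_password = new_password`. Whether a blank `_new_password` can overwrite a stored credential depends on the save path, which is outside this hunk, so that consumer should be confirmed to skip falsy values. The guard also replaces the whole error dict with `self._errors = {...}`; assuming the caller has already initialised `_errors`, `self._errors['password'] = ['Password required for new User']` would keep any error recorded earlier. A comment on the bare `return`, such as `# returns None; the caller is expected to check self._errors`, would make that contract explicit.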
@@ -419,11 +419,11 @@ class ProjectsTest(BaseTransactionTest):
 self.post(team_users, data=dict(x, is_superuser=False), expect=204, auth=self.get_normal_credentials())
 # The normal admin user can't create a super user vicariously through the team/project
- self.post(team_users, data=dict(username='attempted_superuser_create', is_superuser=True),
- expect=403, auth=self.get_normal_credentials())
+ self.post(team_users, data=dict(username='attempted_superuser_create', password='thepassword',
+ is_superuser=True), expect=403, auth=self.get_normal_credentials())
 # ... but a superuser can
- self.post(team_users, data=dict(username='attempted_superuser_create', is_superuser=True),
- expect=201, auth=self.get_super_credentials())
+ self.post(team_users, data=dict(username='attempted_superuser_create', password='thepassword',
+ is_superuser=True), expect=201, auth=self.get_super_credentials())
 self.assertEqual(Team.objects.get(pk=team.pk).users.count(), 5)
diff --git a/awx/main/tests/users.py b/awx/main/tests/users.py
index d4cd3618e6..3de0658beb 100644
--- a/awx/main/tests/users.py
+++ b/awx/main/tests/users.py
@@ -119,11 +119,16 @@ class UsersTest(BaseTest):
 self.organizations[0].users.add(self.other_django_user)
 self.organizations[0].users.add(self.normal_django_user)
 self.organizations[1].users.add(self.other_django_user)
+
+ def test_user_creation_fails_without_password(self):
+ url = reverse('api:user_list')
+ new_user = dict(username='blippy')
+ self.post(url, expect=400, data=new_user, auth=self.get_super_credentials())
 def test_only_super_user_or_org_admin_can_add_users(self):
 url = reverse('api:user_list')
- new_user = dict(username='blippy')
- new_user2 = dict(username='blippy2')
+ new_user = dict(username='blippy', password='hippy')
+ new_user2 = dict(username='blippy2', password='hippy2')
 self.post(url, expect=401, data=new_user, auth=None)
 self.post(url, expect=401, data=new_user, auth=self.get_invalid_credentials())
 self.post(url, expect=403, data=new_user, auth=self.get_other_credentials())
@@ -138,7 +143,7 @@ class UsersTest(BaseTest):
 def test_only_super_user_can_use_superuser_flag(self):
 url = reverse('api:user_list')
- new_super_user = dict(username='nommy', is_superuser=True)
+ new_super_user = dict(username='nommy', password='cookie', is_superuser=True)
 self.post(url, expect=401, data=new_super_user, auth=self.get_invalid_credentials())
 self.post(url, expect=403, data=new_super_user, auth=self.get_other_credentials())
 self.post(url, expect=403, data=new_super_user, auth=self.get_normal_credentials())
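Review bot: `test_user_creation_fails_without_password` (first hunk of awx/main/tests/users.py) only posts a body with no `password` key, while the serializer change in this commit also rejects an empty string. Adding `self.post(url, expect=400, data=dict(username='blippy', password=''), auth=self.get_super_credentials())` would pin that branch. Users are also created through the organization and team sub-collections, as the fixture changes in the other test files show, so a 400 case against one of those URLs would confirm the requirement holds there too. A one-line docstring such as `"""Creating a user without a password must be rejected with 400."""` would state what the test asserts.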