Summary

Update user API to allow creating users without a password.

Review Request #14450 — Created June 4, 2025 and submitted June 10, 2025, 2:17 p.m.

Information

Owner

david

Repository

Review Board

Branch

release-7.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

This change makes it possible to do a POST to the /api/users/ endpoint
without a password set, which will create the user with an unusable
password.

Testing Done

Ran unit tests.

Commits

Summary	ID
Update user API to allow creating users without a password. It's extremely common now to have authentication driven by LDAP/AD and/or SAML SSO. With this, admins increasingly want to provision users separately instead of just letting a successful authentication create the user account. This change makes it possible to do a POST to the /api/users/ endpoint without a password set, which will create the user with an unusable password. Testing Done: Ran unit tests.	ebf3e233c1f0e2b4110b70abeb7704b93bf5087f

Summary

Update user API to allow creating users without a password.

It's extremely common now to have authentication driven by LDAP/AD and/or SAML SSO. With this, admins increasingly want to provision users separately instead of just letting a successful authentication create the user account. This change makes it possible to do a POST to the /api/users/ endpoint without a password set, which will create the user with an unusable password. Testing Done: Ran unit tests.

ebf3e233c1f0e2b4110b70abeb7704b93bf5087f

Issues

Description	From	Last Updated
This will break if an anonymous user makes the request. We're (somewhat) checking for that right below. An AnonymousUser object …	chipx86	June 9, 2025, 5:11 p.m.

flake8 passed.

JSHint passed.

reviewboard/webapi/resources/user.py (Diff revision 1)

The issue has been dropped. Show all issues

This will break if an anonymous user makes the request. We're (somewhat) checking for that right below. An AnonymousUser object should be valid here.

Given this breakage, we should have a test for this scenario.

david June 6, 2025, 1:30 p.m.

An anonymous user can't get to this point in the code because the entire method is wrapped in @webapi_check_login_required

chipx86 June 9, 2025, 5:11 p.m.
```
Right. Not sure what I was thinking.
```

Ship it!

```
Ship It!
```

Status:: Completed
Change Summary:: Pushed to release-7.x (5222bb8)