Fixed password was not hashed on REST API update (#14340)

* Fixed password was not hashed on REST API update * When we updated a user password with a REST API call the password was stored in clear in plain text in the database. * Following code review * Move test on UserTest class * Call `super().update()` in overriding `update` method * Return directly the result of `super().update()`
2024-05-10 07:54:54 +00:00 · 2023-11-29 21:59:54 +01:00
parent c43c63a817
commit 3a3d43911c
2 changed files with 42 additions and 0 deletions
--- a/netbox/users/api/serializers.py
+++ b/netbox/users/api/serializers.py
@ -52,6 +52,16 @@ class UserSerializer(ValidatedModelSerializer):

        return user

+    def update(self, instance, validated_data):
+        """
+        Ensure proper updated password hash generation.
+        """
+        password = validated_data.pop('password', None)
+        if password is not None:
+            instance.set_password(password)
+
+        return super().update(instance, validated_data)
+
    @extend_schema_field(OpenApiTypes.STR)
    def get_display(self, obj):
        if full_name := obj.get_full_name():
--- a/netbox/users/tests/test_api.py
+++ b/netbox/users/tests/test_api.py
@ -54,6 +54,38 @@ class UserTest(APIViewTestCases.APIViewTestCase):
        )
        User.objects.bulk_create(users)

+    def test_that_password_is_changed(self):
+        """
+        Test that password is changed
+        """
+
+        obj_perm = ObjectPermission(
+            name='Test permission',
+            actions=['change']
+        )
+        obj_perm.save()
+        obj_perm.users.add(self.user)
+        obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
+
+        user_credentials = {
+            'username': 'user1',
+            'password': 'abc123',
+        }
+        user = User.objects.create_user(**user_credentials)
+
+        data = {
+            'password': 'newpassword'
+        }
+        url = reverse('users-api:user-detail', kwargs={'pk': user.id})
+
+        response = self.client.patch(url, data, format='json', **self.header)
+
+        self.assertEqual(response.status_code, 200)
+
+        updated_user = User.objects.get(id=user.id)
+
+        self.assertTrue(updated_user.check_password(data['password']))
+

 class GroupTest(APIViewTestCases.APIViewTestCase):
    model = Group