fix(UserApi): Fixed pre_update issue (#2347)

alexandrusoare · web-flow · commit f808c6c1e59d · 2025-05-14T09:20:36.000+01:00
* fix(userapi): fixed pre_update issue

* feat(test): adding unittests for the fix

* feat(test): adding unittests for the fix
diff --git a/flask_appbuilder/security/sqla/apis/user/api.py b/flask_appbuilder/security/sqla/apis/user/api.py
@@ -65,12 +65,12 @@ class UserApi(ModelRestApi):
     add_model_schema = UserPostSchema()
     edit_model_schema = UserPutSchema()
 
-    def pre_update(self, item):
+    def pre_update(self, item, data):
         item.changed_on = datetime.now()
         item.changed_by_fk = g.user.id
-        if item.password:
+        if "password" in data and data["password"]:
             item.password = generate_password_hash(
-                password=item.password,
+                password=data["password"],
                 method=self.appbuilder.get_app.config.get(
                     "FAB_PASSWORD_HASH_METHOD", "scrypt"
                 ),
@@ -220,7 +220,7 @@ def put(self, pk):
             if "roles" in item.keys():
                 model.roles = roles
 
-            self.pre_update(model)
+            self.pre_update(model, item)
             self.datamodel.edit(model, raise_exception=True)
             return self.response(
                 200,
diff --git a/tests/test_security_api.py b/tests/test_security_api.py
@@ -313,6 +313,7 @@ def test_create_user_with_invalid_role(self):
         token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)
 
         uri = "api/v1/security/users/"
+
         create_user_payload = {
             "active": True,
             "email": "fab@test_create_user_1.com",
@@ -393,6 +394,72 @@ def test_edit_user(self):
             self.session.delete(r)
         self.session.commit()
 
+    def test_edit_user_check_password(self):
+        client = self.app.test_client()
+        token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)
+        role_id = self.appbuilder.sm.find_role("Admin").id
+        uri = "api/v1/security/users/"
+        create_user_payload = {
+            "active": True,
+            "email": "test_password@test.com",
+            "first_name": "test",
+            "last_name": "test",
+            "password": "password",
+            "roles": [role_id],
+            "username": "test_password",
+        }
+        rv = self.auth_client_post(client, token, uri, create_user_payload)
+        self.assertEqual(rv.status_code, 201)
+
+        user = self.appbuilder.sm.find_user(username="test_password")
+        self.assertIsNotNone(user)
+        user_id = user.id
+        old_password_hash = user.password
+
+        update_payload = {"username": "test_password_renamed"}
+        rv = self.auth_client_put(client, token, f"{uri}{user_id}", update_payload)
+        self.assertEqual(rv.status_code, 200)
+
+        updated_user = self.appbuilder.sm.find_user(username="test_password_renamed")
+        self.assertIsNotNone(updated_user)
+        self.assertEqual(updated_user.password, old_password_hash)
+
+        self.session.delete(updated_user)
+        self.session.commit()
+
+    def test_edit_user_change_password(self):
+        client = self.app.test_client()
+        token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)
+        role_id = self.appbuilder.sm.find_role("Admin").id
+        uri = "api/v1/security/users/"
+
+        create_user_payload = {
+            "active": True,
+            "email": "test_change_password@test.com",
+            "first_name": "test",
+            "last_name": "test",
+            "password": "initial_password",
+            "roles": [role_id],
+            "username": "test_change_password",
+        }
+        rv = self.auth_client_post(client, token, uri, create_user_payload)
+        self.assertEqual(rv.status_code, 201)
+
+        user = self.appbuilder.sm.find_user(username="test_change_password")
+        self.assertIsNotNone(user)
+        user_id = user.id
+        old_password_hash = user.password
+
+        update_payload = {"password": "new_secure_password"}
+        rv = self.auth_client_put(client, token, f"{uri}{user_id}", update_payload)
+        self.assertEqual(rv.status_code, 200)
+
+        updated_user = self.appbuilder.sm.find_user(username="test_change_password")
+        self.assertIsNotNone(updated_user)
+        self.assertNotEqual(updated_user.password, old_password_hash)
+
+        self.appbuilder.sm.del_register_user(updated_user)
+
     def test_delete_user(self):
         client = self.app.test_client()
         token = self.login(client, USERNAME_ADMIN, PASSWORD_ADMIN)
