Fixed password was not hashed on REST API update (#14340)

fanshan · web-flow · commit 3a3d43911cd4 · 2023-11-29T15:59:54.000-05:00
* Fixed password was not hashed on REST API update

* When we updated a user password with a REST API call the password was
  stored in clear in plain text in the database.

* Following code review

* Move test on UserTest class
* Call `super().update()` in overriding `update` method

* Return directly the result of `super().update()`
diff --git a/netbox/users/api/serializers.py b/netbox/users/api/serializers.py
@@ -52,6 +52,16 @@ def create(self, validated_data):
 
         return user
 
+    def update(self, instance, validated_data):
+        """
+        Ensure proper updated password hash generation.
+        """
+        password = validated_data.pop('password', None)
+        if password is not None:
+            instance.set_password(password)
+
+        return super().update(instance, validated_data)
+
     @extend_schema_field(OpenApiTypes.STR)
     def get_display(self, obj):
         if full_name := obj.get_full_name():
diff --git a/netbox/users/tests/test_api.py b/netbox/users/tests/test_api.py
@@ -54,6 +54,38 @@ def setUpTestData(cls):
         )
         User.objects.bulk_create(users)
 
+    def test_that_password_is_changed(self):
+        """
+        Test that password is changed
+        """
+
+        obj_perm = ObjectPermission(
+            name='Test permission',
+            actions=['change']
+        )
+        obj_perm.save()
+        obj_perm.users.add(self.user)
+        obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
+
+        user_credentials = {
+            'username': 'user1',
+            'password': 'abc123',
+        }
+        user = User.objects.create_user(**user_credentials)
+
+        data = {
+            'password': 'newpassword'
+        }
+        url = reverse('users-api:user-detail', kwargs={'pk': user.id})
+
+        response = self.client.patch(url, data, format='json', **self.header)
+
+        self.assertEqual(response.status_code, 200)
+
+        updated_user = User.objects.get(id=user.id)
+
+        self.assertTrue(updated_user.check_password(data['password']))
+
 
 class GroupTest(APIViewTestCases.APIViewTestCase):
     model = Group
