Optionally make users created via the API set their password

6fab6d94 · Joost Rijneveld · 52ea5051 · 6fab6d94 · 6fab6d94 · 6fab6d94
Commit 6fab6d94 authored Feb 03, 2017 by Joost Rijneveld
4 changed files
--- a/changelogs/unreleased/1051-api-create-users-without-password.yml
+++ b/changelogs/unreleased/1051-api-create-users-without-password.yml
+---
+title: Optionally make users created via the API set their password
+merge_request: 8957
+author: Joost Rijneveld
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -216,7 +216,7 @@ Parameters:

 ## User creation

-Creates a new user. Note only administrators can create new users.
+Creates a new user. Note only administrators can create new users. Either `password` or `reset_password` should be specified (`reset_password` takes priority).

 ```
 POST /users
@@ -225,7 +225,8 @@ POST /users
 Parameters:

 - `email` (required)            - Email
- `password` (required)         - Password
+- `password` (optional)         - Password
+- `reset_password` (optional)   - Send user password reset link - true or false(default)
 - `username` (required)         - Username
 - `name` (required)             - Name
 - `skype` (optional)            - Skype ID

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -82,7 +82,9 @@ module API
      end
      params do
        requires :email, type: String, desc: 'The email of the user'
-        requires :password, type: String, desc: 'The password of the new user'
+        optional :password, type: String, desc: 'The password of the new user'
+        optional :reset_password, type: Boolean, desc: 'Flag indicating the user will be sent a password reset token'
+        at_least_one_of :password, :reset_password
        requires :name, type: String, desc: 'The name of the user'
        requires :username, type: String, desc: 'The username of the user'
        use :optional_attributes
@@ -94,8 +96,18 @@ module API
        user_params = declared_params(include_missing: false)
        identity_attrs = user_params.slice(:provider, :extern_uid)
        confirm = user_params.delete(:confirm)
+        user = User.new(user_params.except(:extern_uid, :provider, :reset_password))
+
+        if user_params.delete(:reset_password)
+          user.attributes = {
+            force_random_password: true,
+            password_expires_at: nil,
+            created_by_id: current_user.id
+          }
+          user.generate_password
+          user.generate_reset_token
+        end

-        user = User.new(user_params.except(:extern_uid, :provider))
        user.skip_confirmation! unless confirm

        if identity_attrs.any?

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -190,6 +190,18 @@ describe API::Users, api: true  do
      expect(new_user.external).to be_truthy
    end

+    it "creates user with reset password" do
+      post api('/users', admin), attributes_for(:user, reset_password: true).except(:password)
+
+      expect(response).to have_http_status(201)
+
+      user_id = json_response['id']
+      new_user = User.find(user_id)
+
+      expect(new_user).not_to eq(nil)
+      expect(new_user.recently_sent_password_reset?).to eq(true)
+    end
+
    it "does not create user with invalid email" do
      post api('/users', admin),
        email: 'invalid email',