diff --git a/changelogs/unreleased/1051-api-create-users-without-password.yml b/changelogs/unreleased/1051-api-create-users-without-password.yml
new file mode 100644
index 0000000000000000000000000000000000000000..24b5a73b45c75a87cfdfa5fac4e3fcd285810a2c
--- /dev/null
+++ b/changelogs/unreleased/1051-api-create-users-without-password.yml
@@ -0,0 +1,4 @@
+---
+title: Optionally make users created via the API set their password
+merge_request: 8957
+author: Joost Rijneveld
diff --git a/doc/api/users.md b/doc/api/users.md
index fea9bdf9639dd37da8112eb89f7ed95ba7c1741d..ed3469521fc9d0b72924cc56fa5d27f9d88d348f 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -216,7 +216,7 @@ Parameters:
 
 ## User creation
 
-Creates a new user. Note only administrators can create new users.
+Creates a new user. Note only administrators can create new users. Either `password` or `reset_password` should be specified (`reset_password` takes priority).
 
 ```
 POST /users
@@ -225,7 +225,8 @@ POST /users
 Parameters:
 
 - `email` (required) - Email
-- `password` (required) - Password
+- `password` (optional) - Password
+- `reset_password` (optional) - Send user password reset link - true or false(default)
 - `username` (required) - Username
 - `name` (required) - Name
 - `skype` (optional) - Skype ID
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 4980a90f952a3d0e15713e17b220c9323ab81013..82ac3886ac3b9feb3e6b8034f4cc41d3fa432219 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -82,7 +82,9 @@ module API
 end
 params do
 requires :email, type: String, desc: 'The email of the user'
-requires :password, type: String, desc: 'The password of the new user'
+optional :password, type: String, desc: 'The password of the new user'
+optional :reset_password, type: Boolean, desc: 'Flag indicating the user will be sent a password reset token'
+at_least_one_of :password, :reset_password
 requires :name, type: String, desc: 'The name of the user'
 requires :username, type: String, desc: 'The username of the user'
 use :optional_attributes
@@ -94,8 +96,18 @@ module API
 user_params = declared_params(include_missing: false)
 identity_attrs = user_params.slice(:provider, :extern_uid)
 confirm = user_params.delete(:confirm)
+user = User.new(user_params.except(:extern_uid, :provider, :reset_password))
+
+if user_params.delete(:reset_password)
+user.attributes = {
+force_random_password: true,
+password_expires_at: nil,
+created_by_id: current_user.id
+}
+user.generate_password
+user.generate_reset_token
+end
 
-user = User.new(user_params.except(:extern_uid, :provider))
 user.skip_confirmation! unless confirm
 
 if identity_attrs.any?
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 8692f9da976eb149ad5757288f367bd323dbcf09..5958012672ed4db6a0951802bc45461fabfb5a78 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -190,6 +190,18 @@ describe API::Users, api: true do
 expect(new_user.external).to be_truthy
 end
 
+it "creates user with reset password" do
+post api('/users', admin), attributes_for(:user, reset_password: true).except(:password)
+
+expect(response).to have_http_status(201)
+
+user_id = json_response['id']
+new_user = User.find(user_id)
+
+expect(new_user).not_to eq(nil)
+expect(new_user.recently_sent_password_reset?).to eq(true)
+end
+
 it "does not create user with invalid email" do
 post api('/users', admin), email: 'invalid email',
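Review bot: `at_least_one_of :password, :reset_password` is satisfied by the presence of either key, not by its value, so a request with `reset_password: false` and no `password` — a combination the docs invite by describing the flag as `true or false(default)` — passes validation and falls through to `User.new` in the second hunk with no password at all; what the client gets back then depends on the save/validation handling below that hunk, which is outside this view. An explicit guard makes the contract match the documentation, e.g. `bad_request!('password') if user_params[:password].blank? && !user_params[:reset_password]` at the top of the handler body. The `desc:` of `:password` could also state that it is discarded when `reset_password` is true, which the doc change in this commit already promises: `desc: 'The password of the new user (ignored when reset_password is true)'`. The `params` block closes outside the hunk.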
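Review bot: The `reset_password` branch overrides whatever `password` the client sent (`force_random_password: true` followed by `user.generate_password`) and clears `password_expires_at`, but no comment says why, and the reader cannot see here how the token from `user.generate_reset_token` reaches the user — presumably a hook after save mails it; confirm. A short comment over the `if` would carry the intent: `# reset_password wins over a supplied password (see doc/api/users.md): the account starts with a random password and the user picks a real one via the emailed reset token, so no password expiry is forced here.` Also `:reset_password` is already excluded from the `User.new` call, so `user_params.delete(:reset_password)` only serves as a read; `if user_params[:reset_password]` says that directly, unless `user_params` is reused further down, which is outside the hunk. The `post` handler continues beyond the hunk.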