User Password: Add toggle to require on creation (#10962)

dojo/api_v2/serializers.py

@@ -553,7 +553,7 @@ def validate(self, data):
         if self.context["request"].method in ["PATCH", "PUT"] and "password" in data:
             msg = "Update of password though API is not allowed"
             raise ValidationError(msg)
-        if self.context["request"].method == "POST" and "password" not in data:
+        if self.context["request"].method == "POST" and "password" not in data and settings.REQUIRE_PASSWORD_ON_USER:
             msg = "Passwords must be supplied for new users"
             raise ValidationError(msg)
         else:

dojo/forms.py

@@ -2170,7 +2170,7 @@ def clean(self):
 class AddDojoUserForm(forms.ModelForm):
     email = forms.EmailField(required=True)
     password = forms.CharField(widget=forms.PasswordInput,
-        required=True,
+        required=settings.REQUIRE_PASSWORD_ON_USER,
         validators=[validate_password],
         help_text="")
 

dojo/settings/.settings.dist.py.sha256sum

@@ -1 +1 @@
-f7e63afa0003d1992f8247f9a7a830847bd7498fa1e2d46d6ea04e3006bb9ee2
+aa4ec1520b0bc612431ecb7f80a53cca997fd415ff39d8b9c718fb3fc30b2fef

dojo/settings/settings.dist.py

@@ -304,6 +304,8 @@
     DD_QUALYS_LEGACY_SEVERITY_PARSING=(bool, True),
     # Use System notification settings to override user's notification settings
     DD_NOTIFICATIONS_SYSTEM_LEVEL_TRUMP=(list, ["user_mentioned", "review_requested"]),
+    # When enabled, force the password field to be required for creating/updating users
+    DD_REQUIRE_PASSWORD_ON_USER=(bool, True),
 )
 
 
@@ -527,6 +529,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 CLASSIC_AUTH_ENABLED = True
 FORGOT_PASSWORD = env("DD_FORGOT_PASSWORD")
+REQUIRE_PASSWORD_ON_USER = env("DD_REQUIRE_PASSWORD_ON_USER")
 FORGOT_USERNAME = env("DD_FORGOT_USERNAME")
 PASSWORD_RESET_TIMEOUT = env("DD_PASSWORD_RESET_TIMEOUT")
 # Showing login form (form is not needed for external auth: OKTA, Google Auth, etc.)