From 8a185d963af8655cd55211bbb825b47d7229a6db Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:57:05 -0500
Subject: [PATCH] User Password: Add toggle to require on creation (#10962)

---
 dojo/api_v2/serializers.py | 2 +-
 dojo/forms.py | 2 +-
 dojo/settings/.settings.dist.py.sha256sum | 2 +-
 dojo/settings/settings.dist.py | 3 +++
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 78ea12e7adf..1cc6d35ed09 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -553,7 +553,7 @@ def validate(self, data):
 if self.context["request"].method in ["PATCH", "PUT"] and "password" in data:
 msg = "Update of password though API is not allowed"
 raise ValidationError(msg)
- if self.context["request"].method == "POST" and "password" not in data:
+ if self.context["request"].method == "POST" and "password" not in data and settings.REQUIRE_PASSWORD_ON_USER:
 msg = "Passwords must be supplied for new users"
 raise ValidationError(msg)
 else:
diff --git a/dojo/forms.py b/dojo/forms.py
index fd5c55a7b6a..cbeaa0a0c31 100644
--- a/dojo/forms.py
+++ b/dojo/forms.py
@@ -2170,7 +2170,7 @@ def clean(self):
 class AddDojoUserForm(forms.ModelForm):
 email = forms.EmailField(required=True)
 password = forms.CharField(widget=forms.PasswordInput,
- required=True,
+ required=settings.REQUIRE_PASSWORD_ON_USER,
 validators=[validate_password],
 help_text="")
diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
index f8adf9d7d4e..69b5b66b058 100644
--- a/dojo/settings/.settings.dist.py.sha256sum
+++ b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-f7e63afa0003d1992f8247f9a7a830847bd7498fa1e2d46d6ea04e3006bb9ee2
+aa4ec1520b0bc612431ecb7f80a53cca997fd415ff39d8b9c718fb3fc30b2fef
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 348596ef75b..caa84d6b2b3 100644
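Review bot: With REQUIRE_PASSWORD_ON_USER set to False a POST without `password` now falls through to the `else:` branch and is accepted, so whatever the serializer's create path does with a missing password becomes the security boundary; that path is outside this hunk, so verify it calls `user.set_unusable_password()` when `password` is absent and never `set_password("")` or `set_password(None)`, since a stored hash of the empty string is a credential `check_password("")` will accept. The new condition also reads better with the cheap settings check first and the long line split: `if settings.REQUIRE_PASSWORD_ON_USER and self.context["request"].method == "POST" and "password" not in data:`. Note the toggle only relaxes the requirement: a password supplied on POST while it is off is still accepted here, which is presumably intended but worth a comment such as `# REQUIRE_PASSWORD_ON_USER=False permits passwordless creation (external auth); a supplied password is still honoured`. `validate` starts before the hunk and its `else:` body continues past it.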
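Review bot: `required=settings.REQUIRE_PASSWORD_ON_USER` makes the field optional, and Django's CharField does not run `validate_password` on an empty value, so a blank submission reaches the view with `cleaned_data["password"] == ""`; the view that saves this form is outside the hunk, so verify it calls `user.set_unusable_password()` for a blank value instead of `user.set_password("")`, which would store a valid hash of the empty string and make the account log-in-able with no password on any path that does not itself reject blanks. The expression is evaluated once when the class body runs, so the requirement is fixed at import time and `override_settings` in a test will not flip it — acceptable for an env-driven setting, but say so: `# evaluated at import time from DD_REQUIRE_PASSWORD_ON_USER; not switchable per request`. When the field is optional the empty `help_text` gives the admin no hint of what a blank means; if the save path does use an unusable password, consider `help_text="" if settings.REQUIRE_PASSWORD_ON_USER else "Leave blank to create the user without a usable password (external authentication only)"`. AddDojoUserForm continues past the hunk.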
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -304,6 +304,8 @@
 DD_QUALYS_LEGACY_SEVERITY_PARSING=(bool, True),
 # Use System notification settings to override user's notification settings
 DD_NOTIFICATIONS_SYSTEM_LEVEL_TRUMP=(list, ["user_mentioned", "review_requested"]),
+ # When enabled, force the password field to be required for creating/updating users
+ DD_REQUIRE_PASSWORD_ON_USER=(bool, True),
 )
@@ -527,6 +529,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 CLASSIC_AUTH_ENABLED = True
 FORGOT_PASSWORD = env("DD_FORGOT_PASSWORD")
+REQUIRE_PASSWORD_ON_USER = env("DD_REQUIRE_PASSWORD_ON_USER")
 FORGOT_USERNAME = env("DD_FORGOT_USERNAME")
 PASSWORD_RESET_TIMEOUT = env("DD_PASSWORD_RESET_TIMEOUT")
 # Showing login form (form is not needed for external auth: OKTA, Google Auth, etc.)
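Review bot: The comment on the new `DD_REQUIRE_PASSWORD_ON_USER` entry says the password is required for "creating/updating users", but the serializer change in this same patch rejects any password on PATCH/PUT, so updates are never governed by this toggle and the comment overstates its scope; rewrite it as `# When enabled, a password must be supplied when creating a user via the UI form or the API (POST); password updates are unaffected`. The comment should also state the consequence of turning it off, because that is the security decision an operator is making: the user is created without a usable credential, which only makes sense when logins come from an external identity provider — e.g. `# Disable only when users authenticate through an external provider (OAuth2/SAML/remote user); accounts created without a password must not be able to log in with the classic form`. The hunk's trailing blank context lines appear to have been lost when the page was collapsed; the env block's closing `)` is its last visible line.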