Hi Paul,
There are really two issues interacting there. The first is when you create the user with the secure flag. That flag really isn’t intended to be used that way, but is for internal use to control how the user object is serialized. When the model object has secured set to true, the password and salt values are passed as null and are then ignored by the JSON serializer. What’s happening is that your various parameters are being deserialized into a User object with secured set to true so that when the code tries to get the password it just gets null, which is what gets set in the database:
# psql --command="SELECT login, primary_password FROM xdat_user WHERE login = 'testUser'"
  login   | primary_password
----------+------------------
 testUser |
(1 row)
The code that handles that POST should explicitly set secured to false, but you can fix this just by not including "secured": true in your request data.
The second issue is that, once the password has been set to null, the code that looks for properties that have been changed and validates any changed data doesn’t check for null or use a null-safe utility method for comparing strings when comparing the password values. To work around this, you can set the password value to some random string, delete any potential cache entries for the user object, then try changing it again. That would look something like this:
In psql, pgAdmin, or whatever database management tool you have, run these queries:
UPDATE xdat_user SET primary_password = 'XXX' WHERE login = 'testUser';
DELETE FROM xs_item_cache WHERE contents ~ '^.*\(xdat:user\).*\(login:string\)=\(testUser\).*$';
Now re-run the PUT command and the password should update properly.
I created two issues to track this stuff:
Rick Herrick
Senior Software Developer
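
The two interacting problems described in this reply, as an added Java sketch that is not XNAT code and not part of the original message. The User class, its fields and both comparison methods are hypothetical stand-ins, the sample passwords are constructed, and the NullPointerException is how the null-unsafe comparison fails in this sketch; the reply does not say how the failure surfaces in XNAT.

```java
import java.util.Objects;

// Hypothetical model of the behaviour described in the reply; not XNAT's classes.
public class SecuredFlagDemo {
    static class User {
        String login;
        String password;
        boolean secured;

        User(String login, String password, boolean secured) {
            this.login = login;
            this.password = password;
            this.secured = secured;
        }

        // With secured == true the credential is hidden, so callers get null.
        String getPassword() { return secured ? null : password; }
    }

    // Null-unsafe change check: dereferences the stored value without a null test.
    static boolean passwordChangedUnsafe(String stored, String submitted) {
        return !stored.equals(submitted);
    }

    // Null-safe change check: Objects.equals accepts null on either side.
    static boolean passwordChangedSafe(String stored, String submitted) {
        return !Objects.equals(stored, submitted);
    }

    public static void main(String[] args) {
        // Issue 1: the request body carried "secured": true, so the password reads as null.
        User created = new User("testUser", "S3cret-constructed", true);
        String storedInDb = created.getPassword(); // null is what gets persisted
        System.out.println("stored primary_password = " + storedInDb);

        // Issue 2: a later change request is compared against that null value.
        try {
            passwordChangedUnsafe(storedInDb, "N3w-constructed");
        } catch (NullPointerException e) {
            System.out.println("unsafe compare failed: NullPointerException");
        }
        System.out.println("safe compare, changed = "
                + passwordChangedSafe(storedInDb, "N3w-constructed"));

        // Handler-side fix for issue 1: force secured to false before reading.
        created.secured = false;
        System.out.println("with secured=false: " + created.getPassword());
    }
}
```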
------ Original Message ------
Date 1/27/2023 9:40:35 AM
Subject [XNAT Discussion] Cannot change password via the API for secured users in 1.8.6.1