User password update via REST API is not hashed #14339

@fanshan

NetBox version

v3.6.5

Python version

3.11

Steps to Reproduce

  1. Create a new User with password (username: test, password: test). For the request use a user with user creation permission:
curl --location 'http://netbox/api/users/users/' \
--header 'Authorization: Token 45202..6e9e092df' \
--header 'Content-Type: application/json' \
--data '{
    "username": "test",
    "password": "test"
}'
  2. Update the newly created user's password with a new one. For the request use a user with user change permission and the created user {id}:
curl --location --request PATCH 'http://netbox/api/users/users/{id}/' \
--header 'Authorization: Token 45202..6e9e092df' \
--header 'Content-Type: application/json' \
--data '{
    "password": "newpassword"
}'

Expected Behavior

The password stored in the database must be hashed, so that the user with the updated password is able to log in to the NetBox instance.

Observed Behavior

The password stored in the database is not hashed, so the user with the updated password is not able to log in to the NetBox instance.

Connected to the database, run (where {id} is the created user's id):

SELECT password FROM auth_user WHERE id={id}

Result "newpassword"
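A check for other accounts left in the state the SELECT above shows, as an added example that is not part of the issue or of NetBox's code: it classifies values read from auth_user.password by whether they have the layout Django's built-in hashers write. The function names, the sample rows and the low iteration count are constructed for illustration.

```python
import base64
import hashlib

# First "$"-separated field written by Django's built-in password hashers.
DJANGO_HASHERS = {"pbkdf2_sha256", "pbkdf2_sha1", "argon2",
                  "bcrypt_sha256", "bcrypt", "scrypt", "md5"}


def classify(stored):
    """Classify one auth_user.password value (hypothetical helper)."""
    if not stored:
        return "empty"
    if stored.startswith("!"):
        return "unusable"  # Django marks unusable passwords with a leading "!"
    algorithm = stored.split("$", 1)[0]
    # Every built-in layout has at least algorithm$salt$hash, i.e. two "$".
    if algorithm in DJANGO_HASHERS and stored.count("$") >= 2:
        return "hashed"
    # No hasher can be identified for this value, so password checks fail,
    # and the column is holding the credential itself.
    return "plaintext"


def pbkdf2_sha256_encode(password, salt, iterations):
    """Build a value in Django's pbkdf2_sha256 layout: algorithm$iterations$salt$b64(hash)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())


def audit(rows):
    """rows: (id, username, password) tuples, e.g. from a SELECT on auth_user."""
    return [(uid, name) for uid, name, pw in rows if classify(pw) == "plaintext"]


# Constructed sample rows; 1000 iterations keeps the demo fast and is not a recommended setting.
ROWS = [
    (1, "admin", pbkdf2_sha256_encode("constructed-admin-pw", "c29tZXNhbHQ", 1000)),
    (2, "test", "newpassword"),       # the state reported in this issue
    (3, "svc", "!constructedmarker"),  # unusable password
]

if __name__ == "__main__":
    for uid, name in audit(ROWS):
        print("user id=%d (%s): password column is not a Django hash" % (uid, name))
```

Accounts the audit reports need their password reset through a path that hashes it, and the exposed value should be treated as compromised wherever it was reused.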

Labels

severity: medium (Results in substantial degraded or broken functionality for specific workflows)
status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)