From 77bbe5730be9fdac354aad751de5d1e7d7e1dcf3 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch <stretch@packetlife.net>
Date: Wed, 25 Nov 2020 11:47:53 -0500
Subject: [PATCH] Fixes #5383: Fix setting user password via REST API

---
 docs/release-notes/version-2.9.md |  8 ++++++++
 netbox/users/api/serializers.py   | 18 ++++++++++++++++--
 netbox/users/tests/test_api.py    |  4 ++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/docs/release-notes/version-2.9.md b/docs/release-notes/version-2.9.md
index 7e7ddd249..563220cb5 100644
--- a/docs/release-notes/version-2.9.md
+++ b/docs/release-notes/version-2.9.md
@@ -1,5 +1,13 @@
 # NetBox v2.9
 
+## v2.9.11 (FUTURE)
+
+### Bug Fixes
+
+* [#5383](https://github.com/netbox-community/netbox/issues/5383) - Fix setting user password via REST API
+
+---
+
 ## v2.9.10 (2020-11-24)
 
 ### Enhancements
diff --git a/netbox/users/api/serializers.py b/netbox/users/api/serializers.py
index 1f338d6e4..a3028f3cb 100644
--- a/netbox/users/api/serializers.py
+++ b/netbox/users/api/serializers.py
@@ -19,9 +19,23 @@ class UserSerializer(ValidatedModelSerializer):
     class Meta:
         model = User
         fields = (
-            'id', 'url', 'username', 'first_name', 'last_name', 'email', 'is_staff', 'is_active', 'date_joined',
-            'groups',
+            'id', 'url', 'username', 'password', 'first_name', 'last_name', 'email', 'is_staff', 'is_active',
+            'date_joined', 'groups',
         )
+        extra_kwargs = {
+            'password': {'write_only': True}
+        }
+
+    def create(self, validated_data):
+        """
+        Extract the password from validated data and set it separately to ensure proper hash generation.
+        """
+        password = validated_data.pop('password')
+        user = super().create(validated_data)
+        user.set_password(password)
+        user.save()
+
+        return user
 
 
 class GroupSerializer(ValidatedModelSerializer):
diff --git a/netbox/users/tests/test_api.py b/netbox/users/tests/test_api.py
index c4229bff9..2e670b558 100644
--- a/netbox/users/tests/test_api.py
+++ b/netbox/users/tests/test_api.py
@@ -22,15 +22,19 @@ class UserTest(APIViewTestCases.APIViewTestCase):
     model = User
     view_namespace = 'users'
     brief_fields = ['id', 'url', 'username']
+    validation_excluded_fields = ['password']
     create_data = [
         {
             'username': 'User_4',
+            'password': 'password4',
         },
         {
             'username': 'User_5',
+            'password': 'password5',
         },
         {
             'username': 'User_6',
+            'password': 'password6',
         },
     ]