3scale · jlledom · May 19, 2026 · May 19, 2026 · May 19, 2026 · jlledom
diff --git a/app/controllers/admin/api/buyers_users_controller.rb b/app/controllers/admin/api/buyers_users_controller.rb
@@ -17,7 +17,7 @@ def create
     authorize! :create, user
 
     user.unflattened_attributes = flat_params
-    user.signup_type = :api
+    user.signup_type = :created_by_provider
 
     user.save
 

diff --git a/app/controllers/admin/api/users_controller.rb b/app/controllers/admin/api/users_controller.rb
@@ -19,7 +19,7 @@ def create
     authorize! :create, user
 
     user.unflattened_attributes = flat_params
-    user.signup_type = :api
+    user.signup_type = :created_by_provider
 
     user.save
 

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -237,10 +237,6 @@ def minimal_signup?
     signup.minimal?
   end
 
-  def api_signup?
-    signup.api?
-  end
-
   def cas_signup?
     signup.cas?
   end
@@ -437,10 +433,6 @@ def minimal?
       signup_type == :minimal
     end
 
-    def api?
-      signup_type == :api
-    end
-
     def open_id?
       @user.open_id.present?
     end
@@ -450,19 +442,19 @@ def oauth2?
     end
 
     def created_by_provider?
-      signup_type == :created_by_provider
+      %i[created_by_provider api].include?(signup_type)
     end
 
     def cas?
       @user.cas_identifier.present?
     end
 
     def machine?
-      minimal? || api? || created_by_provider? || open_id? || cas? || oauth2?
+      minimal? || created_by_provider? || open_id? || cas? || oauth2?
     end
 
     def by_user?
-      not machine?
+      !machine?
     end
 
     private

diff --git a/test/functional/partners/providers_controller_test.rb b/test/functional/partners/providers_controller_test.rb
@@ -100,6 +100,17 @@ def provider_params
     assert_equal true, body['success']
   end
 
+  test 'post without password or open_id rejected' do
+    prepare_master_account
+    post :create, params: provider_params.except(:open_id)
+
+    assert_response :unprocessable_entity
+    body = JSON.parse(response.body)
+
+    assert_not body['success']
+    assert body['errors']['user']['password'].present?
+  end
+
   test 'post with weak password rejected when strong passwords enabled' do
     prepare_master_account
 

diff --git a/test/functional/partners/users_controller_test.rb b/test/functional/partners/users_controller_test.rb
@@ -82,6 +82,16 @@ def setup
     assert body['success']
   end
 
+  test 'create user without password or open_id rejected' do
+    post :create, params: { provider_id: @account.id, api_key: @partner.api_key, email: "foo@example.net", username: "aaron" }
+
+    assert_response :unprocessable_entity
+    body = JSON.parse(response.body)
+
+    assert_not body['success']
+    assert body['errors']['password'].present?
+  end
+
   test 'create user with invalid params returns 422' do
     post :create, params: { provider_id: @account.id, api_key: @partner.api_key, email: "invalid-email", username: "aaron" }
 

diff --git a/test/unit/liquid/drops/user_drop_test.rb b/test/unit/liquid/drops/user_drop_test.rb
@@ -77,6 +77,18 @@ def test_oauth2
       assert @user.signup.machine?
       assert_not @drop.password_required?
     end
+
+    test '#password_required? returns false for legacy :api signup type' do
+      @user.signup_type = :api
+
+      assert_not @drop.password_required?
+    end
+
+    test '#password_required? returns false for :created_by_provider signup type' do
+      @user.signup_type = :created_by_provider
+
+      assert_not @drop.password_required?
+    end
   end
 
   class BuyerUserTest < Liquid::Drops::UserDropTest

diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
@@ -273,6 +273,43 @@ def test_accessible_services
     assert created_by_provider_user.errors[:password].blank?
   end
 
+  test 'by_user? returns true only for :new_signup, nil, and :partner signup types' do
+    user = User.new
+
+    %i[new_signup partner].each do |type|
+      user.signup_type = type
+      assert user.signup.by_user?
+    end
+
+    user.signup_type = nil
+    assert user.signup.by_user?
+
+    %i[minimal api created_by_provider].each do |type|
+      user.signup_type = type
+      assert_not user.signup.by_user?
+    end
+  end
+
+  test 'by_user? returns false when user has SSO identifiers regardless of signup type' do
+    user = User.new
+    user.signup_type = :new_signup
+
+    user.open_id = 'some-open-id'
+    assert_not user.signup.by_user?
+    user.open_id = nil
+
+    user.stubs(:any_sso_authorizations?).returns(true)
+    assert_not user.signup.by_user?
+    user.unstub(:any_sso_authorizations?)
+
+    user.authentication_id = 'some-auth-id'
+    assert_not user.signup.by_user?
+    user.authentication_id = nil
+
+    user.cas_identifier = 'some-cas-id'
+    assert_not user.signup.by_user?
+  end
+
   test 'reset password' do
     user = FactoryBot.create(:simple_user, username: 'person', password: 'superSecret1234#')
     user.activate!