feat(superuser): Allow super user creation using signup endpoint (#5266)

gagantrivedi · pre-commit-ci[bot] · web-flow · commit 86098a6eef48 · 2025-04-11T15:05:07.000+05:30
Co-authored-by: pre-commit-ci[bot] &lt;66853113+pre-commit-ci[bot]@users.noreply.github.com&gt;
diff --git a/api/custom_auth/serializers.py b/api/custom_auth/serializers.py
@@ -1,5 +1,6 @@
 from typing import Any
 
+from common.core.utils import is_saas
 from django.conf import settings
 from djoser.serializers import UserCreateSerializer  # type: ignore[import-untyped]
 from rest_framework import serializers
@@ -52,6 +53,11 @@ def __init__(self, *args: Any, **kwargs: Any) -> None:
         if not settings.COOKIE_AUTH_ENABLED:
             self.fields["key"] = serializers.SerializerMethodField()
 
+        if not is_saas():
+            self.fields["superuser"] = serializers.BooleanField(
+                write_only=True, required=False
+            )
+
     class Meta(UserCreateSerializer.Meta):  # type: ignore[misc]
         fields = UserCreateSerializer.Meta.fields + (
             "is_active",
@@ -75,6 +81,17 @@ class Meta(UserCreateSerializer.Meta):  # type: ignore[misc]
     def validate(self, attrs):  # type: ignore[no-untyped-def]
         attrs = super().validate(attrs)
         email = attrs.get("email")
+        if attrs.get("superuser"):
+            if FFAdminUser.objects.exists():
+                raise serializers.ValidationError(
+                    {
+                        "superuser": (
+                            "A superuser can only be created through this  "
+                            "endpoint if no other users exist."
+                        )
+                    }
+                )
+
         if settings.AUTH_CONTROLLER_INSTALLED:
             from auth_controller.controller import (  # type: ignore[import-not-found,import-untyped,unused-ignore]
                 is_authentication_method_valid,
diff --git a/api/tests/integration/custom_auth/end_to_end/test_custom_auth_integration.py b/api/tests/integration/custom_auth/end_to_end/test_custom_auth_integration.py
@@ -617,3 +617,87 @@ def test_register_with_sign_up_type(client, db, settings):  # type: ignore[no-un
     assert response_json["sign_up_type"] == sign_up_type
 
     assert FFAdminUser.objects.filter(email=email, sign_up_type=sign_up_type).exists()
+
+
+def test_can_create_superuser(
+    db: None, api_client: APIClient, mocker: MockerFixture
+) -> None:
+    # Given
+    mocker.patch("custom_auth.serializers.is_saas", return_value=False)
+
+    email = "test@example.com"
+    password = FFAdminUser.objects.make_random_password()
+    register_data = {
+        "email": email,
+        "password": password,
+        "re_password": password,
+        "first_name": "user",
+        "last_name": "test",
+        "superuser": True,
+        "other_field": "meh",
+    }
+    url = reverse("api-v1:custom_auth:ffadminuser-list")
+
+    # When
+    response = api_client.post(url, data=register_data)
+
+    # Then
+    assert response.status_code == status.HTTP_201_CREATED
+    user = FFAdminUser.objects.get(email=email)
+    assert user.superuser is True
+
+
+def test_cannot_create_superuser_on_saas_build(
+    db: None, api_client: APIClient, mocker: MockerFixture
+) -> None:
+    # Given
+    mocker.patch("custom_auth.serializers.is_saas", return_value=True)
+
+    email = "test@example.com"
+    password = FFAdminUser.objects.make_random_password()
+    register_data = {
+        "email": email,
+        "password": password,
+        "re_password": password,
+        "first_name": "user",
+        "last_name": "test",
+        "superuser": True,
+    }
+    url = reverse("api-v1:custom_auth:ffadminuser-list")
+
+    # When
+    response = api_client.post(url, data=register_data)
+
+    # Then
+    assert response.status_code == status.HTTP_201_CREATED
+    user = FFAdminUser.objects.get(email=email)
+    assert user.superuser is False
+
+
+def test_cannot_create_superuser_if_any_user_exists(
+    admin_user: FFAdminUser, api_client: APIClient, mocker: MockerFixture
+) -> None:
+    # Given
+    mocker.patch("custom_auth.serializers.is_saas", return_value=False)
+
+    email = "test@example.com"
+    password = FFAdminUser.objects.make_random_password()
+    register_data = {
+        "email": email,
+        "password": password,
+        "re_password": password,
+        "first_name": "user",
+        "last_name": "test",
+        "superuser": True,
+    }
+    url = reverse("api-v1:custom_auth:ffadminuser-list")
+
+    # When
+    response = api_client.post(url, data=register_data)
+
+    # Then
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["superuser"] == [
+        "A superuser can only be created through this  endpoint if no other users exist."
+    ]
+    assert FFAdminUser.objects.filter(email=email).exists() is False
diff --git a/api/users/models.py b/api/users/models.py
@@ -131,6 +131,15 @@ class Meta:
     def __str__(self):  # type: ignore[no-untyped-def]
         return self.email
 
+    @property
+    def superuser(self) -> bool:
+        return self.is_staff and self.is_superuser
+
+    @superuser.setter
+    def superuser(self, value: bool) -> None:
+        self.is_staff = value
+        self.is_superuser = value
+
     @hook(AFTER_CREATE)  # type: ignore[misc]
     def schedule_hubspot_tracking(self) -> None:
         if settings.ENABLE_HUBSPOT_LEAD_TRACKING:
