Don't assume username in CLI user_create. (#1080)

Some models may not have a username so only send it if the CLI user sets a username

close #1078

Author: jwag956

CHANGES.rst

@@ -11,6 +11,7 @@ Released xxx
 Fixes
 +++++
 - (:issue:`1077`) Fix runtime modification of a config string (TWO_FACTOR_METHODS)
+- (:issue:`1078`) Fix CLI user_create when model doesn't contain username
 
 Version 5.6.0
 -------------

docs/models.rst

@@ -117,13 +117,15 @@ At the bare minimum your `User` and `Role` model must include the following fiel
 * ``password`` (string, nullable)
 * ``active`` (boolean, non-nullable)
 * ``fs_uniquifier`` (string, 64 bytes, unique, non-nullable)
+* a many-to-many relationship to table Role
 
 
 **Role**
 
 * primary key
 * ``name`` (unique, non-nullable)
 * ``description`` (string)
+* a many-to-many relationship to table User
 
 
 Additional Functionality

flask_security/cli.py

@@ -145,7 +145,9 @@ def users_create(attributes, password, active, username):
                 )
 
         kwargs[attr] = attrarg
-    kwargs.update(**{"password": password, "username": username})
+    kwargs["password"] = password
+    if username:
+        kwargs["username"] = username
 
     # We always add password_confirm here - if user used the CLI in input mode -
     # it already asked for confirmation.

tests/conftest.py

@@ -543,12 +543,46 @@ def fsqlalite_datastore(app, tmpdir, realdburl):
     td()
 
 
-def fsqlalite_setup(app, tmpdir, realdburl):
+@pytest.fixture()
+def fsqlalite_min_datastore(app, tmpdir, realdburl):
+    pytest.importorskip("flask_sqlalchemy_lite")
+    from sqlalchemy.orm import declared_attr, mapped_column, relationship
+    from sqlalchemy import String
+
+    class FsMinUserMixin(UserMixin):
+        # flask_security basic fields
+        id: Mapped[int] = mapped_column(primary_key=True)  # type: ignore
+        email: Mapped[str] = mapped_column(String(255), unique=True)  # type: ignore
+        password: Mapped[str | None] = mapped_column(String(255))  # type: ignore
+        active: Mapped[bool] = mapped_column()  # type: ignore
+        fs_uniquifier: Mapped[str] = mapped_column(  # type: ignore
+            String(64), unique=True
+        )
+
+        @declared_attr
+        def roles(cls):
+            # The first arg is a class name, the backref is a column name
+            return relationship(
+                "Role",
+                secondary="roles_users",
+                back_populates="users",
+            )
+
+    ds, td = fsqlalite_setup(
+        app, tmpdir, realdburl, usermixin=FsMinUserMixin, use_webauthn=False
+    )
+    yield ds
+    td()
+
+
+def fsqlalite_setup(app, tmpdir, realdburl, usermixin=None, use_webauthn=True):
     pytest.importorskip("flask_sqlalchemy_lite")
     from flask_sqlalchemy_lite import SQLAlchemy
     from sqlalchemy.orm import DeclarativeBase, mapped_column
     from flask_security.models import sqla as sqla
 
+    if not usermixin:
+        usermixin = sqla.FsUserMixin
     if realdburl:
         db_url, db_info = _setup_realdb(realdburl)
     else:
@@ -568,10 +602,12 @@ class Model(DeclarativeBase):
     class Role(Model, sqla.FsRoleMixin):
         __tablename__ = "role"
 
-    class WebAuthn(Model, sqla.FsWebAuthnMixin):
-        __tablename__ = "webauthn"
+    if use_webauthn:
 
-    class User(Model, sqla.FsUserMixin):
+        class WebAuthn(Model, sqla.FsWebAuthnMixin):
+            __tablename__ = "webauthn"
+
+    class User(Model, usermixin):
         __tablename__ = "user"
         security_number: Mapped[t.Optional[int]] = mapped_column(  # type: ignore
             unique=True
@@ -593,7 +629,10 @@ def tear_down():
             if realdburl:
                 _teardown_realdb(db_info)
 
-    return FSQLALiteUserDatastore(db, User, Role, WebAuthn), tear_down
+    return (
+        FSQLALiteUserDatastore(db, User, Role, WebAuthn if use_webauthn else None),
+        tear_down,
+    )
 
 
 @pytest.fixture()
@@ -1022,6 +1061,17 @@ def create_app():
     return ScriptInfo(create_app=create_app)
 
 
+@pytest.fixture()
+def script_info_min(app, fsqlalite_min_datastore):
+    from flask.cli import ScriptInfo
+
+    def create_app():
+        app.security = Security(app, datastore=fsqlalite_min_datastore)
+        return app
+
+    return ScriptInfo(create_app=create_app)
+
+
 def pytest_addoption(parser):
     parser.addoption(
         "--realdburl",

tests/test_cli.py

@@ -412,6 +412,8 @@ def test_cli_createuserV2attr(script_info):
             "--password",
             "battery staple",
             "us_phone_number:5551212",
+            "--username",
+            "iamuser",
         ],
         obj=script_info,
     )
@@ -421,3 +423,22 @@ def test_cli_createuserV2attr(script_info):
     with app.app_context():
         user = app.security.datastore.find_user(email="[email protected]")
         assert user.us_phone_number == "5551212"
+        user = app.security.datastore.find_user(username="iamuser")
+        assert user
+
+
+def test_cli_create_nousername(script_info_min):
+    """Test create user CLI passing attr that is in User but not in form."""
+    runner = CliRunner()
+
+    # Create user
+    result = runner.invoke(
+        users_create,
+        [
+            "[email protected]",
+            "--password",
+            "battery staple",
+        ],
+        obj=script_info_min,
+    )
+    assert result.exit_code == 0