From f576e7bc507ab58a2133976f333b758261b03540 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Wed, 22 Jan 2020 11:07:57 +0000
Subject: [PATCH] Minor fixes to user admin api

* don't insist on a password (this is valid if you have an SSO login)
* fix reference to undefined `requester`
---
 changelog.d/6761.bugfix     |  1 +
 synapse/rest/admin/users.py | 14 +++++---------
 2 files changed, 6 insertions(+), 9 deletions(-)
 create mode 100644 changelog.d/6761.bugfix

diff --git a/changelog.d/6761.bugfix b/changelog.d/6761.bugfix
new file mode 100644
index 000000000000..1c664c02dff3
--- /dev/null
+++ b/changelog.d/6761.bugfix
@@ -0,0 +1 @@
+Minor fixes to `PUT /_synapse/admin/v2/users` admin api.
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
index 52d27fa3e383..5b27e4082cbc 100644
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -151,7 +151,8 @@ async def on_GET(self, request, user_id):
         return 200, ret
 
     async def on_PUT(self, request, user_id):
-        await assert_requester_is_admin(self.auth, request)
+        requester = await self.auth.get_user_by_req(request)
+        await assert_user_is_admin(self.auth, requester.user)
 
         target_user = UserID.from_string(user_id)
         body = parse_json_object_from_request(request)
@@ -162,8 +163,6 @@ async def on_PUT(self, request, user_id):
         user = await self.admin_handler.get_user(target_user)
 
         if user:  # modify user
-            requester = await self.auth.get_user_by_req(request)
-
             if "displayname" in body:
                 await self.profile_handler.set_displayname(
                     target_user, requester, body["displayname"], True
@@ -210,11 +209,8 @@ async def on_PUT(self, request, user_id):
             return 200, user
 
         else:  # create user
-            if "password" not in body:
-                raise SynapseError(
-                    400, "password must be specified", errcode=Codes.BAD_JSON
-                )
-            elif (
+            password = body.get("password")
+            if password is not None and (
                 not isinstance(body["password"], text_type)
                 or len(body["password"]) > 512
             ):
@@ -229,7 +225,7 @@ async def on_PUT(self, request, user_id):
 
             user_id = await self.registration_handler.register_user(
                 localpart=target_user.localpart,
-                password=body["password"],
+                password=password,
                 admin=bool(admin),
                 default_display_name=displayname,
                 user_type=user_type,