FIX auth_saml: password reset when deactivating the config settings

auth_saml/models/ir_config_parameter.py

@@ -27,3 +27,14 @@ def write(self, vals):
         if self.filtered(lambda param: param.key == ALLOW_SAML_UID_AND_PASSWORD):
             self.env["res.users"].allow_saml_and_password_changed()
         return result
+
+    def unlink(self):
+        """Redefined to update users when our parameter is deleted."""
+        reset = False
+        for param in self:
+            if param.key == ALLOW_SAML_UID_AND_PASSWORD:
+                reset = True
+        result = super().unlink()
+        if result and reset:
+            self.env["res.users"].allow_saml_and_password_changed()
+        return result

auth_saml/tests/test_pysaml.py

@@ -273,3 +273,24 @@ def test_disallow_user_admin_can_have_password(self):
         ).value = "False"
         # Test base.user_admin exception
         self.env.ref("base.user_admin").password = "nNRST4j*->sEatNGg._!"
+
+    def test_config_setting_deactivate_password(self):
+        """Test that disabling the setting will remove passwords from related users"""
+        # We activate the settings to allow password login
+        self.env["res.config.settings"].create(
+            {
+                "allow_saml_uid_and_internal_password": True,
+            }
+        ).execute()
+
+        # Test the user can login with the password
+        self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa")
+
+        self.env["res.config.settings"].create(
+            {
+                "allow_saml_uid_and_internal_password": False,
+            }
+        ).execute()
+
+        with self.assertRaises(AccessDenied):
+            self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa")