Diffstat (limited to 'src/chttpd/test/chttpd_security_tests.erl')
-rw-r--r--src/chttpd/test/chttpd_security_tests.erl22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/chttpd/test/chttpd_security_tests.erl b/src/chttpd/test/chttpd_security_tests.erl
index b80238c78..737a32e11 100644
--- a/src/chttpd/test/chttpd_security_tests.erl
+++ b/src/chttpd/test/chttpd_security_tests.erl
@@ -102,6 +102,8 @@ all_test_() ->
fun setup/0, fun teardown/1,
[
fun should_allow_admin_db_compaction/1,
+ fun should_allow_valid_password_to_create_user/1,
+ fun should_disallow_invalid_password_to_create_user/1,
fun should_disallow_anonymous_db_compaction/1,
fun should_disallow_db_member_db_compaction/1,
fun should_allow_db_admin_db_compaction/1,
@@ -124,6 +126,26 @@ should_allow_admin_db_compaction([Url,_UsersUrl]) ->
couch_util:get_value(<<"ok">>, InnerJson, undefined)
end).
+
+should_allow_valid_password_to_create_user([_Url, UsersUrl]) ->
+ UserDoc = "{\"_id\": \"org.couchdb.user:foo\", \"name\": \"foo\",
+ \"type\": \"user\", \"roles\": [], \"password\": \"bar\"}",
+ {ok, _, _, ResultBody} = test_request:post(UsersUrl,
+ [?CONTENT_JSON, ?AUTH], UserDoc),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ?_assertEqual(true, couch_util:get_value(<<"ok">>, InnerJson)).
+
+should_disallow_invalid_password_to_create_user([_Url, UsersUrl]) ->
+ UserDoc = "{\"_id\": \"org.couchdb.user:foo\", \"name\": \"foo\",
+ \"type\": \"user\", \"roles\": [], \"password\": 123}",
+ {ok, _, _, ResultBody} = test_request:post(UsersUrl,
+ [?CONTENT_JSON, ?AUTH], UserDoc),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ErrType = couch_util:get_value(<<"error">>, InnerJson),
+ ?_assertEqual(<<"forbidden">>, ErrType).
+
should_disallow_anonymous_db_compaction([Url,_UsersUrl]) ->
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact",
[?CONTENT_JSON], ""),
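Review bot: The assertion in `should_disallow_invalid_password_to_create_user` checks only that the `error` field is `<<"forbidden">>` and discards the second element of the response tuple, so a request rejected as forbidden for any unrelated reason would also pass. Bind what appears to be the status code and compare both, for example `{ok, Status, _, ResultBody} = test_request:post(UsersUrl, [?CONTENT_JSON, ?AUTH], UserDoc),` followed by `?_assertEqual({403, <<"forbidden">>}, {Status, ErrType})`, and consider asserting on the `reason` field as well so the test is tied to the password-type check. Only an integer password is exercised; other non-string JSON values such as `null`, `true`, an array or an object each deserve a case. Both new tests post the same `_id`, which is safe only if the fixture recreates the users database per test; the fixture wrapper is outside the hunk, so this should be confirmed.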