WebAdmin: allow to create admins with an unusable password

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

internal/httpd/httpd_test.go

@@ -20871,13 +20871,6 @@ func TestWebAdminBasicMock(t *testing.T) {
 	assert.Contains(t, rr.Body.String(), util.I18nError500Message)
 
 	form.Set("default_users_expiration", "10")
-	req, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))
-	req.RemoteAddr = defaultRemoteAddr
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	setJWTCookieForReq(req, token)
-	rr = executeRequest(req)
-	checkResponseCode(t, http.StatusOK, rr)
-
 	form.Set("password", admin.Password)
 	req, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))
 	req.RemoteAddr = defaultRemoteAddr

internal/httpd/webadmin.go

@@ -3111,7 +3111,11 @@ func (s *httpdServer) handleWebAddAdminPost(w http.ResponseWriter, r *http.Reque
 		s.renderAddUpdateAdminPage(w, r, &admin, err, true)
 		return
 	}
-	if admin.Password == "" && s.binding.isWebAdminLoginFormDisabled() {
+	if admin.Password == "" {
+		// Administrators can be used with OpenID Connect or for authentication
+		// via API key, in these cases the password is not necessary, we create
+		// a non-usable one. This feature is only useful for WebAdmin, in REST
+		// API you can create an unusable password externally.
 		admin.Password = util.GenerateUniqueID()
 	}
 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)