From 1245ff2cce6029a1dda1db42fe4a0155ab65e92b Mon Sep 17 00:00:00 2001
From: Pete Matsyburka <pete@docuseal.com>
Date: Sat, 6 Sep 2025 10:41:51 +0300
Subject: [PATCH] disable edit password

---
 app/controllers/users_controller.rb |  2 +-
 app/views/users/_form.html.erb      | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 2e361097..da60da91 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -54,7 +54,7 @@ class UsersController < ApplicationController
       @user.account = account
     end
 
-    if @user.update(attrs.except(*(current_user == @user ? %i[otp_required_for_login role] : nil)))
+    if @user.update(attrs.except(*(current_user == @user ? %i[password otp_required_for_login role] : %i[password])))
       redirect_back fallback_location: settings_users_path, notice: I18n.t('user_has_been_updated')
     else
       render turbo_stream: turbo_stream.replace(:modal, template: 'users/edit'), status: :unprocessable_content
diff --git a/app/views/users/_form.html.erb b/app/views/users/_form.html.erb
index 304748e5..19b9f0f2 100644
--- a/app/views/users/_form.html.erb
+++ b/app/views/users/_form.html.erb
@@ -14,10 +14,12 @@
       <%= f.label :email, t('email'), class: 'label' %>
       <%= f.email_field :email, required: true, class: 'base-input' %>
     </div>
-    <div class="form-control">
-      <%= f.label :password, t('password'), class: 'label' %>
-      <%= f.password_field :password, required: user.new_record?, class: 'base-input' %>
-    </div>
+    <% if user.new_record? && !Docuseal.multitenant? %>
+      <div class="form-control">
+        <%= f.label :password, t('password'), class: 'label' %>
+        <%= f.password_field :password, required: true, class: 'base-input' %>
+      </div>
+    <% end %>
     <% if f.object != current_user %>
       <% if user.otp_required_for_login %>
         <div class="form-control">