From 69de1cc0f65c02e91486d6d95d4c66dc32d63bf7 Mon Sep 17 00:00:00 2001
From: len <len@lambdao.dev>
Date: Fri, 10 Oct 2025 15:15:40 +0200
Subject: [PATCH] [FIX] auth_saml: do not crash if no users

---
 auth_saml/models/res_users.py        | 15 ++++++++-------
 auth_saml/tests/__init__.py          |  5 ++++-
 auth_saml/tests/test_param_change.py | 10 ++++++++++
 3 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 auth_saml/tests/test_param_change.py

diff --git a/auth_saml/models/res_users.py b/auth_saml/models/res_users.py
index fe869a3d26..9b6a6f713e 100644
--- a/auth_saml/models/res_users.py
+++ b/auth_saml/models/res_users.py
@@ -183,13 +183,14 @@ def _set_password_blank(self):
         """Set the password to a value that prohibits logging."""
         # Use SQL to blank the password to avoid sending security messages (done in
         # mail module) to end users.
-        _logger.debug("Removing password from %s user(s)", len(self.ids))
-        # similar to what Odoo does in Users._set_encrypted_password
-        self.env.cr.execute(
-            "UPDATE res_users SET password = NULL WHERE id IN %s",
-            (tuple(self.ids),),
-        )
-        self.invalidate_recordset(fnames=["password"])
+        if self:  # no users, nothing to do.
+            _logger.debug("Removing password from %s user(s)", len(self.ids))
+            # similar to what Odoo does in Users._set_encrypted_password
+            self.env.cr.execute(
+                "UPDATE res_users SET password = NULL WHERE id IN %s",
+                (tuple(self.ids),),
+            )
+            self.invalidate_recordset(fnames=["password"])
 
     def allow_saml_and_password_changed(self):
         """Called after the parameter is changed."""
diff --git a/auth_saml/tests/__init__.py b/auth_saml/tests/__init__.py
index af2e0f3ed2..0e3b1fe600 100644
--- a/auth_saml/tests/__init__.py
+++ b/auth_saml/tests/__init__.py
@@ -1 +1,4 @@
-from . import fake_idp, test_pysaml, test_models_saml_attribute_mapping
+from . import fake_idp
+from . import test_pysaml
+from . import test_models_saml_attribute_mapping
+from . import test_param_change
diff --git a/auth_saml/tests/test_param_change.py b/auth_saml/tests/test_param_change.py
new file mode 100644
index 0000000000..8e4c2a44a7
--- /dev/null
+++ b/auth_saml/tests/test_param_change.py
@@ -0,0 +1,10 @@
+from odoo.tests.common import TransactionCase
+
+
+class TestParamChange(TransactionCase):
+    def test_set_param(self):
+        """Changing the parameter should go through without error"""
+        self.env["ir.config_parameter"].set_param(
+            "auth_saml.allow_saml_uid_and_internal_password",
+            False,
+        )