fix(users): handle null name param #8785

[Shobhit150]

What does this PR do?

"v1/users" in this endpoint when we were previously sending 'name' as null, it was giving error. And as per #8785, 'name' is optional, so simply just made it optional, now even if you pass as null, it works. Thankyou

Test Plan

In postman i passed name as null and its working fine

Related PRs and Issues

• Fixes 🐛 Bug Report: All Users.CreateUser... endpoints return a vague server error is null name is provided #8785

Checklist

• [x ] Have you read the Contributing Guidelines on issues?
• If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

[coderabbitai]

📝 Walkthrough

Walkthrough

A null-coalescing assignment operator is introduced in the user creation endpoint to handle cases where the name parameter is explicitly set to null. The change ensures the $name variable defaults to an empty string before being passed to the createUser function, preventing a server error when this optional field is provided as null.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

The change is straightforward—a single-line defensive programming addition in one file. However, review should verify: (1) that defaulting to an empty string is the correct downstream behavior for a null name, (2) whether similar null-handling patterns should be applied to other optional parameters in this or related endpoints, and (3) that this change fully resolves the reported issue without introducing side effects in name processing logic.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "fix(users): handle null name param #8785" is directly related to the main change in the changeset, which introduces a null-coalescing assignment to handle null values for the optional name parameter in the user creation endpoint. The title is clear, specific, and uses a conventional format (fix type, component, brief description, and issue reference) that effectively summarizes the primary change without being vague or overly broad. A developer scanning the commit history would immediately understand this addresses a bug fix related to null name parameter handling.
Linked Issues Check	✅ Passed	The code changes successfully address the primary objective of issue #8785: allowing null values for the optional name field in the POST /v1/users endpoint. The null-coalescing assignment ($name = $name ?? '') converts null name parameters to empty strings, enabling user creation to proceed without error when name is null, which is the expected behavior documented in the issue. The author's Postman testing confirms the fix resolves the vague server error that was previously occurring when name was explicitly set to null.
Out of Scope Changes Check	✅ Passed	All changes in this pull request are directly related to and scoped by the requirements in linked issue #8785. The modification is limited to app/controllers/api/users.php and consists solely of a null-coalescing assignment for the name parameter in the user creation route. No unrelated changes, refactoring, or additional feature implementations are present, and no alterations to exported or public entity declarations were made. The change is minimal, focused, and entirely addresses the stated objective of handling null name parameters.
Description Check	✅ Passed	The pull request description is clearly related to the changeset and directly explains the issue being fixed: the v1/users endpoint was throwing an error when the name parameter was set to null, even though name is optional. The author describes the solution (making name optional by handling null values), provides concrete evidence of testing via a Postman screenshot, and properly references the linked issue #8785. The description contains sufficient context about both the problem and the resolution without being vague or generic.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Security Scan Results for PR

Docker Image Scan Results

Package	Version	Vulnerability	Severity
binutils	2.42-r0	CVE-2025-0840	HIGH
git	2.45.3-r0	CVE-2025-46334	HIGH
git	2.45.3-r0	CVE-2025-48384	HIGH
git	2.45.3-r0	CVE-2025-48385	HIGH
git-init-template	2.45.3-r0	CVE-2025-46334	HIGH
git-init-template	2.45.3-r0	CVE-2025-48384	HIGH
git-init-template	2.45.3-r0	CVE-2025-48385	HIGH
icu	74.2-r0	CVE-2025-5222	HIGH
icu-data-en	74.2-r0	CVE-2025-5222	HIGH
icu-dev	74.2-r0	CVE-2025-5222	HIGH
icu-libs	74.2-r0	CVE-2025-5222	HIGH
libecpg	16.8-r0	CVE-2025-8714	HIGH
libecpg	16.8-r0	CVE-2025-8715	HIGH
libecpg-dev	16.8-r0	CVE-2025-8714	HIGH
libecpg-dev	16.8-r0	CVE-2025-8715	HIGH
libexpat	2.6.4-r0	CVE-2024-8176	HIGH
libpq	16.8-r0	CVE-2025-8714	HIGH
libpq	16.8-r0	CVE-2025-8715	HIGH
libpq-dev	16.8-r0	CVE-2025-8714	HIGH
libpq-dev	16.8-r0	CVE-2025-8715	HIGH
libxml2	2.12.7-r0	CVE-2024-56171	HIGH
libxml2	2.12.7-r0	CVE-2025-24928	HIGH
libxml2	2.12.7-r0	CVE-2025-27113	HIGH
libxml2	2.12.7-r0	CVE-2025-32414	HIGH
libxml2	2.12.7-r0	CVE-2025-32415	HIGH
postgresql16-dev	16.8-r0	CVE-2025-8714	HIGH
postgresql16-dev	16.8-r0	CVE-2025-8715	HIGH
pyc	3.12.9-r0	CVE-2024-12718	HIGH
pyc	3.12.9-r0	CVE-2025-4138	HIGH
pyc	3.12.9-r0	CVE-2025-4330	HIGH
pyc	3.12.9-r0	CVE-2025-4517	HIGH
python3	3.12.9-r0	CVE-2024-12718	HIGH
python3	3.12.9-r0	CVE-2025-4138	HIGH
python3	3.12.9-r0	CVE-2025-4330	HIGH
python3	3.12.9-r0	CVE-2025-4517	HIGH
python3-pyc	3.12.9-r0	CVE-2024-12718	HIGH
python3-pyc	3.12.9-r0	CVE-2025-4138	HIGH
python3-pyc	3.12.9-r0	CVE-2025-4330	HIGH
python3-pyc	3.12.9-r0	CVE-2025-4517	HIGH
python3-pycache-pyc0	3.12.9-r0	CVE-2024-12718	HIGH
python3-pycache-pyc0	3.12.9-r0	CVE-2025-4138	HIGH
python3-pycache-pyc0	3.12.9-r0	CVE-2025-4330	HIGH
python3-pycache-pyc0	3.12.9-r0	CVE-2025-4517	HIGH
sqlite-libs	3.45.3-r1	CVE-2025-29087	HIGH
xz	5.6.2-r0	CVE-2025-31115	HIGH
xz-libs	5.6.2-r0	CVE-2025-31115	HIGH
golang.org/x/crypto	v0.31.0	CVE-2025-22869	HIGH
golang.org/x/oauth2	v0.24.0	CVE-2025-22868	HIGH
stdlib	1.22.10	CVE-2025-47907	HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

app/controllers/api/users.php (1)

218-219: LGTM with a minor formatting nit.

The fix correctly handles the case where name: null is explicitly passed by converting it to an empty string before calling createUser. This prevents the type error since createUser expects a non-nullable string $name.

Apply this diff to fix the formatting (remove extra space):

-        $name = $name ??  '';
+        $name = $name ?? '';

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 852f06c and c180b1f.

📒 Files selected for processing (1)

• app/controllers/api/users.php (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: scan

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify if other user creation endpoints need the same fix.

Other user creation endpoints (/v1/users/bcrypt, /v1/users/md5, /v1/users/argon2, etc.) also have optional name parameters but don't use nullable type hints (?string $name) in their action closures. If users explicitly pass name: null to those endpoints, they may encounter the same server error.

Run the following script to check if the same pattern exists in other endpoints:

---

🏁 Script executed:

#!/bin/bash
# Description: Check if other user creation endpoints have the same issue with nullable name parameter

# Search for user creation endpoints that have optional name params but non-nullable action closures
rg -A 5 "param\('name', '', new Text\(128\)" app/controllers/api/users.php | \
  rg -B 20 "->action\(function.*string \\\$name" | \
  rg -C 3 "->param\('name'"

Length of output: 809

---

🏁 Script executed:

#!/bin/bash
# Search for user creation endpoints with optional name parameter
# First, find lines with param('name', '', new Text(128))

echo "=== Finding endpoints with optional name parameter ==="
rg -n "param\('name', '', new Text" app/controllers/api/users.php

echo -e "\n=== Checking action closures for these endpoints ==="
# Get surrounding context to see the action() closure
rg -B 30 "param\('name', '', new Text" app/controllers/api/users.php | \
  rg -A 3 "->action\(function"

Length of output: 1542

---

🏁 Script executed:

#!/bin/bash
# Check action closures for each endpoint with optional name parameter
# For each param line, look backwards to find the corresponding ->action() closure

echo "=== Endpoint 1 (line 213) ==="
sed -n '195,225p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 2 (line 248) ==="
sed -n '230,260p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 3 (line 283) ==="
sed -n '265,295p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 4 (line 318) ==="
sed -n '300,330p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 5 (line 354) ==="
sed -n '336,366p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 6 (line 395) ==="
sed -n '377,407p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 7 (line 435) ==="
sed -n '417,447p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

echo -e "\n=== Endpoint 8 (line 481) ==="
sed -n '463,493p' app/controllers/api/users.php | grep -E "(->action|string \$name)"

Length of output: 1795

---

Apply the same nullable type hint fix to other user creation endpoints.

The verification confirms the issue: endpoints at lines 248, 283, 318, 354, 395, 435, and 481 all have optional name parameters (default '') but use non-nullable string $name type hints in their action closures. This mirrors the vulnerability fixed in your endpoint (line 213), allowing users to pass name: null and trigger the same server error.

Apply the same fix (?string $name) to these endpoints:

• /v1/users/bcrypt (line 248)
• /v1/users/md5 (line 283)
• /v1/users/argon2 (line 318)
• /v1/users/scrypt (line 354)
• /v1/users/phpass (line 395)
• /v1/users/argon2id (line 435)
• /v1/users/custom (line 481)

🤖 Prompt for AI Agents

In app/controllers/api/users.php around lines 248, 283, 318, 354, 395, 435 and
481 update each action closure's sixth parameter from non-nullable string $name
to nullable ?string $name and keep the existing fallback assignment ($name =
$name ?? '') so the endpoint accepts explicit null without type error; apply the
same exact change as was made at line 213 to /v1/users/bcrypt, /v1/users/md5,
/v1/users/argon2, /v1/users/scrypt, /v1/users/phpass, /v1/users/argon2id and
/v1/users/custom.

[Aglowharmony]

Please merge this & close this PR