ansible · BasavarajBankolli · Jan 28, 2026 · Jan 28, 2026 · Jan 31, 2026 · Feb 4, 2026
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
@@ -1025,6 +1025,7 @@ class UserSerializer(BaseSerializer):
     password = serializers.CharField(required=False, default='', help_text=_('Field used to change the password.'))
     is_system_auditor = serializers.BooleanField(default=False)
     show_capabilities = ['edit', 'delete']
+    password_reset_required = serializers.BooleanField(default=False, help_text=_('Force the user to reset their password on next login.'))
 
     class Meta:
         model = User
@@ -1039,6 +1040,7 @@ class Meta:
             'is_superuser',
             'is_system_auditor',
             'password',
+            'password_reset_required',
             'last_login',
         )
         extra_kwargs = {'last_login': {'read_only': True}}
@@ -1139,6 +1141,7 @@ def _update_password(self, obj, new_password):
     def create(self, validated_data):
         new_password = validated_data.pop('password', None)
         is_system_auditor = validated_data.pop('is_system_auditor', None)
+        password_reset_required = validated_data.pop('password_reset_required', False)
         obj = super(UserSerializer, self).create(validated_data)
         self._update_password(obj, new_password)
         if is_system_auditor is not None:
@@ -1148,6 +1151,7 @@ def create(self, validated_data):
     def update(self, obj, validated_data):
         new_password = validated_data.pop('password', None)
         is_system_auditor = validated_data.pop('is_system_auditor', None)
+        password_reset_required = validated_data.pop('password_reset_required', False)
         obj = super(UserSerializer, self).update(obj, validated_data)
         self._update_password(obj, new_password)
         if is_system_auditor is not None:

diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
@@ -1346,6 +1346,19 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
     serializer_class = serializers.UserSerializer
     resource_purpose = 'user detail'
 
+    def get(self, request, *args, **kwargs):
+        obj = self.get_object()
+
+        # If the admin set the 'password_reset_required' flag to True
+        if getattr(obj, 'password_reset_required', False):
+            # We return a 403 Forbidden with a specific detail message
+            return Response({
+                "detail": _("Password reset is required before you can continue."),
+                "password_reset_required": True
+            }, status=status.HTTP_403_FORBIDDEN)
+
+        return super(UserDetail, self).get(request, *args, **kwargs)
+
     def update_filter(self, request, *args, **kwargs):
         '''make sure non-read-only fields that can only be edited by admins, are only edited by admins'''
         obj = self.get_object()

diff --git a/awx/conf/views.py b/awx/conf/views.py
@@ -44,6 +44,13 @@ class SettingCategoryList(ListAPIView):
 
     @extend_schema_if_available(extensions={"x-ai-description": "A list of additional API endpoints related to settings."})
     def get(self, request, *args, **kwargs):
+        user = request.user
+        # If the database flag is set to True, tell the UI to block the user
+        if getattr(user, 'password_reset_required', False):
+            return Response({
+                "detail": "Password reset is required before proceeding.",
+                "password_reset_required": True
+            }, status=status.HTTP_403_FORBIDDEN)
         return super().get(request, *args, **kwargs)
 
     def get_queryset(self):

diff --git a/awx/main/migrations/0205_add_password_reset_flag.py b/awx/main/migrations/0205_add_password_reset_flag.py
@@ -0,0 +1,16 @@
+from django.db import migrations, models
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        # Replace '0125_some_name' with the ACTUAL name of the last file in the folder
+        ('main', '0125_some_name'), 
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='password_reset_required',
+            field=models.BooleanField(default=False, help_text='Force the user to reset their password on next login.'),
+        ),
+    ]
diff --git a/awx/main/models/__init__.py b/awx/main/models/__init__.py
@@ -7,6 +7,7 @@
 from django.conf import settings  # noqa
 from django.db import connection
 from django.db.models.signals import pre_delete  # noqa
+from django.db import models # for pass
 
 # django-ansible-base
 from ansible_base.resource_registry.fields import AnsibleResourceField
@@ -186,6 +187,7 @@ def get_system_auditor_role():
         rd.permissions.add(*list(permission_registry.permission_qs.filter(codename__startswith='view')))
     return rd
 
+User.add_to_class('password_reset_required', models.BooleanField(default=False))
 
 @property
 def user_is_system_auditor(user):