Merge pull request #15 from i701/feat/user-verification-flow

feat(user): add user rejection endpoint and improve verification response messages ✨

api/urls.py

@@ -22,6 +22,7 @@ from .views import (
     VerifyOTPView,
     UserVerifyAPIView,
     UserUpdateAPIView,
+    UserRejectAPIView,
 )
 
 
@@ -39,10 +40,12 @@ urlpatterns = [
         "update-wallet/<int:pk>/", UpdateUserWalletView.as_view(), name="update-wallet"
     ),
     path("users/<int:pk>/", UserDetailAPIView.as_view(), name="user-detail"),
-    path("users/<int:pk>/verify/", UserVerifyAPIView.as_view(), name="user-verify"),
     path("users/<int:pk>/update/", UserUpdateAPIView.as_view(), name="user-update"),
     path("users/filter/", filter_user, name="filter-users"),
     path("users/temp/filter/", filter_temporary_user, name="filter-temporary-users"),
+    # User verification flow
+    path("users/<int:pk>/verify/", UserVerifyAPIView.as_view(), name="user-verify"),
+    path("users/<int:pk>/reject/", UserRejectAPIView.as_view(), name="user-reject"),
     path("healthcheck/", healthcheck, name="healthcheck"),
     path("test/", test_email, name="testemail"),
     path("atolls/", ListAtollView.as_view(), name="atolls"),

api/views.py

@@ -7,6 +7,7 @@ from rest_framework.authtoken.serializers import AuthTokenSerializer
 from api.filters import UserFilter
 from api.mixins import StaffEditorPermissionMixin
 from api.models import User, Atoll, Island, TemporaryUser
+from api.notifications import send_sms
 from rest_framework.response import Response
 from rest_framework import status
 from rest_framework.exceptions import ValidationError
@@ -407,28 +408,69 @@ class UserVerifyAPIView(StaffEditorPermissionMixin, generics.UpdateAPIView):
             )
         serializer = self.get_serializer(user, data=request.data, partial=True)
         serializer.is_valid(raise_exception=True)
-        verified_person = check_person_api_verification(
-            user_data=user, id_card=user.id_card
-        )
-        if not verified_person["ok"]:
+        result = check_person_api_verification(user_data=user, id_card=user.id_card)
+        if not result["ok"]:
             return Response(
                 {
-                    "message": "User verification failed. Please check sarlink user details.",
-                    "mismatch_fields": verified_person["mismatch_fields"],
+                    "message": "User verification failed. Please check the api user details.",
+                    "mismatch_fields": result["mismatch_fields"],
                 },
                 status=status.HTTP_400_BAD_REQUEST,
             )
-        if verified_person["mismatch_fields"]:
+        if result["mismatch_fields"]:
             return Response(
                 {
                     "message": "User verification failed due to mismatched fields.",
-                    "mismatch_fields": verified_person["mismatch_fields"],
+                    "mismatch_fields": result["mismatch_fields"],
                 },
                 status=status.HTTP_400_BAD_REQUEST,
             )
         user.verified = True
         user.save()
-        return Response({"message": "User verification status updated."})
+        return Response({"message": "User successfully verified."})
+
+
+class UserRejectAPIView(StaffEditorPermissionMixin, generics.DestroyAPIView):
+    serializer_class = CustomUserSerializer
+    queryset = User.objects.all()
+    lookup_field = "pk"
+
+    def destroy(self, request, *args, **kwargs):
+        rejection_details = request.data.get("rejection_details", "")
+        if not rejection_details:
+            return Response(
+                {"message": "Rejection details are required."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        user_id = kwargs.get("pk")
+        user = get_object_or_404(User, pk=user_id)
+        mobile_number = user.mobile
+        if not mobile_number:
+            return Response(
+                {"message": "User does not have a mobile number."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        if user.is_superuser:
+            return Response(
+                {"message": "You cannot remove a superuser."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        if request.user != user and (
+            not request.user.is_authenticated
+            or not getattr(request.user, "is_admin", False)
+        ):
+            return Response(
+                {"message": "You are not authorized to reject this user."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        user.delete()
+        t_user = get_object_or_404(TemporaryUser, t_mobile=user.mobile)
+        t_user.delete()
+        send_sms(message=rejection_details, mobile=mobile_number)
+        return Response(
+            {"message": "User successfully rejected."},
+            status=status.HTTP_204_NO_CONTENT,
+        )
 
 
 @api_view(["GET"])