feat(user): enhance user profile management with dynamic serializer selection and authorization check ✨

api/views.py

@@ -40,6 +40,7 @@ from .serializers import (
     CustomUserSerializer,
     CustomReadOnlyUserSerializer,
     CustomReadOnlyUserByIDCardSerializer,
+    UserProfileUpdateSerializer,
 )
 
 ID_CARD_PATTERN = r"^[A-Z]{1,2}[0-9]{6,7}$"
@@ -305,12 +306,20 @@ class LoginView(KnoxLoginView):
             return Response({"message": message}, status=status.HTTP_400_BAD_REQUEST)
 
 
-class ManageUserView(generics.RetrieveUpdateAPIView):
-    """Manage the authenticated user"""
+class UserprofileAPIView(generics.RetrieveUpdateAPIView):
+    """Retrieve user api view"""
 
-    serializer_class = CustomUserSerializer
+    queryset = User.objects.all()
     permission_classes = (permissions.IsAuthenticated,)
 
+    def get_serializer_class(self):
+        """Return the serializer class based on the request method"""
+        if self.request.method == "GET":
+            return CustomReadOnlyUserSerializer
+        elif self.request.method == "PUT" or self.request.method == "PATCH":
+            return UserProfileUpdateSerializer
+        return super().get_serializer_class()
+
     def get_object(self):
         """Retrieve and return authenticated user"""
         return self.request.user
@@ -459,6 +468,16 @@ class UserDetailAPIView(StaffEditorPermissionMixin, generics.RetrieveAPIView):
 
     def retrieve(self, request, *args, **kwargs):
         instance = self.get_object()
+        user = request.user
+        if (
+            user != instance
+            and not getattr(user, "is_admin", False)
+            and not user.is_superuser
+        ):
+            return Response(
+                {"message": "You are not authorized to view this user's details."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         serializer = self.get_serializer(instance)
         data = serializer.data