From 82ae1e6cea8d1a8d86520916104c1b0bb51d9224 Mon Sep 17 00:00:00 2001 From: i701 Date: Fri, 11 Jul 2025 11:44:21 +0500 Subject: [PATCH] =?UTF-8?q?feat(user):=20enhance=20user=20profile=20manage?= =?UTF-8?q?ment=20with=20dynamic=20serializer=20selection=20and=20authoriz?= =?UTF-8?q?ation=20check=20=E2=9C=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 api/views.py | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/api/views.py b/api/views.py
index bc1c37f..ab2304a 100644
--- a/api/views.py
+++ b/api/views.py
@@ -40,6 +40,7 @@ from .serializers import (
 CustomUserSerializer,
 CustomReadOnlyUserSerializer,
 CustomReadOnlyUserByIDCardSerializer,
+ UserProfileUpdateSerializer,
 )
 ID_CARD_PATTERN = r"^[A-Z]{1,2}[0-9]{6,7}$"
@@ -305,12 +306,20 @@ class LoginView(KnoxLoginView):
 return Response({"message": message}, status=status.HTTP_400_BAD_REQUEST)
-class ManageUserView(generics.RetrieveUpdateAPIView):
- """Manage the authenticated user"""
+class UserprofileAPIView(generics.RetrieveUpdateAPIView):
+ """Retrieve user api view"""
- serializer_class = CustomUserSerializer
+ queryset = User.objects.all()
 permission_classes = (permissions.IsAuthenticated,)
+ def get_serializer_class(self):
+ """Return the serializer class based on the request method"""
+ if self.request.method == "GET":
+ return CustomReadOnlyUserSerializer
+ elif self.request.method == "PUT" or self.request.method == "PATCH":
+ return UserProfileUpdateSerializer
+ return super().get_serializer_class()
+
 def get_object(self):
 """Retrieve and return authenticated user"""
 return self.request.user 
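Review bot: The fallback `return super().get_serializer_class()` in UserprofileAPIView.get_serializer_class now has nothing to fall back to, because the same hunk removes `serializer_class = CustomUserSerializer`; DRF's base implementation asserts that `serializer_class` is set, so a request whose method is neither GET, PUT nor PATCH — a HEAD request, which DRF routes to retrieve(), is the likely case — would presumably end in a 500 instead of a clean response. Collapse the branches so every method gets a serializer: `if self.request.method in ("PUT", "PATCH"):` / `    return UserProfileUpdateSerializer` / `return CustomReadOnlyUserSerializer`. Since get_object() still returns request.user, `queryset = User.objects.all()` is never consulted by this view; if it is kept only to satisfy the generic base class, a one-line comment saying so would stop the next reader from assuming users are looked up by pk here. UserProfileUpdateSerializer's field list is not in this patch; as this is the self-service update path it is worth confirming it exposes only profile fields and not privilege flags such as `is_admin` or `is_superuser`.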
@@ -459,6 +468,16 @@ class UserDetailAPIView(StaffEditorPermissionMixin, generics.RetrieveAPIView):
 def retrieve(self, request, *args, **kwargs):
 instance = self.get_object()
+ user = request.user
+ if (
+ user != instance
+ and not getattr(user, "is_admin", False)
+ and not user.is_superuser
+ ):
+ return Response(
+ {"message": "You are not authorized to view this user's details."},
+ status=status.HTTP_403_FORBIDDEN,
+ )
 serializer = self.get_serializer(instance)
 data = serializer.data
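Review bot: The new ownership check in UserDetailAPIView.retrieve() is enforced on this one handler only and returns a hand-built Response, so it sits outside DRF's permission framework: `get_object()` has already run `check_object_permissions()` by the time the check happens, and any other handler on this view or a subclass would not inherit it. Raising `PermissionDenied("You are not authorized to view this user's details.")` from rest_framework.exceptions in place of the Response keeps the 403 but routes it through the standard exception handler (uniform `detail` body, same logging as every other denial); moving the condition into a permission class's `has_object_permission` would let `get_object()` enforce it for every action. The condition reads `is_admin` defensively via `getattr` but `user.is_superuser` directly — either both attributes are guaranteed on the user model or neither is, so pick one style. StaffEditorPermissionMixin is already applied to the class but its definition is outside the hunk, so whether it overlaps with this check cannot be judged here. retrieve()'s body continues past the hunk, so what follows `data = serializer.data` is not visible.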