sarlink/sarlink-portal-api
7
0
Fork 0
mirror of https://github.com/i701/sarlink-portal-api.git synced 2025-07-14 02:55:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(user): enhance user profile management with dynamic serializer selection and authorization check

Browse Source
This commit is contained in:
i701
2025-07-11 11:44:21 +05:00
parent 56ab79bd8c
commit 82ae1e6cea
1 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
api/views.py
View File

@ -40,6 +40,7 @@ from .serializers import (
CustomUserSerializer, CustomUserSerializer,
CustomReadOnlyUserSerializer, CustomReadOnlyUserSerializer,
CustomReadOnlyUserByIDCardSerializer, CustomReadOnlyUserByIDCardSerializer,
UserProfileUpdateSerializer,
) )
ID_CARD_PATTERN = r"^[A-Z]{1,2}[0-9]{6,7}$" ID_CARD_PATTERN = r"^[A-Z]{1,2}[0-9]{6,7}$"
@ -305,12 +306,20 @@ class LoginView(KnoxLoginView):
return Response({"message": message}, status=status.HTTP_400_BAD_REQUEST) return Response({"message": message}, status=status.HTTP_400_BAD_REQUEST)
class ManageUserView(generics.RetrieveUpdateAPIView): class UserprofileAPIView(generics.RetrieveUpdateAPIView):
"""Manage the authenticated user""" """Retrieve user api view"""
serializer_class = CustomUserSerializer queryset = User.objects.all()
permission_classes = (permissions.IsAuthenticated,) permission_classes = (permissions.IsAuthenticated,)
def get_serializer_class(self):
"""Return the serializer class based on the request method"""
if self.request.method == "GET":
return CustomReadOnlyUserSerializer
elif self.request.method == "PUT" or self.request.method == "PATCH":
return UserProfileUpdateSerializer
return super().get_serializer_class()
def get_object(self): def get_object(self):
"""Retrieve and return authenticated user""" """Retrieve and return authenticated user"""
return self.request.user return self.request.user
@ -459,6 +468,16 @@ class UserDetailAPIView(StaffEditorPermissionMixin, generics.RetrieveAPIView):
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
instance = self.get_object() instance = self.get_object()
user = request.user
if (
user != instance
and not getattr(user, "is_admin", False)
and not user.is_superuser
):
return Response(
{"message": "You are not authorized to view this user's details."},
status=status.HTTP_403_FORBIDDEN,
)
serializer = self.get_serializer(instance) serializer = self.get_serializer(instance)
data = serializer.data data = serializer.data