From a8adddfda4950d025f4b7c4c907eeab4be4a897e Mon Sep 17 00:00:00 2001
From: i701
Date: Sat, 5 Apr 2025 22:50:14 +0500
Subject: [PATCH] Add authorization check in UpdateUserWalletView to restrict updates to the user's own wallet

---
 api/views.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/api/views.py b/api/views.py
index 31a6e7f..766fcba 100644
--- a/api/views.py
+++ b/api/views.py
@@ -53,8 +53,18 @@ class UpdateUserWalletView(generics.UpdateAPIView):
     serializer_class = CustomUserByWalletBalanceSerializer
     permission_classes = (permissions.IsAuthenticated,)
     queryset = User.objects.all()
+    lookup_field = "pk"
 
     def update(self, request, *args, **kwargs):
+        id_to_update = kwargs.get("pk")
+        user_id = request.user.id
+        print(f"User ID: {user_id}")
+        print(f"ID to update: {id_to_update}")
+        if user_id != id_to_update:
+            return Response(
+                {"message": "You are not authorized to update this user."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         wallet_balance = request.data.get("wallet_balance")
         if not wallet_balance:
             return Response(
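Review bot: The check `if user_id != id_to_update:` compares `request.user.id` (an int) with `kwargs.get("pk")`, which arrives as a str unless the URL pattern uses an `<int:pk>` converter, so the owner's own request would also be rejected with 403; normalise both sides, e.g. `if str(user_id) != str(id_to_update):`, or drop the manual comparison and override `get_object` to return `request.user` so the authenticated user can only ever reach their own row. The two `print` calls write user identifiers to stdout on every request and should be removed or replaced with `logger.debug("wallet update: user=%s target=%s", user_id, id_to_update)` on a module-level logger, if the file has one. `permission_classes` is still only `IsAuthenticated`; an object-level permission implementing `has_object_permission` would enforce the same ownership rule declaratively and cover any other handler on this view, and a 403 returned before `get_object()` also reveals whether the caller guessed a foreign pk. The body of `update` continues past the end of the hunk.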