sarlink/sarlink-portal-api
7
0
Fork 0
mirror of https://github.com/i701/sarlink-portal-api.git synced 2025-04-19 23:46:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add authorization check in UpdateUserWalletView to restrict updates to the user's own wallet
All checks were successful
Build and Push Docker Images / Build and Push Docker Images (push) Successful in 2m32s
Details

Browse Source
This commit is contained in:
i701 2025-04-05 22:50:14 +05:00
parent 2368ff408a
commit a8adddfda4
Signed by: i701
GPG Key ID: 54A0DA1E26D8E587
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
api/views.py
View File

@ -53,8 +53,18 @@ class UpdateUserWalletView(generics.UpdateAPIView):
serializer_class = CustomUserByWalletBalanceSerializer serializer_class = CustomUserByWalletBalanceSerializer
permission_classes = (permissions.IsAuthenticated,) permission_classes = (permissions.IsAuthenticated,)
queryset = User.objects.all() queryset = User.objects.all()
lookup_field = "pk"
def update(self, request, *args, **kwargs): def update(self, request, *args, **kwargs):
id_to_update = kwargs.get("pk")
user_id = request.user.id
print(f"User ID: {user_id}")
print(f"ID to update: {id_to_update}")
if user_id != id_to_update:
return Response(
{"message": "You are not authorized to update this user."},
status=status.HTTP_403_FORBIDDEN,
)
wallet_balance = request.data.get("wallet_balance") wallet_balance = request.data.get("wallet_balance")
if not wallet_balance: if not wallet_balance:
return Response( return Response(