feat(agreement): implement user agreement update functionality with validation checks ✨

api/serializers.py

@@ -49,6 +49,15 @@ class UserUpdateSerializer(serializers.ModelSerializer):
         )
 
 
+class UserAgreementSerializer(serializers.ModelSerializer):
+    """serializer for the user agreement object"""
+
+    class Meta:  # type: ignore
+        model = User
+        fields = ("agreement",)
+        extra_kwargs = {"agreement": {"required": True, "allow_null": False}}
+
+
 class CustomUserSerializer(serializers.ModelSerializer):
     """serializer for the user object"""
 

api/urls.py

@@ -23,6 +23,7 @@ from .views import (
     UserVerifyAPIView,
     UserUpdateAPIView,
     UserRejectAPIView,
+    AgreementUpdateAPIView,
 )
 
 
@@ -45,6 +46,11 @@ urlpatterns = [
     path("users/temp/filter/", filter_temporary_user, name="filter-temporary-users"),
     # User verification flow
     path("users/<int:pk>/verify/", UserVerifyAPIView.as_view(), name="user-verify"),
+    path(
+        "users/<int:pk>/agreement/",
+        AgreementUpdateAPIView.as_view(),
+        name="user-agreement-update",
+    ),
     path("users/<int:pk>/reject/", UserRejectAPIView.as_view(), name="user-reject"),
     path("healthcheck/", healthcheck, name="healthcheck"),
     path("test/", test_email, name="testemail"),

api/views.py

@@ -19,6 +19,7 @@ from api.serializers import (
     OTPVerificationSerializer,
     TemporaryUserSerializer,
     UserUpdateSerializer,
+    UserAgreementSerializer,
 )
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
@@ -378,6 +379,57 @@ class UserUpdateAPIView(StaffEditorPermissionMixin, generics.UpdateAPIView):
         return super().update(request, *args, **kwargs)
 
 
+class AgreementUpdateAPIView(StaffEditorPermissionMixin, generics.UpdateAPIView):
+    serializer_class = UserAgreementSerializer
+    queryset = User.objects.all()
+    lookup_field = "pk"
+
+    def update(self, request, *args, **kwargs):
+        user_id = kwargs.get("pk")
+        user = get_object_or_404(User, pk=user_id)
+        if user.is_superuser:
+            return Response(
+                {"message": "You cannot update a superuser."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        if request.user != user and (
+            not request.user.is_authenticated
+            or not getattr(request.user, "is_admin", False)
+        ):
+            return Response(
+                {"message": "You are not authorized to update this user."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        serializer = self.get_serializer(
+            user,
+            data=request.data,
+            partial=True,
+        )
+        agreement = request.data.get("agreement")
+        if not agreement:
+            return Response(
+                {"message": "Agreement file is required."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        if agreement.size > 10 * 1024 * 1024:  # 5 MB limit
+            return Response(
+                {"message": "File size exceeds 10 MB limit."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        if agreement.content_type not in [
+            "application/pdf",
+        ]:
+            return Response(
+                {"message": "Invalid file type. Only PDF files are allowed."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        if agreement:
+            user.agreement = agreement
+        serializer.is_valid(raise_exception=True)
+        user.save()
+        return super().update(request, *args, **kwargs)
+
+
 class KnoxTokenListApiView(
     StaffEditorPermissionMixin,
     generics.ListAPIView,