From ff065fa4a94e16273b08492c7383e24d7a88aa85 Mon Sep 17 00:00:00 2001
From: i701
Date: Fri, 11 Jul 2025 19:55:25 +0500
Subject: [PATCH] =?UTF-8?q?feat(user):=20add=20user=20update=20endpoint=20?= =?UTF-8?q?with=20authorization=20checks=20and=20serializer=20support=20?= =?UTF-8?q?=E2=9C=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 api/serializers.py | 15 +++++++++++++++
 api/urls.py | 2 ++
 api/views.py | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/api/serializers.py b/api/serializers.py
index 71532d4..7643397 100644
--- a/api/serializers.py
+++ b/api/serializers.py
@@ -33,6 +33,21 @@ class UserProfileUpdateSerializer(serializers.ModelSerializer):
     ) # Only allow these fields
 
 
+class UserUpdateSerializer(serializers.ModelSerializer):
+    class Meta: # type: ignore
+        model = User
+        fields = (
+            "id_card",
+            "mobile",
+            "first_name",
+            "last_name",
+            "address",
+            "dob",
+            "atoll",
+            "island",
+        )
+
+
 class CustomUserSerializer(serializers.ModelSerializer):
     """serializer for the user object"""
 
diff --git a/api/urls.py b/api/urls.py
index 00ae448..d228ae0 100644
--- a/api/urls.py
+++ b/api/urls.py
@@ -21,6 +21,7 @@ from .views import (
     UpdateUserWalletView,
     VerifyOTPView,
     UserVerifyAPIView,
+    UserUpdateAPIView,
 )
 
 
@@ -39,6 +40,7 @@ urlpatterns = [
     ),
     path("users//", UserDetailAPIView.as_view(), name="user-detail"),
     path("users//verify/", UserVerifyAPIView.as_view(), name="user-verify"),
+    path("users//update/", UserUpdateAPIView.as_view(), name="user-update"),
     path("users/filter/", filter_user, name="filter-users"),
     path("users/temp/filter/", filter_temporary_user, name="filter-temporary-users"),
     path("healthcheck/", healthcheck, name="healthcheck"),
diff --git a/api/views.py b/api/views.py
index ca81d8d..b8afac0 100644
--- a/api/views.py
+++ b/api/views.py
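Review bot: `UserUpdateSerializer` carries no docstring while its neighbour `CustomUserSerializer` documents itself, so nothing records who this field list is meant for; a one-liner such as `"""Fields an admin (or the user themself) may change through UserUpdateAPIView."""` would close that gap. The list exposes `id_card`, `mobile` and `dob`, and the view added in api/views.py lets a user update their own record with this serializer, so these become self-service editable. If they are verified identity attributes (a `user-verify` route exists alongside), consider listing them in `read_only_fields` for the self-update path or re-triggering verification when they change — whether that matters cannot be told from this hunk.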
@@ -17,6 +17,7 @@ from api.serializers import (
     CustomUserByWalletBalanceSerializer,
     OTPVerificationSerializer,
     TemporaryUserSerializer,
+    UserUpdateSerializer,
 )
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
@@ -325,6 +326,37 @@ class UserprofileAPIView(generics.RetrieveUpdateAPIView):
         return self.request.user
 
 
+class UserUpdateAPIView(StaffEditorPermissionMixin, generics.UpdateAPIView):
+    serializer_class = UserUpdateSerializer
+    queryset = User.objects.all()
+    lookup_field = "pk"
+
+    def update(self, request, *args, **kwargs):
+        user_id = kwargs.get("pk")
+        user = get_object_or_404(User, pk=user_id)
+        if user.is_superuser:
+            return Response(
+                {"message": "You cannot update a superuser."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        if request.user != user and (
+            not request.user.is_authenticated
+            or not getattr(request.user, "is_admin", False)
+        ):
+            return Response(
+                {"message": "You are not authorized to update this user."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        serializer = self.get_serializer(
+            user,
+            data=request.data,
+            partial=True,
+        )
+        serializer.is_valid(raise_exception=True)
+        user.save()
+        return super().update(request, *args, **kwargs)
+
+
 class KnoxTokenListApiView(
     StaffEditorPermissionMixin,
     generics.ListAPIView,
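Review bot: In `UserUpdateAPIView.update` the serializer built with `partial=True` is validated but never saved — `user.save()` writes the untouched instance and the real write happens in `super().update(request, *args, **kwargs)`, which fetches and validates again with DRF's default `partial=False` on PUT, so a partial PUT can pass the first `is_valid` and still be rejected with 400, and every request runs validation twice. Replace the last two lines with `self.perform_update(serializer)` and `return Response(serializer.data)`, or drop the manual serializer block and let the parent implementation do the work. `get_object_or_404(User, pk=user_id)` also sidesteps `self.get_object()`, which would honour `queryset`/`lookup_field` and call `check_object_permissions`, so any object-level checks `StaffEditorPermissionMixin` contributes are skipped here; `user = self.get_object()` keeps them in play. Because the lookup runs before the `is_authenticated` test, an anonymous caller would see 404 or 403 depending on whether the id exists, unless the mixin's permission classes already reject unauthenticated requests before `update` is entered — worth confirming against the mixin.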