fix: update user and article api handling

Author: b-angelov

izpitnik/accounts/api/filters.py

@@ -0,0 +1,14 @@
+
+
+def filter_user_response(func):
+    def wrapper(self, request, *args, **kwargs):
+        response = func(self, request, *args, **kwargs)
+        if (
+                not request.user.is_authenticated
+                or str(request.user.pk) != kwargs.get(self.lookup_url_kwarg)
+                or not request.user.has_perm("accounts.view_user")
+                or not request.user.is_superuser
+        ):
+            response.data = {k:v for k,v in response.data.items() if k in ['username','first_name','last_name','profile']}
+        return response
+    return wrapper

izpitnik/accounts/api/views.py

@@ -15,6 +15,7 @@
 from rest_framework.response import Response
 from django.conf import settings
 
+from izpitnik.accounts.api.filters import filter_user_response
 from izpitnik.accounts.api.permissions import IsOwnerPermission, add_or_change_permission_decorator, \
     delete_permission_decorator
 from izpitnik.accounts.mixins import GenerateTokenMixin
@@ -93,24 +94,31 @@ def post(self, request):
             return Response(form.errors, status=400)
 
 class GetUpdateDeleteProfileAPIView(RetrieveUpdateDestroyAPIView):
-    permission_classes = [IsOwnerPermission]
+    # permission_classes = [IsOwnerPermission]
+    permission_classes = [AllowAny]
     lookup_url_kwarg = "user_id"
     serializer_class = UserProfileSerializer
     parser_classes = (MultiPartParser, FormParser, JSONParser)
+    allowed_kwarg_values = ['my']
 
     def get_queryset(self):
         from izpitnik.accounts.models import User
         user_id = self.rectify_kwarg(self.request, self.kwargs).get(self.lookup_url_kwarg)
         return User.objects.filter(pk=user_id).prefetch_related("profile")
 
+    @filter_user_response
     def get(self, request, *args, **kwargs):
         kwargs = self.rectify_kwarg(request, kwargs)
         response = super().get(request,*args, **kwargs)
         return response
 
     def rectify_kwarg(self, request, kwargs):
         user_id = kwargs.get(self.lookup_url_kwarg)
+        if not user_id.isdigit() and user_id not in self.allowed_kwarg_values:
+            raise AuthenticationFailed('Invalid user identifier.')
         if user_id == 'my':
+            if not request.user.is_authenticated:
+                raise AuthenticationFailed('Authentication credentials were not provided.')
             kwargs[self.lookup_url_kwarg] = str(request.user.pk)
         return kwargs
 

izpitnik/accounts/serializers.py

@@ -48,3 +48,8 @@ def update(self, instance, validated_data):
 
         return instance
 
+class UserBasicSerializer(serializers.ModelSerializer):
+
+    class Meta:
+        model = User
+        fields = ['id', 'username', 'first_name', 'last_name']

izpitnik/articles/api/serializers.py

@@ -1,5 +1,7 @@
 from rest_framework import serializers
 
+# from izpitnik.accounts.models import User
+from izpitnik.accounts.serializers import UserBasicSerializer
 from izpitnik.articles.models import Article
 from izpitnik.orth_calendar.models import Saint, Feast, HolidayOccurrences
 from izpitnik.orth_calendar.serializers.feasts import FeastsSerializer
@@ -36,6 +38,10 @@ class ArticleSerializer(serializers.ModelSerializer):
         source='holiday', many=True, write_only=True,
         queryset=HolidayOccurrences.objects.all(), required=False
     )
+    author = UserBasicSerializer(
+        read_only=True,
+        many=False,
+    )
 
     image = serializers.ImageField(required=False,allow_null=True,allow_empty_file=True)