[Fixes #11995] Implement POST and PATCH methods for the User API

GeoNode · Mar 4, 2024 · edef64b · edef64b
1 parent 380abbb
commit edef64b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 26 deletions.
diff --git a/geonode/base/api/permissions.py b/geonode/base/api/permissions.py
@@ -40,30 +40,6 @@
 logger = logging.getLogger(__name__)
 
 
-class IsSelfOrAdminOrReadOnlyUsers(permissions.BasePermission):
-    """Grant permission only if the current instance is the request user.
-    Used to allow users to edit their own account).
-    """
-
-    def has_permission(self, request, view):
-        """Always return True here.
-        The fine-grained permissions are handled in has_object_permission().
-        """
-        return True
-
-    def has_object_permission(self, request, view, obj):
-        user = request.user
-        if request.method in permissions.SAFE_METHODS:
-            return True
-        if user and (user.is_superuser or user.is_staff):
-            return True
-        if user and isinstance(obj, get_user_model()) and obj.pk == user.pk:
-            if request.method == "DELETE":
-                return False
-            return True
-        return False
-
-
 class IsSelf(permissions.BasePermission):
     """Grant permission only if the current instance is the request user.
     Used to allow users to edit their own account, nothing to others (even
@@ -74,6 +50,8 @@ def has_permission(self, request, view):
         """Always return False here.
         The fine-grained permissions are handled in has_object_permission().
         """
+        if request.user:
+            return True
         return False
 
     def has_object_permission(self, request, view, obj):

diff --git a/geonode/people/views.py b/geonode/people/views.py
@@ -49,7 +49,7 @@
 from geonode.base.models import ResourceBase
 from geonode.base.api.filters import DynamicSearchFilter
 from geonode.groups.models import GroupProfile, GroupMember
-from geonode.base.api.permissions import IsSelfOrAdminOrReadOnlyUsers
+from geonode.base.api.permissions import IsSelfOrAdminOrReadOnly
 from geonode.base.api.serializers import UserSerializer, GroupProfileSerializer, ResourceBaseSerializer
 from geonode.base.api.pagination import GeoNodeApiPagination
 
@@ -178,10 +178,11 @@ class UserViewSet(DynamicModelViewSet):
     API endpoint that allows users to be viewed or edited.
     """
 
+    http_method_names = ["get", "post", "patch"]
     authentication_classes = [SessionAuthentication, BasicAuthentication, OAuth2Authentication]
     permission_classes = [
         IsAuthenticated,
-        IsSelfOrAdminOrReadOnlyUsers,
+        IsSelfOrAdminOrReadOnly,
     ]
     filter_backends = [DynamicFilterBackend, DynamicSortingFilter, DynamicSearchFilter]
     serializer_class = UserSerializer