
Added get user route
- Added get user route
	- For fetching details of other users
- Added additional permissions check for change password
	- Allowing district admins and above to change password
- Enable username search for FacilityUsers
Jacobjeevan committed Nov 11, 2024
1 parent d6d069e commit 7fc9ca3
Showing 3 changed files with 54 additions and 1 deletion.
1 change: 1 addition & 0 deletions care/facility/api/viewsets/facility_users.py
Expand Up @@ -16,6 +16,7 @@ class UserFilter(filters.FilterSet):
choices=[(key, key) for key in User.TYPE_VALUE_MAP],
coerce=lambda role: User.TYPE_VALUE_MAP[role],
)
username = filters.CharFilter(field_name="username", lookup_expr="icontains")

class Meta:
model = User
29 changes: 28 additions & 1 deletion care/users/api/viewsets/change_password.py
Expand Up @@ -29,7 +29,26 @@ class ChangePasswordView(UpdateAPIView):
model = User

def update(self, request, *args, **kwargs):
self.object = self.request.user
username = request.data.get("username")
if not username:
return Response(
{"message": ["Username is required"]},
status=status.HTTP_400_BAD_REQUEST,
)
self.object = User.objects.get(username=username)
if not self.object:
return Response(
{"message": ["User not found"]}, status=status.HTTP_404_NOT_FOUND
)
if not self.has_permission(request, self.object):
return Response(
{
"message": [
"User does not have elevated permissions to change password"
]
},
status=status.HTTP_403_FORBIDDEN,
)
serializer = self.get_serializer(data=request.data)

if serializer.is_valid():
Expand All @@ -48,3 +67,11 @@ def update(self, request, *args, **kwargs):
return Response({"message": "Password updated successfully"})

return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

def has_permission(self, request, user):
authuser = request.user
return (
authuser == user
or authuser.is_superuser
or authuser.user_type >= User.TYPE_VALUE_MAP["DistrictAdmin"]
)
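Review bot: The new `has_permission` in the second hunk lets any account at DistrictAdmin level or above change the password of every other user, including superusers and users of a higher type, because the DistrictAdmin clause is not bounded by the target's level, which is an account-takeover path for the most privileged accounts. Bound it with the target, e.g. `or (authuser.user_type >= User.TYPE_VALUE_MAP["DistrictAdmin"] and not user.is_superuser and authuser.user_type >= user.user_type)`, and apply the same ceiling to the parallel `has_permission` added in users.py in this commit. Separately, `self.object = User.objects.get(username=username)` in the `update` hunk raises `User.DoesNotExist` for an unknown username, so the `if not self.object` branch never runs and the request ends in a 500 instead of the intended 404; `self.object = User.objects.filter(username=username).first()` makes that check live. Whether the serializer still verifies the old password when an admin changes another user's password is not visible here, and `update`'s body continues outside the hunk.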
25 changes: 25 additions & 0 deletions care/users/api/viewsets/users.py
Expand Up @@ -203,6 +203,31 @@ def destroy(self, request, *args, **kwargs):
user.save(update_fields=["is_active"])
return Response(status=status.HTTP_204_NO_CONTENT)

@extend_schema(tags=["users"])
@action(detail=False, methods=["GET"])
def get_user(self, request):
username = request.query_params.get("username")
if not username:
raise ValidationError({"username": "This field is required"})
user = User.objects.filter(username=username).first()
if not user:
raise Http404({"user": "User not found"})
if not self.has_permission(user):
raise ValidationError({"user": "Cannot Access Higher Level User"})
return Response(
status=status.HTTP_200_OK,
data=UserSerializer(user, context={"request": request}).data,
)

def has_permission(self, user):
requesting_user = self.request.user
return (
requesting_user == user
or requesting_user.is_superuser
or requesting_user.user_type >= User.TYPE_VALUE_MAP["DistrictAdmin"]
or requesting_user.user_type >= user.user_type
)

@extend_schema(tags=["users"])
@action(detail=False, methods=["POST"])
def add_user(self, request, *args, **kwargs):
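Review bot: In `has_permission` the `requesting_user.user_type >= User.TYPE_VALUE_MAP["DistrictAdmin"]` clause already grants access to every target, so the final `requesting_user.user_type >= user.user_type` check only ever restricts roles below DistrictAdmin and the `"Cannot Access Higher Level User"` message is not enforced for district admins viewing higher-level users. If the intent is the level check, delete the DistrictAdmin line (the last clause already covers it); if district admins may view everyone, the message and the users.py/change_password.py pair should say so consistently, since the two `has_permission` helpers also differ in signature (`(self, user)` here vs `(self, request, user)` there). Raising `ValidationError` for a denied lookup in `get_user` returns 400 rather than 403; `raise PermissionDenied({"user": "Cannot Access Higher Level User"})` from `rest_framework.exceptions` gives the matching status. The distinct not-found and denied responses also tell a low-privileged caller whether a username exists; if that matters here, return the same response for both cases.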
