From 16f56eab5c53ca3006d820ca271ed859393c9c48 Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Thu, 22 Aug 2024 06:12:18 +0000
Subject: [PATCH] Add specific "MeUserSerializer" - Prevent certain attributes from being adjusted
---
 .../InvenTree/InvenTree/serializers.py | 26 +++++++++++++++++--
 src/backend/InvenTree/users/api.py | 12 +++++++--
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/src/backend/InvenTree/InvenTree/serializers.py b/src/backend/InvenTree/InvenTree/serializers.py
index b50634d016..ca018928d1 100644
--- a/src/backend/InvenTree/InvenTree/serializers.py
+++ b/src/backend/InvenTree/InvenTree/serializers.py
@@ -405,18 +405,21 @@ class UserSerializer(InvenTreeModelSerializer):
 read_only_fields = ['username', 'email']
 
 username = serializers.CharField(label=_('Username'), help_text=_('Username'))
+
 first_name = serializers.CharField(
 label=_('First Name'), help_text=_('First name of the user'), allow_blank=True
 )
+
 last_name = serializers.CharField(
 label=_('Last Name'), help_text=_('Last name of the user'), allow_blank=True
 )
+
 email = serializers.EmailField(
 label=_('Email'), help_text=_('Email address of the user'), allow_blank=True
 )
 
 
-class ExendedUserSerializer(UserSerializer):
+class ExtendedUserSerializer(UserSerializer):
 """Serializer for a User with a bit more info."""
 
 from users.serializers import GroupSerializer
@@ -438,9 +441,11 @@ class ExendedUserSerializer(UserSerializer):
 is_staff = serializers.BooleanField(
 label=_('Staff'), help_text=_('Does this user have staff permissions')
 )
+
 is_superuser = serializers.BooleanField(
 label=_('Superuser'), help_text=_('Is this user a superuser')
 )
+
 is_active = serializers.BooleanField(
 label=_('Active'), help_text=_('Is this user account active')
 )
@@ -465,7 +470,24 @@ class ExendedUserSerializer(UserSerializer):
 return super().validate(attrs)
 
 
-class UserCreateSerializer(ExendedUserSerializer):
+class MeUserSerializer(ExtendedUserSerializer):
+ """API serializer specifically for the 'me' endpoint."""
+
+ class Meta(ExtendedUserSerializer.Meta):
+ """Metaclass options.
+
+ Extends the ExtendedUserSerializer.Meta options,
+ but ensures that certain fields are read-only.
+ """
+
+ read_only_fields = ExtendedUserSerializer.Meta.read_only_fields + [
+ 'is_active',
+ 'is_staff',
+ 'is_superuser',
+ ]
+
+
+class UserCreateSerializer(ExtendedUserSerializer):
 """Serializer for creating a new User."""
 
 def validate(self, attrs):
diff --git a/src/backend/InvenTree/users/api.py b/src/backend/InvenTree/users/api.py
index 0f9076ce0c..8707511a22 100644
--- a/src/backend/InvenTree/users/api.py
+++ b/src/backend/InvenTree/users/api.py
@@ -34,7 +34,11 @@ from InvenTree.mixins import (
 RetrieveUpdateAPI,
 RetrieveUpdateDestroyAPI,
 )
-from InvenTree.serializers import ExendedUserSerializer, UserCreateSerializer
+from InvenTree.serializers import (
+ ExtendedUserSerializer,
+ MeUserSerializer,
+ UserCreateSerializer,
+)
 from InvenTree.settings import FRONTEND_URL_BASE
 from users.models import ApiToken, Owner
 from users.serializers import (
@@ -135,13 +139,17 @@ class UserDetail(RetrieveUpdateDestroyAPI):
 """Detail endpoint for a single user."""
 
 queryset = User.objects.all()
- serializer_class = ExendedUserSerializer
+ serializer_class = ExtendedUserSerializer
 permission_classes = [permissions.IsAuthenticated]
 
 
 class MeUserDetail(RetrieveUpdateAPI, UserDetail):
 """Detail endpoint for current user."""
 
+ serializer_class = MeUserSerializer
+
+ rolemap = {'POST': 'view', 'PUT': 'view', 'PATCH': 'view'}
+
 def get_object(self):
 """Always return the current user object."""
 return self.request.user
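Review bot: The read-only protection added in MeUserSerializer.Meta is likely ineffective, because is_active, is_staff and is_superuser are declared explicitly as serializer fields on ExtendedUserSerializer (second hunk of this file) and DRF applies Meta.read_only_fields only to fields it builds from the model, not to explicitly declared ones; the same caveat applies to username and email in the parent Meta. Unless InvenTreeModelSerializer re-applies read_only_fields to declared fields (not visible here), a PUT/PATCH to the 'me' endpoint would still pass these flags through validation and save, which is the self-modification this change is meant to prevent. The flags should be made read-only on the field objects themselves, for example by overriding get_fields() as below (or by re-declaring the three fields with read_only=True), and a regression test asserting that such a request leaves the flags unchanged would pin the behaviour. UserCreateSerializer's body continues past the end of the hunk.
```python
class MeUserSerializer(ExtendedUserSerializer):
    # … unchanged: docstring and Meta …

    def get_fields(self):
        """Return the serializer fields with the privilege flags forced read-only.

        Meta.read_only_fields only affects fields DRF generates from the model;
        is_active, is_staff and is_superuser are declared explicitly on
        ExtendedUserSerializer, so they have to be marked here.
        """
        fields = super().get_fields()
        for name in ('is_active', 'is_staff', 'is_superuser'):
            if name in fields:
                fields[name].read_only = True
        return fields
```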
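Review bot: The new rolemap entry in MeUserDetail lowers PUT and PATCH on the 'me' endpoint to the 'view' role, so the serializer's read-only handling becomes the only control stopping a low-privilege user from changing their own privilege flags; that dependency deserves a comment next to the mapping, e.g. `# Write methods are intentionally mapped to 'view': MeUserSerializer keeps the privilege flags read-only`. DELETE is not listed in the rolemap even though MeUserDetail appears to inherit UserDetail's destroy handler through RetrieveUpdateDestroyAPI (as far as the MRO visible here suggests), so it presumably falls back to the default role requirement; worth confirming that is intended rather than an omission. The MeUserDetail class body may continue past the end of the hunk.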