added frontend for social + feed partiali working

2026-05-18 02:25:47 +02:00
parent e1df55df0e
commit 202ce22102
88 changed files with 4236 additions and 737 deletions
--- a/backend/account/views.py
+++ b/backend/account/views.py
@@ -250,21 +250,20 @@ class UserView(viewsets.ModelViewSet):
            # Fallback - deny access (prevents AttributeError for AnonymousUser)
            return [OnlyRolesAllowed("admin")()]

-        # Users can only view their own profile, admins can view any profile
+        # Any authenticated user can retrieve a profile (serializer limits fields for non-owner/non-admin)
        elif self.action == 'retrieve':
-            user = getattr(self, 'request', None) and getattr(self.request, 'user', None)
-            # Admins can view any user profile
-            if user and getattr(user, 'is_authenticated', False) and getattr(user, 'role', None) == 'admin':
-                return [IsAuthenticated()]
-            
-            # Users can view their own profile
-            if user and getattr(user, 'is_authenticated', False) and self.kwargs.get('pk') and str(getattr(user, 'id', '')) == self.kwargs['pk']:
-                return [IsAuthenticated()]
-            
-            # Deny access to other users' profiles
-            return [OnlyRolesAllowed("admin")()]
+            return [IsAuthenticated()]

        return super().get_permissions()
+
+    def get_serializer_class(self):
+        user = getattr(self.request, 'user', None)
+        pk = self.kwargs.get('pk')
+        is_self = pk and user and str(getattr(user, 'id', '')) == str(pk)
+        is_admin = user and (getattr(user, 'role', None) == 'admin' or getattr(user, 'is_superuser', False))
+        if self.action == 'retrieve' and not is_self and not is_admin:
+            return PublicUserSerializer
+        return CustomUserSerializer