posts are done

2026-05-19 00:08:02 +02:00
parent 202ce22102
commit 2e9e3ed41b
35 changed files with 1528 additions and 272 deletions
--- a/backend/account/views.py
+++ b/backend/account/views.py
@@ -232,36 +232,29 @@ class UserView(viewsets.ModelViewSet):
        },
    )
    def get_permissions(self):
-        # Only admin can list or create users
-        if self.action in ['list', 'create']:
+        if self.action == 'create':
            return [OnlyRolesAllowed("admin")()]

-        # Only admin or the user themselves can update or delete
-        elif self.action in ['update', 'partial_update', 'destroy']:
+        if self.action in ['list', 'retrieve']:
+            return [IsAuthenticated()]
+
+        if self.action in ['update', 'partial_update', 'destroy']:
            user = getattr(self, 'request', None) and getattr(self.request, 'user', None)
-            # Admins can modify any user
            if user and getattr(user, 'is_authenticated', False) and getattr(user, 'role', None) == 'admin':
                return [OnlyRolesAllowed("admin")()]
-            
-            # Users can modify their own record
-            if user and getattr(user, 'is_authenticated', False) and self.kwargs.get('pk') and str(getattr(user, 'id', '')) == self.kwargs['pk']:
+            lookup = self.kwargs.get('pk', '')
+            if user and getattr(user, 'is_authenticated', False) and lookup and (
+                str(getattr(user, 'id', '')) == lookup
+            ):
                return [IsAuthenticated()]
-            
-            # Fallback - deny access (prevents AttributeError for AnonymousUser)
            return [OnlyRolesAllowed("admin")()]

-        # Any authenticated user can retrieve a profile (serializer limits fields for non-owner/non-admin)
-        elif self.action == 'retrieve':
-            return [IsAuthenticated()]
-
        return super().get_permissions()

    def get_serializer_class(self):
        user = getattr(self.request, 'user', None)
-        pk = self.kwargs.get('pk')
-        is_self = pk and user and str(getattr(user, 'id', '')) == str(pk)
        is_admin = user and (getattr(user, 'role', None) == 'admin' or getattr(user, 'is_superuser', False))
-        if self.action == 'retrieve' and not is_self and not is_admin:
+        if self.action in ['retrieve', 'list'] and not is_admin:
            return PublicUserSerializer
        return CustomUserSerializer
        
@@ -285,6 +278,29 @@ class CurrentUserView(APIView):
        return Response(serializer.data)


+@extend_schema(
+    tags=["account"],
+    summary="Change password for the authenticated user",
+    request=ChangePasswordSerializer,
+    responses={
+        200: OpenApiResponse(description="Password changed successfully."),
+        400: OpenApiResponse(description="Invalid current password or validation error."),
+    },
+)
+class ChangePasswordView(APIView):
+    permission_classes = [IsAuthenticated]
+
+    def post(self, request):
+        serializer = ChangePasswordSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        user = request.user
+        if not user.check_password(serializer.validated_data['current_password']):
+            return Response({"current_password": "Nesprávné heslo."}, status=status.HTTP_400_BAD_REQUEST)
+        user.set_password(serializer.validated_data['new_password'])
+        user.save()
+        return Response({"detail": "Heslo bylo úspěšně změněno."})
+
+
 #------------------------------------------------REGISTRACE--------------------------------------------------------------

 #1. registration API