websockets + chat app (django)

backend/account/views.py

@@ -229,13 +229,17 @@ class UserView(viewsets.ModelViewSet):
 
         # Only admin or the user themselves can update or delete
         elif self.action in ['update', 'partial_update', 'destroy']:
-            if self.request.user.role == 'admin':
+            user = getattr(self, 'request', None) and getattr(self.request, 'user', None)
+            # Admins can modify any user
+            if user and getattr(user, 'is_authenticated', False) and getattr(user, 'role', None) == 'admin':
                 return [OnlyRolesAllowed("admin")()]
-            elif self.kwargs.get('pk') and str(self.request.user.id) == self.kwargs['pk']:
+            
+            # Users can modify their own record
+            if user and getattr(user, 'is_authenticated', False) and self.kwargs.get('pk') and str(getattr(user, 'id', '')) == self.kwargs['pk']:
                 return [IsAuthenticated()]
-            else:
-                # fallback - deny access
-                return [OnlyRolesAllowed("admin")()]
+            
+            # Fallback - deny access (prevents AttributeError for AnonymousUser)
+            return [OnlyRolesAllowed("admin")()]
 
         # Any authenticated user can retrieve (view) any user's profile
         elif self.action == 'retrieve':