implemented backend logic for retrieving and updating a user profile

Author: ElaineShu0312

csm_web/frontend/src/components/App.tsx

@@ -41,6 +41,9 @@ const App = () => {
           <Route path="matcher/*" element={<EnrollmentMatcher />} />
           <Route path="policies/*" element={<Policies />} />
           <Route path="export/*" element={<DataExport />} />
+          {
+            // TODO: add route for profiles (/user/:id/* element = {UserProfile})
+          }
           <Route path="*" element={<NotFound />} />
         </Route>
       </Routes>

csm_web/frontend/src/utils/queries/base.tsx

@@ -35,6 +35,7 @@ export const useProfiles = (): UseQueryResult<Profile[], Error> => {
   return queryResult;
 };
 
+// TODO: move to new queries/users.tsx
 /**
  * Hook to get the user's info.
  */
@@ -57,6 +58,7 @@ export const useUserInfo = (): UseQueryResult<RawUserInfo, Error> => {
   return queryResult;
 };
 
+// TODO: move to new queries/users.tsx
 /**
  * Hook to get a list of all user emails.
  */

csm_web/scheduler/migrations/0033_user_bio_user_pronouns_user_pronunciation.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.2.7 on 2024-07-20 05:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("scheduler", "0032_word_of_the_day"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="bio",
+            field=models.CharField(default="", max_length=500),
+        ),
+        migrations.AddField(
+            model_name="user",
+            name="pronouns",
+            field=models.CharField(default="", max_length=20),
+        ),
+        migrations.AddField(
+            model_name="user",
+            name="pronunciation",
+            field=models.CharField(default="", max_length=50),
+        ),
+    ]

csm_web/scheduler/models.py

@@ -51,6 +51,12 @@ def week_bounds(date):
 class User(AbstractUser):
     priority_enrollment = models.DateTimeField(null=True, blank=True)
 
+    pronouns = models.CharField(max_length=20, default="", blank=True)
+    pronunciation = models.CharField(max_length=50, default="", blank=True)
+    # profile_pic = models.ImageField(upload_to='profiles/', null=True, blank=True)
+    # if profile picture is implemented
+    bio = models.CharField(max_length=500, default="", blank=True)
+
     def can_enroll_in_course(self, course, bypass_enrollment_time=False):
         """Determine whether this user is allowed to enroll in the given course."""
         # check restricted first
@@ -260,19 +266,15 @@ def save(self, *args, **kwargs):
             ):
                 if settings.DJANGO_ENV != settings.DEVELOPMENT:
                     logger.info(
-                        (
-                            "<SectionOccurrence> SO automatically created for student"
-                            " %s in course %s for date %s"
-                        ),
+                        "<SectionOccurrence> SO automatically created for student"
+                        " %s in course %s for date %s",
                         self.user.email,
                         course.name,
                         now.date(),
                     )
                     logger.info(
-                        (
-                            "<Attendance> Attendance automatically created for student"
-                            " %s in course %s for date %s"
-                        ),
+                        "<Attendance> Attendance automatically created for student"
+                        " %s in course %s for date %s",
                         self.user.email,
                         course.name,
                         now.date(),

csm_web/scheduler/serializers.py

@@ -167,7 +167,16 @@ class Meta:
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
-        fields = ("id", "email", "first_name", "last_name", "priority_enrollment")
+        fields = (
+            "id",
+            "email",
+            "first_name",
+            "last_name",
+            "priority_enrollment",
+            "bio",
+            "pronunciation",
+            "pronouns",
+        )
 
 
 class ProfileSerializer(serializers.Serializer):  # pylint: disable=abstract-method

csm_web/scheduler/urls.py

@@ -15,7 +15,9 @@
 urlpatterns = router.urls
 
 urlpatterns += [
-    path("userinfo/", views.userinfo, name="userinfo"),
+    path("user_info/", views.user_info, name="user_info"),
+    path("user/<int:pk>/", views.user_retrieve, name="user_retrieve"),
+    path("user/<int:pk>/update/", views.user_update, name="user_update"),
     path("matcher/active/", views.matcher.active),
     path("matcher/<int:pk>/slots/", views.matcher.slots),
     path("matcher/<int:pk>/preferences/", views.matcher.preferences),

csm_web/scheduler/views/__init__.py

@@ -6,4 +6,4 @@
 from .section import SectionViewSet
 from .spacetime import SpacetimeViewSet
 from .student import StudentViewSet
-from .user import UserViewSet, userinfo
+from .user import UserViewSet, user_info, user_retrieve, user_update

csm_web/scheduler/views/user.py

@@ -1,34 +1,123 @@
-from rest_framework.exceptions import PermissionDenied
-from rest_framework.response import Response
 from rest_framework import status
 from rest_framework.decorators import api_view
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.response import Response
+from scheduler.serializers import UserSerializer
 
+from ..models import Coordinator, Mentor, Student, User
 from .utils import viewset_with
-from ..models import Coordinator, User
-from scheduler.serializers import UserSerializer
+
+# can create pytest to test this
 
 
 class UserViewSet(*viewset_with("list")):
     serializer_class = None
     queryset = User.objects.all()
 
     def list(self, request):
+        """
+        Lists the emails of all users in the system. Only accessible by coordinators and superusers.
+        """
         if not (
-            request.user.is_superuser
-            or Coordinator.objects.filter(user=request.user).exists()
+            # request.user.is_superuser or
+            Coordinator.objects.filter(user=request.user).exists()
         ):
             raise PermissionDenied(
                 "Only coordinators and superusers may view the user email list"
             )
         return Response(self.queryset.order_by("email").values_list("email", flat=True))
 
 
+def has_permission(request_user, target_user):
+    """
+    Returns True if the user has permission to access or edit the target user's profile
+    """
+    # Does not account for users who are both mentors and students of different courses
+    # need separation of concerns:
+    # coordinators/mentor should only have coordinator/mentor access for their course
+    # Check if request_user is a mentor
+    if Mentor.objects.filter(user=request_user).exists():
+        mentor_courses = Mentor.objects.filter(user=request_user).values_list(
+            "course", flat=True
+        )
+
+        if Student.objects.filter(user=target_user, course__in=mentor_courses).exists():
+            return True
+        if Mentor.objects.filter(user=target_user, course__in=mentor_courses).exists():
+            return True
+
+    # Check if request_user is a student in the same course as target_user
+    # Students in the same section can see each other
+    if (
+        Student.objects.filter(user=request_user).exists()
+        and Student.objects.filter(user=target_user).exists()
+    ):
+        request_user_courses = Student.objects.filter(user=request_user).values_list(
+            "course", flat=True
+        )
+        target_user_courses = Student.objects.filter(user=target_user).values_list(
+            "course", flat=True
+        )
+
+        if set(request_user_courses) & set(target_user_courses):
+            return True
+
+    # Coordinator access
+    if Coordinator.objects.filter(
+        user=request_user
+    ).exists():  # or if request_user.is_superuser
+        return True
+
+    # Request user accessing their own profile
+    if request_user == target_user:
+        return True
+
+    return False
+
+
 @api_view(["GET"])
-def userinfo(request):
+def user_retrieve(request, pk):
     """
-    Get user info for request user
+    Retrieve user profile. Only accessible by superusers and the user themselves.
+    """
+    try:
+        user = User.objects.get(pk=pk)
+    except User.DoesNotExist:
+        return Response({"detail": "Not found."}, status=status.HTTP_404_NOT_FOUND)
+
+    if not has_permission(request.user, user):
+        raise PermissionDenied("You do not have permission to access this profile")
 
-    TODO: perhaps replace this with a viewset when we establish profiles
+    serializer = UserSerializer(user)
+    return Response(serializer.data)
+
+
+@api_view(["PUT"])
+def user_update(request, pk):
+    """
+    Update user profile. Only accessible by Coordinators and the user themselves.
+    """
+    try:
+        user = User.objects.get(pk=pk)
+    except User.DoesNotExist:
+        return Response({"detail": "Not found."}, status=status.HTTP_404_NOT_FOUND)
+
+    if not (
+        (request.user == user) or Coordinator.objects.filter(user=request.user).exists()
+    ):
+        raise PermissionDenied("You do not have permission to edit this profile")
+
+    serializer = UserSerializer(user, data=request.data, partial=True)
+    if serializer.is_valid():
+        serializer.save()
+        return Response(serializer.data)
+    return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+
+@api_view(["GET"])
+def user_info(request):
+    """
+    Get user info for request user
     """
     serializer = UserSerializer(request.user)
     return Response(serializer.data, status=status.HTTP_200_OK)

docker-compose.yml

@@ -52,6 +52,10 @@ services:
         source: ./
         target: /opt/csm_web
         read_only: true
+      # output from migrations
+      - type: bind
+        source: ./csm_web/scheduler/migrations/
+        target: /opt/csm_web/csm_web/scheduler/migrations/
     depends_on:
       postgres:
         condition: service_healthy