diff --git a/care/emr/api/viewsets/user.py b/care/emr/api/viewsets/user.py
index 97d2f19a9f..ea086e41f3 100644
--- a/care/emr/api/viewsets/user.py
+++ b/care/emr/api/viewsets/user.py
@@ -72,8 +72,9 @@ def perform_create(self, instance):
 def authorize_update(self, request_obj, model_instance):
 if self.request.user.is_superuser:
- return True
- return self.request.user.id == model_instance.id
+ return
+ if not self.request.user.id == model_instance.id:
+ raise PermissionDenied("You do not have permission to update this user")
 def authorize_create(self, instance):
 if not AuthorizationController.call("can_create_user", self.request.user):
diff --git a/care/emr/resources/encounter/spec.py b/care/emr/resources/encounter/spec.py
index 48a31006c2..0a50aed23e 100644
--- a/care/emr/resources/encounter/spec.py
+++ b/care/emr/resources/encounter/spec.py
@@ -4,7 +4,12 @@
 from django.utils import timezone
 from pydantic import UUID4, BaseModel, model_validator
-from care.emr.models import Encounter, EncounterOrganization, TokenBooking
+from care.emr.models import (
+ Encounter,
+ EncounterOrganization,
+ FacilityLocationEncounter,
+ TokenBooking,
+)
 from care.emr.models.patient import Patient
 from care.emr.resources.base import EMRResource
 from care.emr.resources.encounter.constants import (
@@ -17,10 +22,12 @@
 )
 from care.emr.resources.facility.spec import FacilityBareMinimumSpec
 from care.emr.resources.facility_organization.spec import FacilityOrganizationReadSpec
-from care.emr.resources.location.spec import FacilityLocationListSpec
+from care.emr.resources.location.spec import (
+ FacilityLocationEncounterListSpec,
+ FacilityLocationListSpec,
+)
 from care.emr.resources.patient.spec import PatientListSpec
 from care.emr.resources.scheduling.slot.spec import TokenBookingReadSpec
-from care.emr.resources.user.spec import UserSpec
 from care.facility.models import Facility
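Review bot: No import of `PermissionDenied` appears anywhere in this diff, so the new raise in `authorize_update` depends on user.py already importing it; if it does not, the denial path fails with a NameError (a 500) instead of a clean 403, which is worth confirming together with a test that a non-superuser updating another user's record is rejected. The comparison would read more directly as `if self.request.user.id != model_instance.id:`. Since the method now signals denial by raising rather than through its return value, a one-line docstring such as `"""Raise PermissionDenied unless the requester is a superuser or is updating their own record."""` would pin that contract for future overrides.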
@@ -118,6 +125,7 @@ class EncounterRetrieveSpec(EncounterListSpec):
 updated_by: dict = {}
 organizations: list[dict] = []
 current_location: dict | None = None
+ location_history: list[dict] = []
 @classmethod
 def perform_extra_serialization(cls, mapping, obj):
@@ -136,7 +144,10 @@ def perform_extra_serialization(cls, mapping, obj):
 mapping["current_location"] = FacilityLocationListSpec.serialize(
 obj.current_location
 ).to_json()
- if obj.created_by:
- mapping["created_by"] = UserSpec.serialize(obj.created_by)
- if obj.updated_by:
- mapping["updated_by"] = UserSpec.serialize(obj.updated_by)
+ mapping["location_history"] = [
+ FacilityLocationEncounterListSpec.serialize(i)
+ for i in FacilityLocationEncounter.objects.filter(encounter=obj).order_by(
+ "-created_date"
+ )
+ ]
+ cls.serialize_audit_users(mapping, obj)
diff --git a/care/emr/resources/location/spec.py b/care/emr/resources/location/spec.py
index f6f9e0b904..db2b7f85c3 100644
--- a/care/emr/resources/location/spec.py
+++ b/care/emr/resources/location/spec.py
@@ -161,6 +161,17 @@ class FacilityLocationEncounterUpdateSpec(FacilityLocationEncounterBaseSpec):
 end_datetime: datetime.datetime | None = None
+class FacilityLocationEncounterListSpec(FacilityLocationEncounterBaseSpec):
+ encounter: UUID4
+ start_datetime: datetime.datetime
+ end_datetime: datetime.datetime | None = None
+ status: str
+
+ @classmethod
+ def perform_extra_serialization(cls, mapping, obj):
+ mapping["id"] = obj.external_id
+
+
 class FacilityLocationEncounterReadSpec(FacilityLocationEncounterBaseSpec):
 encounter: UUID4
 start_datetime: datetime.datetime
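Review bot: The new `location_history` comprehension stores the result of `FacilityLocationEncounterListSpec.serialize(i)` directly, while the `current_location` context line just above calls `.to_json()` on the serialized spec and the field is annotated `list[dict]`; unless `serialize` already returns a plain dict, each element should be `FacilityLocationEncounterListSpec.serialize(i).to_json()`. The queryset is also unbounded and runs on every retrieve, so an encounter with many location moves returns its whole history in one response; a cap or a separate paginated endpoint may be worth considering. Indentation is lost on this page, so it is not possible to tell whether the added lines sit inside the `current_location` branch, and `perform_extra_serialization` begins outside the hunk.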
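Review bot: `FacilityLocationEncounterListSpec` has no docstring, and the fields it declares (`encounter`, `start_datetime`) repeat the ones that open `FacilityLocationEncounterReadSpec` directly below it, so a reader cannot tell why both specs exist. A class docstring such as `"""Compact read-only view of one location assignment, embedded in an encounter's location_history."""` would make the intent clear. `status: str` accepts any string on output; if the location-encounter status is a closed set elsewhere in the project, typing the field with that enum would keep the response schema strict, though that cannot be verified from this hunk. `FacilityLocationEncounterReadSpec` continues past the end of the hunk.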