fix(User): PRWLR-5356 allow deleting and updating users (#83)

src/backend/api/migrations/0001_initial.py

@@ -132,7 +132,7 @@ class Migration(migrations.Migration):
             """
         ),
         migrations.RunSQL(
-            # `runserver` command for dev tools requires read access to migrations
+            # Required permissions for API user related tables
             f"""
             GRANT CONNECT ON DATABASE "{DB_NAME}" TO {DB_PROWLER_USER};
             GRANT SELECT ON django_migrations TO {DB_PROWLER_USER};

src/backend/api/migrations/0002_token_migrations.py

@@ -15,8 +15,9 @@ class Migration(migrations.Migration):
     operations = [
         migrations.RunSQL(
             f"""
-            GRANT SELECT, INSERT, DELETE ON token_blacklist_blacklistedtoken TO {DB_PROWLER_USER};
-            GRANT SELECT, INSERT, DELETE ON token_blacklist_outstandingtoken TO {DB_PROWLER_USER};
+            GRANT SELECT, INSERT, UPDATE, DELETE ON token_blacklist_blacklistedtoken TO {DB_PROWLER_USER};
+            GRANT SELECT, INSERT, UPDATE, DELETE ON token_blacklist_outstandingtoken TO {DB_PROWLER_USER};
+            GRANT SELECT, DELETE ON django_admin_log TO {DB_PROWLER_USER};
             """
         ),
     ]

src/backend/api/specs/v1.yaml

@@ -2817,8 +2817,8 @@ paths:
           description: ''
     patch:
       operationId: users_partial_update
-      description: Partially update the authenticated user's information.
-      summary: Update the current user's information
+      description: Partially update information about a user.
+      summary: Update user information
       parameters:
       - in: path
         name: id
@@ -2852,8 +2852,8 @@ paths:
           description: ''
     delete:
       operationId: users_destroy
-      description: Remove the authenticated user's account from the system.
-      summary: Delete the current user's account
+      description: Remove a user account from the system.
+      summary: Delete a user account
       parameters:
       - in: path
         name: id

src/backend/api/v1/views.py

@@ -210,12 +210,12 @@ def get(self, request, *args, **kwargs):
         description="Create a new user account by providing the necessary registration details.",
     ),
     partial_update=extend_schema(
-        summary="Update the current user's information",
-        description="Partially update the authenticated user's information.",
+        summary="Update user information",
+        description="Partially update information about a user.",
     ),
     destroy=extend_schema(
-        summary="Delete the current user's account",
-        description="Remove the authenticated user's account from the system.",
+        summary="Delete a user account",
+        description="Remove a user account from the system.",
     ),
     me=extend_schema(
         summary="Retrieve the current user's information",
@@ -309,16 +309,6 @@ def create(self, request, *args, **kwargs):
             invitation.save(using=MainRouter.admin_db)
         return Response(data=UserSerializer(user).data, status=status.HTTP_201_CREATED)
 
-    def partial_update(self, request, *args, **kwargs):
-        if kwargs["pk"] != str(request.user.id):
-            raise NotFound(detail="User was not found.")
-        return super().partial_update(request, *args, **kwargs)
-
-    def destroy(self, request, *args, **kwargs):
-        if kwargs["pk"] != str(request.user.id):
-            raise NotFound(detail="User was not found.")
-        return super().destroy(request, *args, **kwargs)
-
 
 @extend_schema_view(
     list=extend_schema(