diff --git a/program/views.py b/program/views.py
index b82d8312f6eaa35a5dd7e28c66aaab2b91de144f..d1ec8421be7ff2bddd222920f11cf13b45ff53a1 100644
--- a/program/views.py
+++ b/program/views.py
@@ -193,6 +193,7 @@ def json_playout(request):
 class APIUserViewSet(
+ DisabledObjectPermissionCheckMixin,
 mixins.CreateModelMixin,
 mixins.RetrieveModelMixin,
 mixins.UpdateModelMixin,
@@ -218,18 +219,6 @@ class APIUserViewSet(
 return queryset
- def retrieve(self, request, *args, **kwargs):
- """Returns a single user."""
- pk = get_values(self.kwargs, "pk")
-
- # Common users only see themselves
- if not request.user.is_superuser and pk != request.user.id:
- return Response(status=status.HTTP_401_UNAUTHORIZED)
-
- user = get_object_or_404(User, pk=pk)
- serializer = UserSerializer(user)
- return Response(serializer.data)
-
 def create(self, request, *args, **kwargs):
 """
 Create a User.
@@ -248,32 +237,6 @@ class APIUserViewSet(
 return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
- def update(self, request, *args, **kwargs):
- """
- Updates the user’s data.
-
- Non-superusers may not be able to edit all of the available data.
- """
- pk = get_values(self.kwargs, "pk")
-
- serializer = UserSerializer(data=request.data)
- # Common users may only edit themselves
- if not request.user.is_superuser and pk != request.user.id:
- return Response(
- serializer.initial_data, status=status.HTTP_401_UNAUTHORIZED
- )
-
- user = get_object_or_404(User, pk=pk)
- serializer = UserSerializer(
- user, data=request.data, context={"user": request.user}
- )
-
- if serializer.is_valid():
- serializer.save()
- return Response(serializer.data)
-
- return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
 class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
 """
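Review bot: In the first hunk, `DisabledObjectPermissionCheckMixin` (which, judging by its name, switches off the object-level permission check) is added to `APIUserViewSet` while the second and third hunks delete the `retrieve` and `update` overrides that held the explicit "common users only see/edit themselves" checks, so `get_queryset` becomes the only barrier between a non-superuser and another account, and its body lies outside this diff (only `return queryset` is visible). Please confirm it narrows the queryset to the requesting user for non-superusers, and record that dependency on the class with a comment such as `# Access control: object permission checks are disabled; get_queryset() must limit non-superusers to their own record.` The deleted `update` also passed `context={"user": request.user}` to `UserSerializer`, whereas the stock `UpdateModelMixin` path takes its context from `get_serializer_context()`, which supplies `request`, `format` and `view` but no `user` key; if the serializer reads `self.context["user"]` to restrict which fields a non-superuser may change, that restriction may now fail or be skipped. If that is the case, keep the key with a `get_serializer_context` override whose body is `return {**super().get_serializer_context(), "user": self.request.user}`. A regression test in which a regular user issues GET and PUT/PATCH against another user's pk would pin the intended behaviour.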