From cf82526d553e69b0cbf5f1a1e90c13f7aab8509c Mon Sep 17 00:00:00 2001
From: Konrad Mohrfeldt <konrad.mohrfeldt@farbdev.org>
Date: Thu, 17 Mar 2022 00:35:03 +0100
Subject: [PATCH] refactor: tidy up APIUserViewSet

* normalized queryset handling
* consistent formatting of method descriptions.
---
 program/views.py | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/program/views.py b/program/views.py
index bb2f1260..6fecaef5 100644
--- a/program/views.py
+++ b/program/views.py
@@ -195,26 +195,26 @@ class APIUserViewSet(
     viewsets.GenericViewSet,
 ):
     """
-    /users returns oneself. Superusers see all users. Only superusers may create a user (GET, POST)
-    /users/{pk} retrieves or updates a single user. Non-superusers may only update certain fields
-     (GET, PUT)
+    Returns a list of users.
 
-    Superusers may access and update all users.
+    Only returns the user that is currently authenticated unless the user is a superuser.
     """
 
     permission_classes = [permissions.DjangoModelPermissionsOrAnonReadOnly]
     serializer_class = UserSerializer
-    queryset = User.objects.none()
+    queryset = User.objects.all()
 
     def get_queryset(self):
-        """Constrain access to oneself except for superusers"""
-        if self.request.user.is_superuser:
-            return User.objects.all()
+        queryset = super().get_queryset()
+
+        # Constrain access to oneself except for superusers.
+        if not self.request.user.is_superuser:
+            queryset = queryset.filter(pk=self.request.user.id)
 
-        return User.objects.filter(pk=self.request.user.id)
+        return queryset
 
     def retrieve(self, request, *args, **kwargs):
-        """Returns a single user"""
+        """Returns a single user."""
         pk = get_values(self.kwargs, "pk")
 
         # Common users only see themselves
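Review bot: Changing the class attribute to `queryset = User.objects.all()` moves the view's default from fail-closed to fail-open. The self-only restriction now lives solely in `get_queryset()`, so any code path that reads `self.queryset` directly, or a subclass that overrides `get_queryset()` without calling `super()`, would see every user row. Because `permission_classes` still uses `DjangoModelPermissionsOrAnonReadOnly`, unauthenticated reads also reach this method; there `self.request.user.id` is presumably `None`, and a test asserting that an anonymous list request returns no users would pin that down. I would keep `queryset = User.objects.none()` on the class and start `get_queryset()` from `User.objects.all()`, or at least add a comment on the attribute such as `# Unfiltered on purpose: get_queryset() narrows this to the requesting user for non-superusers.` The class header and the rest of `retrieve` lie outside this hunk, so other uses of `self.queryset` could not be checked.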
@@ -227,8 +227,9 @@ class APIUserViewSet(
 
     def create(self, request, *args, **kwargs):
         """
-        Create a User
-        Only superusers may create a user
+        Create a User.
+
+        Only superusers may create users.
         """
 
         if not request.user.is_superuser:
@@ -243,6 +244,11 @@ class APIUserViewSet(
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
     def update(self, request, *args, **kwargs):
+        """
+        Updates the user’s data.
+
+        Non-superusers may not be able to edit all of the available data.
+        """
         pk = get_values(self.kwargs, "pk")
 
         serializer = UserSerializer(data=request.data)
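Review bot: The new `update` docstring says non-superusers "may not be able to edit all of the available data", which reads as a possibility rather than a rule and leaves the authorization boundary unstated. The class docstring removed earlier in this patch was more definite ("Non-superusers may only update certain fields"), and nothing else in the patch now records that. I would state it as a rule, e.g. `Non-superusers may only update a restricted set of fields.`, and name the fields or point to where the restriction is enforced. The body of `update` continues outside the hunk, so the exact restriction is not visible here.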
@@ -267,6 +273,7 @@ class APIUserViewSet(
 class APIShowViewSet(viewsets.ModelViewSet):
     """
     Returns a list of available shows.
+
     Only superusers may add and delete shows.
     """
 
-- 
GitLab