Konrad Mohrfeldt
--- a/program/views.py

+ 1

− 38
+++ b/program/views.py

+ 1

− 38
 @@ -193,6 +193,7 @@ def json_playout(request):


 class APIUserViewSet(
+    DisabledObjectPermissionCheckMixin,
    mixins.CreateModelMixin,
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
 @@ -218,18 +219,6 @@ class APIUserViewSet(

        return queryset

-    def retrieve(self, request, *args, **kwargs):
-        """Returns a single user."""
-        pk = get_values(self.kwargs, "pk")
-
-        # Common users only see themselves
-        if not request.user.is_superuser and pk != request.user.id:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        user = get_object_or_404(User, pk=pk)
-        serializer = UserSerializer(user)
-        return Response(serializer.data)
-
    def create(self, request, *args, **kwargs):
        """
        Create a User.
 @@ -248,32 +237,6 @@ class APIUserViewSet(

        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

-    def update(self, request, *args, **kwargs):
-        """
-        Updates the user’s data.
-
-        Non-superusers may not be able to edit all of the available data.
-        """
-        pk = get_values(self.kwargs, "pk")
-
-        serializer = UserSerializer(data=request.data)
-        # Common users may only edit themselves
-        if not request.user.is_superuser and pk != request.user.id:
-            return Response(
-                serializer.initial_data, status=status.HTTP_401_UNAUTHORIZED
-            )
-
-        user = get_object_or_404(User, pk=pk)
-        serializer = UserSerializer(
-            user, data=request.data, context={"user": request.user}
-        )
-
-        if serializer.is_valid():
-            serializer.save()
-            return Response(serializer.data)
-
-        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-

 class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
    """