fix(demo): block external account actions

apps/users/api/serializers.py

@@ -212,10 +212,12 @@ class UserProfileSerializer(BaseModelSerializer):
             "profile_picture",
             "birth_date",
             "is_verified",
+            "is_demo",
+            "demo_expires_at",
             "full_name",
             "age",
         )
-        read_only_fields = BaseModelSerializer.Meta.fields + ("mobile", "is_verified")
+        read_only_fields = BaseModelSerializer.Meta.fields + ("mobile", "is_verified", "is_demo", "demo_expires_at")
 
 
 class UserSearchSerializer(serializers.ModelSerializer):

apps/users/api/views.py

@@ -293,6 +293,11 @@ class ChangePasswordView(APIView):
 
     @extend_schema(request=ChangePasswordSerializer)
     def patch(self, request, *args, **kwargs):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot change passwords."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         serializer = ChangePasswordSerializer(data=request.data, context={"request": request})
         serializer.is_valid(raise_exception=True)
 
@@ -327,6 +332,11 @@ class SetPasswordView(UpdateAPIView):
 
     @extend_schema(request=ChangePasswordSerializer, responses=None)
     def patch(self, request, *args, **kwargs):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot change passwords."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         return super().patch(request, *args, **kwargs)
 
     def get_object(self):
@@ -347,6 +357,11 @@ class ProfilePictureView(APIView):
         operation_id="users_profile_picture_self_create",
     )
     def post(self, request):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot upload profile pictures."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         serializer = UserProfilePictureSerializer(
             instance=request.user,
             data=request.data,
@@ -362,6 +377,11 @@ class ProfilePictureView(APIView):
         operation_id="users_profile_picture_self_delete",
     )
     def delete(self, request):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot remove profile pictures."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         request.user.profile_picture.delete(save=False)
         request.user.profile_picture = None
         request.user.save(update_fields=["profile_picture", "updated_at"])
@@ -401,6 +421,11 @@ class UserSearchAPIView(APIView):
     permission_classes = [IsAuthenticated]
 
     def get(self, request):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot search external users."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         mobile = request.query_params.get('mobile')
         if not mobile:
             return Response(

apps/users/services/auth.py

@@ -81,7 +81,11 @@ def register_user_with_otp(mobile, code, password, first_name="", last_name=""):
 
 def generate_and_send_otp(mobile, mode):
     """Business logic for generating OTP, checking existence rules, and sending SMS."""
-    user_exists = User.objects.filter(mobile=mobile).exists()
+    user = User.objects.filter(mobile=mobile).only("is_demo").first()
+    user_exists = user is not None
+
+    if user and user.is_demo:
+        raise ValidationError({"mobile": "Demo accounts cannot use SMS verification."})
 
     if mode == "register" and user_exists:
         raise ValidationError({"mobile": "این شماره قبلاً ثبت‌نام شده است."})