fix(demo): block external account actions

2026-06-07 00:50:42 +03:30
parent 30a324c6f4
commit 170ec90ec1
4 changed files with 47 additions and 3 deletions
--- a/apps/users/api/serializers.py
+++ b/apps/users/api/serializers.py
@@ -212,10 +212,12 @@ class UserProfileSerializer(BaseModelSerializer):
            "profile_picture",
            "birth_date",
            "is_verified",
+            "is_demo",
+            "demo_expires_at",
            "full_name",
            "age",
        )
-        read_only_fields = BaseModelSerializer.Meta.fields + ("mobile", "is_verified")
+        read_only_fields = BaseModelSerializer.Meta.fields + ("mobile", "is_verified", "is_demo", "demo_expires_at")


 class UserSearchSerializer(serializers.ModelSerializer):
--- a/apps/users/api/views.py
+++ b/apps/users/api/views.py
@@ -293,6 +293,11 @@ class ChangePasswordView(APIView):

    @extend_schema(request=ChangePasswordSerializer)
    def patch(self, request, *args, **kwargs):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot change passwords."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
        serializer = ChangePasswordSerializer(data=request.data, context={"request": request})
        serializer.is_valid(raise_exception=True)

@@ -327,6 +332,11 @@ class SetPasswordView(UpdateAPIView):

    @extend_schema(request=ChangePasswordSerializer, responses=None)
    def patch(self, request, *args, **kwargs):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot change passwords."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
        return super().patch(request, *args, **kwargs)

    def get_object(self):
@@ -347,6 +357,11 @@ class ProfilePictureView(APIView):
        operation_id="users_profile_picture_self_create",
    )
    def post(self, request):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot upload profile pictures."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
        serializer = UserProfilePictureSerializer(
            instance=request.user,
            data=request.data,
@@ -362,6 +377,11 @@ class ProfilePictureView(APIView):
        operation_id="users_profile_picture_self_delete",
    )
    def delete(self, request):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot remove profile pictures."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
        request.user.profile_picture.delete(save=False)
        request.user.profile_picture = None
        request.user.save(update_fields=["profile_picture", "updated_at"])
@@ -401,6 +421,11 @@ class UserSearchAPIView(APIView):
    permission_classes = [IsAuthenticated]

    def get(self, request):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot search external users."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
        mobile = request.query_params.get('mobile')
        if not mobile:
            return Response(