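--- a/PATH_UNKNOWN
+++ b/PATH_UNKNOWN
@@ -137,15 +137,34 @@ def post(self, request):
 def patch (self , request , uid ):
 data = request .data
 user = get_object_or_404 (User , id = uid )
+
 if not request .user .has_perm ("account.change_user" ):
 if request .user .id != user .id :
 return Response ({
 "detail" : "You have no permission to change this user"
 }, status = status .HTTP_403_FORBIDDEN )
-
- data .pop ("is_active" , None )
- data .pop ("is_staff" , None )
- data .pop ("is_superuser" , None )
+
+ request_is_active = data .get ("is_active" )
+ request_is_staff = data .get ("is_staff" )
+ request_is_superuser = data .get ("is_superuser" )
+
+ if request_is_active != None :
+ if request_is_active != user .is_active :
+ return Response ({
+ "detail" : "You have no permission to change this user"
+ }, status = status .HTTP_403_FORBIDDEN )
+
+ if request_is_staff != None :
+ if request_is_staff != user .is_active :
+ return Response ({
+ "detail" : "You have no permission to change this user"
+ }, status = status .HTTP_403_FORBIDDEN )
+
+ if request_is_superuser != None :
+ if request_is_superuser != user .is_active :
+ return Response ({
+ "detail" : "You have no permission to change this user"
+ }, status = status .HTTP_403_FORBIDDEN )
 
 us = AccountSerializer (user , data = data , partial = True )
 us .is_valid (raise_exception = True )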
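Review bot: The staff and superuser guards on new lines 158 and 164 compare the submitted value against `user.is_active` instead of `user.is_staff` and `user.is_superuser`, so an active, non-staff caller who sends `"is_staff": true` or `"is_superuser": true` passes the check (the value equals their own `is_active`) and the flag reaches `AccountSerializer` with `partial=True` — the self-escalation that the removed `data.pop(...)` calls prevented is reintroduced. The fix is `if request_is_staff != user.is_staff:` and `if request_is_superuser != user.is_superuser:`. The `!= None` tests on lines 151, 157 and 163 should be `is not None`, and since values in `request.data` may arrive as strings rather than booleans, an inequality against the model boolean can pass or fail unexpectedly; stripping the three fields for callers without the permission, as the old code did, is the more robust contract. The rendered view loses indentation, so whether these checks sit inside the `has_perm` branch cannot be confirmed here, and `patch` continues past the end of the hunk.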