From 8bb71309ea81432f0030b5110caca890ce61a3f5 Mon Sep 17 00:00:00 2001
From: Marcin-Ramotowski <marcin00.mr@gmail.com>
Date: Sun, 16 Mar 2025 13:18:25 +0000
Subject: [PATCH] Improved endpoint to edit user data

---
 api/models.py     |  3 +++
 api/user_views.py | 35 +++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/api/models.py b/api/models.py
index 0ad9319..5b590b7 100644
--- a/api/models.py
+++ b/api/models.py
@@ -11,6 +11,9 @@ class User(db.Model):
 
     def to_dict(self):
         return {"id": self.id, "username": self.username, "email": self.email, "role": self.role}
+    
+    def get_editable_fields():
+        return {"username", "email", "role", "password"}
 
 class Task(db.Model):
     id = db.Column(db.Integer, primary_key=True, autoincrement=True)
diff --git a/api/user_views.py b/api/user_views.py
index ec4d639..8775240 100644
--- a/api/user_views.py
+++ b/api/user_views.py
@@ -40,21 +40,32 @@ def create_user():
     return jsonify(user.to_dict()), 201
 
 
-@user_bp.route('/users/<int:user_id>', methods=['PUT'])
+@user_bp.route('/users/<int:user_id>', methods=['PUT', 'PATCH'])
 @jwt_required()
 def edit_user(user_id):
-    request_data = request.get_json()
-    user_to_update = User.query.get_or_404(user_id)
-    request_username = request_data.get('username')
-    request_email = request_data.get('email')
     validate_access(user_id) # check if user tries to edit other user account
-    if request_username and request_email:
-        user_to_update.username = request_username
-        user_to_update.email = request_email
-        db.session.commit()
-        return jsonify(user_to_update.to_dict())
-    else:
-        return abort(400, {'error': 'Incomplete user data.'})
+    request_data = request.get_json()
+    if request_data.get('role') == 'Administrator':
+        admin_required(get_jwt_identity())
+
+    request_fields = set(request_data.keys())
+    editable_fields = User.get_editable_fields()
+    
+    # PUT requires all values
+    if request.method == 'PUT':
+        if request_fields != editable_fields:
+            return jsonify({'error': 'Invalid request data structure.'}), 400
+
+    user_to_update = User.query.get_or_404(user_id)
+    for field_name in request_fields:
+        requested_value = request_data.get(field_name)
+        if requested_value is None:
+            continue
+        new_value = generate_password_hash(requested_value) \
+            if field_name == 'password' else requested_value
+        setattr(user_to_update, field_name, new_value)
+    db.session.commit()
+    return jsonify(user_to_update.to_dict())
 
 
 @user_bp.route('/users/<int:user_id>', methods=['DELETE'])