[fix] Compare UUID values in password permission check #487

czarflix · czarflix · commit a42ea59330f1 · 2026-03-12T22:29:58.000+05:30
After switching the users API detail routes to uuid converters, ChangePasswordView receives a UUID object in kwargs['pk'] instead of a string. The self-password permission check was still comparing str(self.request.user.id) to that UUID, which broke self password changes and caused API test regressions. Compare UUID values directly so self-password requests keep using the intended IsAuthenticated permission path. Refs #487
diff --git a/openwisp_users/api/views.py b/openwisp_users/api/views.py
@@ -158,7 +158,7 @@ def get_permissions(self):
         class if loggedin user wants to change
         his own password.
         """
-        if str(self.request.user.id) == self.kwargs["pk"]:
+        if self.request.user.id == self.kwargs["pk"]:
             self.permission_classes = [IsAuthenticated]
         else:
             self.permission_classes = [IsAuthenticated, DjangoModelPermissions]
