From de8dcf49b7f2c9c21e2b2a8154cf5a71e1238f66 Mon Sep 17 00:00:00 2001
From: Hetavi Shah
Date: Wed, 12 Nov 2025 17:28:28 +0530
Subject: [PATCH] [OND211-2329]: Updated create user and update user API's to handle auth.

---
 api/apps/user_app.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/api/apps/user_app.py b/api/apps/user_app.py
index b221615ff..c0bb3d813 100644
--- a/api/apps/user_app.py
+++ b/api/apps/user_app.py
@@ -754,7 +754,7 @@ def user_add():
 @manager.route("/create", methods=["POST"]) # noqa: F821
-# @login_required
+@login_required
 @validate_request("nickname", "email", "password")
 def create_user() -> Response:
     """
@@ -890,11 +890,11 @@ def create_user() -> Response:
 @manager.route("/update", methods=["PUT"]) # noqa: F821
-# @login_required
+@login_required
 @validate_request()
 def update_user() -> Response:
     """
-    Update an existing user.
+    Update an existing user. Users can only update their own account.
     ---
     tags:
       - User
@@ -1014,6 +1014,14 @@ def update_user() -> Response:
                 code=RetCode.DATA_ERROR,
             )
+        # Ensure user can only update themselves
+        if user.id != current_user.id:
+            return get_json_result(
+                data=False,
+                message="You can only update your own account!",
+                code=RetCode.FORBIDDEN,
+            )
+
         # Build update dictionary
         update_dict: Dict[str, Any] = {}
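Review bot: Enabling `@login_required` on `/create` authenticates the caller but does not decide who is allowed to create accounts, so after this hunk any signed-in user can call the endpoint; if account creation is meant to be restricted (e.g. to administrators), a role or permission check is still missing here, and the same applies to the `/update` decorator in the second hunk, although that route gains an ownership check in the third. The `create_user` docstring that opens on the last line of this hunk continues outside it and should now state the requirement, for example a line `Requires an authenticated session (login_required).`; whether `login_required` is imported in this module is not visible in the diff.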
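Review bot: The ownership check `if user.id != current_user.id:` runs only after the target user has been looked up, and the two outcomes are distinguishable (`RetCode.DATA_ERROR` when the id does not exist, `RetCode.FORBIDDEN` when it belongs to someone else), so any logged-in caller can use `/update` to test which user ids exist. Comparing the requested id with `current_user.id` before the lookup, or returning the same response for both cases, removes that oracle; the variable holding the requested id is not visible in the hunk, so the exact line cannot be quoted here. The check also fixes only which row is updated, not which fields may be changed, so any privilege-bearing fields accepted into `update_dict` further down need their own filtering; `update_user` starts and ends outside this hunk, and whether `current_user` is imported in this module is not shown.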