[feature] Added API endpoint to manage RADIUS groups of users #676

pandafy · pandafy · commit dc8d44535c5d · 2026-02-06T18:59:34.000+05:30
Closes #676
diff --git a/docs/user/rest-api.rst b/docs/user/rest-api.rst
@@ -961,3 +961,70 @@ DELETE
 ^^^^^^
 
 Deletes a RADIUS group identified by its UUID.
+
+RADIUS User Groups
+++++++++++++++++++
+
+.. code-block:: text
+
+    /api/v1/users/user/<user_pk>/radius-group/
+
+GET
+^^^
+
+Returns the list of RADIUS group assignments for the specified user.
+Pagination is provided using page number pagination; default page size is
+20 and can be overridden with the ``page_size`` parameter (maximum 100).
+
+.. code-block:: text
+
+    GET /api/v1/users/user/<user_pk>/radius-group/
+
+POST
+^^^^
+
+Creates a RADIUS user group assignment for the specified user.
+
+======== ==============================================
+Param    Description
+======== ==============================================
+group    UUID of the RADIUS group to assign (required)
+priority Priority of the assignment (optional, integer)
+======== ==============================================
+
+.. note::
+
+    The provided ``group`` must belong to the same organization as the
+    user; attempting to assign a group from another organization will
+    return a ``400`` error with ``does_not_exist`` for the ``group``
+    field.
+
+.. code-block:: text
+
+    /api/v1/users/user/<user_pk>/radius-group/<uuid>/
+
+GET (detail)
+^^^^^^^^^^^^
+
+Returns a single RADIUS user group assignment by its UUID.
+
+PATCH
+^^^^^
+
+Partially updates a RADIUS group identified by its UUID.
+
+Partially or fully updates the RADIUS user group assignment. Supported
+updatable fields: ``group`` and ``priority``. When changing ``group``, the
+same-organization constraint applies.
+
+======== ==============================================
+Param    Description
+======== ==============================================
+group    UUID of the RADIUS group to assign (required)
+priority Priority of the assignment (optional, integer)
+======== ==============================================
+
+DELETE
+^^^^^^
+
+Deletes the RADIUS user group assignment identified by the UUID.
diff --git a/openwisp_radius/api/serializers.py b/openwisp_radius/api/serializers.py
@@ -365,6 +365,24 @@ def validate(self, data):
         return data
 
 
+class RadiusUserGroupSerializer(FilterSerializerByOrgManaged, ValidatedModelSerializer):
+    """Serializer for RadiusUserGroup model."""
+
+    class Meta:
+        model = RadiusUserGroup
+        fields = ("id", "group", "priority", "created", "modified")
+        read_only_fields = ("id", "created", "modified")
+
+    def validate(self, data):
+        view = self.context.get("view")
+        user = view.get_parent_queryset().first()
+        if "username" not in data:
+            data["username"] = user.username
+        if "user" not in data:
+            data["user"] = user
+        return super().validate(data)
+
+
 class GroupSerializer(serializers.ModelSerializer):
     class Meta:
         model = Group
diff --git a/openwisp_radius/api/urls.py b/openwisp_radius/api/urls.py
@@ -98,6 +98,16 @@ def get_api_urls(api_views=None):
                 api_views.radius_group_detail,
                 name="radius_group_detail",
             ),
+            path(
+                "users/user/<str:user_pk>/radius-group/",
+                api_views.radius_user_group_list,
+                name="radius_user_group_list",
+            ),
+            path(
+                "users/user/<str:user_pk>/radius-group/<uuid:pk>/",
+                api_views.radius_user_group_detail,
+                name="radius_user_group_detail",
+            ),
         ]
     else:
         return []
diff --git a/openwisp_radius/api/views.py b/openwisp_radius/api/views.py
@@ -48,7 +48,11 @@
 from openwisp_radius.api.serializers import RadiusUserSerializer
 from openwisp_users.api.authentication import BearerAuthentication, SesameAuthentication
 from openwisp_users.api.filters import OrganizationManagedFilter
-from openwisp_users.api.mixins import FilterByOrganizationManaged, ProtectedAPIMixin
+from openwisp_users.api.mixins import (
+    FilterByOrganizationManaged,
+    FilterByParentManaged,
+    ProtectedAPIMixin,
+)
 from openwisp_users.api.permissions import IsOrganizationManager
 from openwisp_users.api.views import ChangePasswordView as BasePasswordChangeView
 from openwisp_users.backends import UsersAuthenticationBackend
@@ -69,6 +73,7 @@
     RadiusAccountingSerializer,
     RadiusBatchSerializer,
     RadiusGroupSerializer,
+    RadiusUserGroupSerializer,
     UserRadiusUsageSerializer,
     ValidatePhoneTokenSerializer,
 )
@@ -942,3 +947,97 @@ class RadiusGroupDetailView(
 
 
 radius_group_detail = RadiusGroupDetailView.as_view()
+
+
+class BaseRadiusUserGroupView(ProtectedAPIMixin, FilterByParentManaged):
+    """
+    Base view for RadiusUserGroup management.
+    Provides user parent filtering and queryset logic.
+    """
+
+    serializer_class = RadiusUserGroupSerializer
+    queryset = RadiusUserGroup.objects.select_related("group", "user").order_by(
+        "-created"
+    )
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+        return qs.filter(user_id=self.kwargs["user_pk"])
+
+    def get_parent_queryset(self):
+        """Get the parent user from the URL."""
+        return User.objects.filter(pk=self.kwargs["user_pk"])
+
+    def get_organization_queryset(self, qs):
+        """Filter users by organizations the request user manages."""
+        orgs = self.request.user.organizations_managed
+        app_label = User._meta.app_config.label
+        filter_kwargs = {
+            # exclude superusers
+            "is_superuser": False,
+            # ensure user is member of the org
+            f"{app_label}_organizationuser__organization_id__in": orgs,
+        }
+        return qs.filter(**filter_kwargs).distinct()
+
+
+@method_decorator(
+    name="get",
+    decorator=swagger_auto_schema(
+        operation_description="""
+        Returns the list of RADIUS user groups for a specific user.
+        """,
+    ),
+)
+@method_decorator(
+    name="post",
+    decorator=swagger_auto_schema(
+        operation_description="""
+        Creates a new RADIUS user group assignment for the user.
+        """,
+    ),
+)
+class RadiusUserGroupListCreateView(BaseRadiusUserGroupView, ListCreateAPIView):
+    pagination_class = RadiusGroupPaginator
+
+
+radius_user_group_list = RadiusUserGroupListCreateView.as_view()
+
+
+@method_decorator(
+    name="get",
+    decorator=swagger_auto_schema(
+        operation_description="""
+        Returns a single RADIUS user group by its UUID.
+        """,
+    ),
+)
+@method_decorator(
+    name="put",
+    decorator=swagger_auto_schema(
+        operation_description="""
+        Updates a RADIUS user group identified by its UUID.
+        """,
+    ),
+)
+@method_decorator(
+    name="patch",
+    decorator=swagger_auto_schema(
+        operation_description="""
+        Partially updates a RADIUS user group identified by its UUID.
+        """,
+    ),
+)
+@method_decorator(
+    name="delete",
+    decorator=swagger_auto_schema(
+        operation_description="""
+        Deletes a RADIUS user group identified by its UUID.
+        """,
+    ),
+)
+class RadiusUserGroupDetailView(BaseRadiusUserGroupView, RetrieveUpdateDestroyAPIView):
+    organization_field = "group__organization"
+
+
+radius_user_group_detail = RadiusUserGroupDetailView.as_view()
diff --git a/openwisp_radius/tests/test_api/test_api.py b/openwisp_radius/tests/test_api/test_api.py
diff --git a/tests/openwisp2/sample_radius/api/views.py b/tests/openwisp2/sample_radius/api/views.py
