Django Rest Framework user endpoint with change password

serializers.py

# -*- coding: utf-8 -*-
from __future__ import absolute_import, unicode_literals

from rest_framework import serializers
from .models import User


class UserSerializer(serializers.ModelSerializer):
    """
    User accounts serializer
    """

    class Meta:
        model = User
        fields = ('id', 'username', 'email', 'first_name', 'last_name',
                  'is_active','is_staff', 'is_superuser', 'date_joined',)
        read_only_fields = ('username', 'auth_token', 'date_joined',)


class PasswordSerializer(serializers.Serializer):
    """
    Serializer for password change endpoint.
    """
    old_password = serializers.CharField(required=True)
    new_password = serializers.CharField(required=True)

urls.py

from django.conf.urls import url, include
from django.conf import settings
from django.views import defaults
from django.conf.urls.static import static
from django.contrib import admin

from rest_framework.documentation import include_docs_urls
from rest_framework.routers import DefaultRouter

from users.views import UserViewSet

router = DefaultRouter()
router.register(r'users', UserViewSet)

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^api/v1/', include(router.urls)),
    url(r'^api/v1/docs/', include_docs_urls(title='MY API'))
]

if settings.DEBUG:
    # static/media files
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
    urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

    import debug_toolbar
    urlpatterns += [url(r'^__debug__/', include(debug_toolbar.urls))]

views.py

# -*- coding: utf-8 -*-
from __future__ import absolute_import, unicode_literals

from rest_framework import viewsets, mixins, status
from rest_framework.response import Response
from rest_framework.request import Request
from rest_framework.decorators import list_route
from rest_framework.views import APIView

from .models import User
from .permissions import IsSuperuserOrIsSelf
from .serializers import UserSerializer, PasswordSerializer


class UserViewSet(mixins.ListModelMixin,
                  mixins.RetrieveModelMixin,
                  mixins.UpdateModelMixin,
                  viewsets.GenericViewSet):
    """
    list:
    Return a list of all the existing users.

    read:
    Return the given user.

    me:
    Return authenticated user.
    """
    queryset = User.objects.all()
    serializer_class = UserSerializer
    permission_classes = (IsSuperuserOrIsSelf,)


    @list_route(methods=['put'], serializer_class=PasswordSerializer)
    def set_password(self, request):
        serializer = PasswordSerializer(data=request.data)

        if serializer.is_valid():
            if not user.check_password(serializer.data.get('old_password')):
                return Response({'old_password': ['Wrong password.']}, 
                                status=status.HTTP_400_BAD_REQUEST)
            # set_password also hashes the password that the user will get
            user.set_password(serializer.data.get('new_password'))
            user.save()
            return Response({'status': 'password set'}, status=status.HTTP_200_OK)

        return Response(serializer.errors,
                        status=status.HTTP_400_BAD_REQUEST)

@Aubrey-t, you should check this one: https://pypi.org/project/django-rest-passwordreset/

I added @nosarthur response to my code and replaced @list_route with @action and it worked!

Hi,
Thanks for it!
Could you share the code for IsSuperuserOrIsSelf ? Seems interresting to me.

Thank you all! this code is from 5 years ago I will try updated soon