openwisp · czarflix · Mar 12, 2026 · Mar 12, 2026
diff --git a/openwisp_users/api/urls.py b/openwisp_users/api/urls.py
@@ -16,7 +16,7 @@ def get_api_urls(api_views=None):
             name="organization_list",
         ),
         path(
-            "users/organization/<str:pk>/",
+            "users/organization/<uuid:pk>/",
             views.organization_detail,
             name="organization_detail",
         ),
@@ -25,19 +25,19 @@ def get_api_urls(api_views=None):
             views.user_list,
             name="user_list",
         ),
-        path("users/user/<str:pk>/", views.user_detail, name="user_detail"),
+        path("users/user/<uuid:pk>/", views.user_detail, name="user_detail"),
         path(
-            "users/user/<str:pk>/password/",
+            "users/user/<uuid:pk>/password/",
             views.change_password,
             name="change_password",
         ),
         path(
-            "users/user/<str:pk>/email/",
+            "users/user/<uuid:pk>/email/",
             views.email_list,
             name="email_list",
         ),
         path(
-            "users/user/<str:pk>/email/<int:email_id>/",
+            "users/user/<uuid:pk>/email/<int:email_id>/",
             views.email_update,
             name="email_update",
         ),

diff --git a/openwisp_users/api/views.py b/openwisp_users/api/views.py
@@ -158,7 +158,7 @@ def get_permissions(self):
         class if loggedin user wants to change
         his own password.
         """
-        if str(self.request.user.id) == self.kwargs["pk"]:
+        if self.request.user.id == self.kwargs["pk"]:
             self.permission_classes = [IsAuthenticated]
         else:
             self.permission_classes = [IsAuthenticated, DjangoModelPermissions]

diff --git a/openwisp_users/tests/test_api/test_views.py b/openwisp_users/tests/test_api/test_views.py
@@ -24,3 +24,17 @@ def test_protected_api_mixin_view(self):
         self.assertEqual(response.headers["WWW-Authenticate"], "Bearer")
         self.assertEqual(response.data["detail"], auth_error)
         self.assertEqual(response.status_code, 401)
+
+    def test_invalid_uuid_routes_return_404(self):
+        invalid_uuid_paths = (
+            "/api/v1/users/user/not-a-uuid/",
+            "/api/v1/users/organization/not-a-uuid/",
+            "/api/v1/users/user/not-a-uuid/password/",
+            "/api/v1/users/user/not-a-uuid/email/",
+            "/api/v1/users/user/not-a-uuid/email/1/",
+        )
+
+        for path in invalid_uuid_paths:
+            with self.subTest(path=path):
+                response = self.client.get(path)
+                self.assertEqual(response.status_code, 404)