# User View Permissions Fix

## Issue

Project managers and other managers were getting 403 Forbidden errors when trying to view user profiles, even for users in their own organization or shared projects.

**Error:**

```
GET /api/v1/users/43b778b0-2062-4724-abbb-916a4835a9b0 → 403 Forbidden
{"detail":"You don't have permission to view this user"}
```

## Root Cause

The `GET /api/v1/users/{user_id}` endpoint had overly restrictive permissions that only allowed:

- Platform admins
- Org admins (client_admin, contractor_admin)
- Self (viewing own profile)

Project managers, sales managers, and dispatchers couldn't view users even in their own organization.

## Solution

Updated the permission logic in `src/app/api/v1/users.py` to allow:

### Who Can View User Profiles:

1. **Platform Admin** - Can view anyone ✅
2. **Self** - Can view own profile ✅
3. **Org Admins** (client_admin, contractor_admin) - Can view users in their organization ✅
4. **Project Managers** - Can view:
   - Users in their organization (same client_id or contractor_id) ✅
   - Users in shared projects (for cross-org collaboration) ✅
5. **Sales Managers** - Can view:
   - Users in their organization ✅
   - Users in shared projects ✅
6. **Dispatchers** - Can view:
   - Users in their organization ✅
   - Users in shared projects ✅

### Permission Hierarchy:

```
Platform Admin
└─ Can view ALL users

Org Admins (Client/Contractor Admin)
└─ Can view users in their organization

Managers (PM, Sales Manager, Dispatcher)
├─ Can view users in their organization
└─ Can view users in shared projects

Regular Users
└─ Can view only themselves
```

## Use Cases Enabled

1. **Team Management**: Project managers can view profiles of team members to assign tasks
2. **Cross-Project Collaboration**: Managers can view users they collaborate with across projects
3. **User Import**: Managers can view org users when adding them to new projects
4. **Profile Review**: Sales managers can review field agent profiles for assignments

## Code Changes

**File:** `src/app/api/v1/users.py`

**Before:**

```python
from fastapi import HTTPException

# Only platform_admin, org_admins, and self could view;
# every other role fell through to the 403 below.
if current_user.role != 'platform_admin':
    if current_user.id == user.id:
        return user
    if current_user.role in ['client_admin', 'contractor_admin']:
        # Check org membership (body elided in the original)
        ...
    raise HTTPException(403, "No permission")
```

**After:**

```python
# Added support for managers
if current_user.role in ['project_manager', 'sales_manager', 'dispatcher']:
    # Check same organization
    if current_user.client_id == user.client_id:
        return user
    if current_user.contractor_id == user.contractor_id:
        return user
    # Check shared projects (shared_projects is the number of projects the
    # two users have in common, computed earlier in the handler and not shown)
    if shared_projects > 0:
        return user
```

## Testing

Test the fix by:

1. Login as project manager
2. Navigate to team page
3. Click on a team member
4. Should now see user profile (200 OK) instead of 403 Forbidden

## Related Issues

- Frontend was correctly using `user_id` field (fixed in previous update)
- This completes the user profile viewing workflow
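The permission hierarchy above, written out as a self-contained decision function so the rules can be unit-tested outside the handler. This is an added example, not the project's code: the `User` dataclass, the sample users and the `project_ids` set are constructed stand-ins for the ORM models, and `same_org` deliberately refuses to treat two missing ids (`None == None`) as a match, which the plain `client_id == client_id` comparison in the "After" snippet would otherwise allow.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ORG_ADMIN_ROLES = {"client_admin", "contractor_admin"}
MANAGER_ROLES = {"project_manager", "sales_manager", "dispatcher"}


@dataclass(frozen=True)
class User:  # constructed stand-in for the real user model
    id: str
    role: str
    client_id: Optional[str] = None
    contractor_id: Optional[str] = None
    project_ids: FrozenSet[str] = frozenset()


def same_org(a: User, b: User) -> bool:
    """Match only on an id that is actually present on both users.

    Comparing None == None must not count: two contractor staff from
    different contractors both have client_id None and would otherwise
    be treated as colleagues.
    """
    return (a.client_id is not None and a.client_id == b.client_id) or (
        a.contractor_id is not None and a.contractor_id == b.contractor_id
    )


def shared_project_count(a: User, b: User) -> int:
    return len(a.project_ids & b.project_ids)


def can_view_user(viewer: User, target: User) -> bool:
    if viewer.role == "platform_admin":          # sees everyone
        return True
    if viewer.id == target.id:                   # own profile
        return True
    if viewer.role in ORG_ADMIN_ROLES:           # own organization only
        return same_org(viewer, target)
    if viewer.role in MANAGER_ROLES:             # own org or a shared project
        return same_org(viewer, target) or shared_project_count(viewer, target) > 0
    return False                                 # regular users: self only


# Constructed sample users (ids and project names are made up)
PLATFORM_ADMIN = User("u-admin", "platform_admin")
CLIENT_ADMIN_X = User("u-cadmin", "client_admin", client_id="client-x")
PM_X = User("u-pm-x", "project_manager", client_id="client-x", project_ids=frozenset({"p1"}))
PM_A = User("u-pm-a", "project_manager", contractor_id="contractor-a", project_ids=frozenset({"p1"}))
PM_B = User("u-pm-b", "project_manager", contractor_id="contractor-b", project_ids=frozenset({"p2"}))
AGENT_A = User("u-agent-a", "field_agent", contractor_id="contractor-a", project_ids=frozenset({"p1"}))
```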