user:
let's enhance the users
- admin users can manage the users. add or remove (mark as deleted) users, change user permissions.
user permissions are:
- can measure
- can manually measure
- can manage entities
- can edit documents
make the changes to the backend then make the necessary changes to frontend

Claude’s Plan
Plan: Enhanced User Management with Granular Permissions
Context
The current User model has a coarse role field (employee/viewer) and an is_admin boolean. The app needs granular permissions so admins can control exactly what each user can do. Additionally, admins need a UI to create, update, and soft-delete users.

New permissions to add:

- can_measure – can set tare/gross weights
- can_manually_measure – can manually enter measurements
- can_manage_entities – can create/edit/delete vehicles
- can_edit_documents – can create/edit reports

Backend Changes
1. backend/api/models.py
Add 4 boolean fields to the User model (default False):


    can_measure = models.BooleanField(default=False)
    can_manually_measure = models.BooleanField(default=False)
    can_manage_entities = models.BooleanField(default=False)
    can_edit_documents = models.BooleanField(default=False)

Keep existing role and is_admin fields intact.

2. backend/api/serializers.py
Add the 4 new fields to both UserSerializer and UserDetailSerializer fields lists.

3. backend/api/views.py
- Add a custom DRF permission class IsAdminUser (checks request.user.is_admin)
- Apply it to UserViewSet for all actions except me and change_password (which stay IsAuthenticated)
- Override destroy to do soft-delete (instance.is_active = False; instance.save()) instead of actual deletion — no data loss

4. Migration

    python manage.py makemigrations && python manage.py migrate

Frontend Changes
5. frontend/src/components/Users/UserManager.jsx (new file)
Single-page admin UI with:

- Table of all users (username, role, is_active, 4 permission checkboxes)
- "Add User" button → inline expandable form (username, password, permissions)
- Per-row: Edit (toggle permissions inline) and Deactivate/Reactivate (soft-delete toggle)
- Matches existing app style (similar panel pattern to Main.jsx)

6. frontend/src/App.jsx
Add route /users → <UserManager />, guarded so only currentUser.is_admin can access it (redirect to / otherwise).

7. frontend/src/components/Header.jsx
Add "User Manager" nav button, visible only when currentUser?.is_admin === true (matches existing "Report Editor" / "Nomenclature Manager" pattern).

Critical Files

- backend/api/models.py – User model
- backend/api/serializers.py – UserSerializer, UserDetailSerializer
- backend/api/views.py – UserViewSet
- frontend/src/App.jsx – routing
- frontend/src/components/Header.jsx – nav
- frontend/src/components/Users/UserManager.jsx – new component

Patterns to Reuse

- ChangePasswordOverlay.jsx style for modal/overlay
- api.get/post/patch/delete('/api/users/...') calls from services/api.js
- useAuth() hook to read currentUser.is_admin
- Two-panel layout pattern from Main.jsx

Verification

- Backend: Run python manage.py makemigrations api && python manage.py migrate — should succeed
- Backend: GET /api/users/ with non-admin JWT → 403; with admin JWT → 200
- Backend: DELETE /api/users/{id}/ → user.is_active becomes False, user still in DB
- Frontend: Admin user sees "User Manager" button in header; non-admin does not
- Frontend: Admin can create a user with chosen permissions, edit permissions, and deactivate
- Frontend: Created user can log in and existing permission flags appear in /api/users/me/ response