user:

let's enhance the users

- admin users can manage the users: add or remove (mark as deleted) users, change user permissions.

user permissions are:

- can measure
- can manually measure
- can manage entities
- can edit documents

make the changes to the backend, then make the necessary changes to the frontend

Claude’s Plan

Plan: Enhanced User Management with Granular Permissions

Context

The current User model has a coarse role field (employee/viewer) and an is_admin boolean. The app needs granular permissions so admins can control exactly what each user can do. Additionally, admins need a UI to create, update, and soft-delete users.

New permissions to add:

- can_measure – can set tare/gross weights
- can_manually_measure – can manually enter measurements
- can_manage_entities – can create/edit/delete vehicles
- can_edit_documents – can create/edit reports

Backend Changes

1. backend/api/models.py

Add 4 boolean fields to the User model (default False):

    can_measure = models.BooleanField(default=False)
    can_manually_measure = models.BooleanField(default=False)
    can_manage_entities = models.BooleanField(default=False)
    can_edit_documents = models.BooleanField(default=False)

Keep existing role and is_admin fields intact.

2. backend/api/serializers.py

Add the 4 new fields to both UserSerializer and UserDetailSerializer fields lists.

3. backend/api/views.py

- Add a custom DRF permission class IsAdminUser (checks request.user.is_admin)
- Apply it to UserViewSet for all actions except me and change_password (which stay IsAuthenticated)
- Override destroy to do soft-delete (instance.is_active = False; instance.save()) instead of actual deletion — no data loss

4. Migration

    python manage.py makemigrations && python manage.py migrate

Frontend Changes

5. frontend/src/components/Users/UserManager.jsx (new file)

Single-page admin UI with:

- Table of all users (username, role, is_active, 4 permission checkboxes)
- "Add User" button → inline expandable form (username, password, permissions)
- Per-row: Edit (toggle permissions inline) and Deactivate/Reactivate (soft-delete toggle)
- Matches existing app style (similar panel pattern to Main.jsx)

6. frontend/src/App.jsx

Add route /users → <UserManager />, guarded so only currentUser.is_admin can access it (redirect to / otherwise).

7. frontend/src/components/Header.jsx

Add "User Manager" nav button, visible only when currentUser?.is_admin === true (matches existing "Report Editor" / "Nomenclature Manager" pattern).

Critical Files

- backend/api/models.py – User model
- backend/api/serializers.py – UserSerializer, UserDetailSerializer
- backend/api/views.py – UserViewSet
- frontend/src/App.jsx – routing
- frontend/src/components/Header.jsx – nav
- frontend/src/components/Users/UserManager.jsx – new component

Patterns to Reuse

- ChangePasswordOverlay.jsx style for modal/overlay
- api.get/post/patch/delete('/api/users/...') calls from services/api.js
- useAuth() hook to read currentUser.is_admin
- Two-panel layout pattern from Main.jsx

Verification

- Backend: Run python manage.py makemigrations api && python manage.py migrate — should succeed
- Backend: GET /api/users/ with non-admin JWT → 403; with admin JWT → 200
- Backend: DELETE /api/users/{id}/ → user.is_active becomes False, user still in DB
- Frontend: Admin user sees "User Manager" button in header; non-admin does not
- Frontend: Admin can create a user with chosen permissions, edit permissions, and deactivate
- Frontend: Created user can log in and existing permission flags appear in /api/users/me/ response