feat: Implement user roles, permissions, and profile management

cp099 · cp099 · commit 73174697ade0 · 2025-10-25T18:51:25.000+05:30
diff --git a/inventory/decorators.py b/inventory/decorators.py
@@ -0,0 +1,18 @@
+# In inventory/decorators.py
+
+from functools import wraps
+from django.contrib import messages
+from django.shortcuts import redirect
+
+def admin_required(view_func):
+    @wraps(view_func)
+    def _wrapped_view(request, *args, **kwargs):
+        if not request.user.is_authenticated:
+            return redirect('login')
+
+        if not hasattr(request.user, 'profile') or request.user.profile.role != 'ADMIN':
+            messages.error(request, "You do not have permission to access this page.")
+            return redirect('inventory:dashboard')
+        
+        return view_func(request, *args, **kwargs)
+    return _wrapped_view
diff --git a/inventory/forms.py b/inventory/forms.py
@@ -5,6 +5,8 @@
 from .models import Space
 from .models import Item
 from .models import Student
+from .models import UserProfile
+from django.contrib.auth.models import User
 
 class SectionForm(forms.ModelForm):
     class Meta:
@@ -71,4 +73,16 @@ class StockAdjustmentForm(forms.Form):
         widget=forms.Textarea(attrs={'rows': 3}),
         required=True,
         help_text="Please provide a reason for this stock change (e.g., 'New order received', 'Dropped and damaged')."
-    )
+    )
+
+class UserUpdateForm(forms.ModelForm):
+    """Form for users to update their own basic information."""
+    class Meta:
+        model = User
+        fields = ['first_name', 'last_name', 'email']
+
+class UserRoleForm(forms.ModelForm):
+    """Form for Admins to update a user's role."""
+    class Meta:
+        model = UserProfile
+        fields = ['role']
diff --git a/inventory/migrations/0013_userprofile.py b/inventory/migrations/0013_userprofile.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.2.7 on 2025-10-25 00:23
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('inventory', '0012_checkoutlog_notes'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='UserProfile',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('role', models.CharField(choices=[('ADMIN', 'Admin'), ('MEMBER', 'Member')], default='MEMBER', max_length=10)),
+                ('user', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='profile', to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]
diff --git a/inventory/models.py b/inventory/models.py
@@ -8,6 +8,7 @@
 from django.urls import reverse
 from django.utils import timezone
 from django.db.models import Sum
+from django.db.models.signals import post_save
 
 import barcode
 from barcode.writer import SVGWriter
@@ -216,6 +217,24 @@ def save(self, *args, **kwargs):
         
         super().save(*args, **kwargs)
 
+class UserProfile(models.Model):
+    """Extends the default Django User model to include a role."""
+    class Role(models.TextChoices):
+        ADMIN = 'ADMIN', 'Admin'
+        MEMBER = 'MEMBER', 'Member'
+
+    user = models.OneToOneField(settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name='profile')
+    role = models.CharField(max_length=10, choices=Role.choices, default=Role.MEMBER)
+
+    def __str__(self):
+        return f"{self.user.username} - {self.get_role_display()}"
+
+def create_user_profile(sender, instance, created, **kwargs):
+    if created:
+        UserProfile.objects.create(user=instance)
+
+post_save.connect(create_user_profile, sender=settings.AUTH_USER_MODEL)
+
 class CheckoutLog(models.Model):
     """A record of an item being checked out by a student."""
     item = models.ForeignKey(Item, on_delete=models.CASCADE, related_name="checkout_logs")
diff --git a/inventory/templates/inventory/base.html b/inventory/templates/inventory/base.html
@@ -77,6 +77,18 @@
                 <div class="navigation-object navigation-category">
                     <span class="navigation-category-title">Account</span>
                 </div>
+                <div class="navigation-object">
+                    <a class="navigation-link" href="{% url 'inventory:my_profile' %}">
+                        <i class="fa-solid fa-user"></i> My Profile ({{ request.user.username }})
+                    </a>
+                </div>
+                {% if request.user.profile.role == 'ADMIN' %}
+                <div class="navigation-object">
+                    <a class="navigation-link" href="{% url 'inventory:team_management' %}">
+                        <i class="fa-solid fa-users"></i> Team Management
+                    </a>
+                </div>
+                {% endif %}
                 <div class="navigation-object">
                     <form action="{% url 'logout' %}" method="post">
                         {% csrf_token %}
diff --git a/inventory/templates/inventory/create_user.html b/inventory/templates/inventory/create_user.html
@@ -0,0 +1,12 @@
+{% extends "inventory/base.html" %}
+{% block content %}
+    <p><a href="{% url 'inventory:team_management' %}">< Back to Team Management</a></p>
+    <h1>Create a New User</h1>
+    <div class="detail-container">
+        <form method="post">
+            {% csrf_token %}
+            {{ form.as_p }}
+            <button type="submit">Create User</button>
+        </form>
+    </div>
+{% endblock %}
diff --git a/inventory/templates/inventory/item_detail.html b/inventory/templates/inventory/item_detail.html
@@ -34,9 +34,11 @@ <h3>Item Barcode</h3>
             <div class="action-grid">
                 <!-- First Row -->
                 <div class="action-row">
+                    {% if request.user.profile.role == 'ADMIN' %}
                     <div>
                         <a href="{% url 'inventory:item_update' section_code=item.space.section.section_code space_code=item.space.space_code item_code=item.item_code %}">Edit Details</a>
                     </div>
+                    {% endif %}
                     <div>
                         <a href="{% url 'inventory:adjust_stock' section_code=item.space.section.section_code space_code=item.space.space_code item_code=item.item_code action='RECEIVED' %}" class="link-button">Receive Stock</a>
                     </div>
@@ -62,12 +64,14 @@ <h3>Item Barcode</h3>
 
             <hr>
 
-            <h2 class="destructive" style="margin-top: 2em;">Delete this Item</h2>
-            <p>This action is irreversible.</p>
-            <form action="{% url 'inventory:item_delete' section_code=item.space.section.section_code space_code=item.space.space_code item_code=item.item_code %}" method="post">
-                {% csrf_token %}
-                <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this item?');">I understand the consequences, delete this item</button>
-            </form>
+            {% if request.user.profile.role == 'ADMIN' %}
+                <h2 class="destructive" style="margin-top: 2em;">Delete this Item</h2>
+                <p>This action is irreversible.</p>
+                <form action="{% url 'inventory:item_delete' section_code=item.space.section.section_code space_code=item.space.space_code item_code=item.item_code %}" method="post">
+                    {% csrf_token %}
+                    <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this item?');">I understand the consequences, delete this item</button>
+                </form>
+            {% endif %}
         </div>
 
         <!-- === RIGHT COLUMN === -->
diff --git a/inventory/templates/inventory/my_profile.html b/inventory/templates/inventory/my_profile.html
@@ -0,0 +1,13 @@
+{% extends "inventory/base.html" %}
+{% block content %}
+    <h1>My Profile</h1>
+    <div class="detail-container">
+        <form method="post">
+            {% csrf_token %}
+            {{ form.as_p }}
+            <button type="submit">Save Changes</button>
+        </form>
+        <hr>
+        <p><a href="{% url 'password_change' %}">Change Password</a></p>
+    </div>
+{% endblock %}
diff --git a/inventory/templates/inventory/section_detail.html b/inventory/templates/inventory/section_detail.html
@@ -31,12 +31,14 @@ <h1>{{ section.name }}</h1>
                 <button type="submit">Add to print queue</button>
             </form>
         </div>
-
-        <h2 class="destructive">Delete this section</h2>
-        <p>If you no longer use this section, you can choose to delete it. All spaces associated with this section will be destroyed. This action is irreversible.</p>
-        <form action="{% url 'inventory:section_delete' section.section_code %}" method="post">
-            {% csrf_token %}
-            <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this section? This action is irreversible.');">I understand the consequences, delete this section</button>
-        </form>
+        
+        {% if request.user.profile.role == 'ADMIN' %}
+            <h2 class="destructive">Delete this section</h2>
+            <p>If you no longer use this section, you can choose to delete it. All spaces associated with this section will be destroyed. This action is irreversible.</p>
+            <form action="{% url 'inventory:section_delete' section.section_code %}" method="post">
+                {% csrf_token %}
+                <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this section? This action is irreversible.');">I understand the consequences, delete this section</button>
+            </form>
+        {% endif %}
     </div>
 {% endblock %}
diff --git a/inventory/templates/inventory/space_detail.html b/inventory/templates/inventory/space_detail.html
@@ -32,11 +32,13 @@ <h1>{{ space.name }}</h1>
             </form>
         </div>
 
-        <h2 class="destructive">Delete this space</h2>
-        <p>If you no longer use this space, you can choose to delete it. All inventory items associated with this space will be destroyed. This action is irreversible.</p>
-        <form action="{% url 'inventory:space_delete' section.section_code space.space_code %}" method="post">
-            {% csrf_token %}
-            <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this space? This action is irreversible.');">I understand the consequences, delete this space</button>
-        </form>
+        {% if request.user.profile.role == 'ADMIN' %}
+            <h2 class="destructive">Delete this space</h2>
+            <p>If you no longer use this space, you can choose to delete it. All inventory items associated with this space will be destroyed. This action is irreversible.</p>
+            <form action="{% url 'inventory:space_delete' section.section_code space.space_code %}" method="post">
+                {% csrf_token %}
+                <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this space? This action is irreversible.');">I understand the consequences, delete this space</button>
+            </form>
+        {% endif %}
     </div>
 {% endblock %}
diff --git a/inventory/templates/inventory/student_detail.html b/inventory/templates/inventory/student_detail.html
@@ -66,12 +66,14 @@ <h2 style="margin-top: 2em;">Full Loan History</h2>
             <p>This student has not returned any items yet.</p>
         {% endif %}
 
-        <h2 class="destructive">Delete this student</h2>
-        <form action="{% url 'inventory:student_delete' student.id %}" method="post">
-            {% csrf_token %}
-            <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this student record? This action is irreversible.');">
-                I understand, delete this student
-            </button>
-        </form>
+        {% if request.user.profile.role == 'ADMIN' %}
+            <h2 class="destructive">Delete this student</h2>
+            <form action="{% url 'inventory:student_delete' student.id %}" method="post">
+                {% csrf_token %}
+                <button type="submit" class="destructive-background" onclick="return confirm('Are you sure you want to delete this student record? This action is irreversible.');">
+                    I understand, delete this student
+                </button>
+            </form>
+        {% endif %}
     </div>
 {% endblock %}
diff --git a/inventory/templates/inventory/team_management.html b/inventory/templates/inventory/team_management.html
@@ -0,0 +1,33 @@
+{% extends "inventory/base.html" %}
+{% block content %}
+    <div style="display: flex; justify-content: space-between; align-items: center;">
+        <h1>Team Management</h1>
+        <a href="{% url 'inventory:create_user' %}" class="link-button">Add New User</a>
+    </div>
+    <p>As an Admin, you can manage the roles of other users in the system.</p>
+
+    <table class="open-table">
+        <thead>
+            <tr><th>Username</th><th>Email</th><th>Current Role</th><th>Change Role</th></tr>
+        </thead>
+        <tbody>
+            {% for profile in users %}
+            <tr>
+                <td>{{ profile.user.username }}</td>
+                <td>{{ profile.user.email }}</td>
+                <td>{{ profile.get_role_display }}</td>
+                <td>
+                    <form action="{% url 'inventory:update_user_role' profile.id %}" method="post">
+                        {% csrf_token %}
+                        <select name="role" onchange="this.form.submit()">
+                            {% for value, name in form.fields.role.choices %}
+                                <option value="{{ value }}" {% if profile.role == value %}selected{% endif %}>{{ name }}</option>
+                            {% endfor %}
+                        </select>
+                    </form>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+{% endblock %}
diff --git a/inventory/urls.py b/inventory/urls.py
@@ -6,6 +6,14 @@
 app_name = 'inventory'
 
 urlpatterns = [
+    # ==========================================================================
+    # User Profile & Team Management
+    # ==========================================================================
+    path('my-profile/', views.my_profile, name='my_profile'),
+    path('team-management/', views.team_management, name='team_management'),
+    path('team-management/update-role/<int:user_id>/', views.update_user_role, name='update_user_role'),
+    path('team-management/create-user/', views.create_user, name='create_user'),
+
     # ==========================================================================
     # Main Navigation & Dashboards
     # ==========================================================================
diff --git a/inventory/views.py b/inventory/views.py
diff --git a/templates/registration/password_change_done.html b/templates/registration/password_change_done.html
diff --git a/templates/registration/password_change_form.html b/templates/registration/password_change_form.html
