Feature/user models

backend/problem/views/problem.py

@@ -1,9 +1,12 @@
 from dataclasses import asdict, dataclass
 
 from django.db import DatabaseError
+from django.core.exceptions import PermissionDenied
+from django.contrib.auth.models import AnonymousUser
 from django.http import JsonResponse
 from rest_framework.views import APIView
 
+from user.models import User
 from langpro_annotator.logger import logger
 from problem.problem_details import get_filters, get_related_problem_ids
 from problem.models import KnowledgeBase, Problem, Sentence
@@ -91,9 +94,10 @@ def post(self, request, problem_id: int | None = None) -> JsonResponse:
         else the associated Problem is updated.
         """
         input_data = request.data
+        user: User | AnonymousUser | None = request.user
 
         try:
-            problem = save_problem(input_data, problem_id)
+            problem = save_problem(input_data, problem_id, user)
         except ValueError as ve:
             logger.error(f"Validation error saving problem: {ve}")
             return SaveProblemResponse(id=problem_id, error=str(ve)).json_response(
@@ -114,6 +118,11 @@ def post(self, request, problem_id: int | None = None) -> JsonResponse:
             return SaveProblemResponse(
                 id=problem_id, error="Database error saving problem."
             ).json_response(status=500)
+        except PermissionDenied as pde:
+            logger.error(f"Permission denied saving problem: {pde}")
+            return SaveProblemResponse(
+                id=problem_id, error="Permission denied."
+            ).json_response(status=403)
         except Exception as e:
             logger.exception(f"Unexpected error saving problem: {e}")
             return SaveProblemResponse(
@@ -123,7 +132,13 @@ def post(self, request, problem_id: int | None = None) -> JsonResponse:
         return SaveProblemResponse(id=problem.pk).json_response(status=200)
 
 
-def save_problem(input_data: dict, problem_id: int | None) -> Problem:
+def save_problem(input_data: dict, problem_id: int | None, user: User | AnonymousUser | None) -> Problem:
+    if user is None or user.is_anonymous:
+        raise PermissionDenied("User must be authenticated to edit/create problems.")
+
+    if not user.can_edit_or_add_problem:  # type: ignore
+        raise PermissionDenied("User does not have role required to edit/create problems.")
+
     serializer = ProblemInputSerializer(data=input_data)
 
     if not serializer.is_valid():

backend/user/admin.py

@@ -1,8 +1,45 @@
-from django.contrib import admin
-from django.contrib.auth import admin as auth_admin
-from . import models
-
-
-@admin.register(models.User)
-class UserAdmin(auth_admin.UserAdmin):
-    pass
+from typing import Any
+from django.contrib import admin
+from django.contrib.auth import admin as auth_admin
+from django.http import HttpRequest
+from . import models
+from django.utils.translation import gettext_lazy as _
+
+
+@admin.register(models.User)
+class UserAdmin(auth_admin.UserAdmin):
+    list_display = ("username", "first_name", "email", "last_name", "role", "is_staff")
+
+    def get_fieldsets(
+        self, request: HttpRequest, obj: models.User | None = None
+    ) -> list[tuple[str | None, dict[str, Any]]]:
+        user = request.user
+        if user.is_superuser:
+            admin_fieldset = super().get_fieldsets(request, obj)
+            if len(admin_fieldset) >= 3:
+                # Add the 'role' field to the admin fieldset for superusers.
+                admin_fieldset[2][1]["fields"] = (
+                    "is_active",
+                    "is_staff",
+                    "is_superuser",
+                    "role",
+                    "groups",
+                    "user_permissions",
+                )
+            return admin_fieldset
+
+        # Non-superusers should not be able to edit password, is_superuser and groups through Django Admin.
+        return [
+            (None, {"fields": ("username",)}),
+            (_("Personal info"), {"fields": ("first_name", "last_name", "email")}),
+            (
+                _("Permissions"),
+                {
+                    "fields": (
+                        "is_active",
+                        "is_staff",
+                        "role",
+                    ),
+                },
+            ),
+        ]

backend/user/migrations/0004_user_role.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.2.20 on 2025-11-04 10:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("user", "0003_sitedomain"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="role",
+            field=models.CharField(
+                choices=[
+                    ("annotator", "Annotator"),
+                    ("master_annotator", "Master Annotator"),
+                    ("visitor", "Visitor"),
+                ],
+                default="visitor",
+                help_text="Visitors can browse problems and parses. Annotators can annotate non-locked problems. Master Annotators can manage users, change problem lock status, and review annotations.",
+                max_length=20,
+            ),
+        ),
+    ]

backend/user/models.py

@@ -1,14 +1,33 @@
-import django.contrib.auth.models as django_auth_models
-
-
-class User(django_auth_models.AbstractUser):
-    """
-    Core user model used for authentication.
-    """
-
-    # Only extend this model with information that is relevant for
-    # authentication; for things like settings and preferences, add
-    # a UserProfile model.
-
-    class Meta:
-        db_table = "auth_user"
+import django.contrib.auth.models as django_auth_models
+from django.db import models
+
+
+class User(django_auth_models.AbstractUser):
+    """
+    Core user model used for authentication.
+    """
+
+    # Only extend this model with information that is relevant for
+    # authentication; for things like settings and preferences, add
+    # a UserProfile model.
+
+    class Meta:
+        db_table = "auth_user"
+
+    class Role(models.TextChoices):
+        ANNOTATOR = "annotator", "Annotator"
+        MASTER_ANNOTATOR = "master_annotator", "Master Annotator"
+        VISITOR = "visitor", "Visitor"
+
+    role = models.CharField(
+        max_length=20,
+        choices=Role.choices,
+        default=Role.VISITOR,
+        help_text="Visitors can browse problems and parses. Annotators can annotate non-locked problems. Master Annotators can manage users, change problem lock status, and review annotations.",
+    )
+    @property
+    def can_edit_or_add_problem(self) -> bool:
+        """
+        Determines whether the user can edit or add problems.
+        """
+        return self.is_superuser or self.role in [self.Role.MASTER_ANNOTATOR]

backend/user/serializers.py

@@ -1,17 +1,23 @@
-from dj_rest_auth.serializers import UserDetailsSerializer
-from rest_framework import serializers
-
-
-class CustomUserDetailsSerializer(UserDetailsSerializer):
-
-    class Meta(UserDetailsSerializer.Meta):
-        is_staff = serializers.BooleanField(read_only=True)
-        fields = (
-            "id",
-            "username",
-            "email",
-            "first_name",
-            "last_name",
-            "is_staff",
-        )
-        read_only_fields = ["is_staff", "id", "email"]
+from dj_rest_auth.serializers import UserDetailsSerializer
+from rest_framework import serializers
+
+
+class CustomUserDetailsSerializer(UserDetailsSerializer):
+    firstName = serializers.CharField(source='first_name')
+    lastName = serializers.CharField(source='last_name')
+    isStaff = serializers.BooleanField(read_only=True, source='is_staff')
+    canEditOrAddProblem = serializers.BooleanField(read_only=True, source='can_edit_or_add_problem')
+
+    class Meta(UserDetailsSerializer.Meta):
+
+        fields = (
+            "id",
+            "username",
+            "email",
+            "firstName",
+            "lastName",
+            "isStaff",
+            "role",
+            "canEditOrAddProblem",
+        )
+        read_only_fields = ["isStaff", "id", "email"]

backend/user/tests/test_user_views.py

@@ -1,37 +1,39 @@
-from unittest.mock import ANY
-
-
-def test_user_details(user_client, user_data):
-    details = user_client.get("/users/user/")
-    assert details.status_code == 200
-    assert details.data == {
-        "id": ANY,
-        "username": user_data["username"],
-        "email": user_data["email"],
-        "first_name": user_data["first_name"],
-        "last_name": user_data["last_name"],
-        "is_staff": False,
-    }
-
-
-def test_user_updates(user_client, user_data):
-    route = "/users/user/"
-    details = lambda: user_client.get(route).data
-    assert details()["username"] == user_data["username"]
-
-    # update username should succeed
-    response = user_client.patch(
-        route,
-        {"username": "NewName"},
-        content_type="application/json",
-    )
-    assert response.status_code == 200
-    assert details()["username"] == "NewName"
-
-    # is_staff is readonly, so nothing should happen
-    response = user_client.patch(
-        route,
-        {"is_staff": True},
-        content_type="application/json",
-    )
-    assert not details()["is_staff"]
+from unittest.mock import ANY
+
+
+def test_user_details(user_client, user_data):
+    details = user_client.get("/users/user/")
+    assert details.status_code == 200
+    assert details.data == {
+        "id": ANY,
+        "username": user_data["username"],
+        "email": user_data["email"],
+        "firstName": user_data["first_name"],
+        "lastName": user_data["last_name"],
+        "isStaff": False,
+        "role": "visitor",
+        "canEditOrAddProblem": False,
+    }
+
+
+def test_user_updates(user_client, user_data):
+    route = "/users/user/"
+    details = lambda: user_client.get(route).data
+    assert details()["username"] == user_data["username"]
+
+    # update username should succeed
+    response = user_client.patch(
+        route,
+        {"username": "NewName"},
+        content_type="application/json",
+    )
+    assert response.status_code == 200
+    assert details()["username"] == "NewName"
+
+    # isStaff is readonly, so nothing should happen
+    response = user_client.patch(
+        route,
+        {"isStaff": True},
+        content_type="application/json",
+    )
+    assert not details()["isStaff"]

frontend/src/app/annotate/annotate.component.html

@@ -4,7 +4,6 @@
 @let adding = appMode === 'add';
 @let editing = appMode === 'edit';
 
-
 <div class="row mb-4">
     <div class="d-flex flex-column col-4 gap-2">
         @if (browsing) {
@@ -61,32 +60,34 @@
         </section>
         }
         <div class="d-flex flex-column gap-2 align-items-stretch">
-            @if (browsing) {
-            <button
-                type="button"
-                class="btn btn-secondary d-flex align-items-center justify-content-center"
-                (click)="addProblem()"
-            >
-                <fa-icon
-                    [icon]="faPlus"
-                    aria-hidden="true"
-                    focusable="false"
-                ></fa-icon>
-                <span class="ms-3" i18n>Add new problem</span>
-            </button>
-            } @else {
-            <button
-                type="button"
-                class="btn btn-secondary d-flex align-items-center justify-content-center"
-                (click)="firstProblemId && goToProblem(firstProblemId)"
-            >
-                <fa-icon
-                    [icon]="faBinoculars"
-                    aria-hidden="true"
-                    focusable="false"
-                ></fa-icon>
-                <span class="ms-3" i18n>Browse existing problems</span>
-            </button>
+            @if (canAddProblem$ | async) {
+                @if (browsing) {
+                <button
+                    type="button"
+                    class="btn btn-secondary d-flex align-items-center justify-content-center"
+                    (click)="addProblem()"
+                >
+                    <fa-icon
+                        [icon]="faPlus"
+                        aria-hidden="true"
+                        focusable="false"
+                    ></fa-icon>
+                    <span class="ms-3" i18n>Add new problem</span>
+                </button>
+                } @else {
+                <button
+                    type="button"
+                    class="btn btn-secondary d-flex align-items-center justify-content-center"
+                    (click)="firstProblemId && goToProblem(firstProblemId)"
+                >
+                    <fa-icon
+                        [icon]="faBinoculars"
+                        aria-hidden="true"
+                        focusable="false"
+                    ></fa-icon>
+                    <span class="ms-3" i18n>Browse existing problems</span>
+                </button>
+                }
             }
         </div>
     </div>

frontend/src/app/annotate/annotate.component.ts

@@ -11,6 +11,7 @@ import { combineLatest, distinctUntilChanged, map } from "rxjs";
 import { CommonModule } from "@angular/common";
 import { Dataset } from "@/types";
 import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
+import { AuthService } from "@/services/auth.service";
 
 @Component({
     selector: "la-annotate",
@@ -30,6 +31,7 @@ export class AnnotateComponent implements OnInit {
     private router = inject(Router);
     private route = inject(ActivatedRoute);
     private problemService = inject(ProblemService);
+    private authService = inject(AuthService);
     private destroyRef = inject(DestroyRef);
 
     public faPlus = faPlus;
@@ -42,6 +44,10 @@ export class AnnotateComponent implements OnInit {
         map(problem => problem?.dataset === Dataset.USER)
     );
 
+    public canAddProblem$ = this.authService.currentUser$.pipe(
+        map(user => user?.canEditOrAddProblem ?? false)
+    );
+
     ngOnInit(): void {
         const editParam$ = this.route.url.pipe(
             map(segments => segments.some(segment => segment.path === "edit")),