Role Management API and UI

ami/base/permissions.py

@@ -87,3 +87,32 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj: BaseModel):
         return obj.check_permission(request.user, view.action)
+
+
+class UserMembershipPermission(ObjectPermission):
+    """
+    Custom permission for UserProjectMembershipViewSet.
+
+    The `list` action has no object to check against, so we treat it like a
+    `retrieve` action: we fetch the active project, create a temporary
+    membership object for it, and apply the same permission check. All other
+    actions fall back to the default ObjectPermission logic.
+    """
+
+    def has_permission(self, request, view):
+        # Special handling for the list action: treat it like retrieve action
+        from ami.main.models import UserProjectMembership
+
+        if view.action == "list":
+            project = view.get_active_project()
+            if not project:
+                return False
+
+            # Create an unsaved membership instance with only project set
+            membership = UserProjectMembership(user=None, project=project)
+
+            # Check whether the requesting user would be allowed to retrieve this
+            return membership.check_permission(request.user, "retrieve")
+
+        # Fallback to default ObjectPermission behavior
+        return super().has_permission(request, view)

ami/base/views.py

@@ -30,8 +30,11 @@ def get_active_project(
     param = "project_id"
 
     project_id = None
+    # Support nested routers: /projects/{project_pk}/members/{pk}
+    if kwargs and "project_pk" in kwargs:
+        project_id = kwargs["project_pk"]
     # Extract from URL if `/projects/` is in the url path
-    if kwargs and "/projects/" in request.path:
+    elif kwargs and "/projects/" in request.path:
         project_id = kwargs.get("pk")
 
     # If not in URL, try query parameters

ami/main/admin.py

@@ -73,8 +73,7 @@ def save_related(self, request, form, formsets, change):
 
     list_display = ("name", "owner", "priority", "active", "created_at", "updated_at")
     list_filter = ("active", "owner")
-    search_fields = ("name", "owner__email", "members__email")
-    filter_horizontal = ("members",)
+    search_fields = ("name", "owner__email")
 
     inlines = [ProjectPipelineConfigInline]
     autocomplete_fields = ("default_filters_include_taxa", "default_filters_exclude_taxa")
@@ -108,7 +107,7 @@ def save_related(self, request, form, formsets, change):
         (
             "Ownership & Access",
             {
-                "fields": ("owner", "members"),
+                "fields": ("owner",),
                 "classes": ("wide",),
             },
         ),

ami/main/api/serializers.py

@@ -329,6 +329,7 @@ class ProjectSerializer(DefaultSerializer):
     feature_flags = serializers.SerializerMethodField()
     owner = UserNestedSerializer(read_only=True)
     settings = ProjectSettingsSerializer(source="*", required=False)
+    is_member = serializers.SerializerMethodField()
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -341,6 +342,23 @@ def get_feature_flags(self, obj):
             return obj.feature_flags.dict()
         return {}
 
+    def get_is_member(self, obj):
+        """Check if the current user is a member of this project."""
+        from ami.users.roles import Role
+
+        request = self.context["request"]
+        user = request.user
+
+        if not user or not user.is_authenticated:
+            return False
+
+        # Return True for superusers
+        if user.is_superuser:
+            return True
+
+        # Check if the user has any role in the project
+        return Role.user_has_any_role(user, obj)
+
     class Meta:
         model = Project
         fields = ProjectListSerializer.Meta.fields + [
@@ -349,6 +367,7 @@ class Meta:
             "owner",
             "feature_flags",
             "settings",
+            "is_member",  # is the current user a member of this project
         ]
 
 

ami/main/migrations/0080_userprojectmembership.py

@@ -0,0 +1,160 @@
+from django.db import migrations, models
+from django.conf import settings
+import django.db.models.deletion
+
+
+def forwards(apps, schema_editor):
+    UserProjectMembership = apps.get_model("main", "UserProjectMembership")
+
+    # Copy data from old implicit M2M table
+    through_table = "main_project_members"
+
+    with schema_editor.connection.cursor() as cursor:
+        cursor.execute(f"SELECT project_id, user_id FROM {through_table};")
+        rows = cursor.fetchall()
+
+    # Create new through model entries
+    for project_id, user_id in rows:
+        UserProjectMembership.objects.get_or_create(
+            project_id=project_id,
+            user_id=user_id,
+        )
+
+
+def backwards(apps, schema_editor):
+    UserProjectMembership = apps.get_model("main", "UserProjectMembership")
+
+    with schema_editor.connection.cursor() as cursor:
+        # Recreate old table
+        cursor.execute(
+            """
+            CREATE TABLE IF NOT EXISTS main_project_members (
+                id serial PRIMARY KEY,
+                project_id integer NOT NULL,
+                user_id integer NOT NULL
+            );
+        """
+        )
+        # Copy back membership data
+        for m in UserProjectMembership.objects.all():
+            cursor.execute(
+                "INSERT INTO main_project_members (project_id, user_id) VALUES (%s, %s)",
+                [m.project_id, m.user_id],
+            )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("main", "0079_alter_project_options"),
+    ]
+
+    operations = [
+        # 1. Create through model
+        migrations.CreateModel(
+            name="UserProjectMembership",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="project_memberships",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    "project",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="project_memberships",
+                        to="main.project",
+                    ),
+                ),
+            ],
+            options={"unique_together": {("user", "project")}},
+        ),
+        # 2. Copy old M2M data to new through model
+        migrations.RunPython(forwards, backwards),
+        # 3. Drop old M2M implicit table
+        migrations.RunSQL(
+            "DROP TABLE IF EXISTS main_project_members;",
+            reverse_sql="DROP TABLE IF EXISTS main_project_members;",
+        ),
+        # 4. Update Django's internal model state (NO DB change)
+        migrations.SeparateDatabaseAndState(
+            database_operations=[],
+            state_operations=[
+                migrations.AlterField(
+                    model_name="project",
+                    name="members",
+                    field=models.ManyToManyField(
+                        blank=True,
+                        related_name="user_projects",
+                        through="main.UserProjectMembership",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                )
+            ],
+        ),
+        # 5. Update Project permissions to current state
+        migrations.AlterModelOptions(
+            name="project",
+            options={
+                "ordering": ["-priority", "created_at"],
+                "permissions": [
+                    ("create_identification", "Can create identifications"),
+                    ("update_identification", "Can update identifications"),
+                    ("delete_identification", "Can delete identifications"),
+                    ("create_job", "Can create a job"),
+                    ("update_job", "Can update a job"),
+                    ("run_ml_job", "Can run/retry/cancel ML jobs"),
+                    ("run_populate_captures_collection_job", "Can run/retry/cancel Populate Collection jobs"),
+                    ("run_data_storage_sync_job", "Can run/retry/cancel Data Storage Sync jobs"),
+                    ("run_data_export_job", "Can run/retry/cancel Data Export jobs"),
+                    ("run_single_image_ml_job", "Can process a single capture"),
+                    ("run_post_processing_job", "Can run/retry/cancel Post-Processing jobs"),
+                    ("delete_job", "Can delete a job"),
+                    ("create_deployment", "Can create a deployment"),
+                    ("delete_deployment", "Can delete a deployment"),
+                    ("update_deployment", "Can update a deployment"),
+                    ("sync_deployment", "Can sync images to a deployment"),
+                    ("create_sourceimagecollection", "Can create a collection"),
+                    ("update_sourceimagecollection", "Can update a collection"),
+                    ("delete_sourceimagecollection", "Can delete a collection"),
+                    ("populate_sourceimagecollection", "Can populate a collection"),
+                    ("create_sourceimage", "Can create a source image"),
+                    ("update_sourceimage", "Can update a source image"),
+                    ("delete_sourceimage", "Can delete a source image"),
+                    ("star_sourceimage", "Can star a source image"),
+                    ("create_sourceimageupload", "Can create a source image upload"),
+                    ("update_sourceimageupload", "Can update a source image upload"),
+                    ("delete_sourceimageupload", "Can delete a source image upload"),
+                    ("create_s3storagesource", "Can create storage"),
+                    ("delete_s3storagesource", "Can delete storage"),
+                    ("update_s3storagesource", "Can update storage"),
+                    ("test_s3storagesource", "Can test storage connection"),
+                    ("create_site", "Can create a site"),
+                    ("delete_site", "Can delete a site"),
+                    ("update_site", "Can update a site"),
+                    ("create_device", "Can create a device"),
+                    ("delete_device", "Can delete a device"),
+                    ("update_device", "Can update a device"),
+                    ("view_userprojectmembership", "Can view project members"),
+                    ("create_userprojectmembership", "Can add a user to the project"),
+                    (
+                        "update_userprojectmembership",
+                        "Can update a user's project membership and role in the project",
+                    ),
+                    ("delete_userprojectmembership", "Can remove a user from the project"),
+                    ("create_dataexport", "Can create a data export"),
+                    ("update_dataexport", "Can update a data export"),
+                    ("delete_dataexport", "Can delete a data export"),
+                    ("view_private_data", "Can view private data"),
+                ],
+            },
+        ),
+    ]

ami/main/models.py

@@ -232,7 +232,12 @@ class Project(ProjectSettingsMixin, BaseModel):
     description = models.TextField(blank=True)
     image = models.ImageField(upload_to="projects", blank=True, null=True)
     owner = models.ForeignKey(User, on_delete=models.SET_NULL, null=True, related_name="projects")
-    members = models.ManyToManyField(User, related_name="user_projects", blank=True)
+    members = models.ManyToManyField(
+        User,
+        through="UserProjectMembership",
+        related_name="user_projects",
+        blank=True,
+    )
     draft = models.BooleanField(
         default=False,
         help_text="Indicates whether this project is in draft mode",
@@ -405,6 +410,11 @@ class Permissions:
         CREATE_DEVICE = "create_device"
         DELETE_DEVICE = "delete_device"
         UPDATE_DEVICE = "update_device"
+        # User project membership permissions
+        VIEW_USER_PROJECT_MEMBERSHIP = "view_userprojectmembership"
+        CREATE_USER_PROJECT_MEMBERSHIP = "create_userprojectmembership"
+        UPDATE_USER_PROJECT_MEMBERSHIP = "update_userprojectmembership"
+        DELETE_USER_PROJECT_MEMBERSHIP = "delete_userprojectmembership"
 
         # Data Export permissions
         CREATE_DATA_EXPORT = "create_dataexport"
@@ -415,7 +425,6 @@ class Permissions:
         VIEW_PRIVATE_DATA = "view_private_data"
         DELETE_OCCURRENCES = "delete_occurrences"
         IMPORT_DATA = "import_data"
-        MANAGE_MEMBERS = "manage_members"
 
     class Meta:
         ordering = ["-priority", "created_at"]
@@ -466,6 +475,11 @@ class Meta:
             ("create_device", "Can create a device"),
             ("delete_device", "Can delete a device"),
             ("update_device", "Can update a device"),
+            # User project membership permissions
+            ("view_userprojectmembership", "Can view project members"),
+            ("create_userprojectmembership", "Can add a user to the project"),
+            ("update_userprojectmembership", "Can update a user's project membership and role in the project"),
+            ("delete_userprojectmembership", "Can remove a user from the project"),
             # Data Export permissions
             ("create_dataexport", "Can create a data export"),
             ("update_dataexport", "Can update a data export"),
@@ -475,6 +489,47 @@ class Meta:
         ]
 
 
+class UserProjectMembership(BaseModel):
+    """
+    Through model connecting User <-> Project.
+    This model represents membership ONLY.
+    Role assignment is handled separately via permission groups.
+    """
+
+    user = models.ForeignKey(
+        User,
+        on_delete=models.CASCADE,
+        related_name="project_memberships",
+    )
+
+    project = models.ForeignKey(
+        "main.Project",
+        on_delete=models.CASCADE,
+        related_name="project_memberships",
+    )
+
+    def check_permission(self, user: AbstractUser | AnonymousUser, action: str) -> bool:
+        project = self.project
+        # Allow viewing membership details if the user has view permission on the project
+        if action == "retrieve":
+            return user.has_perm(Project.Permissions.VIEW_USER_PROJECT_MEMBERSHIP, project)
+        # Allow users to delete their own membership
+        if action == "destroy" and user == self.user:
+            return True
+        return super().check_permission(user, action)
+
+    def get_user_object_permissions(self, user) -> list[str]:
+        # Return delete permission if user is the same as the membership user
+        user_permissions = super().get_user_object_permissions(user)
+        if user == self.user:
+            if "delete" not in user_permissions:
+                user_permissions.append("delete")
+        return user_permissions
+
+    class Meta:
+        unique_together = ("user", "project")
+
+
 @final
 class Device(BaseModel):
     """