Feature: Add Security-Gated Admin Dashboard & Admin Management#510

Open
rohanmatta11 wants to merge 1 commit into master from TIG-188-TigerPath-EGR-AdminDashboard

Conversation

@rohanmatta11

Security-gated admin page that requires users to be Django staff (or superuser) to access. Users without access get redirected to the login page if not signed in and to the course planner/home page if logged in. Staff are able to

Currently, this dashboard allows existing admins to:

  • Promote other users to Admin status (via NetID).
  • [Owner Only] Revoke Admin status from users.
  • [Owner Only] Grant Owner status to other users.

Key Changes:

  • New View (admin_dashboard): Created a new view protected by a custom @admin_required decorator.
  • Custom Decorator: Implemented a security check that redirects unauthorized users (non-admins) to the home page with a flash error message.
  • Admin Management: Added a form to the dashboard to promote users to is_staff.
  • Owner Privileges: Added a "Remove Admin" and "Add Owner" form that is only visible and accessible to Superusers (Owners).
  • Templates: Added admin_dashboard.html

How to Test

  1. Create the First Admin (Manual DB Override)
     Since the dashboard is gated, you must manually promote yourself to access it for the first time.
     cd to the directory containing manage.py, then run:

         python manage.py shell

     Then, run the following commands:

         from django.contrib.auth.models import User
         me = User.objects.get(username='YOUR_NETID')
         me.is_staff = True
         me.is_superuser = True  # Required to test "Remove Admin" feature
         me.save()
         exit()

  2. Access the Dashboard

  3. Test Functionality
     • Add Admin: Enter another valid NetID (e.g., a test user) and click "Make Admin." Verify in the Django admin panel or shell that their is_staff status is now True.
     • Remove Admin: Enter that same NetID and click "Remove Admin." Verify their status is now False.
     • Permissions:
       • In the shell, set me.is_superuser = False and refresh the page. The "Remove Admin" form and "Add Owner" form should disappear.
       • In the shell, set me.is_staff = False and refresh. You should be redirected to the home page with an "Access Denied" error message.
TIG-188.Pull.Request.Video.mov

… only), and add owner (owners only). Meant for owner > admin hierarchy
@linear

linear bot commented Feb 19, 2026


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 47c9a7819b


Comment on lines +478 to +481

    elif action == 'add_owner':
        target_user.is_staff = True
        target_user.is_superuser = True
        target_user.save()


P1: Restrict owner promotion action to superusers

The add_owner branch performs a privilege escalation without validating the caller’s role, so any authenticated staff user can bypass the hidden form and POST action=add_owner to grant superuser access to arbitrary accounts. Since @admin_required only enforces is_staff, this creates a server-side authorization gap that allows non-owner admins to become owners.


Member


This is true. Need to add an additional check. Might be clean to have a single if for all actions that require a superuser and then nest the subconditions.
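
The authorization gap Codex flagged and the single-gate structure suggested in the reply above, as an added example that is not code from this PR: a pure-Python model of the dashboard's action dispatch, with the reviewed branch beside its hardened form. FakeUser stands in for Django's User (only the is_staff / is_superuser flags), the action names and handler functions are assumed, and no Django install is needed.

```python
from dataclasses import dataclass

@dataclass
class FakeUser:            # stand-in for Django's User (assumption)
    netid: str
    is_staff: bool = False
    is_superuser: bool = False

class PermissionDenied(Exception):
    """Raised when the caller lacks the role an action requires."""

# Owner-only actions in one place, so a new action must be classified.
OWNER_ONLY_ACTIONS = {"remove_admin", "add_owner"}

def handle_action_vulnerable(caller, action, target):
    """Mirrors the reviewed view: only is_staff is checked, as @admin_required does."""
    if not caller.is_staff:                 # what @admin_required enforces
        raise PermissionDenied("not staff")
    if action == "add_admin":
        target.is_staff = True
    elif action == "remove_admin":
        target.is_staff = False
    elif action == "add_owner":             # no superuser check: the gap Codex flagged
        target.is_staff = True
        target.is_superuser = True
    return target

def handle_action_hardened(caller, action, target):
    """Reviewers' fix: one superuser gate ahead of every owner-only action."""
    if not caller.is_staff:                 # what @admin_required enforces
        raise PermissionDenied("not staff")
    if action in OWNER_ONLY_ACTIONS:
        if not caller.is_superuser:         # enforced server-side, not by hiding the form
            raise PermissionDenied("owner required")
        if action == "remove_admin":
            target.is_staff = False
        else:                               # add_owner
            target.is_staff = True
            target.is_superuser = True
    elif action == "add_admin":
        target.is_staff = True
    return target

def is_denied(handler, caller, action, target):
    # True if the handler refuses the action (keeps assertions free of try/except)
    try:
        handler(caller, action, target)
    except PermissionDenied:
        return True
    return False
```

In the hardened version the owner-only check runs regardless of whether the form was rendered, so a staff user who hand-crafts the POST is refused at the same point a legitimate owner is allowed through.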


@joshuamotoaki joshuamotoaki left a comment


LGTM, make sure to add this check

