First commit of claude's rework in django + vanillajs fronted

apps/users/admin.py

@@ -0,0 +1,10 @@
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
+
+from .models import User
+
+
+@admin.register(User)
+class UserAdmin(BaseUserAdmin):
+    list_display = ('email', 'username', 'is_staff', 'is_active')
+    ordering = ('email',)

apps/users/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class UsersConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'apps.users'

apps/users/management/commands/create_default_admin.py

@@ -0,0 +1,21 @@
+from django.contrib.auth import get_user_model
+from django.core.management.base import BaseCommand
+
+
+class Command(BaseCommand):
+    help = 'Create a default superuser for development (idempotent).'
+
+    def handle(self, *args, **options):
+        User = get_user_model()
+        email = 'admin@shooterhub.local'
+        if User.objects.filter(email=email).exists():
+            self.stdout.write(f'Admin already exists: {email}')
+            return
+        User.objects.create_superuser(
+            username='admin',
+            email=email,
+            password='changeme',
+        )
+        self.stdout.write(self.style.SUCCESS(
+            f'Superuser created — email: {email}  password: changeme'
+        ))

apps/users/migrations/0001_initial.py

@@ -0,0 +1,44 @@
+# Generated by Django 4.2.16 on 2026-03-24 09:48
+
+import django.contrib.auth.models
+import django.contrib.auth.validators
+from django.db import migrations, models
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('auth', '0012_alter_user_first_name_max_length'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='User',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('password', models.CharField(max_length=128, verbose_name='password')),
+                ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
+                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
+                ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')),
+                ('first_name', models.CharField(blank=True, max_length=150, verbose_name='first name')),
+                ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
+                ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
+                ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
+                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
+                ('email', models.EmailField(max_length=254, unique=True)),
+                ('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.group', verbose_name='groups')),
+                ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.permission', verbose_name='user permissions')),
+            ],
+            options={
+                'verbose_name': 'user',
+                'verbose_name_plural': 'users',
+                'abstract': False,
+            },
+            managers=[
+                ('objects', django.contrib.auth.models.UserManager()),
+            ],
+        ),
+    ]

apps/users/migrations/0002_user_avatar.py

@@ -0,0 +1,16 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='avatar',
+            field=models.ImageField(blank=True, null=True, upload_to='avatars/'),
+        ),
+    ]

apps/users/migrations/0003_user_language.py

@@ -0,0 +1,21 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0002_user_avatar'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='language',
+            field=models.CharField(
+                choices=[('en', 'English'), ('fr', 'Français'), ('de', 'Deutsch'), ('es', 'Español')],
+                default='en',
+                max_length=5,
+                verbose_name='language',
+            ),
+        ),
+    ]

apps/users/migrations/0004_alter_user_avatar.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.2.16 on 2026-03-25 10:15
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('photos', '0001_initial'),
+        ('users', '0003_user_language'),
+    ]
+
+    operations = [
+        # Clear empty-string avatar values left by the old ImageField before
+        # converting the column to a bigint FK.
+        migrations.RunSQL(
+            sql="UPDATE users_user SET avatar = NULL WHERE avatar = ''",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='avatar',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='avatar_user', to='photos.photo'),
+        ),
+    ]

apps/users/models.py

@@ -0,0 +1,31 @@
+from django.contrib.auth.models import AbstractUser
+from django.db import models
+
+
+LANGUAGE_CHOICES = [
+    ('en', 'English'),
+    ('fr', 'Français'),
+    ('de', 'Deutsch'),
+    ('es', 'Español'),
+]
+
+
+class User(AbstractUser):
+    """
+    Custom user model — kept intentionally thin so the schema can evolve.
+    Authentication is handled by dj-rest-auth + allauth (JWT + external IDP).
+    """
+    email = models.EmailField(unique=True)
+    avatar = models.ForeignKey(
+        'photos.Photo',
+        null=True, blank=True,
+        on_delete=models.SET_NULL,
+        related_name='avatar_user',
+    )
+    language = models.CharField(max_length=5, choices=LANGUAGE_CHOICES, default='en', verbose_name='language')
+
+    USERNAME_FIELD = 'email'
+    REQUIRED_FIELDS = ['username']
+
+    def __str__(self):
+        return self.email

apps/users/serializers.py

@@ -0,0 +1,52 @@
+from django.contrib.auth import get_user_model
+from rest_framework import serializers
+
+# Intentional cross-app import: users depends on photos for DB-backed avatar.
+from apps.photos.models import Photo
+
+User = get_user_model()
+
+
+class UserProfileSerializer(serializers.ModelSerializer):
+    # Write: accept a Photo PK; Read: return the serve URL
+    avatar = serializers.PrimaryKeyRelatedField(
+        required=False,
+        allow_null=True,
+        queryset=Photo.objects.all(),
+    )
+    avatar_url = serializers.SerializerMethodField()
+    is_staff = serializers.BooleanField(read_only=True)
+
+    class Meta:
+        model = User
+        fields = ['id', 'email', 'username', 'first_name', 'last_name',
+                  'avatar', 'avatar_url', 'is_staff', 'language']
+        read_only_fields = ['id', 'email', 'username', 'is_staff']
+
+    def get_avatar_url(self, obj) -> str | None:
+        if not obj.avatar_id:
+            return None
+        return f'/api/photos/{obj.avatar_id}/data/'
+
+
+class AdminUserSerializer(serializers.ModelSerializer):
+    """Flat serializer for the admin user-management panel."""
+
+    class Meta:
+        model = User
+        fields = ['id', 'email', 'username', 'first_name', 'last_name',
+                  'is_active', 'is_staff', 'date_joined']
+        read_only_fields = ['id', 'email', 'username', 'date_joined']
+
+
+class AdminCreateUserSerializer(serializers.ModelSerializer):
+    """Serializer used by admins to create a new user account."""
+    password = serializers.CharField(write_only=True, min_length=8)
+
+    class Meta:
+        model = User
+        fields = ['username', 'email', 'password', 'first_name', 'last_name', 'is_staff']
+
+    def create(self, validated_data):
+        password = validated_data.pop('password')
+        return User.objects.create_user(password=password, **validated_data)

apps/users/urls.py

@@ -0,0 +1,8 @@
+from django.urls import path
+from .views import AdminUserDetailView, AdminUserListView, UserProfileView
+
+urlpatterns = [
+    path('profile/',        UserProfileView.as_view(),    name='user-profile'),
+    path('admin/',          AdminUserListView.as_view(),  name='admin-user-list'),
+    path('admin/<int:pk>/', AdminUserDetailView.as_view(), name='admin-user-detail'),
+]

apps/users/views.py

@@ -0,0 +1,34 @@
+from rest_framework import generics, permissions, parsers
+
+from .serializers import AdminCreateUserSerializer, AdminUserSerializer, UserProfileSerializer
+from django.contrib.auth import get_user_model
+
+User = get_user_model()
+
+
+class UserProfileView(generics.RetrieveUpdateAPIView):
+    """GET / PATCH the authenticated user's profile (including avatar upload)."""
+    serializer_class = UserProfileSerializer
+    permission_classes = [permissions.IsAuthenticated]
+    parser_classes = [parsers.MultiPartParser, parsers.FormParser, parsers.JSONParser]
+
+    def get_object(self):
+        return self.request.user
+
+
+class AdminUserListView(generics.ListCreateAPIView):
+    """Admin: list all users (GET) or create a new user (POST)."""
+    permission_classes = [permissions.IsAdminUser]
+    queryset = User.objects.all().order_by('date_joined')
+
+    def get_serializer_class(self):
+        if self.request.method == 'POST':
+            return AdminCreateUserSerializer
+        return AdminUserSerializer
+
+
+class AdminUserDetailView(generics.RetrieveUpdateAPIView):
+    """Admin: activate/deactivate or promote/demote a user."""
+    serializer_class = AdminUserSerializer
+    permission_classes = [permissions.IsAdminUser]
+    queryset = User.objects.all()