From 47c9a7819b97637115e44a60b9b514582f8e4fe8 Mon Sep 17 00:00:00 2001 From: Rohan Matta Date: Tue, 17 Feb 2026 13:56:11 -0500 Subject: [PATCH 1/2] Barebone admin page with add admins (any admin), remove admin (owners only), and add owner (owners only). Meant for owner > admin hierarchy --- .../tigerpath/admin/admin_dashboard.html | 41 +++++++++++++ tigerpath/urls.py | 1 + tigerpath/views.py | 58 +++++++++++++++++++ 3 files changed, 100 insertions(+) create mode 100644 tigerpath/templates/tigerpath/admin/admin_dashboard.html diff --git a/tigerpath/templates/tigerpath/admin/admin_dashboard.html b/tigerpath/templates/tigerpath/admin/admin_dashboard.html new file mode 100644 index 00000000..8884d65f --- /dev/null +++ b/tigerpath/templates/tigerpath/admin/admin_dashboard.html @@ -0,0 +1,41 @@ +

TigerPath Admin Dashboard

+ +{% if messages %} + +{% endif %} + +
+ +

Add New Admin

+
+ {% csrf_token %} + + + + +
+ +{% if request.user.is_superuser %} +
+

Remove Admin (Owner Only)

+
+ {% csrf_token %} + + + + +
+
+

Add Owner (Owner Only)

+
+ {% csrf_token %} + + + + +
+{% endif %} \ No newline at end of file diff --git a/tigerpath/urls.py b/tigerpath/urls.py index 156172f8..3e0b1f6d 100644 --- a/tigerpath/urls.py +++ b/tigerpath/urls.py @@ -30,4 +30,5 @@ views.update_schedule_and_get_requirements, name="update_schedule_and_get_requirements", ), + path('admin/admin-dashboard/', views.admin_dashboard, name='admin_dashboard'), ] diff --git a/tigerpath/views.py b/tigerpath/views.py index bed9376c..24be9272 100644 --- a/tigerpath/views.py +++ b/tigerpath/views.py @@ -12,6 +12,9 @@ from django.http import Http404, JsonResponse from django.shortcuts import redirect, render from django.views.decorators.csrf import csrf_exempt +from django.contrib.admin.views.decorators import staff_member_required +from django.contrib.auth.models import User +from functools import wraps from . import forms, models, utils from .majors_and_certificates.scripts.university_info import LANG_DEPTS 
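Review bot: The new route sits under the `admin/` prefix, which is also where Django's admin site is conventionally mounted. If the project URLconf includes `admin.site.urls` at `admin/` ahead of this module (not visible here), recent Django versions' admin catch-all view would answer `admin/admin-dashboard/` before `views.admin_dashboard` is tried. A prefix that cannot collide, for example `path("manage/admins/", views.admin_dashboard, name="admin_dashboard"),`, avoids depending on include order. The added line also uses single quotes where the surrounding entries use double quotes.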
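Review bot: `staff_member_required` is imported in this hunk, but none of the code added in this series calls it. The hand-written `admin_required` decorator covers the same `is_staff` gate, so either drop the import or use the stock decorator instead. `User` is imported straight from `django.contrib.auth.models`; if the project sets a custom `AUTH_USER_MODEL` (not visible here), `get_user_model()` from `django.contrib.auth` is the safe way to reach the model. `from functools import wraps` is standard library and would normally sit in the stdlib import group rather than after the Django imports.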
@@ -429,3 +432,58 @@ def get_profile(request):
 profile = {}
 profile["classYear"] = curr_user.year
 return JsonResponse(profile)
+
+def admin_required(view_func):
+ """Custom decorator to bounce non-admins to the home page with an error."""
+ @wraps(view_func)
+ def _wrapped_view(request, *args, **kwargs):
+ # Not logged in, so send to login page
+ if not request.user.is_authenticated:
+ return redirect('login')
+
+ # Not an admin, so send to home page
+ if not request.user.is_staff:
+ messages.error(request, "Access Denied: You must be an Admin to view the admin dashboard.")
+ return redirect('index')
+
+ # Admin, so go to admin page
+ return view_func(request, *args, **kwargs)
+ return _wrapped_view
+
+@admin_required
+def admin_dashboard(request):
+ if request.method == 'POST':
+ action = request.POST.get('action')
+ netid = request.POST.get('netid')
+
+ try:
+ target_user = User.objects.get(username=netid)
+
+ if action == 'add':
+ target_user.is_staff = True
+ target_user.save()
+ messages.success(request, f"Successfully made {netid} an admin.")
+
+ elif action == 'remove':
+ # Only superusers (Owners) can remove admins
+ if not request.user.is_superuser:
+ messages.error(request, "Action Denied: You must be an Owner to remove admins.")
+ elif target_user.is_superuser:
+ messages.error(request, "You cannot remove an owner's admin status!")
+ else:
+ target_user.is_staff = False
+ target_user.save()
+ messages.success(request, f"Successfully removed admin rights from {netid}.")
+
+ elif action == 'add_owner':
+ target_user.is_staff = True
+ target_user.is_superuser = True
+ target_user.save()
+ messages.success(request, f"Successfully made {netid} an owner.")
+
+ except User.DoesNotExist:
+ messages.error(request, f"User with NetID {netid} not found.")
+
+ return redirect('admin_dashboard')
+
+ return render(request, 'tigerpath/admin/admin_dashboard.html')
From cac84fbf6bf3401b56b43b990ece53636ac68530 Mon Sep 17 00:00:00 2001
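Review bot: Every branch of `admin_dashboard` that flips `is_staff` or `is_superuser` leaves no durable record of who changed whose role; the only trace is a flash message shown to the acting user. Because the `add` branch is open to any staff account, a compromised or careless admin can promote further accounts and there is nothing to reconstruct the chain from afterwards. Log actor, action and target after each successful `target_user.save()`, e.g. `logger.info("role change: actor=%s action=%s target=%s", request.user.username, action, netid)` (this assumes a module-level logger, which is not visible in this hunk). Note also that `is_staff` is the flag Django's own admin site checks at login, so "admin" here also grants entry to that site wherever it is enabled; a dedicated group or permission would keep the two roles separate.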
From: Rohan Matta Date: Mon, 23 Feb 2026 16:18:03 -0500 Subject: [PATCH 2/2] superuser (owner) check for remove admin and add owner --- tigerpath/views.py | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/tigerpath/views.py b/tigerpath/views.py index 24be9272..a9def8c2 100644 --- a/tigerpath/views.py +++ b/tigerpath/views.py @@ -460,9 +460,12 @@ def admin_dashboard(request): target_user = User.objects.get(username=netid) if action == 'add': - target_user.is_staff = True - target_user.save() - messages.success(request, f"Successfully made {netid} an admin.") + if target_user.is_staff: + messages.error(request, f"{netid} is already an admin.") + else: + target_user.is_staff = True + target_user.save() + messages.success(request, f"Successfully made {netid} an admin.") elif action == 'remove': # Only superusers (Owners) can remove admins @@ -476,10 +479,15 @@ def admin_dashboard(request): messages.success(request, f"Successfully removed admin rights from {netid}.") elif action == 'add_owner': - target_user.is_staff = True - target_user.is_superuser = True - target_user.save() - messages.success(request, f"Successfully made {netid} an owner.") + if not request.user.is_superuser: + messages.error(request, "Action Denied: You must be an Owner to add owners.") + elif target_user.is_superuser: + messages.error(request, f"{netid} is already an owner.") + else: + target_user.is_staff = True + target_user.is_superuser = True + target_user.save() + messages.success(request, f"Successfully made {netid} an owner.") except User.DoesNotExist: messages.error(request, f"User with NetID {netid} not found.")
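Review bot: The owner check is now written out separately inside the `remove` and `add_owner` branches, so a future owner-only action can be added to the chain without it. Hoisting it above the chain, e.g. `if action in ('remove', 'add_owner') and not request.user.is_superuser:`, makes the gate fail closed for that set of actions. An unrecognised or missing `action` still falls through the `if`/`elif` chain with no message, so a malformed POST is indistinguishable from a no-op; a final `else: messages.error(request, "Unknown action.")` would make it explicit. Each `target_user.save()` also rewrites every column of the user row; `target_user.save(update_fields=["is_staff", "is_superuser"])` limits the write to the role flags. The `try:` that opens this block and the closing `return redirect(...)` lie outside these hunks.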