RolnickLab · mihow · Sep 16, 2025 · Jul 2, 2025 · Jul 2, 2025 · Jul 2, 2025
diff --git a/ami/base/models.py b/ami/base/models.py
@@ -1,19 +1,68 @@
 from django.contrib.auth.models import AbstractUser, AnonymousUser
 from django.db import models
+from django.db.models import Q, QuerySet
 from guardian.shortcuts import get_perms
 
 import ami.tasks
 
 
+class BaseQuerySet(QuerySet):
+    def visible_draft_projects_only(self, user):
+        """
+        Filter queryset to include only objects whose related draft projects
+        are visible to the given user. Only superusers, project owners,
+        or members are allowed to view draft projects and their related objects.
+        """
+        from ami.main.models import Project
+
+        if user.is_superuser:
+            return self
+
+        # Determine whether the model is Project itself
+        is_project_model = self.model == Project
+
+        # Use model-defined project accessor if available
+        project_accessor = getattr(self.model, "project_accessor", "project")
+        # For models that have many2many relationship with the project model
+        # or no relationship just return the qs without filtering
+        if not project_accessor and not is_project_model:
+            return self
+        project_field = "" if is_project_model else f"{project_accessor}__"
+
+        # Build Q filters
+        non_draft_filter = Q(**{f"{project_field}draft": False})
+        # Show only non-draft projects for anonymous users
+        if isinstance(user, AnonymousUser):
+            return self.filter(non_draft_filter).distinct()
+
+        owner_filter = Q(**{f"{project_field}owner": user})
+        member_filter = Q(**{f"{project_field}members": user})
+
+        return self.filter(non_draft_filter | owner_filter | member_filter).distinct()
+
+
 class BaseModel(models.Model):
     """ """
 
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
+    objects = BaseQuerySet.as_manager()
+
+    @classmethod
+    def get_project_accessor(cls):
+        return getattr(cls, "project_accessor", "project")
 
     def get_project(self):
-        """Get the project associated with the model."""
-        return self.project if hasattr(self, "project") else None
+        """Dynamically get the related project using the project_accessor."""
+        accessor = self.get_project_accessor()
+        if not accessor:
+            return self
+        project = self
+        for part in accessor.split("__"):
+            project = getattr(project, part, None)
+            if project is None:
+                break
+        return project
 
     def __str__(self) -> str:
         """All django models should have this method."""
@@ -52,13 +101,16 @@ def check_permission(self, user: AbstractUser | AnonymousUser, action: str) -> b
         This method is used to determine if the user can perform
         CRUD operations or custom actions on the model instance.
         """
+        from ami.users.roles import BasicMember
+
         project = self.get_project() if hasattr(self, "get_project") else None
         if not project:
             return False
         if action == "retrieve":
-            # Allow view
+            if project.draft:
+                # Allow view permission for members and owners of draft projects
+                return BasicMember.has_role(user, project) or user == project.owner or user.is_superuser
             return True
-
         model = self._meta.model_name
         crud_map = {
             "create": f"create_{model}",

diff --git a/ami/main/admin.py b/ami/main/admin.py
@@ -87,6 +87,7 @@ def save_related(self, request, form, formsets, change):
                     "description",
                     "priority",
                     "active",
+                    "draft",
                     "feature_flags",
                 )
             },

diff --git a/ami/main/api/views.py b/ami/main/api/views.py
@@ -120,6 +120,15 @@ def create(self, request, *args, **kwargs):
         self.perform_create(serializer)
         return Response(serializer.data, status=status.HTTP_201_CREATED)
 
+    def get_queryset(self):
+        qs: QuerySet = super().get_queryset()
+        assert self.queryset is not None
+
+        if hasattr(self.queryset.model, "get_project_accessor"):
+            return qs.visible_draft_projects_only(self.request.user)  # type: ignore
+
+        return qs
+
 
 class DefaultReadOnlyViewSet(DefaultViewSetMixin, viewsets.ReadOnlyModelViewSet):
     pass
@@ -1536,28 +1545,44 @@ class SummaryView(GenericAPIView, ProjectMixin):
     @extend_schema(parameters=[project_id_doc_param])
     def get(self, request):
         """
-        Return counts of all models.
+        Return counts of all models, applying visibility filters for draft projects.
         """
+        user = request.user
         project = self.get_active_project()
         if project:
             data = {
-                "projects_count": Project.objects.count(),  # @TODO filter by current user, here and everywhere!
-                "deployments_count": Deployment.objects.filter(project=project).count(),
-                "events_count": Event.objects.filter(deployment__project=project, deployment__isnull=False).count(),
-                "captures_count": SourceImage.objects.filter(deployment__project=project).count(),
-                # "detections_count": Detection.objects.filter(occurrence__project=project).count(),
-                "occurrences_count": Occurrence.objects.valid().filter(project=project).count(),  # type: ignore
-                "taxa_count": Occurrence.objects.all().unique_taxa(project=project).count(),  # type: ignore
+                "projects_count": Project.objects.visible_draft_projects_only(user).count(),  # type: ignore
+                "deployments_count": Deployment.objects.visible_draft_projects_only(user)  # type: ignore
+                .filter(project=project)
+                .count(),
+                "events_count": Event.objects.visible_draft_projects_only(user)  # type: ignore
+                .filter(deployment__project=project, deployment__isnull=False)
+                .count(),
+                "captures_count": SourceImage.objects.visible_draft_projects_only(user)  # type: ignore
+                .filter(deployment__project=project)
+                .count(),
+                "occurrences_count": Occurrence.objects.valid()
+                .visible_draft_projects_only(user)
+                .filter(project=project)
+                .count(),  # type: ignore
+                "taxa_count": Occurrence.objects.visible_draft_projects_only(user)
+                .unique_taxa(project=project)
+                .count(),  # type: ignore
             }
         else:
             data = {
-                "projects_count": Project.objects.count(),
-                "deployments_count": Deployment.objects.count(),
-                "events_count": Event.objects.filter(deployment__isnull=False).count(),
-                "captures_count": SourceImage.objects.count(),
-                # "detections_count": Detection.objects.count(),
-                "occurrences_count": Occurrence.objects.valid().count(),  # type: ignore
-                "taxa_count": Occurrence.objects.all().unique_taxa().count(),  # type: ignore
+                "projects_count": Project.objects.visible_draft_projects_only(user).count(),  # type: ignore
+                "deployments_count": Deployment.objects.visible_draft_projects_only(user).count(),  # type: ignore
+                "events_count": Event.objects.visible_draft_projects_only(user)  # type: ignore
+                .filter(deployment__isnull=False)
+                .count(),
+                "captures_count": SourceImage.objects.visible_draft_projects_only(user).count(),  # type: ignore
+                "occurrences_count": Occurrence.objects.valid()
+                .visible_draft_projects_only(user)
+                .count(),  # type: ignore
+                "taxa_count": Occurrence.objects.visible_draft_projects_only(user)
+                .unique_taxa()
+                .count(),  # type: ignore
                 "last_updated": timezone.now(),
             }
 

diff --git a/.../migrations/0058_alter_project_options.py → ...ns_squashed_0067_alter_project_options.py b/.../migrations/0058_alter_project_options.py → ...ns_squashed_0067_alter_project_options.py
@@ -1,9 +1,22 @@
-# Generated by Django 4.2.10 on 2025-02-22 19:23
+# Generated by Django 4.2.10 on 2025-07-07 10:41
 
 from django.db import migrations
 
 
 class Migration(migrations.Migration):
+    replaces = [
+        ("main", "0058_alter_project_options"),
+        ("main", "0059_alter_project_options"),
+        ("main", "0060_alter_project_options"),
+        ("main", "0061_alter_project_options"),
+        ("main", "0062_alter_project_options"),
+        ("main", "0063_alter_project_options"),
+        ("main", "0064_alter_project_options"),
+        ("main", "0065_alter_project_options"),
+        ("main", "0066_alter_project_options"),
+        ("main", "0067_alter_project_options"),
+    ]
+
     dependencies = [
         ("main", "0057_merge_20250220_0022"),
     ]
@@ -19,18 +32,26 @@ class Migration(migrations.Migration):
                     ("delete_identification", "Can delete identifications"),
                     ("create_job", "Can create a job"),
                     ("update_job", "Can update a job"),
-                    ("run_job", "Can run a job"),
+                    ("run_ml_job", "Can run/retry/cancel ML jobs"),
+                    ("run_populate_captures_collection_job", "Can run/retry/cancel Populate Collection jobs"),
+                    ("run_data_storage_sync_job", "Can run/retry/cancel Data Storage Sync jobs"),
+                    ("run_data_export_job", "Can run/retry/cancel Data Export jobs"),
+                    ("run_single_image_ml_job", "Can process a single capture"),
                     ("delete_job", "Can delete a job"),
-                    ("retry_job", "Can retry a job"),
-                    ("cancel_job", "Can cancel a job"),
                     ("create_deployment", "Can create a deployment"),
                     ("delete_deployment", "Can delete a deployment"),
                     ("update_deployment", "Can update a deployment"),
                     ("create_sourceimagecollection", "Can create a collection"),
                     ("update_sourceimagecollection", "Can update a collection"),
                     ("delete_sourceimagecollection", "Can delete a collection"),
                     ("populate_sourceimagecollection", "Can populate a collection"),
+                    ("create_sourceimage", "Can create a source image"),
+                    ("update_sourceimage", "Can update a source image"),
+                    ("delete_sourceimage", "Can delete a source image"),
                     ("star_sourceimage", "Can star a source image"),
+                    ("create_sourceimageupload", "Can create a source image upload"),
+                    ("update_sourceimageupload", "Can update a source image upload"),
+                    ("delete_sourceimageupload", "Can delete a source image upload"),
                     ("create_s3storagesource", "Can create storage"),
                     ("delete_s3storagesource", "Can delete storage"),
                     ("update_s3storagesource", "Can update storage"),

diff --git a/ami/main/migrations/0059_delete_deprecated_permissions.py b/ami/main/migrations/0059_delete_deprecated_permissions.py
@@ -0,0 +1,31 @@
+from django.db import migrations
+
+
+def delete_deprecated_permissions(apps, schema_editor):
+    Permission = apps.get_model("auth", "Permission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    deprecated_codenames = [
+        "process_sourceimage",
+        "process_single_image_job",
+        "process_single_image_ml_job",
+        "run_job",
+        "retry_job",
+        "cancel_job",
+    ]
+
+    permissions = Permission.objects.filter(codename__in=deprecated_codenames)
+    for perm in permissions:
+        print(f"Deleting permission: {perm.codename}")
+        perm.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("main", "0058_alter_project_options_squashed_0067_alter_project_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(delete_deprecated_permissions, reverse_code=migrations.RunPython.noop),
+    ]
diff --git a/ami/main/migrations/0061_merge_20250709_0024.py b/ami/main/migrations/0061_merge_20250709_0024.py
@@ -0,0 +1,12 @@
+# Generated by Django 4.2.10 on 2025-07-09 00:24
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("main", "0059_delete_deprecated_permissions"),
+        ("main", "0060_alter_sourceimagecollection_method"),
+    ]
+
+    operations = []
diff --git a/ami/main/migrations/0062_project_draft.py b/ami/main/migrations/0062_project_draft.py
@@ -0,0 +1,17 @@
+# Generated by Django 4.2.10 on 2025-08-11 07:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("main", "0061_merge_20250709_0024"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="project",
+            name="draft",
+            field=models.BooleanField(default=False, help_text="Indicates whether this project is in draft mode"),
+        ),
+    ]
diff --git a/ami/main/migrations/0070_merge_0062_project_draft_0069_merge_20250818_1201.py b/ami/main/migrations/0070_merge_0062_project_draft_0069_merge_20250818_1201.py
@@ -0,0 +1,12 @@
+# Generated by Django 4.2.10 on 2025-08-22 16:04
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("main", "0062_project_draft"),
+        ("main", "0069_merge_20250818_1201"),
+    ]
+
+    operations = []