feat: add RBAC migrations, user modules, admin API updates, and utility scripts

accounts/migrations/0011_user_allowed_modules_alter_user_id.py

@@ -0,0 +1,23 @@
+# Generated by Django 4.2.21 on 2026-03-31 08:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0010_alter_user_id'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='allowed_modules',
+            field=models.TextField(blank=True, help_text='Comma-separated module slugs this user can access', null=True),
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='id',
+            field=models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID'),
+        ),
+    ]

accounts/models.py

@@ -37,6 +37,23 @@ class User(AbstractUser):
 
     profile_picture = models.ImageField(upload_to='profile_pictures/', blank=True, null=True, default='default.png')
 
+    allowed_modules = models.TextField(
+        blank=True, null=True,
+        help_text="Comma-separated module slugs this user can access"
+    )
+
+    ALL_MODULES = ["dashboard", "partners", "events", "ad-control", "users", "reviews", "contributions", "financials", "settings"]
+
+    def get_allowed_modules(self):
+        ALL = ["dashboard", "partners", "events", "ad-control", "users", "reviews", "contributions", "financials", "settings"]
+        if self.is_superuser or self.role == "admin":
+            return ALL
+        if self.allowed_modules:
+            return [m.strip() for m in self.allowed_modules.split(",") if m.strip()]
+        if self.role == "manager":
+            return ALL
+        return []
+
     objects = UserManager()
 
     def __str__(self):