UAT Feeback Tasks

.gitignore

@@ -118,3 +118,5 @@ private-media/
 **/data_migration/legacy_data/
 
 .db-backups/
+
+docs/sql-scripts/kb/

boranga/components/occurrence/api.py

@@ -331,7 +331,7 @@ def get_date(filter_date):
 
             filter_occurrence_name = request.POST.get("filter_occurrence_name")
             if filter_occurrence_name and not filter_occurrence_name.lower() == "all":
-                queryset = queryset.filter(occurrence__occurrence_name__icontains=filter_occurrence_name)
+                queryset = queryset.filter(occurrence__id=filter_occurrence_name)
 
             filter_common_name = request.POST.get("filter_common_name")
             if filter_common_name and not filter_common_name.lower() == "all":
@@ -2569,7 +2569,7 @@ def filter_queryset(self, request, queryset, view):
 
         filter_occurrence_name = request.POST.get("filter_occurrence_name")
         if filter_occurrence_name and not filter_occurrence_name.lower() == "all":
-            queryset = queryset.filter(occurrence_name__icontains=filter_occurrence_name)
+            queryset = queryset.filter(id=filter_occurrence_name)
 
         filter_scientific_name = request.POST.get("filter_scientific_name")
         if filter_scientific_name and not filter_scientific_name.lower() == "all":

boranga/components/occurrence/serializers.py

@@ -1463,6 +1463,7 @@ class BaseOccurrenceReportSerializer(BaseModelSerializer):
     has_main_observer = serializers.BooleanField(read_only=True)
     is_submitter = serializers.SerializerMethodField()
     can_user_edit = serializers.SerializerMethodField()
+    can_user_copy = serializers.SerializerMethodField()
     common_names = serializers.SerializerMethodField(read_only=True)
 
     class Meta:
@@ -1514,6 +1515,7 @@ class Meta:
             "number_of_observers",
             "has_main_observer",
             "is_submitter",
+            "can_user_copy",
             "record_source",
             "comments",
             "ocr_for_occ_number",
@@ -1623,6 +1625,10 @@ def get_can_user_edit(self, obj):
         request = self.context["request"]
         return obj.can_user_edit(request)
 
+    def get_can_user_copy(self, obj):
+        request = self.context["request"]
+        return obj.submitter == request.user.id or is_occurrence_assessor(request)
+
 
 class OccurrenceReportSerializer(BaseOccurrenceReportSerializer):
     submitter = serializers.SerializerMethodField(read_only=True)

boranga/components/spatial/utils.py

@@ -563,8 +563,11 @@ def save_geometry(
                 is_new_geometry = False
                 # Capture existing state to detect whether geometry data actually changes
                 pre_save_geometry_wkb = geometry.geometry.ewkb if geometry.geometry else None
-                pre_save_original_ewkb = geometry.original_geometry_ewkb
-                pre_save_buffer_radius = geometry.buffer_radius
+                # BinaryField returns memoryview from DB; normalise to bytes for comparison
+                pre_save_original_ewkb = (
+                    bytes(geometry.original_geometry_ewkb) if geometry.original_geometry_ewkb else None
+                )
+                pre_save_buffer_radius = getattr(geometry, "buffer_radius", None)
             else:
                 logger.info(f"Creating new geometry for {instance_model_name}: {instance}")
 
@@ -605,7 +608,12 @@ def save_geometry(
                     geometry_changed = (
                         (geometry_instance.geometry.ewkb if geometry_instance.geometry else None)
                         != pre_save_geometry_wkb
-                        or geometry_instance.original_geometry_ewkb != pre_save_original_ewkb
+                        or (
+                            bytes(geometry_instance.original_geometry_ewkb)
+                            if geometry_instance.original_geometry_ewkb
+                            else None
+                        )
+                        != pre_save_original_ewkb
                         or geometry_instance.buffer_radius != pre_save_buffer_radius
                     )
                     if geometry_changed:

boranga/components/species_and_communities/models.py

@@ -1389,6 +1389,7 @@ class SpeciesUserAction(UserAction):
     ACTION_REINSTATE_SPECIES = "Reinstate Species {}"
     ACTION_EDIT_SPECIES = "Edit Species {}"
     ACTION_CREATE_SPECIES = "Create new species {}"
+    ACTION_ACTIVATE_SPECIES = "Activated species {}"
     ACTION_SAVE_SPECIES = "Save Species {}"
     ACTION_MAKE_HISTORICAL = "Make Species {} historical"
     ACTION_IMAGE_UPDATE = "Species Image document updated for Species {}"
@@ -2305,6 +2306,7 @@ class CommunityUserAction(UserAction):
     ACTION_DISCARD_COMMUNITY = "Discard Community {}"
     ACTION_REINSTATE_COMMUNITY = "Reinstate Community {}"
     ACTION_CREATE_COMMUNITY = "Create new community {}"
+    ACTION_ACTIVATE_COMMUNITY = "Activated community {}"
     ACTION_SAVE_COMMUNITY = "Save Community {}"
     ACTION_RENAME_COMMUNITY_MADE_HISTORICAL = "Community {} renamed to {} and made historical"
     ACTION_RENAME_COMMUNITY_RETAINED = "Community {} renamed to {} but left active"

boranga/components/species_and_communities/utils.py

@@ -48,13 +48,13 @@ def species_form_submit(species_instance, request, split=False, rename=False):
 
     # Create a log entry for the proposal
     species_instance.log_user_action(
-        SpeciesUserAction.ACTION_CREATE_SPECIES.format(species_instance.species_number),
+        SpeciesUserAction.ACTION_ACTIVATE_SPECIES.format(species_instance.species_number),
         request,
     )
 
     # Create a log entry for the user
     request.user.log_user_action(
-        SpeciesUserAction.ACTION_CREATE_SPECIES.format(species_instance.species_number),
+        SpeciesUserAction.ACTION_ACTIVATE_SPECIES.format(species_instance.species_number),
         request,
     )
 
@@ -80,13 +80,13 @@ def community_form_submit(community_instance, request):
 
     # Create a log entry for the proposal
     community_instance.log_user_action(
-        CommunityUserAction.ACTION_CREATE_COMMUNITY.format(community_instance.community_number),
+        CommunityUserAction.ACTION_ACTIVATE_COMMUNITY.format(community_instance.community_number),
         request,
     )
 
     # Create a log entry for the user
     request.user.log_user_action(
-        CommunityUserAction.ACTION_CREATE_COMMUNITY.format(community_instance.community_number),
+        CommunityUserAction.ACTION_ACTIVATE_COMMUNITY.format(community_instance.community_number),
         request,
     )
 

boranga/frontend/boranga/src/components/common/occurrence_community_dashboard.vue

@@ -1200,7 +1200,7 @@ export default {
                     },
                 })
                 .on('select2:select', function (e) {
-                    let data = e.params.data.text;
+                    let data = e.params.data.id;
                     vm.filterOCCCommunityOccurrenceName = data;
                     sessionStorage.setItem(
                         'filterOCCCommunityOccurrenceNameText',

boranga/frontend/boranga/src/components/common/occurrence_fauna_dashboard.vue

@@ -1225,7 +1225,7 @@ export default {
                     },
                 })
                 .on('select2:select', function (e) {
-                    let data = e.params.data.text;
+                    let data = e.params.data.id;
                     vm.filterOCCFaunaOccurrenceName = data;
                     sessionStorage.setItem(
                         'filterOCCFaunaOccurrenceNameText',

boranga/frontend/boranga/src/components/common/occurrence_flora_dashboard.vue

@@ -1148,7 +1148,7 @@ export default {
                     },
                 })
                 .on('select2:select', function (e) {
-                    let data = e.params.data.text;
+                    let data = e.params.data.id;
                     vm.filterOCCFloraOccurrenceName = data;
                     sessionStorage.setItem(
                         'filterOCCFloraOccurrenceNameText',

boranga/frontend/boranga/src/components/common/occurrence_report_community_dashboard.vue

@@ -1673,6 +1673,7 @@ export default {
                                 term: params.term,
                                 type: 'public',
                                 group_type_id: vm.group_type_id,
+                                active_only: false,
                             };
                             return query;
                         },

boranga/frontend/boranga/src/components/common/occurrence_report_fauna_dashboard.vue

@@ -1677,6 +1677,7 @@ export default {
                                 term: params.term,
                                 type: 'public',
                                 group_type_id: vm.group_type_id,
+                                active_only: false,
                             };
                             return query;
                         },

boranga/frontend/boranga/src/components/common/occurrence_report_flora_dashboard.vue

@@ -1422,6 +1422,7 @@ export default {
                                 term: params.term,
                                 type: 'public',
                                 group_type_id: vm.group_type_id,
+                                active_only: false,
                             };
                             return query;
                         },

boranga/frontend/boranga/src/components/internal/occurrence/occurrence.vue

@@ -33,6 +33,7 @@
                         />
 
                         <ActivatedBy
+                            v-if="occurrence.lodgement_date"
                             :submitter_first_name="submitter_first_name"
                             :submitter_last_name="submitter_last_name"
                             :lodgement_date="occurrence.lodgement_date"

boranga/frontend/boranga/src/main.js

@@ -34,8 +34,59 @@ const app = createApp(App);
 
 const originalFetch = window.fetch.bind(window);
 
+// --- Read-only mode helpers ---
+const READ_ONLY_TOAST_ID = 'boranga-read-only-toast';
+
+function showReadOnlyBanner() {
+    if (document.getElementById(READ_ONLY_TOAST_ID)) return;
+
+    // Toast container — fixed top-right, no page height impact
+    const container = document.createElement('div');
+    container.style.cssText = 'position:fixed;top:6px;right:1rem;z-index:9999;';
+
+    container.innerHTML = `
+        <div id="${READ_ONLY_TOAST_ID}" class="toast align-items-center border-0 show" role="alert" aria-live="assertive" aria-atomic="true" style="background-color:#92400e;color:#fff;">
+            <div class="d-flex">
+                <div class="toast-body fw-semibold">
+                    \u{1F512} System READ-ONLY for data verification
+                </div>
+            </div>
+        </div>`;
+
+    document.body.appendChild(container);
+}
+
+function hideReadOnlyBanner() {
+    document
+        .getElementById(READ_ONLY_TOAST_ID)
+        ?.closest('div[style]')
+        ?.remove();
+}
+
+/** Fetches the current read-only status from the server and updates window.env + banner. */
+function refreshReadOnlyStatus() {
+    return originalFetch('/api/read_only_status')
+        .then((r) => r.json())
+        .then((data) => {
+            window.env = window.env || {};
+            window.env.read_only = !!data.read_only;
+            if (window.env.read_only) {
+                showReadOnlyBanner();
+            } else {
+                hideReadOnlyBanner();
+            }
+            return window.env.read_only;
+        })
+        .catch(() => false);
+}
+
+// Check on initial page load.
+refreshReadOnlyStatus();
+
 // Do NOT make the outer wrapper async; otherwise window.fetch becomes a Promise.
 window.fetch = ((orig) => {
+    const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+
     return async (...args) => {
         // Normalize URL (string | URL | Request)
         let url;
@@ -49,6 +100,43 @@ window.fetch = ((orig) => {
         const sameOrigin = url.origin === window.location.origin;
         const isApi = sameOrigin && url.pathname.startsWith('/api');
 
+        // Determine request method
+        const method = (
+            (args.length > 1 && args[1]?.method) ||
+            (args[0] instanceof Request && args[0].method) ||
+            'GET'
+        ).toUpperCase();
+
+        // Re-check read-only status from the server on every write attempt.
+        // DataTables uses POST on _paginated endpoints when the querystring is too
+        // long — these are read-only list queries and must not be blocked.
+        if (
+            isApi &&
+            WRITE_METHODS.has(method) &&
+            !url.pathname.includes('_paginated')
+        ) {
+            const isReadOnly = await refreshReadOnlyStatus();
+            if (isReadOnly) {
+                swal.fire({
+                    iconHtml:
+                        '<i class="bi bi-lock-fill" style="font-size:3rem;color:#92400e;"></i>',
+                    customClass: {
+                        icon: 'border-0',
+                        confirmButton: 'btn btn-primary',
+                    },
+                    title: 'Read-Only Mode',
+                    text: 'The system is currently in read-only mode for data verification. No changes can be made at this time.',
+                });
+                // Throw an AbortError so the fetch promise rejects silently —
+                // component reject handlers typically just log and show nothing,
+                // preventing a second error dialog from overwriting the lock dialog.
+                throw new DOMException(
+                    'Request blocked: system is in read-only mode.',
+                    'AbortError'
+                );
+            }
+        }
+
         // Merge headers
         let headers = new Headers();
         if (args.length > 1 && args[1]?.headers) {

boranga/middleware.py

@@ -42,6 +42,50 @@ def __call__(self, request):
         return redirect(path_ft + "?next=" + quote_plus(request.get_full_path()))
 
 
+class ReadOnlyMiddleware:
+    """Blocks all write requests (POST/PUT/PATCH/DELETE) to the API when
+    settings.DATA_VERIFICATION_READ_ONLY is truthy.  Django admin, authentication,
+    and other non-API paths are exempt so that admin and ORM-level operations still
+    work.  POST requests to *_paginated endpoints are also allowed through because
+    DataTables uses POST when the querystring is too long — these are read-only
+    list queries, not writes."""
+
+    EXEMPT_PATH_PREFIXES = (
+        "/admin/",
+        "/ledger/",
+        "/sso/",
+        "/logout",
+        "/ssologin",
+    )
+    WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        from django.conf import settings as django_settings
+
+        if (
+            getattr(django_settings, "DATA_VERIFICATION_READ_ONLY", False)
+            and request.method in self.WRITE_METHODS
+            and request.path.startswith("/api/")
+            and not any(request.path.startswith(p) for p in self.EXEMPT_PATH_PREFIXES)
+            # Allow DataTables POST queries on paginated endpoints (read-only list queries)
+            and "_paginated" not in request.path
+        ):
+            from django.http import JsonResponse
+
+            return JsonResponse(
+                {
+                    "detail": "The system is currently in read-only mode for data verification. "
+                    "No changes can be made at this time."
+                },
+                status=503,
+            )
+
+        return self.get_response(request)
+
+
 class RevisionOverrideMiddleware(RevisionMiddleware):
     """
     Wraps the entire request in a revision.

boranga/settings.py

@@ -28,6 +28,7 @@
 DISABLE_EMAIL = env("DISABLE_EMAIL", False)
 SHOW_TESTS_URL = env("SHOW_TESTS_URL", False)
 SHOW_DEBUG_TOOLBAR = env("SHOW_DEBUG_TOOLBAR", False)
+DATA_VERIFICATION_READ_ONLY = env("DATA_VERIFICATION_READ_ONLY", False)
 TIME_ZONE = "Australia/Perth"
 
 SILENCE_SYSTEM_CHECKS = env("SILENCE_SYSTEM_CHECKS", False)
@@ -156,6 +157,7 @@ def show_toolbar(request):
 }
 
 MIDDLEWARE_CLASSES += [
+    "boranga.middleware.ReadOnlyMiddleware",
     "boranga.middleware.FirstTimeNagScreenMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
 ]

boranga/urls.py

@@ -191,6 +191,7 @@ def trigger_error(request):
 router.registry.sort(key=lambda x: x[0])
 
 api_patterns = [
+    re_path(r"^api/read_only_status$", views.ReadOnlyStatusView.as_view(), name="read-only-status"),
     re_path(r"^api/profile$", users_api.GetProfile.as_view(), name="get-profile"),
     re_path(
         r"^api/geojson_to_shapefile$",

boranga/views.py

@@ -5,9 +5,10 @@
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.core.management import call_command
-from django.http import HttpResponse
+from django.http import HttpResponse, JsonResponse
 from django.shortcuts import redirect, render
 from django.utils.http import url_has_allowed_host_and_scheme
+from django.views import View
 from django.views.generic import DetailView
 from django.views.generic.base import TemplateView
 
@@ -167,6 +168,15 @@ class BorangaFurtherInformationView(TemplateView):
     template_name = "boranga/further_info.html"
 
 
+class ReadOnlyStatusView(View):
+    """Returns the current read-only status. Never cached."""
+
+    def get(self, request):
+        response = JsonResponse({"read_only": getattr(settings, "DATA_VERIFICATION_READ_ONLY", False)})
+        response["Cache-Control"] = "no-store"
+        return response
+
+
 class ManagementCommandsView(LoginRequiredMixin, UserPassesTestMixin, TemplateView):
     template_name = "boranga/mgt-commands.html"