from __future__ import annotations from datetime import timedelta from django.conf import settings from django.contrib import messages from django.contrib.auth.decorators import login_required from django.core.paginator import Paginator from django.db import transaction from django.db.models import Count, Q from django.forms import formset_factory from django.http import HttpResponseForbidden from django.shortcuts import get_object_or_404, redirect, render from django.urls import reverse from django.utils import timezone from django.views.decorators.http import require_http_methods from contract.models import User from contract.utils.auth_helpers import generate_temp_password, notify_user_credentials from market.forms import ( CompanyAdminDocumentForm, CompanyAdminMemberForm, CompanyAdminProfileForm, ) from market.models import ( CompanyActivityLog, CompanyDocument, CompanyInvitation, CompanyMember, CompanyProfile, ) from market.services.access import ( ROLE_MARKET_SELLER, assign_market_role, can_approve_company_profiles, can_create_company_profiles, can_edit_company_profiles, can_manage_company_admin_pages, can_manage_company_documents, can_manage_company_members_admin, can_view_company_admin_pages, ) from market.services.app_links import build_market_app_url from market.services.messaging import send_market_email from market.views.helpers import build_market_context CompanyCreateMemberFormSet = formset_factory(CompanyAdminMemberForm, extra=3, max_num=8) CompanyCreateDocumentFormSet = formset_factory(CompanyAdminDocumentForm, extra=2, max_num=8) def _member_search_queryset(): return CompanyMember.objects.select_related("company", "user", "invited_by", "deactivated_by").annotate( document_count=Count("company__documents", distinct=True), company_member_count=Count("company__members", distinct=True), ) def _document_search_queryset(): return CompanyDocument.objects.select_related("company", "uploaded_by", "verified_by") def _company_search_queryset(): return ( CompanyProfile.objects.select_related("created_by", "reviewed_by", "legacy_seller_profile") .prefetch_related("members", "documents", "activity_logs", "products") .annotate( member_count=Count("members", distinct=True), active_member_count=Count("members", filter=Q(members__is_active=True), distinct=True), document_count=Count("documents", distinct=True), verified_document_count=Count("documents", filter=Q(documents__is_verified=True), distinct=True), product_count=Count("products", distinct=True), active_product_count=Count("products", filter=Q(products__is_active=True), distinct=True), ) .order_by("-created_at", "-id") ) def _normalize_search_value(value): return (value or "").strip() def _normalize_contact_phone(phone): if not phone: return "" return User.normalize_phone_number(phone) or "" def _find_user_by_contact(email: str = "", phone_number: str = ""): if email: user = User.objects.filter(email__iexact=email).first() if user: return user if phone_number: normalized_phone = _normalize_contact_phone(phone_number) if normalized_phone: user = User.objects.filter(phone_number=normalized_phone).first() if user: return user return None def _member_has_owner_or_admin(company): return company.members.filter( is_active=True, member_role__in=[CompanyMember.Roles.OWNER, CompanyMember.Roles.ADMIN], ).exists() def _log_company_action(company, *, action, actor, notes="", target_user=None, entity_type="", entity_id="", metadata=None): return CompanyActivityLog.objects.create( company=company, action=action, actor=actor, target_user=target_user, entity_type=entity_type, entity_id=str(entity_id or ""), notes=notes or "", metadata=metadata or {}, ) def _company_app_access_url(): configured = str( getattr(settings, "BOMABEST_SOKO_APP_LINK", "") or getattr(settings, "COMPANY_APP_DEEP_LINK", "") or "" ).strip() return configured or build_market_app_url("/market/dashboard/seller/", fallback_path="market") def _company_login_url(): return reverse("market:login") def _send_company_access_email(*, company, user=None, email="", phone_number="", display_name="", role_label="", actor=None, temporary_password="", subject_suffix="company access"): recipient = (email or getattr(user, "email", "") or "").strip() if not recipient: return False name = display_name or (user.get_full_name() if user else "") or recipient registered_email = (getattr(user, "email", "") or email or "Not provided").strip() registered_phone = (getattr(user, "phone_number", "") or phone_number or "Not provided").strip() password_line = ( f"\nTemporary password: {temporary_password}\n" "Please sign in and change this password immediately." if temporary_password else "\nTemporary password: not available. Ask a platform administrator to reset it if you cannot sign in." ) app_link = _company_app_access_url() message = ( f"Hello {name},\n\n" f"You have Bomabest Soko company access for {company.display_name}.\n" f"Role: {role_label or 'Company team member'}\n" f"Registered email: {registered_email}\n" f"Registered phone: {registered_phone}\n" f"{password_line}\n\n" f"App access link: {app_link}\n" f"Web login: {_company_login_url()}\n\n" "Open Bomabest Soko, sign in with the registered email or phone, and change your password after login.\n" "For support, contact the Bomabest Soko operations team." ) try: send_market_email( subject=f"Bomabest Soko: {subject_suffix} for {company.display_name}", message=message, recipients=[recipient], cta_text="Open Bomabest Soko", cta_url=_company_login_url(), ) _log_company_action( company, action=CompanyActivityLog.ActionChoices.NOTE, actor=actor, target_user=user, entity_type="CompanyAccessEmail", entity_id=getattr(user, "pk", "") or "", notes=f"Company access email sent to {recipient}.", ) return True except Exception: return False def _reset_member_temporary_password(*, company, member, actor): temp_password = generate_temp_password() user = member.user user.set_password(temp_password) user.is_temporary_password = True user.save(update_fields=["password", "is_temporary_password"]) sent = _send_company_access_email( company=company, user=user, role_label=member.get_member_role_display(), actor=actor, temporary_password=temp_password, subject_suffix="temporary password reset", ) _log_company_action( company, action=CompanyActivityLog.ActionChoices.NOTE, actor=actor, target_user=user, entity_type="User", entity_id=user.pk, notes="Temporary password reset for company member.", ) return temp_password, sent def _resend_invitation_email(*, invitation, actor): sent = _send_company_access_email( company=invitation.company, email=invitation.email, phone_number=invitation.phone_number, display_name=invitation.display_name, role_label=invitation.get_member_role_display(), actor=actor, subject_suffix="team invitation", ) if sent: invitation.notes = "Invitation email resent." invitation.save(update_fields=["notes", "updated_at"]) return sent def _create_or_link_company_member(company, *, actor, form_data, create_user=True): email = (form_data.get("email") or "").strip().lower() phone_number = _normalize_contact_phone(form_data.get("phone_number") or "") member_role = form_data.get("member_role") or CompanyMember.Roles.SALESPERSON display_name = (form_data.get("display_name") or "").strip() first_name = (form_data.get("first_name") or "").strip() last_name = (form_data.get("last_name") or "").strip() send_credentials = bool(form_data.get("send_credentials", True)) existing_user = _find_user_by_contact(email=email, phone_number=phone_number) if existing_user: membership, created = CompanyMember.objects.get_or_create( company=company, user=existing_user, defaults={ "member_role": member_role, "invited_by": actor, "joined_at": timezone.now(), "is_active": True, }, ) if not created: membership.member_role = member_role membership.is_active = True membership.deactivated_by = None membership.deactivated_at = None membership.joined_at = membership.joined_at or timezone.now() membership.save( update_fields=[ "member_role", "is_active", "deactivated_by", "deactivated_at", "joined_at", "updated_at", ] ) assign_market_role(existing_user, ROLE_MARKET_SELLER, assigned_by=actor) _log_company_action( company, action=CompanyActivityLog.ActionChoices.MEMBER_JOINED, actor=actor, target_user=existing_user, entity_type="CompanyMember", entity_id=membership.pk, notes=f"{existing_user.get_full_name() or existing_user.email or existing_user.phone_number} linked as {member_role}.", ) _send_company_access_email( company=company, user=existing_user, role_label=membership.get_member_role_display(), actor=actor, subject_suffix="company access", ) return { "kind": "membership", "membership": membership, "user": existing_user, "created_user": False, "credentials_sent": False, } if not create_user: invitation = CompanyInvitation.objects.create( company=company, email=email, phone_number=phone_number, display_name=display_name, member_role=member_role, invited_by=actor, expires_at=timezone.now() + timedelta(days=14), ) _log_company_action( company, action=CompanyActivityLog.ActionChoices.INVITED_MEMBER, actor=actor, entity_type="CompanyInvitation", entity_id=invitation.pk, notes=f"Invitation queued for {email or phone_number or display_name or 'salesperson'}.", ) _resend_invitation_email(invitation=invitation, actor=actor) return {"kind": "invitation", "invitation": invitation, "created_user": False, "credentials_sent": False} if not email and not phone_number: raise ValueError("Provide at least an email or phone number to create a new company member.") temp_password = generate_temp_password() user = User.objects.create_user( email=email or None, phone_number=phone_number or None, password=temp_password, first_name=first_name or (display_name.split(" ", 1)[0] if display_name else "Company"), last_name=last_name or (display_name.split(" ", 1)[1] if display_name and " " in display_name else "Member"), type=User.Types.BUSINESS_PERSON, is_active=True, is_staff=False, is_superuser=False, is_temporary_password=True, ) assign_market_role(user, ROLE_MARKET_SELLER, assigned_by=actor) membership = CompanyMember.objects.create( company=company, user=user, member_role=member_role, invited_by=actor, joined_at=timezone.now(), is_active=True, ) _log_company_action( company, action=CompanyActivityLog.ActionChoices.MEMBER_JOINED, actor=actor, target_user=user, entity_type="CompanyMember", entity_id=membership.pk, notes=f"Created new account and added it as {member_role}.", metadata={"created_user": True}, ) credentials_sent = False if send_credentials: try: notify_user_credentials(user, temp_password) _send_company_access_email( company=company, user=user, role_label=membership.get_member_role_display(), actor=actor, temporary_password=temp_password, subject_suffix="company credentials", ) credentials_sent = True _log_company_action( company, action=CompanyActivityLog.ActionChoices.NOTE, actor=actor, target_user=user, entity_type="User", entity_id=user.pk, notes="Temporary credentials sent to the new salesperson.", ) except Exception: credentials_sent = False return { "kind": "membership", "membership": membership, "user": user, "created_user": True, "credentials_sent": credentials_sent, } def _apply_company_status(company, *, status, actor, notes=""): company.status = status company.reviewed_by = actor company.reviewed_at = timezone.now() if status == CompanyProfile.Status.APPROVED: company.is_active = True company.approved_at = timezone.now() company.rejection_reason = "" elif status == CompanyProfile.Status.REJECTED: company.rejection_reason = notes or company.rejection_reason elif status == CompanyProfile.Status.SUSPENDED: company.is_active = False company.save( update_fields=[ "status", "reviewed_by", "reviewed_at", "approved_at", "rejection_reason", "is_active", "updated_at", ] ) action = { CompanyProfile.Status.APPROVED: CompanyActivityLog.ActionChoices.APPROVED, CompanyProfile.Status.REJECTED: CompanyActivityLog.ActionChoices.REJECTED, }.get(status, CompanyActivityLog.ActionChoices.UPDATED) _log_company_action( company, action=action, actor=actor, entity_type="CompanyProfile", entity_id=company.pk, notes=notes or f"Company status changed to {status}.", ) def _company_page_context(request, **extra): return build_market_context(request, **extra) def _ensure_admin_access(request): if not getattr(request.user, "is_authenticated", False): return False, redirect("market:login") if can_view_company_admin_pages(request.user): return True, None messages.error(request, "You do not have permission to access company admin pages.") return False, redirect("market:home") def _render(request, template_name, **context): return render(request, template_name, _company_page_context(request, **context)) def _company_form_errors_from_member_forms(formset): errors = [] for form in formset: if form.errors: errors.extend(form.errors.as_ul()) return errors def _has_member_payload(cleaned_data): return bool( (cleaned_data.get("email") or "").strip() or (cleaned_data.get("phone_number") or "").strip() or (cleaned_data.get("display_name") or "").strip() or (cleaned_data.get("first_name") or "").strip() or (cleaned_data.get("last_name") or "").strip() ) @login_required(login_url="market:login") @require_http_methods(["GET"]) def company_admin_list(request): allowed, response = _ensure_admin_access(request) if not allowed: return response query = _normalize_search_value(request.GET.get("q")) status_filter = _normalize_search_value(request.GET.get("status")).upper() company_type = _normalize_search_value(request.GET.get("company_type")).upper() contact = _normalize_search_value(request.GET.get("contact")) compliance_filter = _normalize_search_value(request.GET.get("compliance")).lower() companies = _company_search_queryset() if query: companies = companies.filter( Q(display_name__icontains=query) | Q(legal_name__icontains=query) | Q(registration_number__icontains=query) | Q(tax_pin__icontains=query) | Q(contact_email__icontains=query) | Q(contact_phone__icontains=query) | Q(county__icontains=query) | Q(created_by__email__icontains=query) | Q(created_by__phone_number__icontains=query) | Q(created_by__first_name__icontains=query) | Q(created_by__last_name__icontains=query) ) if status_filter in dict(CompanyProfile.Status.choices): companies = companies.filter(status=status_filter) if company_type in dict(CompanyProfile.CompanyTypes.choices): companies = companies.filter(company_type=company_type) if contact: companies = companies.filter(Q(contact_email__icontains=contact) | Q(contact_phone__icontains=contact)) if compliance_filter == "verified": companies = companies.filter(document_count__gt=0, verified_document_count__gte=3) elif compliance_filter == "partial": companies = companies.filter(document_count__gt=0, verified_document_count__lt=3) elif compliance_filter == "missing": companies = companies.filter(document_count=0) page_obj = Paginator(companies, 20).get_page(request.GET.get("page")) return _render( request, "market/companies/admin/list.html", companies=page_obj.object_list, page_obj=page_obj, company_status_choices=CompanyProfile.Status.choices, company_type_choices=CompanyProfile.CompanyTypes.choices, query=query, status_filter=status_filter, company_type_filter=company_type, contact_filter=contact, compliance_filter=compliance_filter, can_create_company=can_create_company_profiles(request.user), can_approve_company=can_approve_company_profiles(request.user), ) @login_required(login_url="market:login") @require_http_methods(["GET"]) def company_admin_approvals(request): allowed, response = _ensure_admin_access(request) if not allowed: return response return redirect(f"{reverse('market:company_admin_list')}?status={CompanyProfile.Status.PENDING}") @login_required(login_url="market:login") @require_http_methods(["GET", "POST"]) def company_admin_create(request): allowed, response = _ensure_admin_access(request) if not allowed: return response if not can_create_company_profiles(request.user): messages.error(request, "You do not have permission to create company profiles.") return redirect("market:company_admin_list") profile_form = CompanyAdminProfileForm(request.POST or None, user=request.user) member_formset = CompanyCreateMemberFormSet(request.POST or None, prefix="members") document_formset = CompanyCreateDocumentFormSet(request.POST or None, request.FILES or None, prefix="documents") if request.method == "POST": valid_forms = profile_form.is_valid() and member_formset.is_valid() and document_formset.is_valid() if valid_forms: member_rows = [form.cleaned_data for form in member_formset if form.cleaned_data and _has_member_payload(form.cleaned_data)] document_rows = [form.cleaned_data for form in document_formset if form.cleaned_data and form.cleaned_data.get("file")] if profile_form.cleaned_data.get("status") == CompanyProfile.Status.APPROVED and not any( row.get("member_role") in {CompanyMember.Roles.OWNER, CompanyMember.Roles.ADMIN} for row in member_rows ): profile_form.add_error( "status", "Approved companies must include at least one OWNER or ADMIN member.", ) else: with transaction.atomic(): company = profile_form.save(commit=False) company.created_by = request.user company.submitted_at = timezone.now() company.save() _log_company_action( company, action=CompanyActivityLog.ActionChoices.CREATED, actor=request.user, entity_type="CompanyProfile", entity_id=company.pk, notes="Company created by a marketplace admin.", ) if company.status == CompanyProfile.Status.APPROVED: _apply_company_status(company, status=CompanyProfile.Status.APPROVED, actor=request.user, notes="Company approved at creation.") for row in member_rows: result = _create_or_link_company_member(company, actor=request.user, form_data=row, create_user=bool(row.get("create_user", True))) if result.get("credentials_sent"): messages.info(request, "Temporary credentials were sent to a new salesperson.") for row in document_rows: document = CompanyDocument.objects.create( company=company, document_type=row["document_type"], file=row["file"], notes=row.get("notes") or "", is_verified=bool(row.get("is_verified")), uploaded_by=request.user, verified_by=request.user if row.get("is_verified") else None, ) _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyDocument", entity_id=document.pk, notes=f"Uploaded {document.get_document_type_display()} during creation.", ) messages.success(request, "Company profile created successfully.") return redirect("market:company_admin_detail", company_id=company.pk) return _render( request, "market/companies/admin/create.html", form=profile_form, member_formset=member_formset, document_formset=document_formset, can_approve_company=can_approve_company_profiles(request.user), ) @login_required(login_url="market:login") @require_http_methods(["GET", "POST"]) def company_admin_detail(request, company_id): allowed, response = _ensure_admin_access(request) if not allowed: return response company = get_object_or_404( CompanyProfile.objects.select_related("created_by", "reviewed_by", "legacy_seller_profile"), pk=company_id, ) member_form = CompanyAdminMemberForm() document_form = CompanyAdminDocumentForm() if request.method == "POST": action = _normalize_search_value(request.POST.get("action")).lower() if action in {"approve", "reject", "suspend", "pending"}: if not can_approve_company_profiles(request.user): messages.error(request, "You do not have permission to change company status.") else: status_value = { "approve": CompanyProfile.Status.APPROVED, "reject": CompanyProfile.Status.REJECTED, "suspend": CompanyProfile.Status.SUSPENDED, "pending": CompanyProfile.Status.PENDING, }[action] notes = _normalize_search_value(request.POST.get("notes")) if status_value == CompanyProfile.Status.APPROVED and not _member_has_owner_or_admin(company): messages.error(request, "Approved companies must have at least one OWNER or ADMIN member.") else: with transaction.atomic(): _apply_company_status(company, status=status_value, actor=request.user, notes=notes) messages.success(request, f"Company status updated to {company.get_status_display()}.") return redirect("market:company_admin_detail", company_id=company.pk) elif action == "add_member": if not can_manage_company_members_admin(request.user): messages.error(request, "You do not have permission to manage company members.") else: member_form = CompanyAdminMemberForm(request.POST) if member_form.is_valid(): cleaned = member_form.cleaned_data if _has_member_payload(cleaned): with transaction.atomic(): result = _create_or_link_company_member( company, actor=request.user, form_data=cleaned, create_user=bool(cleaned.get("create_user", True)), ) if result.get("credentials_sent"): messages.success(request, "Member added and credentials sent.") else: messages.success(request, "Member added successfully.") return redirect("market:company_admin_detail", company_id=company.pk) else: messages.error(request, "Please correct the member form errors.") elif action == "upload_document": if not can_manage_company_documents(request.user): messages.error(request, "You do not have permission to manage company documents.") else: document_form = CompanyAdminDocumentForm(request.POST, request.FILES) if document_form.is_valid(): cleaned = document_form.cleaned_data document = CompanyDocument.objects.create( company=company, document_type=cleaned["document_type"], file=cleaned["file"], notes=cleaned.get("notes") or "", is_verified=bool(cleaned.get("is_verified")), uploaded_by=request.user, verified_by=request.user if cleaned.get("is_verified") else None, ) _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyDocument", entity_id=document.pk, notes=f"Uploaded {document.get_document_type_display()}.", ) messages.success(request, "Document uploaded successfully.") return redirect("market:company_admin_detail", company_id=company.pk) messages.error(request, "Please correct the document form errors.") elif action in {"deactivate_member", "reactivate_member", "remove_member"}: if not can_manage_company_members_admin(request.user): messages.error(request, "You do not have permission to manage company members.") else: member_id = request.POST.get("member_id") member = get_object_or_404(CompanyMember, pk=member_id, company=company) if member.is_owner and action != "reactivate_member": messages.error(request, "Company owners cannot be removed or deactivated here.") else: member.is_active = action != "deactivate_member" and action != "remove_member" or action == "reactivate_member" if action == "reactivate_member": member.deactivated_by = None member.deactivated_at = None member.joined_at = member.joined_at or timezone.now() else: member.deactivated_by = request.user member.deactivated_at = timezone.now() member.save(update_fields=["is_active", "deactivated_by", "deactivated_at", "joined_at", "updated_at"]) _log_company_action( company, action=CompanyActivityLog.ActionChoices.MEMBER_REMOVED if action != "reactivate_member" else CompanyActivityLog.ActionChoices.MEMBER_JOINED, actor=request.user, target_user=member.user, entity_type="CompanyMember", entity_id=member.pk, notes=f"{member.user.get_full_name() or member.user.email or member.user.phone_number} membership updated.", ) messages.success(request, "Member status updated.") return redirect("market:company_admin_detail", company_id=company.pk) elif action in {"reset_temp_password", "resend_credentials"}: if not can_manage_company_members_admin(request.user): messages.error(request, "You do not have permission to manage company members.") else: member_id = request.POST.get("member_id") member = get_object_or_404(CompanyMember.objects.select_related("user"), pk=member_id, company=company) if action == "resend_credentials": temp_password, sent = _reset_member_temporary_password(company=company, member=member, actor=request.user) messages.success( request, f"New temporary password generated for {member.user.get_full_name() or member.user.email or member.user.phone_number}: {temp_password}", ) if sent: messages.info(request, "Credentials were sent to the member by email.") else: messages.warning(request, "No credential email was sent. Confirm the member has a valid email address.") else: temp_password, sent = _reset_member_temporary_password(company=company, member=member, actor=request.user) messages.success( request, f"Temporary password reset. Show this once to the member if needed: {temp_password}", ) if sent: messages.info(request, "The new credentials were sent by email.") return redirect("market:company_admin_detail", company_id=company.pk) elif action == "resend_invite": if not can_manage_company_members_admin(request.user): messages.error(request, "You do not have permission to manage company invitations.") else: invitation_id = request.POST.get("invitation_id") invitation = get_object_or_404(CompanyInvitation, pk=invitation_id, company=company) if _resend_invitation_email(invitation=invitation, actor=request.user): messages.success(request, "Invitation email resent.") else: messages.warning(request, "Invitation email was not sent because no email address is available.") return redirect("market:company_admin_detail", company_id=company.pk) elif action in {"verify_document", "unverify_document", "delete_document"}: if not can_manage_company_documents(request.user): messages.error(request, "You do not have permission to manage company documents.") else: document_id = request.POST.get("document_id") document = get_object_or_404(CompanyDocument, pk=document_id, company=company) if action == "delete_document": if document.file: document.file.delete(save=False) document.delete() _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyDocument", entity_id=document_id, notes="Document deleted by an admin.", ) messages.success(request, "Document deleted.") return redirect("market:company_admin_detail", company_id=company.pk) document.is_verified = action == "verify_document" document.verified_by = request.user if document.is_verified else None document.save(update_fields=["is_verified", "verified_by", "updated_at"]) _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyDocument", entity_id=document.pk, notes=f"Document marked as {'verified' if document.is_verified else 'unverified'}.", ) messages.success(request, "Document verification updated.") return redirect("market:company_admin_detail", company_id=company.pk) members = company.members.select_related("user", "invited_by", "deactivated_by").order_by( "-is_active", "member_role", "user__first_name", "user__last_name" ) documents = company.documents.select_related("uploaded_by", "verified_by").order_by("-created_at", "-id") invitations = company.invitations.select_related("invited_by", "accepted_by").order_by("-created_at", "-id") products = company.products.select_related("category", "created_by", "managed_by").order_by("-updated_at", "-id")[:20] rfqs = company.product_rfqs.select_related("product", "buyer", "assigned_to").order_by("-updated_at", "-id")[:20] activities = company.activity_logs.select_related("actor", "target_user").order_by("-created_at", "-id")[:80] return _render( request, "market/companies/admin/detail.html", company=company, company_member_count=members.count(), company_active_member_count=members.filter(is_active=True).count(), company_document_count=documents.count(), company_product_count=company.products.count(), company_rfq_count=company.product_rfqs.count(), company_members=members, company_documents=documents, company_invitations=invitations, company_products=products, company_rfqs=rfqs, company_activity_logs=activities, can_edit_company=can_edit_company_profiles(request.user), can_manage_members=can_manage_company_members_admin(request.user), can_manage_documents=can_manage_company_documents(request.user), can_approve_company=can_approve_company_profiles(request.user), member_form=member_form, document_form=document_form, ) @login_required(login_url="market:login") @require_http_methods(["GET", "POST"]) def company_admin_edit(request, company_id): allowed, response = _ensure_admin_access(request) if not allowed: return response if not can_edit_company_profiles(request.user): messages.error(request, "You do not have permission to edit company profiles.") return redirect("market:company_admin_detail", company_id=company_id) company = get_object_or_404(CompanyProfile, pk=company_id) form = CompanyAdminProfileForm(request.POST or None, request.FILES or None, instance=company, user=request.user) if request.method == "POST" and form.is_valid(): with transaction.atomic(): company = form.save(commit=False) if company.status == CompanyProfile.Status.APPROVED and not _member_has_owner_or_admin(company): form.add_error("status", "Approved companies must have at least one OWNER or ADMIN member.") else: company.reviewed_by = request.user company.reviewed_at = timezone.now() company.save() _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyProfile", entity_id=company.pk, notes="Company profile edited by an admin.", ) messages.success(request, "Company profile updated successfully.") return redirect("market:company_admin_detail", company_id=company.pk) return _render( request, "market/companies/admin/edit.html", company=company, form=form, can_approve_company=can_approve_company_profiles(request.user), ) @login_required(login_url="market:login") @require_http_methods(["GET", "POST"]) def company_admin_members(request): allowed, response = _ensure_admin_access(request) if not allowed: return response if not can_manage_company_admin_pages(request.user): messages.error(request, "You do not have permission to manage company members.") return redirect("market:company_admin_list") query = _normalize_search_value(request.GET.get("q")) status_filter = _normalize_search_value(request.GET.get("status")).lower() members = _member_search_queryset() if query: members = members.filter( Q(company__display_name__icontains=query) | Q(company__legal_name__icontains=query) | Q(user__email__icontains=query) | Q(user__phone_number__icontains=query) | Q(user__first_name__icontains=query) | Q(user__last_name__icontains=query) ) if status_filter == "active": members = members.filter(is_active=True) elif status_filter == "inactive": members = members.filter(is_active=False) if request.method == "POST": action = _normalize_search_value(request.POST.get("action")).lower() company_id = request.POST.get("company_id") member_id = request.POST.get("member_id") company = get_object_or_404(CompanyProfile, pk=company_id) member = get_object_or_404(CompanyMember, pk=member_id, company=company) if not can_manage_company_members_admin(request.user): messages.error(request, "You do not have permission to manage company members.") elif action in {"deactivate_member", "remove_member"} and not member.is_owner: member.is_active = False member.deactivated_by = request.user member.deactivated_at = timezone.now() member.save(update_fields=["is_active", "deactivated_by", "deactivated_at", "updated_at"]) _log_company_action( company, action=CompanyActivityLog.ActionChoices.MEMBER_REMOVED, actor=request.user, target_user=member.user, entity_type="CompanyMember", entity_id=member.pk, notes="Member deactivated from the global member list.", ) messages.success(request, "Member deactivated.") return redirect("market:company_admin_members") elif action == "reactivate_member": member.is_active = True member.deactivated_by = None member.deactivated_at = None member.joined_at = member.joined_at or timezone.now() member.save(update_fields=["is_active", "deactivated_by", "deactivated_at", "joined_at", "updated_at"]) _log_company_action( company, action=CompanyActivityLog.ActionChoices.MEMBER_JOINED, actor=request.user, target_user=member.user, entity_type="CompanyMember", entity_id=member.pk, notes="Member reactivated from the global member list.", ) messages.success(request, "Member reactivated.") return redirect("market:company_admin_members") elif action in {"reset_temp_password", "resend_credentials"}: temp_password, sent = _reset_member_temporary_password(company=company, member=member, actor=request.user) messages.success( request, f"New temporary password generated for {member.user.get_full_name() or member.user.email or member.user.phone_number}: {temp_password}", ) if sent: messages.info(request, "Credentials were sent to the member by email.") else: messages.warning(request, "No credential email was sent. Confirm the member has a valid email address.") return redirect("market:company_admin_members") page_obj = Paginator(members, 30).get_page(request.GET.get("page")) return _render( request, "market/companies/admin/members.html", company_members=page_obj.object_list, page_obj=page_obj, query=query, status_filter=status_filter, ) @login_required(login_url="market:login") @require_http_methods(["GET", "POST"]) def company_admin_documents(request): allowed, response = _ensure_admin_access(request) if not allowed: return response if not can_manage_company_documents(request.user): messages.error(request, "You do not have permission to manage company documents.") return redirect("market:company_admin_list") query = _normalize_search_value(request.GET.get("q")) status_filter = _normalize_search_value(request.GET.get("status")).lower() documents = _document_search_queryset() if query: documents = documents.filter( Q(company__display_name__icontains=query) | Q(company__legal_name__icontains=query) | Q(notes__icontains=query) | Q(uploaded_by__email__icontains=query) | Q(uploaded_by__phone_number__icontains=query) ) if status_filter == "verified": documents = documents.filter(is_verified=True) elif status_filter == "unverified": documents = documents.filter(is_verified=False) if request.method == "POST": action = _normalize_search_value(request.POST.get("action")).lower() company_id = request.POST.get("company_id") document_id = request.POST.get("document_id") company = get_object_or_404(CompanyProfile, pk=company_id) document = get_object_or_404(CompanyDocument, pk=document_id, company=company) if action == "delete_document": if document.file: document.file.delete(save=False) document.delete() _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyDocument", entity_id=document_id, notes="Document deleted from the global document list.", ) messages.success(request, "Document deleted.") return redirect("market:company_admin_documents") if action in {"verify_document", "unverify_document"}: document.is_verified = action == "verify_document" document.verified_by = request.user if document.is_verified else None document.save(update_fields=["is_verified", "verified_by", "updated_at"]) _log_company_action( company, action=CompanyActivityLog.ActionChoices.UPDATED, actor=request.user, entity_type="CompanyDocument", entity_id=document.pk, notes=f"Document marked as {'verified' if document.is_verified else 'unverified'}.", ) messages.success(request, "Document verification updated.") return redirect("market:company_admin_documents") page_obj = Paginator(documents, 30).get_page(request.GET.get("page")) return _render( request, "market/companies/admin/documents.html", company_documents=page_obj.object_list, page_obj=page_obj, query=query, status_filter=status_filter, )