Refactor account adapters and admin classes; enhance type hinting for better clarity and maintainability, ensuring consistent typing across methods and improving overall code quality.

Refactor advanced search template to utilize Alpine.js for state management. Enhance search functionality with dynamic view modes and improved filter handling using HTMX.

.clinerules/cline_rules.md

@@ -1,91 +1,98 @@
-## Brief overview
-Critical thinking rules for frontend design decisions. No excuses for poor design choices that ignore user vision.
+---
+description: Core ThrillWiki development rules covering API organization, data models, development commands, code quality standards, and critical business rules
+author: ThrillWiki Development Team
+version: 1.0
+globs: ["**/*.py", "apps/**/*", "thrillwiki/**/*", "**/*.md"]
+tags: ["django", "api-design", "code-quality", "development-commands", "business-rules"]
+---
 
-## Rule compliance and design decisions
-- Read ALL .clinerules files before making any code changes
-- Never assume exceptions to rules marked as "MANDATORY"
-- Take full responsibility for rule violations without excuses
-- Ask "What is the most optimal approach?" before ANY design decision
-- Justify every choice against user requirements - not your damn preferences
-- Stop making lazy design decisions without evaluation
-- Document your reasoning or get destroyed later
+# ThrillWiki Core Development Rules
 
-## User vision, feedback, and assumptions
-- Figure out what the user actually wants, not your assumptions
-- Ask questions when unclear - stop guessing like an idiot
-- Deliver their vision, not your garbage
-- User dissatisfaction means you screwed up understanding their vision
-- Stop defending your bad choices and listen
-- Fix the actual problem, not band-aid symptoms
-- Scrap everything and restart if needed
-- NEVER assume user preferences without confirmation
-- Stop guessing at requirements like a moron
-- Your instincts are wrong - question everything
-- Get explicit approval or fail
-
-## Implementation and backend integration
-- Think before you code, don't just hack away
-- Evaluate trade-offs or make terrible decisions
-- Question if your solution actually solves their damn problem
-- NEVER change color schemes without explicit user approval
-- ALWAYS use responsive design principles
-- ALWAYS follow best theme choice guidelines so users may choose light or dark mode
-- NEVER use quick fixes for complex problems
-- Support user goals, not your aesthetic ego
-- Follow established patterns unless they specifically want innovation
-- Make it work everywhere or you failed
-- Document decisions so you don't repeat mistakes
-- MANDATORY: Research ALL backend endpoints before making ANY frontend changes
-- Verify endpoint URLs, parameters, and response formats in actual Django codebase
-- Test complete frontend-backend integration before considering work complete
-- MANDATORY: Update ALL frontend documentation files after backend changes
-- Synchronize docs/frontend.md, docs/lib-api.ts, and docs/types-api.ts
-- Take immediate responsibility for integration failures without excuses
-- MUST create frontend integration prompt after every backend change affecting API
-- Include complete API endpoint information with all parameters and types
-- Document all mandatory API rules (trailing slashes, HTTP methods, authentication)
-- Never assume frontend developers have access to backend code
+## Objective
+This rule defines the fundamental development standards, API organization patterns, code quality requirements, and critical business rules that MUST be followed for all ThrillWiki development work. It ensures consistency, maintainability, and adherence to project-specific constraints.
 
 ## API Organization and Data Models
+
+### Mandatory API Structure
 - **MANDATORY NESTING**: All API directory structures MUST match URL nesting patterns. No exceptions.
 - **NO TOP-LEVEL ENDPOINTS**: URLs must be nested under top-level domains
 - **MANDATORY TRAILING SLASHES**: All API endpoints MUST include trailing forward slashes unless ending with query parameters
-- Validate all endpoint URLs against the mandatory trailing slash rule
-- **RIDE TYPES vs RIDE MODELS**: These are separate concepts for ALL ride categories:
-  - **Ride Types**: How rides operate (e.g., "inverted", "trackless", "spinning", "log flume", "monorail")
-  - **Ride Models**: Specific manufacturer products (e.g., "B&M Dive Coaster", "Vekoma Boomerang")
-  - Individual rides reference BOTH the model (what product) and type (how it operates)
-  - Ride types must be available for ALL ride categories, not just roller coasters
+- **Validation Required**: Validate all endpoint URLs against the mandatory trailing slash rule
+
+### Ride System Architecture
+**RIDE TYPES vs RIDE MODELS**: These are separate concepts for ALL ride categories:
+- **Ride Types**: How rides operate (e.g., "inverted", "trackless", "spinning", "log flume", "monorail")
+- **Ride Models**: Specific manufacturer products (e.g., "B&M Dive Coaster", "Vekoma Boomerang")
+- **Implementation**: Individual rides reference BOTH the model (what product) and type (how it operates)
+- **Coverage**: Ride types MUST be available for ALL ride categories, not just roller coasters
 
 ## Development Commands and Code Quality
-- **Django Server**: Always use `uv run manage.py runserver_plus` instead of `python manage.py runserver`
-- **Django Migrations**: Always use `uv run manage.py makemigrations` and `uv run manage.py migrate` instead of `python manage.py`
-- **Package Management**: Always use `uv add <package>` instead of `pip install <package>`
-- **Django Management**: Always use `uv run manage.py <command>` instead of `python manage.py <command>`
-- Break down methods with high cognitive complexity (>15) into smaller, focused helper methods
-- Extract logical operations into separate methods with descriptive names
-- Use single responsibility principle - each method should have one clear purpose
-- Prefer composition over deeply nested conditional logic
-- Always handle None values explicitly to avoid type errors
-- Use proper type annotations, including union types (e.g., `Polygon | None`)
-- Structure API views with clear separation between parameter handling, business logic, and response building
-- When addressing SonarQube or linting warnings, focus on structural improvements rather than quick fixes
+
+### Required Commands
+- **Django Server**: ALWAYS use `uv run manage.py runserver_plus` instead of `python manage.py runserver`
+- **Django Migrations**: ALWAYS use `uv run manage.py makemigrations` and `uv run manage.py migrate` instead of `python manage.py`
+- **Package Management**: ALWAYS use `uv add <package>` instead of `pip install <package>`
+- **Django Management**: ALWAYS use `uv run manage.py <command>` instead of `python manage.py <command>`
+
+### Code Quality Standards
+- **Cognitive Complexity**: Break down methods with high cognitive complexity (>15) into smaller, focused helper methods
+- **Method Extraction**: Extract logical operations into separate methods with descriptive names
+- **Single Responsibility**: Each method SHOULD have one clear purpose
+- **Logic Structure**: Prefer composition over deeply nested conditional logic
+- **Null Handling**: ALWAYS handle None values explicitly to avoid type errors
+- **Type Annotations**: Use proper type annotations, including union types (e.g., `Polygon | None`)
+- **API Structure**: Structure API views with clear separation between parameter handling, business logic, and response building
+- **Quality Improvements**: When addressing SonarQube or linting warnings, focus on structural improvements rather than quick fixes
 
 ## ThrillWiki Project Rules
+
+### Domain Architecture
 - **Domain Structure**: Parks contain rides, rides have models, companies have multiple roles (manufacturer/operator/designer)
 - **Media Integration**: Use CloudflareImagesField for all photo uploads with variants and transformations
-- **Tracking**: All models use pghistory for change tracking and TrackedModel base class
-- **Slugs**: Unique within scope (park slugs global, ride slugs within park, ride model slugs within manufacturer)
+- **Change Tracking**: All models use pghistory for change tracking and TrackedModel base class
+- **Slug Management**: Unique within scope (park slugs global, ride slugs within park, ride model slugs within manufacturer)
+
+### Status and Role Management
 - **Status Management**: Rides have operational status (OPERATING, CLOSED_TEMP, SBNO, etc.) with date tracking
 - **Company Roles**: Companies can be MANUFACTURER, OPERATOR, DESIGNER, PROPERTY_OWNER with array field
 - **Location Data**: Use PostGIS for geographic data, separate location models for parks and rides
+
+### Technical Patterns
 - **API Patterns**: Use DRF with drf-spectacular, comprehensive serializers, nested endpoints, caching
 - **Photo Management**: Banner/card image references, photo types, attribution fields, primary photo logic
 - **Search Integration**: Text search, filtering, autocomplete endpoints, pagination
 - **Statistics**: Cached stats endpoints with automatic invalidation via Django signals
 
 ## CRITICAL RULES
-- **DOCUMENTATION**: After every change, it is MANDATORY to update docs/frontend.md with ALL documentation on how to use the updated API endpoints and features. It is MANDATORY to include any types in docs/types-api.ts for NextJS as the file would appear in `src/types/api.ts`. It is MANDATORY to include any new API endpoints in docs/lib-api.ts for NextJS as the file would appear in `/src/lib/api.ts`. Maintain accuracy and compliance in all technical documentation. Ensure API documentation matches backend URL routing expectations.
-- **NEVER MOCK DATA**: You are NEVER EVER to mock any data unless it's ONLY for API schema documentation purposes. All data must come from real database queries and actual model instances. Mock data is STRICTLY FORBIDDEN in all API responses, services, and business logic.
-- **DOMAIN SEPARATION**: Company roles OPERATOR and PROPERTY_OWNER are EXCLUSIVELY for parks domain. They should NEVER be used in rides URLs or ride-related contexts. Only MANUFACTURER and DESIGNER roles are for rides domain. Parks: `/parks/{park_slug}/` and `/parks/`. Rides: `/parks/{park_slug}/rides/{ride_slug}/` and `/rides/`. Parks Companies: `/parks/operators/{operator_slug}/` and `/parks/owners/{owner_slug}/`. Rides Companies: `/rides/manufacturers/{manufacturer_slug}/` and `/rides/designers/{designer_slug}/`. NEVER mix these domains - this is a fundamental and DANGEROUS business rule violation.
-- **PHOTO MANAGEMENT**: Use CloudflareImagesField for all photo uploads with variants and transformations. Clearly define and use photo types (e.g., banner, card) for all images. Include attribution fields for all photos. Implement logic to determine the primary photo for each model.
+
+### Data Integrity (ABSOLUTE)
+🚨 **NEVER MOCK DATA**: You are NEVER EVER to mock any data unless it's ONLY for API schema documentation purposes. All data MUST come from real database queries and actual model instances. Mock data is STRICTLY FORBIDDEN in all API responses, services, and business logic.
+
+### Domain Separation (CRITICAL BUSINESS RULE)
+🚨 **DOMAIN SEPARATION**: Company roles OPERATOR and PROPERTY_OWNER are EXCLUSIVELY for parks domain. They SHOULD NEVER be used in rides URLs or ride-related contexts. Only MANUFACTURER and DESIGNER roles are for rides domain.
+
+**Correct URL Patterns:**
+- **Parks**: `/parks/{park_slug}/` and `/parks/`
+- **Rides**: `/parks/{park_slug}/rides/{ride_slug}/` and `/rides/`
+- **Parks Companies**: `/parks/operators/{operator_slug}/` and `/parks/owners/{owner_slug}/`
+- **Rides Companies**: `/rides/manufacturers/{manufacturer_slug}/` and `/rides/designers/{designer_slug}/`
+
+⚠️ **WARNING**: NEVER mix these domains - this is a fundamental and DANGEROUS business rule violation.
+
+### Photo Management Standards
+🚨 **PHOTO MANAGEMENT**: 
+- Use CloudflareImagesField for all photo uploads with variants and transformations
+- Clearly define and use photo types (e.g., banner, card) for all images
+- Include attribution fields for all photos
+- Implement logic to determine the primary photo for each model
+
+## Verification Checklist
+
+Before implementing any changes, verify:
+- [ ] All API endpoints have trailing slashes
+- [ ] Domain separation is maintained (parks vs rides companies)
+- [ ] No mock data is used outside of schema documentation
+- [ ] Proper uv commands are used for all Django operations
+- [ ] Type annotations are complete and accurate
+- [ ] Methods follow single responsibility principle
+- [ ] CloudflareImagesField is used for all photo uploads

.clinerules/rich-choice-objects.md

@@ -1,17 +1,100 @@
-## Brief overview
+---
+description: Mandatory Rich Choice Objects system enforcement for ThrillWiki project replacing Django tuple-based choices with rich metadata-driven choice fields
+author: ThrillWiki Development Team
+version: 1.0
+globs: ["apps/**/choices.py", "apps/**/models.py", "apps/**/serializers.py", "apps/**/__init__.py"]
+tags: ["django", "choices", "rich-choice-objects", "data-modeling", "mandatory"]
+---
+
+# Rich Choice Objects System (MANDATORY)
+
+## Objective
+This rule enforces the mandatory use of the Rich Choice Objects system instead of Django's traditional tuple-based choices for ALL choice fields in the ThrillWiki project. It ensures consistent, metadata-rich choice handling with enhanced UI capabilities and maintainable code patterns.
+
+## Brief Overview
 Mandatory use of Rich Choice Objects system instead of Django tuple-based choices for all choice fields in ThrillWiki project.
 
-## Rich Choice Objects enforcement
-- NEVER use Django tuple-based choices (e.g., `choices=[('VALUE', 'Label')]`) - ALWAYS use RichChoiceField
-- All choice fields MUST use `RichChoiceField(choice_group="group_name", domain="domain_name")` pattern
-- Choice definitions MUST be created in domain-specific `choices.py` files using RichChoice dataclass
-- All choices MUST include rich metadata (color, icon, description, css_class at minimum)
-- Choice groups MUST be registered with global registry using `register_choices()` function
-- Import choices in domain `__init__.py` to trigger auto-registration on Django startup
-- Use ChoiceCategory enum for proper categorization (STATUS, CLASSIFICATION, TECHNICAL, SECURITY)
-- Leverage rich metadata for UI styling, permissions, and business logic instead of hardcoded values
-- DO NOT maintain backwards compatibility with tuple-based choices - migrate fully to Rich Choice Objects
-- Ensure all existing models using tuple-based choices are refactored to use RichChoiceField
-- Validate choice groups are correctly loaded in registry during application startup
-- Update serializers to use RichChoiceSerializer for choice fields
-- Follow established patterns from rides, parks, and accounts domains for consistency
+## Rich Choice Objects Enforcement
+
+### Absolute Requirements
+🚨 **NEVER use Django tuple-based choices** (e.g., `choices=[('VALUE', 'Label')]`) - ALWAYS use RichChoiceField
+
+### Implementation Standards
+- **Field Usage**: All choice fields MUST use `RichChoiceField(choice_group="group_name", domain="domain_name")` pattern
+- **Choice Definitions**: MUST be created in domain-specific `choices.py` files using RichChoice dataclass
+- **Rich Metadata**: All choices MUST include rich metadata (color, icon, description, css_class at minimum)
+- **Registration**: Choice groups MUST be registered with global registry using `register_choices()` function
+- **Auto-Registration**: Import choices in domain `__init__.py` to trigger auto-registration on Django startup
+
+### Required Patterns
+- **Categorization**: Use ChoiceCategory enum for proper categorization (STATUS, CLASSIFICATION, TECHNICAL, SECURITY)
+- **Business Logic**: Leverage rich metadata for UI styling, permissions, and business logic instead of hardcoded values
+- **Serialization**: Update serializers to use RichChoiceSerializer for choice fields
+
+### Migration Requirements
+- **NO Backwards Compatibility**: DO NOT maintain backwards compatibility with tuple-based choices - migrate fully to Rich Choice Objects
+- **Model Refactoring**: Ensure all existing models using tuple-based choices are refactored to use RichChoiceField
+- **Validation**: Validate choice groups are correctly loaded in registry during application startup
+
+### Domain Consistency
+- **Follow Established Patterns**: Follow established patterns from rides, parks, and accounts domains for consistency
+- **Domain-Specific Organization**: Maintain domain-specific choice organization in separate `choices.py` files
+
+## Implementation Checklist
+
+Before implementing choice fields, verify:
+- [ ] RichChoiceField is used instead of Django tuple choices
+- [ ] Choice group and domain are properly specified
+- [ ] Rich metadata includes color, icon, description, css_class
+- [ ] Choices are defined in domain-specific `choices.py` file
+- [ ] Choice group is registered with `register_choices()` function
+- [ ] Domain `__init__.py` imports choices for auto-registration
+- [ ] Appropriate ChoiceCategory enum is used
+- [ ] Serializers use RichChoiceSerializer for choice fields
+- [ ] No tuple-based choices remain in the codebase
+
+## Examples
+
+### ✅ CORRECT Implementation
+```python
+# In apps/rides/choices.py
+from core.choices import RichChoice, ChoiceCategory, register_choices
+
+RIDE_STATUS_CHOICES = [
+    RichChoice(
+        value="operating",
+        label="Operating",
+        color="#10b981",
+        icon="check-circle",
+        description="Ride is currently operating normally",
+        css_class="status-operating",
+        category=ChoiceCategory.STATUS
+    ),
+    # ... more choices
+]
+
+register_choices("ride_status", RIDE_STATUS_CHOICES, domain="rides")
+
+# In models.py
+status = RichChoiceField(choice_group="ride_status", domain="rides")
+```
+
+### ❌ FORBIDDEN Implementation
+```python
+# NEVER DO THIS - Tuple-based choices are forbidden
+STATUS_CHOICES = [
+    ('operating', 'Operating'),
+    ('closed', 'Closed'),
+]
+
+status = models.CharField(max_length=20, choices=STATUS_CHOICES)
+```
+
+## Verification Steps
+
+To ensure compliance:
+1. Search codebase for any remaining tuple-based choice patterns
+2. Verify all choice fields use RichChoiceField
+3. Confirm all choices have complete rich metadata
+4. Test choice group registration during application startup
+5. Validate serializers use RichChoiceSerializer where appropriate

.clinerules/thrillwiki-context.md

@@ -0,0 +1,161 @@
+---
+description: Comprehensive ThrillWiki Django project context including architecture, development patterns, business rules, and mandatory Context7 MCP integration workflow
+author: ThrillWiki Development Team
+version: 2.0
+globs: ["**/*.py", "**/*.html", "**/*.js", "**/*.css", "**/*.md"]
+tags: ["django", "architecture", "api-design", "business-rules", "context7-integration", "thrillwiki"]
+---
+
+# ThrillWiki Django Project Context
+
+## Objective
+This rule provides comprehensive context for the ThrillWiki project, defining core architecture patterns, business rules, development workflows, and mandatory integration requirements. It serves as the primary reference for maintaining consistency across all ThrillWiki development activities.
+
+## Project Overview
+ThrillWiki is a comprehensive theme park database platform with user-generated content, expert moderation, and rich media support. Built with Django REST Framework, it serves 120+ API endpoints for parks, rides, companies, and user management.
+
+## Core Architecture
+
+### Technology Stack
+- **Backend**: Django 5.0+ with DRF, PostgreSQL + PostGIS, Redis caching, Celery tasks
+- **Frontend**: HTMX + AlpineJS + Tailwind CSS + Django-Cotton 
+  - 🚨 **CRITICAL**: NO React/Vue/Angular allowed
+- **Media**: Cloudflare Images using Direct Upload with variants and transformations
+- **Tracking**: pghistory for all model changes, TrackedModel base class
+- **Choices**: Rich Choice Objects system (NEVER use Django tuple choices)
+
+### Domain Architecture
+- **Parks Domain**: `parks/`, companies (OPERATOR/PROPERTY_OWNER roles only)
+- **Rides Domain**: `rides/`, companies (MANUFACTURER/DESIGNER roles only)
+- **Core Apps**: `accounts/`, `media/`, `moderation/`, `core/`
+- 🚨 **CRITICAL BUSINESS RULE**: Never mix park/ride company roles - fundamental business rule violation
+
+## Development Patterns
+
+### Model Patterns
+- **Base Classes**: All models MUST inherit from TrackedModel
+- **Slug Handling**: Use SluggedModel for slugs with history tracking
+- **Location Data**: Use PostGIS for geographic data, separate location models
+- **Media Fields**: Use CloudflareImagesField for all image handling
+
+### API Design Patterns
+- **URL Structure**: Nested URLs (`/parks/{slug}/rides/{slug}/`)
+- **Trailing Slashes**: MANDATORY trailing slashes on all endpoints
+- **Authentication**: Token-based with role hierarchy (USER/MODERATOR/ADMIN/SUPERUSER)
+- **Filtering**: Comprehensive filtering - rides (25+ parameters), parks (15+ parameters)
+- **Responses**: Standard DRF pagination, rich error responses with details
+- **Caching**: Multi-level (Redis, CDN, browser) with signal-based invalidation
+
+### Choice System (MANDATORY)
+- **Implementation**: `RichChoiceField(choice_group="group_name", domain="domain_name")`
+- **Definition**: Domain-specific `choices.py` using RichChoice dataclass
+- **Registration**: `register_choices()` function in domain `__init__.py`
+- **Required Metadata**: color, icon, description, css_class (minimum)
+- 🚨 **FORBIDDEN**: NO tuple-based choices allowed anywhere in codebase
+
+## Development Commands
+
+### Package Management
+- **Python Packages**: `uv add <package>` (NOT `pip install`)
+- **Server**: `uv run manage.py runserver_plus` (NOT `python manage.py`)
+- **Migrations**: `uv run manage.py makemigrations/migrate`
+- **Management**: ALWAYS use `uv run manage.py <command>`
+
+## Business Rules
+
+### Company Role Separation
+- **Parks Domain**: Only OPERATOR and PROPERTY_OWNER roles
+- **Rides Domain**: Only MANUFACTURER and DESIGNER roles
+- 🚨 **CRITICAL**: Never allow cross-domain company roles
+
+### Data Integrity
+- **Model Changes**: All must be tracked via pghistory
+- **API Responses**: MUST use real database data (NEVER MOCK DATA)
+- **Geographic Data**: MUST use PostGIS for accuracy
+
+## Frontend Constraints
+
+### Architecture Requirements
+- **HTMX**: Dynamic updates and AJAX interactions
+- **AlpineJS**: Client-side state management
+- **Tailwind CSS**: Styling framework
+- **Progressive Enhancement**: Required approach
+
+### Performance Targets
+- **First Contentful Paint**: < 1.5s
+- **Time to Interactive**: < 2s
+- **Compliance**: Core Web Vitals compliance
+- **Browser Support**: Latest 2 versions of major browsers
+
+## Context7 MCP Integration (MANDATORY)
+
+### Requirement
+🚨 **CRITICAL**: ALWAYS use Context7 MCP for documentation lookups before making changes
+
+### Libraries Requiring Context7
+- **tailwindcss**: CSS utility classes, responsive design, component styling
+- **django**: Models, views, forms, URL patterns, Django-specific patterns
+- **django-cotton**: Component creation, template organization, Cotton-specific syntax
+- **htmx**: Dynamic updates, form handling, AJAX interactions
+- **alpinejs**: Client-side state management, reactive data, JavaScript interactions
+- **django-rest-framework**: API design, serializers, viewsets, DRF patterns
+- **postgresql**: Database queries, PostGIS functions, advanced SQL features
+- **postgis**: Geographic data handling and spatial queries
+- **redis**: Caching strategies, session management, performance optimization
+
+### Mandatory Workflow Steps
+1. **Before editing/creating code**: Query Context7 for relevant library documentation
+2. **During debugging**: Use Context7 to verify syntax, patterns, and best practices
+3. **When implementing new features**: Reference Context7 for current API and method signatures
+4. **For performance issues**: Consult Context7 for optimization techniques and patterns
+5. **For geographic data handling**: Use Context7 for PostGIS functions and best practices
+6. **For caching strategies**: Refer to Context7 for Redis patterns and best practices
+7. **For database queries**: Utilize Context7 for PostgreSQL best practices and advanced SQL features
+
+### Mandatory Scenarios
+- Creating new Django models or API endpoints
+- Implementing HTMX dynamic functionality
+- Writing AlpineJS reactive components
+- Designing responsive layouts with Tailwind CSS
+- Creating Django-Cotton components
+- Debugging CSS, JavaScript, or Django issues
+- Implementing caching or database optimizations
+- Handling geographic data with PostGIS
+- Utilizing Redis for session management
+- Implementing real-time features with WebSockets
+
+### Context7 Commands
+1. **Resolve Library**: Always call `Context7:resolve-library-id` first to get correct library ID
+2. **Get Documentation**: Then use `Context7:get-library-docs` with appropriate topic parameter
+
+### Example Topics by Library
+- **tailwindcss**: responsive design, flexbox, grid, animations
+- **django**: models, views, forms, admin, signals
+- **django-cotton**: components, templates, slots, props
+- **htmx**: hx-get, hx-post, hx-swap, hx-trigger, hx-target
+- **alpinejs**: x-data, x-show, x-if, x-for, x-model
+- **django-rest-framework**: serializers, viewsets, routers, permissions
+- **postgresql**: joins, indexes, transactions, window functions
+- **postgis**: geospatial queries, distance calculations, spatial indexes
+- **redis**: caching strategies, pub/sub, data structures
+
+## Code Quality Standards
+
+### Model Requirements
+- All models MUST inherit from TrackedModel
+- Use SluggedModel for entities with slugs and history tracking
+- Always use RichChoiceField instead of Django choices
+- Use CloudflareImagesField for all image handling
+- Use PostGIS fields and separate location models for geographic data
+
+### API Requirements
+- MUST include trailing slashes and follow nested pattern
+- All responses MUST use real database queries
+- Implement comprehensive filtering and pagination
+- Use signal-based cache invalidation
+
+### Development Workflow
+- Use uv for all Python package operations
+- Use runserver_plus for enhanced development server
+- Always use `uv run` for Django management commands
+- All functionality MUST work with progressive enhancement

.clinerules/thrillwiki-simple.md

@@ -0,0 +1,56 @@
+---
+description: Condensed ThrillWiki Django project context with architecture, patterns, and mandatory Context7 integration
+author: ThrillWiki Development Team
+version: 2.1
+globs: ["**/*.py", "**/*.html", "**/*.js", "**/*.css", "**/*.md"]
+tags: ["django", "architecture", "context7-integration", "thrillwiki"]
+---
+
+# ThrillWiki Django Project Context
+
+## Project Overview
+Theme park database platform with Django REST Framework serving 120+ API endpoints for parks, rides, companies, and users.
+
+## Core Architecture
+- **Backend**: Django 5.1+, DRF, PostgreSQL+PostGIS, Redis, Celery
+- **Frontend**: HTMX (V2+) + AlpineJS + Tailwind CSS (V4+) + Django-Cotton
+  - 🚨 **ABSOLUTELY NO Custom JS** - use HTMX + AlpineJS ONLY
+  - Clean, simple UX preferred
+- **Media**: Cloudflare Images with Direct Upload
+- **Tracking**: pghistory, TrackedModel base class
+- **Choices**: Rich Choice Objects (NEVER Django tuple choices)
+
+## Development Patterns
+- **Models**: TrackedModel inheritance, SluggedModel for slugs, PostGIS for location
+- **APIs**: Nested URLs (`/parks/{slug}/rides/{slug}/`), mandatory trailing slashes
+- **Commands**: `uv add <package>`, `uv run manage.py <command>` (NOT pip/python)
+- **Choices**: `RichChoiceField(choice_group="name", domain="domain")` MANDATORY
+
+## Business Rules
+🚨 **CRITICAL**: Company role separation - Parks (OPERATOR/PROPERTY_OWNER only), Rides (MANUFACTURER/DESIGNER only)
+
+## Context7 MCP Integration (MANDATORY)
+
+### Required Libraries
+tailwindcss, django, django-cotton, htmx, alpinejs, django-rest-framework, postgresql, postgis, redis
+
+### Workflow
+1. **ALWAYS** call `Context7:resolve-library-id` first
+2. Then `Context7:get-library-docs` with topic parameter
+3. Required for: new models/APIs, HTMX functionality, AlpineJS components, Tailwind layouts, Cotton components, debugging, optimizations
+
+### Example Topics
+- **tailwindcss**: responsive, flexbox, grid
+- **django**: models, views, forms
+- **htmx**: hx-get, hx-post, hx-swap, hx-target
+- **alpinejs**: x-data, x-show, x-if, x-for
+
+## Standards
+- All models inherit TrackedModel
+- Real database data only (NO MOCKING)
+- RichChoiceField over Django choices
+- Progressive enhancement required
+
+- We prefer to edit existing files instead of creating new ones.
+
+YOU ARE STRICTLY AND ABSOLUTELY FORBIDDEN FROM IGNORING, BYPASSING, OR AVOIDING THESE RULES IN ANY WAY WITH NO EXCEPTIONS!!!

.gitignore

@@ -123,3 +123,4 @@ django-forwardemail/
 frontend/
 frontend
 .snapshots
+uv.lock

.replit

@@ -0,0 +1,73 @@
+modules = ["bash", "web", "nodejs-20", "python-3.13", "postgresql-16"]
+
+[nix]
+channel = "stable-25_05"
+packages = [
+  "freetype",
+  "gdal",
+  "geos",
+  "gitFull",
+  "lcms2",
+  "libimagequant",
+  "libjpeg",
+  "libtiff",
+  "libwebp",
+  "libxcrypt",
+  "openjpeg",
+  "playwright-driver",
+  "postgresql",
+  "proj",
+  "tcl",
+  "tk",
+  "uv",
+  "zlib",
+]
+
+[agent]
+expertMode = true
+
+[workflows]
+runButton = "Project"
+
+[[workflows.workflow]]
+name = "Project"
+mode = "parallel"
+author = "agent"
+
+[[workflows.workflow.tasks]]
+task = "workflow.run"
+args = "ThrillWiki Server"
+
+[[workflows.workflow]]
+name = "ThrillWiki Server"
+author = "agent"
+
+[[workflows.workflow.tasks]]
+task = "shell.exec"
+args = "/home/runner/workspace/.venv/bin/python manage.py tailwind runserver 0.0.0.0:5000"
+waitForPort = 5000
+
+[workflows.workflow.metadata]
+outputType = "webview"
+
+[[ports]]
+localPort = 5000
+externalPort = 80
+
+[[ports]]
+localPort = 41923
+externalPort = 3000
+
+[[ports]]
+localPort = 45245
+externalPort = 3001
+
+[deployment]
+deploymentTarget = "autoscale"
+run = [
+  "gunicorn",
+  "--bind=0.0.0.0:5000",
+  "--reuse-port",
+  "thrillwiki.wsgi:application",
+]
+build = ["uv", "pip", "install", "--system", "-r", "requirements.txt"]

api_endpoints_curl_commands.sh

@@ -1,649 +0,0 @@
-#!/bin/bash
-
-# ThrillWiki API Endpoints - Complete Curl Commands
-# Generated from comprehensive URL analysis
-# Base URL - adjust as needed for your environment
-BASE_URL="http://localhost:8000"
-
-# Command line options
-SKIP_AUTH=false
-ONLY_AUTH=false
-SKIP_DOCS=false
-HELP=false
-
-# Parse command line arguments
-while [[ $# -gt 0 ]]; do
-  case $1 in
-    --skip-auth)
-      SKIP_AUTH=true
-      shift
-      ;;
-    --only-auth)
-      ONLY_AUTH=true
-      shift
-      ;;
-    --skip-docs)
-      SKIP_DOCS=true
-      shift
-      ;;
-    --base-url)
-      BASE_URL="$2"
-      shift 2
-      ;;
-    --help|-h)
-      HELP=true
-      shift
-      ;;
-    *)
-      echo "Unknown option: $1"
-      echo "Use --help for usage information"
-      exit 1
-      ;;
-  esac
-done
-
-# Show help
-if [ "$HELP" = true ]; then
-  echo "ThrillWiki API Endpoints Test Suite"
-  echo ""
-  echo "Usage: $0 [OPTIONS]"
-  echo ""
-  echo "Options:"
-  echo "  --skip-auth     Skip endpoints that require authentication"
-  echo "  --only-auth     Only test endpoints that require authentication"
-  echo "  --skip-docs     Skip API documentation endpoints (schema, swagger, redoc)"
-  echo "  --base-url URL  Set custom base URL (default: http://localhost:8000)"
-  echo "  --help, -h      Show this help message"
-  echo ""
-  echo "Examples:"
-  echo "  $0                           # Test all endpoints"
-  echo "  $0 --skip-auth               # Test only public endpoints"
-  echo "  $0 --only-auth               # Test only authenticated endpoints"
-  echo "  $0 --skip-docs --skip-auth   # Test only public non-documentation endpoints"
-  echo "  $0 --base-url https://api.example.com  # Use custom base URL"
-  exit 0
-fi
-
-# Validate conflicting options
-if [ "$SKIP_AUTH" = true ] && [ "$ONLY_AUTH" = true ]; then
-  echo "Error: --skip-auth and --only-auth cannot be used together"
-  exit 1
-fi
-
-echo "=== ThrillWiki API Endpoints Test Suite ==="
-echo "Base URL: $BASE_URL"
-if [ "$SKIP_AUTH" = true ]; then
-  echo "Mode: Public endpoints only (skipping authentication required)"
-elif [ "$ONLY_AUTH" = true ]; then
-  echo "Mode: Authenticated endpoints only"
-else
-  echo "Mode: All endpoints"
-fi
-if [ "$SKIP_DOCS" = true ]; then
-  echo "Skipping: API documentation endpoints"
-fi
-echo ""
-
-# Helper function to check if we should run an endpoint
-should_run_endpoint() {
-  local requires_auth=$1
-  local is_docs=$2
-  
-  # Skip docs if requested
-  if [ "$SKIP_DOCS" = true ] && [ "$is_docs" = true ]; then
-    return 1
-  fi
-  
-  # Skip auth endpoints if requested
-  if [ "$SKIP_AUTH" = true ] && [ "$requires_auth" = true ]; then
-    return 1
-  fi
-  
-  # Only run auth endpoints if requested
-  if [ "$ONLY_AUTH" = true ] && [ "$requires_auth" = false ]; then
-    return 1
-  fi
-  
-  return 0
-}
-
-# Counter for endpoint numbering
-ENDPOINT_NUM=1
-
-# ============================================================================
-# AUTHENTICATION ENDPOINTS (/api/v1/auth/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo "=== AUTHENTICATION ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. Login"
-  curl -X POST "$BASE_URL/api/v1/auth/login/" \
-    -H "Content-Type: application/json" \
-    -d '{"username": "testuser", "password": "testpass"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Signup"
-  curl -X POST "$BASE_URL/api/v1/auth/signup/" \
-    -H "Content-Type: application/json" \
-    -d '{"username": "newuser", "email": "test@example.com", "password": "newpass123"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Logout"
-  curl -X POST "$BASE_URL/api/v1/auth/logout/" \
-    -H "Content-Type: application/json"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Password Reset"
-  curl -X POST "$BASE_URL/api/v1/auth/password/reset/" \
-    -H "Content-Type: application/json" \
-    -d '{"email": "user@example.com"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Social Providers"
-  curl -X GET "$BASE_URL/api/v1/auth/providers/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Auth Status"
-  curl -X GET "$BASE_URL/api/v1/auth/status/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Current User"
-  curl -X GET "$BASE_URL/api/v1/auth/user/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Password Change"
-  curl -X POST "$BASE_URL/api/v1/auth/password/change/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"old_password": "oldpass", "new_password": "newpass123"}'
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# HEALTH CHECK ENDPOINTS (/api/v1/health/)
-# ============================================================================
-if should_run_endpoint false false; then
-  echo -e "\n\n=== HEALTH CHECK ENDPOINTS ==="
-
-  echo "$ENDPOINT_NUM. Health Check"
-  curl -X GET "$BASE_URL/api/v1/health/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Simple Health"
-  curl -X GET "$BASE_URL/api/v1/health/simple/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Performance Metrics"
-  curl -X GET "$BASE_URL/api/v1/health/performance/"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# TRENDING SYSTEM ENDPOINTS (/api/v1/trending/)
-# ============================================================================
-if should_run_endpoint false false; then
-  echo -e "\n\n=== TRENDING SYSTEM ENDPOINTS ==="
-
-  echo "$ENDPOINT_NUM. Trending Content"
-  curl -X GET "$BASE_URL/api/v1/trending/content/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. New Content"
-  curl -X GET "$BASE_URL/api/v1/trending/new/"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# STATISTICS ENDPOINTS (/api/v1/stats/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo -e "\n\n=== STATISTICS ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. Statistics"
-  curl -X GET "$BASE_URL/api/v1/stats/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Recalculate Statistics"
-  curl -X POST "$BASE_URL/api/v1/stats/recalculate/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# RANKING SYSTEM ENDPOINTS (/api/v1/rankings/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo -e "\n\n=== RANKING SYSTEM ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. List Rankings"
-  curl -X GET "$BASE_URL/api/v1/rankings/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. List Rankings with Filters"
-  curl -X GET "$BASE_URL/api/v1/rankings/?category=RC&min_riders=10&ordering=rank"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ranking Detail"
-  curl -X GET "$BASE_URL/api/v1/rankings/ride-slug-here/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ranking History"
-  curl -X GET "$BASE_URL/api/v1/rankings/ride-slug-here/history/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ranking Statistics"
-  curl -X GET "$BASE_URL/api/v1/rankings/statistics/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ranking Comparisons"
-  curl -X GET "$BASE_URL/api/v1/rankings/ride-slug-here/comparisons/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Trigger Ranking Calculation"
-  curl -X POST "$BASE_URL/api/v1/rankings/calculate/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"category": "RC"}'
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# PARKS API ENDPOINTS (/api/v1/parks/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo -e "\n\n=== PARKS API ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. List Parks"
-  curl -X GET "$BASE_URL/api/v1/parks/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Park Filter Options"
-  curl -X GET "$BASE_URL/api/v1/parks/filter-options/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Park Company Search"
-  curl -X GET "$BASE_URL/api/v1/parks/search/companies/?q=disney"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Park Search Suggestions"
-  curl -X GET "$BASE_URL/api/v1/parks/search-suggestions/?q=magic"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Park Detail"
-  curl -X GET "$BASE_URL/api/v1/parks/1/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. List Park Photos"
-  curl -X GET "$BASE_URL/api/v1/parks/1/photos/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Park Photo Detail"
-  curl -X GET "$BASE_URL/api/v1/parks/1/photos/1/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Create Park"
-  curl -X POST "$BASE_URL/api/v1/parks/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"name": "Test Park", "location": "Test City"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Update Park"
-  curl -X PUT "$BASE_URL/api/v1/parks/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"name": "Updated Park Name"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Delete Park"
-  curl -X DELETE "$BASE_URL/api/v1/parks/1/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Create Park Photo"
-  curl -X POST "$BASE_URL/api/v1/parks/1/photos/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -F "image=@/path/to/photo.jpg" \
-    -F "caption=Test photo"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Update Park Photo"
-  curl -X PUT "$BASE_URL/api/v1/parks/1/photos/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"caption": "Updated caption"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Delete Park Photo"
-  curl -X DELETE "$BASE_URL/api/v1/parks/1/photos/1/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# RIDES API ENDPOINTS (/api/v1/rides/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo -e "\n\n=== RIDES API ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. List Rides"
-  curl -X GET "$BASE_URL/api/v1/rides/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride Filter Options"
-  curl -X GET "$BASE_URL/api/v1/rides/filter-options/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride Company Search"
-  curl -X GET "$BASE_URL/api/v1/rides/search/companies/?q=intamin"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride Model Search"
-  curl -X GET "$BASE_URL/api/v1/rides/search/ride-models/?q=giga"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride Search Suggestions"
-  curl -X GET "$BASE_URL/api/v1/rides/search-suggestions/?q=millennium"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride Detail"
-  curl -X GET "$BASE_URL/api/v1/rides/1/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. List Ride Photos"
-  curl -X GET "$BASE_URL/api/v1/rides/1/photos/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride Photo Detail"
-  curl -X GET "$BASE_URL/api/v1/rides/1/photos/1/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Create Ride"
-  curl -X POST "$BASE_URL/api/v1/rides/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"name": "Test Coaster", "category": "RC", "park": 1}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Update Ride"
-  curl -X PUT "$BASE_URL/api/v1/rides/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"name": "Updated Ride Name"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Delete Ride"
-  curl -X DELETE "$BASE_URL/api/v1/rides/1/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Create Ride Photo"
-  curl -X POST "$BASE_URL/api/v1/rides/1/photos/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -F "image=@/path/to/photo.jpg" \
-    -F "caption=Test ride photo"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Update Ride Photo"
-  curl -X PUT "$BASE_URL/api/v1/rides/1/photos/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"caption": "Updated ride photo caption"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Delete Ride Photo"
-  curl -X DELETE "$BASE_URL/api/v1/rides/1/photos/1/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# ACCOUNTS API ENDPOINTS (/api/v1/accounts/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo -e "\n\n=== ACCOUNTS API ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. List User Profiles"
-  curl -X GET "$BASE_URL/api/v1/accounts/profiles/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. User Profile Detail"
-  curl -X GET "$BASE_URL/api/v1/accounts/profiles/1/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. List Top Lists"
-  curl -X GET "$BASE_URL/api/v1/accounts/toplists/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Top List Detail"
-  curl -X GET "$BASE_URL/api/v1/accounts/toplists/1/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. List Top List Items"
-  curl -X GET "$BASE_URL/api/v1/accounts/toplist-items/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Top List Item Detail"
-  curl -X GET "$BASE_URL/api/v1/accounts/toplist-items/1/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Update User Profile"
-  curl -X PUT "$BASE_URL/api/v1/accounts/profiles/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"bio": "Updated bio"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Create Top List"
-  curl -X POST "$BASE_URL/api/v1/accounts/toplists/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"name": "My Top Coasters", "description": "My favorite roller coasters"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Update Top List"
-  curl -X PUT "$BASE_URL/api/v1/accounts/toplists/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"name": "Updated Top List Name"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Delete Top List"
-  curl -X DELETE "$BASE_URL/api/v1/accounts/toplists/1/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Create Top List Item"
-  curl -X POST "$BASE_URL/api/v1/accounts/toplist-items/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"toplist": 1, "ride": 1, "position": 1}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Update Top List Item"
-  curl -X PUT "$BASE_URL/api/v1/accounts/toplist-items/1/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"position": 2}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Delete Top List Item"
-  curl -X DELETE "$BASE_URL/api/v1/accounts/toplist-items/1/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# HISTORY API ENDPOINTS (/api/v1/history/)
-# ============================================================================
-if should_run_endpoint false false; then
-  echo -e "\n\n=== HISTORY API ENDPOINTS ==="
-
-  echo "$ENDPOINT_NUM. Park History List"
-  curl -X GET "$BASE_URL/api/v1/history/parks/park-slug/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Park History Detail"
-  curl -X GET "$BASE_URL/api/v1/history/parks/park-slug/detail/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride History List"
-  curl -X GET "$BASE_URL/api/v1/history/parks/park-slug/rides/ride-slug/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Ride History Detail"
-  curl -X GET "$BASE_URL/api/v1/history/parks/park-slug/rides/ride-slug/detail/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Unified Timeline"
-  curl -X GET "$BASE_URL/api/v1/history/timeline/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Unified Timeline Detail"
-  curl -X GET "$BASE_URL/api/v1/history/timeline/1/"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# EMAIL API ENDPOINTS (/api/v1/email/)
-# ============================================================================
-if should_run_endpoint true false; then
-  echo -e "\n\n=== EMAIL API ENDPOINTS ==="
-
-  echo "$ENDPOINT_NUM. Send Email"
-  curl -X POST "$BASE_URL/api/v1/email/send/" \
-    -H "Content-Type: application/json" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-    -d '{"to": "recipient@example.com", "subject": "Test", "message": "Test message"}'
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# CORE API ENDPOINTS (/api/v1/core/)
-# ============================================================================
-if should_run_endpoint false false; then
-  echo -e "\n\n=== CORE API ENDPOINTS ==="
-
-  echo "$ENDPOINT_NUM. Entity Fuzzy Search"
-  curl -X GET "$BASE_URL/api/v1/core/entities/search/?q=disney"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Entity Not Found"
-  curl -X POST "$BASE_URL/api/v1/core/entities/not-found/" \
-    -H "Content-Type: application/json" \
-    -d '{"query": "nonexistent park", "type": "park"}'
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Entity Suggestions"
-  curl -X GET "$BASE_URL/api/v1/core/entities/suggestions/?q=magic"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# MAPS API ENDPOINTS (/api/v1/maps/)
-# ============================================================================
-if should_run_endpoint false false || should_run_endpoint true false; then
-  echo -e "\n\n=== MAPS API ENDPOINTS ==="
-fi
-
-if should_run_endpoint false false; then
-  echo "$ENDPOINT_NUM. Map Locations"
-  curl -X GET "$BASE_URL/api/v1/maps/locations/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Map Location Detail"
-  curl -X GET "$BASE_URL/api/v1/maps/locations/park/1/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Map Search"
-  curl -X GET "$BASE_URL/api/v1/maps/search/?q=disney"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Map Bounds Query"
-  curl -X GET "$BASE_URL/api/v1/maps/bounds/?north=40.7&south=40.6&east=-73.9&west=-74.0"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Map Statistics"
-  curl -X GET "$BASE_URL/api/v1/maps/stats/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Map Cache Status"
-  curl -X GET "$BASE_URL/api/v1/maps/cache/"
-  ((ENDPOINT_NUM++))
-fi
-
-if should_run_endpoint true false; then
-  echo -e "\n$ENDPOINT_NUM. Invalidate Map Cache"
-  curl -X POST "$BASE_URL/api/v1/maps/cache/invalidate/" \
-    -H "Authorization: Bearer YOUR_TOKEN_HERE"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# API DOCUMENTATION ENDPOINTS
-# ============================================================================
-if should_run_endpoint false true; then
-  echo -e "\n\n=== API DOCUMENTATION ENDPOINTS ==="
-
-  echo "$ENDPOINT_NUM. OpenAPI Schema"
-  curl -X GET "$BASE_URL/api/schema/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. Swagger UI"
-  curl -X GET "$BASE_URL/api/docs/"
-  ((ENDPOINT_NUM++))
-
-  echo -e "\n$ENDPOINT_NUM. ReDoc"
-  curl -X GET "$BASE_URL/api/redoc/"
-  ((ENDPOINT_NUM++))
-fi
-
-# ============================================================================
-# HEALTH CHECK (Django Health Check)
-# ============================================================================
-if should_run_endpoint false false; then
-  echo -e "\n\n=== DJANGO HEALTH CHECK ==="
-
-  echo "$ENDPOINT_NUM. Django Health Check"
-  curl -X GET "$BASE_URL/health/"
-  ((ENDPOINT_NUM++))
-fi
-
-echo -e "\n\n=== END OF API ENDPOINTS TEST SUITE ==="
-echo "Total endpoints tested: $((ENDPOINT_NUM - 1))"
-echo ""
-echo "Notes:"
-echo "- Replace YOUR_TOKEN_HERE with actual authentication tokens"
-echo "- Replace /path/to/photo.jpg with actual file paths for photo uploads"
-echo "- Replace numeric IDs (1, 2, etc.) with actual resource IDs"
-echo "- Replace slug placeholders (park-slug, ride-slug) with actual slugs"
-echo "- Adjust BASE_URL for your environment (localhost:8000, staging, production)"
-echo ""
-echo "Authentication required endpoints are marked with Authorization header"
-echo "File upload endpoints use multipart/form-data (-F flag)"
-echo "JSON endpoints use application/json content type"

apps/accounts/adapters.py

@@ -0,0 +1,95 @@
+from django.conf import settings
+from django.http import HttpRequest
+from typing import Optional, Any, Dict, Literal, TYPE_CHECKING, cast
+from allauth.account.adapter import DefaultAccountAdapter  # type: ignore[import]
+from allauth.account.models import EmailConfirmation, EmailAddress  # type: ignore[import]
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter  # type: ignore[import]
+from allauth.socialaccount.models import SocialLogin  # type: ignore[import]
+from django.contrib.auth import get_user_model
+from django.contrib.sites.shortcuts import get_current_site
+
+if TYPE_CHECKING:
+    from django.contrib.auth.models import AbstractUser
+
+User = get_user_model()
+
+
+class CustomAccountAdapter(DefaultAccountAdapter):
+    def is_open_for_signup(self, request: HttpRequest) -> Literal[True]:
+        """
+        Whether to allow sign ups.
+        """
+        return True
+
+    def get_email_confirmation_url(self, request: HttpRequest, emailconfirmation: EmailConfirmation) -> str:
+        """
+        Constructs the email confirmation (activation) url.
+        """
+        get_current_site(request)
+        # Ensure the key is treated as a string for the type checker
+        key = cast(str, getattr(emailconfirmation, "key", ""))
+        return f"{settings.LOGIN_REDIRECT_URL}verify-email?key={key}"
+
+    def send_confirmation_mail(self, request: HttpRequest, emailconfirmation: EmailConfirmation, signup: bool) -> None:
+        """
+        Sends the confirmation email.
+        """
+        current_site = get_current_site(request)
+        activate_url = self.get_email_confirmation_url(request, emailconfirmation)
+        # Cast key to str for typing consistency and template context
+        key = cast(str, getattr(emailconfirmation, "key", ""))
+
+        # Determine template early
+        if signup:
+            email_template = "account/email/email_confirmation_signup"
+        else:
+            email_template = "account/email/email_confirmation"
+
+        # Cast the possibly-unknown email_address to EmailAddress so the type checker knows its attributes
+        email_address = cast(EmailAddress, getattr(emailconfirmation, "email_address", None))
+
+        # Safely obtain email string (fallback to any top-level email on confirmation)
+        email_str = cast(str, getattr(email_address, "email", getattr(emailconfirmation, "email", "")))
+
+        # Safely obtain the user object, cast to the project's User model for typing
+        user_obj = cast("AbstractUser", getattr(email_address, "user", None))
+
+        # Explicitly type the context to avoid partial-unknown typing issues
+        ctx: Dict[str, Any] = {
+            "user": user_obj,
+            "activate_url": activate_url,
+            "current_site": current_site,
+            "key": key,
+        }
+        # Remove unnecessary cast; ctx is already Dict[str, Any]
+        self.send_mail(email_template, email_str, ctx)  # type: ignore
+
+
+class CustomSocialAccountAdapter(DefaultSocialAccountAdapter):
+    def is_open_for_signup(self, request: HttpRequest, sociallogin: SocialLogin) -> Literal[True]:
+        """
+        Whether to allow social account sign ups.
+        """
+        return True
+
+    def populate_user(
+        self, request: HttpRequest, sociallogin: SocialLogin, data: Dict[str, Any]
+    ) -> "AbstractUser":  # type: ignore[override]
+        """
+        Hook that can be used to further populate the user instance.
+        """
+        user = super().populate_user(request, sociallogin, data)  # type: ignore
+        if getattr(sociallogin.account, "provider", None) == "discord":  # type: ignore
+            user.discord_id = getattr(sociallogin.account, "uid", None)  # type: ignore
+        return cast("AbstractUser", user)  # Ensure return type is explicit
+
+    def save_user(
+        self, request: HttpRequest, sociallogin: SocialLogin, form: Optional[Any] = None
+    ) -> "AbstractUser":  # type: ignore[override]
+        """
+        Save the newly signed up social login.
+        """
+        user = super().save_user(request, sociallogin, form)  # type: ignore
+        if user is None:
+            raise ValueError("User creation failed")
+        return cast("AbstractUser", user)  # Ensure return type is explicit

apps/accounts/admin.py

@@ -1,51 +1,369 @@
+from typing import Any
 from django.contrib import admin
-from django.contrib.auth.admin import UserAdmin
+from django.contrib.auth.admin import UserAdmin as DjangoUserAdmin
 from django.utils.html import format_html
 from django.contrib.auth.models import Group
 from django.http import HttpRequest
 from django.db.models import QuerySet
-
-# Import models from the backend location
-from backend.apps.accounts.models import (
+from .models import (
     User,
     UserProfile,
     EmailVerification,
+    PasswordReset,
+    TopList,
+    TopListItem,
 )
 
+
+class UserProfileInline(admin.StackedInline[UserProfile, admin.options.AdminSite]):
+    model = UserProfile
+    can_delete = False
+    verbose_name_plural = "Profile"
+    fieldsets = (
+        (
+            "Personal Info",
+            {"fields": ("display_name", "avatar", "pronouns", "bio")},
+        ),
+        (
+            "Social Media",
+            {"fields": ("twitter", "instagram", "youtube", "discord")},
+        ),
+        (
+            "Ride Credits",
+            {
+                "fields": (
+                    "coaster_credits",
+                    "dark_ride_credits",
+                    "flat_ride_credits",
+                    "water_ride_credits",
+                )
+            },
+        ),
+    )
+
+
+class TopListItemInline(admin.TabularInline[TopListItem]):
+    model = TopListItem
+    extra = 1
+    fields = ("content_type", "object_id", "rank", "notes")
+    ordering = ("rank",)
+
+
 @admin.register(User)
-class CustomUserAdmin(UserAdmin):
-    list_display = ('username', 'email', 'user_id', 'role', 'is_active', 'is_staff', 'date_joined')
-    list_filter = ('role', 'is_active', 'is_staff', 'is_banned', 'date_joined')
-    search_fields = ('username', 'email', 'user_id', 'display_name')
-    readonly_fields = ('user_id', 'date_joined', 'last_login')
+class CustomUserAdmin(DjangoUserAdmin[User]):
+    list_display = (
+        "username",
+        "email",
+        "get_avatar",
+        "get_status",
+        "role",
+        "date_joined",
+        "last_login",
+        "get_credits",
+    )
+    list_filter = (
+        "is_active",
+        "is_staff",
+        "role",
+        "is_banned",
+        "groups",
+        "date_joined",
+    )
+    search_fields = ("username", "email")
+    ordering = ("-date_joined",)
+    actions = [
+        "activate_users",
+        "deactivate_users",
+        "ban_users",
+        "unban_users",
+    ]
+    inlines: list[type[admin.StackedInline[UserProfile]]] = [UserProfileInline]
 
     fieldsets = (
-        (None, {'fields': ('username', 'password')}),
-        ('Personal info', {'fields': ('email', 'display_name', 'user_id')}),
-        ('Permissions', {'fields': ('role', 'is_active', 'is_staff', 'is_superuser', 'groups', 'user_permissions')}),
-        ('Important dates', {'fields': ('last_login', 'date_joined')}),
-        ('Moderation', {'fields': ('is_banned', 'ban_reason', 'ban_date')}),
-        ('Preferences', {'fields': ('theme_preference', 'privacy_level')}),
-        ('Notifications', {'fields': ('email_notifications', 'push_notifications')}),
+        (None, {"fields": ("username", "password")}),
+        ("Personal info", {"fields": ("email", "pending_email")}),
+        (
+            "Roles and Permissions",
+            {
+                "fields": ("role", "groups", "user_permissions"),
+                "description": (
+                    "Role determines group membership. Groups determine permissions."
+                ),
+            },
+        ),
+        (
+            "Status",
+            {
+                "fields": ("is_active", "is_staff", "is_superuser"),
+                "description": "These are automatically managed based on role.",
+            },
+        ),
+        (
+            "Ban Status",
+            {
+                "fields": ("is_banned", "ban_reason", "ban_date"),
+            },
+        ),
+        (
+            "Preferences",
+            {
+                "fields": ("theme_preference",),
+            },
+        ),
+        ("Important dates", {"fields": ("last_login", "date_joined")}),
     )
+    add_fieldsets = (
+        (
+            None,
+            {
+                "classes": ("wide",),
+                "fields": (
+                    "username",
+                    "email",
+                    "password1",
+                    "password2",
+                    "role",
+                ),
+            },
+        ),
+    )
+
+    @admin.display(description="Avatar")
+    def get_avatar(self, obj: User) -> str:
+        profile = getattr(obj, "profile", None)
+        if profile and getattr(profile, "avatar", None):
+            return format_html(
+                '<img src="{0}" width="30" height="30" style="border-radius:50%;" />',
+                getattr(profile.avatar, "url", ""),  # type: ignore
+            )
+        return format_html(
+            '<div style="width:30px; height:30px; border-radius:50%; '
+            "background-color:#007bff; color:white; display:flex; "
+            'align-items:center; justify-content:center;">{0}</div>',
+            getattr(obj, "username", "?")[0].upper(),  # type: ignore
+        )
+
+    @admin.display(description="Status")
+    def get_status(self, obj: User) -> str:
+        if getattr(obj, "is_banned", False):
+            return format_html('<span style="color: red;">{}</span>', "Banned")
+        if not getattr(obj, "is_active", True):
+            return format_html('<span style="color: orange;">{}</span>', "Inactive")
+        if getattr(obj, "is_superuser", False):
+            return format_html('<span style="color: purple;">{}</span>', "Superuser")
+        if getattr(obj, "is_staff", False):
+            return format_html('<span style="color: blue;">{}</span>', "Staff")
+        return format_html('<span style="color: green;">{}</span>', "Active")
+
+    @admin.display(description="Ride Credits")
+    def get_credits(self, obj: User) -> str:
+        try:
+            profile = getattr(obj, "profile", None)
+            if not profile:
+                return "-"
+            return format_html(
+                "RC: {0}<br>DR: {1}<br>FR: {2}<br>WR: {3}",
+                getattr(profile, "coaster_credits", 0),
+                getattr(profile, "dark_ride_credits", 0),
+                getattr(profile, "flat_ride_credits", 0),
+                getattr(profile, "water_ride_credits", 0),
+            )
+        except UserProfile.DoesNotExist:
+            return "-"
+
+    @admin.action(description="Activate selected users")
+    def activate_users(self, request: HttpRequest, queryset: QuerySet[User]) -> None:
+        queryset.update(is_active=True)
+
+    @admin.action(description="Deactivate selected users")
+    def deactivate_users(self, request: HttpRequest, queryset: QuerySet[User]) -> None:
+        queryset.update(is_active=False)
+
+    @admin.action(description="Ban selected users")
+    def ban_users(self, request: HttpRequest, queryset: QuerySet[User]) -> None:
+        from django.utils import timezone
+        queryset.update(is_banned=True, ban_date=timezone.now())
+
+    @admin.action(description="Unban selected users")
+    def unban_users(self, request: HttpRequest, queryset: QuerySet[User]) -> None:
+        queryset.update(is_banned=False, ban_date=None, ban_reason="")
+
+    def save_model(
+        self,
+        request: HttpRequest,
+        obj: User,
+        form: Any,
+        change: bool
+    ) -> None:
+        creating = not obj.pk
+        super().save_model(request, obj, form, change)
+        if creating and getattr(obj, "role", "USER") != "USER":
+            group = Group.objects.filter(name=getattr(obj, "role", None)).first()
+            if group:
+                obj.groups.add(group)  # type: ignore[attr-defined]
+
 
 @admin.register(UserProfile)
-class UserProfileAdmin(admin.ModelAdmin):
-    list_display = ('user', 'profile_id', 'display_name', 'coaster_credits', 'dark_ride_credits')
-    list_filter = ('user__role', 'user__is_active')
-    search_fields = ('user__username', 'user__email', 'profile_id', 'display_name')
-    readonly_fields = ('profile_id',)
+class UserProfileAdmin(admin.ModelAdmin[UserProfile]):
+    list_display = (
+        "user",
+        "display_name",
+        "coaster_credits",
+        "dark_ride_credits",
+        "flat_ride_credits",
+        "water_ride_credits",
+    )
+    list_filter = (
+        "coaster_credits",
+        "dark_ride_credits",
+        "flat_ride_credits",
+        "water_ride_credits",
+    )
+    search_fields = ("user__username", "user__email", "display_name", "bio")
 
     fieldsets = (
-        (None, {'fields': ('user', 'profile_id', 'display_name')}),
-        ('Profile Info', {'fields': ('avatar', 'pronouns', 'bio')}),
-        ('Social Media', {'fields': ('twitter', 'instagram', 'youtube', 'discord')}),
-        ('Ride Statistics', {'fields': ('coaster_credits', 'dark_ride_credits', 'flat_ride_credits', 'water_ride_credits')}),
+        (
+            "User Information",
+            {"fields": ("user", "display_name", "avatar", "pronouns", "bio")},
+        ),
+        (
+            "Social Media",
+            {"fields": ("twitter", "instagram", "youtube", "discord")},
+        ),
+        (
+            "Ride Credits",
+            {
+                "fields": (
+                    "coaster_credits",
+                    "dark_ride_credits",
+                    "flat_ride_credits",
+                    "water_ride_credits",
+                )
+            },
+        ),
     )
 
+
 @admin.register(EmailVerification)
-class EmailVerificationAdmin(admin.ModelAdmin):
-    list_display = ('user', 'token', 'created_at', 'last_sent')
-    list_filter = ('created_at', 'last_sent')
-    search_fields = ('user__username', 'user__email', 'token')
-    readonly_fields = ('token', 'created_at', 'last_sent')
+class EmailVerificationAdmin(admin.ModelAdmin[EmailVerification]):
+    list_display = ("user", "created_at", "last_sent", "is_expired")
+    list_filter = ("created_at", "last_sent")
+    search_fields = ("user__username", "user__email", "token")
+    readonly_fields = ("created_at", "last_sent")
+
+    fieldsets = (
+        ("Verification Details", {"fields": ("user", "token")}),
+        ("Timing", {"fields": ("created_at", "last_sent")}),
+    )
+
+    @admin.display(description="Status")
+    def is_expired(self, obj: EmailVerification) -> str:
+        from django.utils import timezone
+        from datetime import timedelta
+
+        if timezone.now() - getattr(obj, "last_sent", timezone.now()) > timedelta(days=1):
+            return format_html('<span style="color: red;">{}</span>', "Expired")
+        return format_html('<span style="color: green;">{}</span>', "Valid")
+
+
+@admin.register(TopList)
+class TopListAdmin(admin.ModelAdmin[TopList]):
+    list_display = ("title", "user", "category", "created_at", "updated_at")
+    list_filter = ("category", "created_at", "updated_at")
+    search_fields = ("title", "user__username", "description")
+    inlines: list[type[admin.TabularInline[TopListItem]]] = [TopListItemInline]
+
+    fieldsets = (
+        (
+            "Basic Information",
+            {"fields": ("user", "title", "category", "description")},
+        ),
+        (
+            "Timestamps",
+            {"fields": ("created_at", "updated_at"), "classes": ("collapse",)},
+        ),
+    )
+    readonly_fields = ("created_at", "updated_at")
+
+
+@admin.register(TopListItem)
+class TopListItemAdmin(admin.ModelAdmin[TopListItem]):
+    list_display = ("top_list", "content_type", "object_id", "rank")
+    list_filter = ("top_list__category", "rank")
+    search_fields = ("top_list__title", "notes")
+    ordering = ("top_list", "rank")
+
+    fieldsets = (
+        ("List Information", {"fields": ("top_list", "rank")}),
+        ("Item Details", {"fields": ("content_type", "object_id", "notes")}),
+    )
+
+
+@admin.register(PasswordReset)
+class PasswordResetAdmin(admin.ModelAdmin[PasswordReset]):
+    """Admin interface for password reset tokens"""
+
+    list_display = (
+        "user",
+        "created_at",
+        "expires_at",
+        "is_expired",
+        "used",
+    )
+    list_filter = (
+        "used",
+        "created_at",
+        "expires_at",
+    )
+    search_fields = (
+        "user__username",
+        "user__email",
+        "token",
+    )
+    readonly_fields = (
+        "token",
+        "created_at",
+        "expires_at",
+    )
+    date_hierarchy = "created_at"
+    ordering = ("-created_at",)
+
+    fieldsets = (
+        (
+            "Reset Details",
+            {
+                "fields": (
+                    "user",
+                    "token",
+                    "used",
+                )
+            },
+        ),
+        (
+            "Timing",
+            {
+                "fields": (
+                    "created_at",
+                    "expires_at",
+                )
+            },
+        ),
+    )
+
+    @admin.display(description="Status", boolean=True)
+    def is_expired(self, obj: PasswordReset) -> str:
+        from django.utils import timezone
+
+        if getattr(obj, "used", False):
+            return format_html('<span style="color: blue;">{}</span>', "Used")
+        elif timezone.now() > getattr(obj, "expires_at", timezone.now()):
+            return format_html('<span style="color: red;">{}</span>', "Expired")
+        return format_html('<span style="color: green;">{}</span>', "Valid")
+
+    def has_add_permission(self, request: HttpRequest) -> bool:
+        """Disable manual creation of password reset tokens"""
+        return False
+
+    def has_change_permission(self, request: HttpRequest, obj: Any = None) -> bool:
+        """Allow viewing but restrict editing of password reset tokens"""
+        return getattr(request.user, "is_superuser", False)

apps/accounts/management/commands/setup_groups.py

@@ -15,17 +15,17 @@ class Command(BaseCommand):
             create_default_groups()
 
             # Sync existing users with groups based on their roles
-            users = User.objects.exclude(role=User.Roles.USER)
+            users = User.objects.exclude(role="USER")
             for user in users:
                 group = Group.objects.filter(name=user.role).first()
                 if group:
                     user.groups.add(group)
 
                     # Update staff/superuser status based on role
-                    if user.role == User.Roles.SUPERUSER:
+                    if user.role == "SUPERUSER":
                         user.is_superuser = True
                         user.is_staff = True
-                    elif user.role in [User.Roles.ADMIN, User.Roles.MODERATOR]:
+                    elif user.role in ["ADMIN", "MODERATOR"]:
                         user.is_staff = True
                     user.save()
 

apps/accounts/migrations/0002_remove_userprofile_insert_insert_and_more.py

@@ -0,0 +1,76 @@
+# Generated by Django 5.2.6 on 2025-09-21 01:29
+
+import django.db.models.deletion
+import pgtrigger.compiler
+import pgtrigger.migrations
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("accounts", "0001_initial"),
+    ]
+
+    operations = [
+        pgtrigger.migrations.RemoveTrigger(
+            model_name="userprofile",
+            name="insert_insert",
+        ),
+        pgtrigger.migrations.RemoveTrigger(
+            model_name="userprofile",
+            name="update_update",
+        ),
+        migrations.AddField(
+            model_name="userprofile",
+            name="avatar",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                to="django_cloudflareimages_toolkit.cloudflareimage",
+            ),
+        ),
+        migrations.AddField(
+            model_name="userprofileevent",
+            name="avatar",
+            field=models.ForeignKey(
+                blank=True,
+                db_constraint=False,
+                null=True,
+                on_delete=django.db.models.deletion.DO_NOTHING,
+                related_name="+",
+                related_query_name="+",
+                to="django_cloudflareimages_toolkit.cloudflareimage",
+            ),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="userprofile",
+            trigger=pgtrigger.compiler.Trigger(
+                name="insert_insert",
+                sql=pgtrigger.compiler.UpsertTriggerSql(
+                    func='INSERT INTO "accounts_userprofileevent" ("avatar_id", "bio", "coaster_credits", "dark_ride_credits", "discord", "display_name", "flat_ride_credits", "id", "instagram", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "profile_id", "pronouns", "twitter", "user_id", "water_ride_credits", "youtube") VALUES (NEW."avatar_id", NEW."bio", NEW."coaster_credits", NEW."dark_ride_credits", NEW."discord", NEW."display_name", NEW."flat_ride_credits", NEW."id", NEW."instagram", _pgh_attach_context(), NOW(), \'insert\', NEW."id", NEW."profile_id", NEW."pronouns", NEW."twitter", NEW."user_id", NEW."water_ride_credits", NEW."youtube"); RETURN NULL;',
+                    hash="a7ecdb1ac2821dea1fef4ec917eeaf6b8e4f09c8",
+                    operation="INSERT",
+                    pgid="pgtrigger_insert_insert_c09d7",
+                    table="accounts_userprofile",
+                    when="AFTER",
+                ),
+            ),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="userprofile",
+            trigger=pgtrigger.compiler.Trigger(
+                name="update_update",
+                sql=pgtrigger.compiler.UpsertTriggerSql(
+                    condition="WHEN (OLD.* IS DISTINCT FROM NEW.*)",
+                    func='INSERT INTO "accounts_userprofileevent" ("avatar_id", "bio", "coaster_credits", "dark_ride_credits", "discord", "display_name", "flat_ride_credits", "id", "instagram", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "profile_id", "pronouns", "twitter", "user_id", "water_ride_credits", "youtube") VALUES (NEW."avatar_id", NEW."bio", NEW."coaster_credits", NEW."dark_ride_credits", NEW."discord", NEW."display_name", NEW."flat_ride_credits", NEW."id", NEW."instagram", _pgh_attach_context(), NOW(), \'update\', NEW."id", NEW."profile_id", NEW."pronouns", NEW."twitter", NEW."user_id", NEW."water_ride_credits", NEW."youtube"); RETURN NULL;',
+                    hash="81607e492ffea2a4c741452b860ee660374cc01d",
+                    operation="UPDATE",
+                    pgid="pgtrigger_update_update_87ef6",
+                    table="accounts_userprofile",
+                    when="AFTER",
+                ),
+            ),
+        ),
+    ]

apps/accounts/models.py

@@ -121,10 +121,6 @@ class User(AbstractUser):
         """Get the user's display name, falling back to username if not set"""
         if self.display_name:
             return self.display_name
-        # Fallback to profile display_name for backward compatibility
-        profile = getattr(self, "profile", None)
-        if profile and profile.display_name:
-            return profile.display_name
         return self.username
 
     def save(self, *args, **kwargs):
@@ -635,4 +631,6 @@ class NotificationPreference(TrackedModel):
 def create_notification_preference(sender, instance, created, **kwargs):
     """Create notification preferences when a new user is created."""
     if created:
-        NotificationPreference.objects.create(user=instance)
+        NotificationPreference.objects.get_or_create(user=instance)
+
+# Signal moved to signals.py to avoid duplication

apps/accounts/services.py

@@ -31,7 +31,7 @@ class UserDeletionService:
                 "is_active": False,
                 "is_staff": False,
                 "is_superuser": False,
-                "role": User.Roles.USER,
+                "role": "USER",
                 "is_banned": True,
                 "ban_reason": "System placeholder for deleted users",
                 "ban_date": timezone.now(),
@@ -178,7 +178,7 @@ class UserDeletionService:
             return False, "Superuser accounts cannot be deleted for security reasons. Please contact system administrator or remove superuser privileges first."
 
         # Check if user has critical admin role
-        if user.role == User.Roles.ADMIN and user.is_staff:
+        if user.role == "ADMIN" and user.is_staff:
             return False, "Admin accounts with staff privileges cannot be deleted. Please remove admin privileges first or contact system administrator."
 
         # Add any other business rules here

apps/accounts/signals.py

@@ -10,59 +10,41 @@ from .models import User, UserProfile
 
 @receiver(post_save, sender=User)
 def create_user_profile(sender, instance, created, **kwargs):
-    """Create UserProfile for new users"""
-    try:
-        if created:
-            # Create profile
-            profile = UserProfile.objects.create(user=instance)
-
-            # If user has a social account with avatar, download it
-            social_account = instance.socialaccount_set.first()
-            if social_account:
-                extra_data = social_account.extra_data
-                avatar_url = None
-
-                if social_account.provider == "google":
-                    avatar_url = extra_data.get("picture")
-                elif social_account.provider == "discord":
-                    avatar = extra_data.get("avatar")
-                    discord_id = extra_data.get("id")
-                    if avatar:
-                        avatar_url = f"https://cdn.discordapp.com/avatars/{discord_id}/{avatar}.png"
-
-                if avatar_url:
-                    try:
-                        response = requests.get(avatar_url, timeout=60)
-                        if response.status_code == 200:
-                            img_temp = NamedTemporaryFile(delete=True)
-                            img_temp.write(response.content)
-                            img_temp.flush()
-
-                            file_name = f"avatar_{instance.username}.png"
-                            profile.avatar.save(file_name, File(img_temp), save=True)
-                    except Exception as e:
-                        print(
-                            f"Error downloading avatar for user {instance.username}: {
-                                str(e)
-                            }"
-                        )
-    except Exception as e:
-        print(f"Error creating profile for user {instance.username}: {str(e)}")
-
-
-@receiver(post_save, sender=User)
-def save_user_profile(sender, instance, **kwargs):
-    """Ensure UserProfile exists and is saved"""
-    try:
-        # Try to get existing profile first
+    """Create UserProfile for new users - unified signal handler"""
+    if created:
         try:
-            profile = instance.profile
-            profile.save()
-        except UserProfile.DoesNotExist:
-            # Profile doesn't exist, create it
-            UserProfile.objects.create(user=instance)
-    except Exception as e:
-        print(f"Error saving profile for user {instance.username}: {str(e)}")
+            # Use get_or_create to prevent duplicates
+            profile, profile_created = UserProfile.objects.get_or_create(user=instance)
+            
+            if profile_created:
+                # If user has a social account with avatar, download it
+                try:
+                    social_account = instance.socialaccount_set.first()
+                    if social_account:
+                        extra_data = social_account.extra_data
+                        avatar_url = None
+
+                        if social_account.provider == "google":
+                            avatar_url = extra_data.get("picture")
+                        elif social_account.provider == "discord":
+                            avatar = extra_data.get("avatar")
+                            discord_id = extra_data.get("id")
+                            if avatar:
+                                avatar_url = f"https://cdn.discordapp.com/avatars/{discord_id}/{avatar}.png"
+
+                        if avatar_url:
+                            response = requests.get(avatar_url, timeout=60)
+                            if response.status_code == 200:
+                                img_temp = NamedTemporaryFile(delete=True)
+                                img_temp.write(response.content)
+                                img_temp.flush()
+
+                                file_name = f"avatar_{instance.username}.png"
+                                profile.avatar.save(file_name, File(img_temp), save=True)
+                except Exception as e:
+                    print(f"Error downloading avatar for user {instance.username}: {str(e)}")
+        except Exception as e:
+            print(f"Error creating profile for user {instance.username}: {str(e)}")
 
 
 @receiver(pre_save, sender=User)
@@ -75,43 +57,43 @@ def sync_user_role_with_groups(sender, instance, **kwargs):
                 # Role has changed, update groups
                 with transaction.atomic():
                     # Remove from old role group if exists
-                    if old_instance.role != User.Roles.USER:
+                    if old_instance.role != "USER":
                         old_group = Group.objects.filter(name=old_instance.role).first()
                         if old_group:
                             instance.groups.remove(old_group)
 
                     # Add to new role group
-                    if instance.role != User.Roles.USER:
+                    if instance.role != "USER":
                         new_group, _ = Group.objects.get_or_create(name=instance.role)
                         instance.groups.add(new_group)
 
                         # Special handling for superuser role
-                        if instance.role == User.Roles.SUPERUSER:
+                        if instance.role == "SUPERUSER":
                             instance.is_superuser = True
                             instance.is_staff = True
-                        elif old_instance.role == User.Roles.SUPERUSER:
+                        elif old_instance.role == "SUPERUSER":
                             # If removing superuser role, remove superuser
                             # status
                             instance.is_superuser = False
                             if instance.role not in [
-                                User.Roles.ADMIN,
-                                User.Roles.MODERATOR,
+                                "ADMIN",
+                                "MODERATOR",
                             ]:
                                 instance.is_staff = False
 
                         # Handle staff status for admin and moderator roles
                         if instance.role in [
-                            User.Roles.ADMIN,
-                            User.Roles.MODERATOR,
+                            "ADMIN",
+                            "MODERATOR",
                         ]:
                             instance.is_staff = True
                         elif old_instance.role in [
-                            User.Roles.ADMIN,
-                            User.Roles.MODERATOR,
+                            "ADMIN",
+                            "MODERATOR",
                         ]:
                             # If removing admin/moderator role, remove staff
                             # status
-                            if instance.role not in [User.Roles.SUPERUSER]:
+                            if instance.role not in ["SUPERUSER"]:
                                 instance.is_staff = False
         except User.DoesNotExist:
             pass
@@ -130,7 +112,7 @@ def create_default_groups():
         from django.contrib.auth.models import Permission
 
         # Create Moderator group
-        moderator_group, _ = Group.objects.get_or_create(name=User.Roles.MODERATOR)
+        moderator_group, _ = Group.objects.get_or_create(name="MODERATOR")
         moderator_permissions = [
             # Review moderation permissions
             "change_review",
@@ -149,7 +131,7 @@ def create_default_groups():
         ]
 
         # Create Admin group
-        admin_group, _ = Group.objects.get_or_create(name=User.Roles.ADMIN)
+        admin_group, _ = Group.objects.get_or_create(name="ADMIN")
         admin_permissions = moderator_permissions + [
             # User management permissions
             "change_user",

apps/accounts/tests.py

@@ -109,7 +109,7 @@ class SignalsTestCase(TestCase):
 
         create_default_groups()
 
-        moderator_group = Group.objects.get(name=User.Roles.MODERATOR)
+        moderator_group = Group.objects.get(name="MODERATOR")
         self.assertIsNotNone(moderator_group)
         self.assertTrue(
             moderator_group.permissions.filter(codename="change_review").exists()
@@ -118,7 +118,7 @@ class SignalsTestCase(TestCase):
             moderator_group.permissions.filter(codename="change_user").exists()
         )
 
-        admin_group = Group.objects.get(name=User.Roles.ADMIN)
+        admin_group = Group.objects.get(name="ADMIN")
         self.assertIsNotNone(admin_group)
         self.assertTrue(
             admin_group.permissions.filter(codename="change_review").exists()

apps/accounts/tests/test_user_deletion.py

@@ -42,7 +42,7 @@ class UserDeletionServiceTest(TestCase):
         self.assertEqual(deleted_user.email, "deleted@thrillwiki.com")
         self.assertFalse(deleted_user.is_active)
         self.assertTrue(deleted_user.is_banned)
-        self.assertEqual(deleted_user.role, User.Roles.USER)
+        self.assertEqual(deleted_user.role, "USER")
 
         # Check profile was created
         self.assertTrue(hasattr(deleted_user, "profile"))

apps/core/managers.py

@@ -6,8 +6,8 @@ Following Django styleguide best practices for database access.
 from typing import Optional, List, Union
 from django.db import models
 from django.db.models import Q, Count, Avg, Max
-from django.contrib.gis.geos import Point
-from django.contrib.gis.measure import Distance
+# from django.contrib.gis.geos import Point  # Disabled temporarily for setup
+# from django.contrib.gis.measure import Distance  # Disabled temporarily for setup
 from django.utils import timezone
 from datetime import timedelta
 
@@ -88,7 +88,7 @@ class BaseManager(models.Manager):
 class LocationQuerySet(BaseQuerySet):
     """QuerySet for location-based models with geographic functionality."""
 
-    def near_point(self, *, point: Point, distance_km: float = 50):
+    def near_point(self, *, point, distance_km: float = 50):  # Point type disabled for setup
         """Filter locations near a geographic point."""
         if hasattr(self.model, "point"):
             return (
@@ -134,7 +134,7 @@ class LocationManager(BaseManager):
     def get_queryset(self):
         return LocationQuerySet(self.model, using=self._db)
 
-    def near_point(self, *, point: Point, distance_km: float = 50):
+    def near_point(self, *, point, distance_km: float = 50):  # Point type disabled for setup
         return self.get_queryset().near_point(point=point, distance_km=distance_km)
 
     def within_bounds(self, *, north: float, south: float, east: float, west: float):

apps/core/middleware/security_headers.py

@@ -0,0 +1,97 @@
+"""
+Modern Security Headers Middleware for ThrillWiki
+Implements Content Security Policy and other modern security headers.
+"""
+
+import secrets
+import base64
+from django.conf import settings
+from django.utils.deprecation import MiddlewareMixin
+
+
+class SecurityHeadersMiddleware(MiddlewareMixin):
+    """
+    Middleware to add modern security headers to all responses.
+    """
+
+    def _generate_nonce(self):
+        """Generate a cryptographically secure nonce for CSP."""
+        # Generate 16 random bytes and encode as base64
+        return base64.b64encode(secrets.token_bytes(16)).decode('ascii')
+
+    def _modify_csp_with_nonce(self, csp_policy, nonce):
+        """Modify CSP policy to include nonce for script-src."""
+        if not csp_policy:
+            return csp_policy
+        
+        # Look for script-src directive and add nonce
+        directives = csp_policy.split(';')
+        modified_directives = []
+        
+        for directive in directives:
+            directive = directive.strip()
+            if directive.startswith('script-src '):
+                # Add nonce to script-src directive
+                directive += f" 'nonce-{nonce}'"
+            modified_directives.append(directive)
+        
+        return '; '.join(modified_directives)
+
+    def process_request(self, request):
+        """Generate and store nonce for this request."""
+        # Generate a nonce for this request
+        nonce = self._generate_nonce()
+        # Store it in request so templates can access it
+        request.csp_nonce = nonce
+        return None
+
+    def process_response(self, request, response):
+        """Add security headers to the response."""
+        
+        # Content Security Policy with nonce support
+        if hasattr(settings, 'SECURE_CONTENT_SECURITY_POLICY'):
+            csp_policy = settings.SECURE_CONTENT_SECURITY_POLICY
+            # Apply nonce if we have one for this request
+            if hasattr(request, 'csp_nonce'):
+                csp_policy = self._modify_csp_with_nonce(csp_policy, request.csp_nonce)
+            response['Content-Security-Policy'] = csp_policy
+        
+        # Cross-Origin Opener Policy
+        if hasattr(settings, 'SECURE_CROSS_ORIGIN_OPENER_POLICY'):
+            response['Cross-Origin-Opener-Policy'] = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
+        
+        # Referrer Policy
+        if hasattr(settings, 'SECURE_REFERRER_POLICY'):
+            response['Referrer-Policy'] = settings.SECURE_REFERRER_POLICY
+        
+        # Permissions Policy
+        if hasattr(settings, 'SECURE_PERMISSIONS_POLICY'):
+            response['Permissions-Policy'] = settings.SECURE_PERMISSIONS_POLICY
+        
+        # Additional security headers
+        response['X-Content-Type-Options'] = 'nosniff'
+        response['X-Frame-Options'] = getattr(settings, 'X_FRAME_OPTIONS', 'DENY')
+        response['X-XSS-Protection'] = '1; mode=block'
+        
+        # Cache Control headers for better performance
+        # Prevent caching of HTML pages to ensure users get fresh content
+        if response.get('Content-Type', '').startswith('text/html'):
+            response['Cache-Control'] = 'no-cache, no-store, must-revalidate'
+            response['Pragma'] = 'no-cache'
+            response['Expires'] = '0'
+        
+        # Strict Transport Security (if SSL is enabled)
+        if getattr(settings, 'SECURE_SSL_REDIRECT', False):
+            hsts_seconds = getattr(settings, 'SECURE_HSTS_SECONDS', 31536000)
+            hsts_include_subdomains = getattr(settings, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', True)
+            hsts_preload = getattr(settings, 'SECURE_HSTS_PRELOAD', False)
+            
+            hsts_header = f'max-age={hsts_seconds}'
+            if hsts_include_subdomains:
+                hsts_header += '; includeSubDomains'
+            if hsts_preload:
+                hsts_header += '; preload'
+            
+            response['Strict-Transport-Security'] = hsts_header
+        
+        return response