Configurable taxa lists

[annavik]

Background

Will be a help for the upcoming class masking feature, but also something we have been wanting in general. This PR is still in draft mode.

Related to #997.

Missing BE stuff

• Make it possible to add and remove taxa from taxa lists using the API ✅
• Make it possible to access direct taxa only (exclude children) when using the API ✅
• Getting error 500 when creating new taxa list after the BE updates in this branch ✅
• Remove unused nested taxa endpoint taxalists/id/taxa/ ✅
• Fix extra project_id in URL ✅
• Decide what to do about user permissions for many2many objects, for now ✅

Missing FE stuff

• Make sure breadcrumbs are rendered correctly ✅
• Show taxon details from taxa list detail view without changing route ✅
• Update logic after API updates ✅

Notes

• When we have decided on naming, setup new tab "Collections" and add "Taxa lists" as a sub view to this tab (can happen in follow up PR)
• Expand taxa list detail view with more columns, or is it nice to keep it simple?
• Fetching taxa is very slow in production, can we make it quicker by not consider related occurrences BE side? Similar to what we did for captures? Or is child taxa the problem?
• If we can return more information about taxa lists in the taxa response, it would open up for more display options and quick actions in the generic taxa view

Screenshots

List view:

Create view:

Edit view:

Delete view:

Detail view:

Summary by CodeRabbit

• New Features

  • Full taxa-list management: create lists, view details, and add/remove taxa individually.

• UI / Navigation

  • Sidebar, routes, pages, dialogs, popovers, and table columns for taxa-list workflows; localized labels.

• API / Backend

  • Taxa lists now include taxa counts, project scoping, nested taxa endpoints, automatic project association, and descendant filtering.

• Hooks

  • New hooks to fetch taxa-list details and to add/remove taxa; list hook includes total count.

• Permissions

  • Project-member read/write permission guard applied to taxa-list actions.

• Tests

  • New API tests covering taxa-list taxon add/remove and validation.

[netlify]

✅ Deploy Preview for antenna-preview ready!

Name	Link
🔨 Latest commit	b94023d
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/69a15aa270eb7a0009925ab7
😎 Deploy Preview	https://deploy-preview-1094--antenna-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 75 (🟢 up 9 from production) Accessibility: 89 (🟢 up 9 from production) Best Practices: 92 (🔴 down 8 from production) SEO: 100 (🟢 up 8 from production) PWA: 80 (no change from production) View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for antenna-ssec ready!

Name	Link
🔨 Latest commit	b94023d
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-ssec/deploys/69a15aa289d5700008c47adc
😎 Deploy Preview	https://deploy-preview-1094--antenna-ssec.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds end-to-end taxa-list management: backend serializers, viewsets, permissions, nested routes, and tests; frontend routes, pages, hooks, components, models, and translations to list, add, and remove taxa from taxa lists.

Changes

Cohort / File(s)	Summary
Backend — TaxaList serializers & input DTOs ami/main/api/serializers.py	TaxaListSerializer now uses DefaultSerializer; adds taxa_count and projects SerializerMethodFields; adds TaxaListTaxonInputSerializer and TaxaListTaxonSerializer.
Backend — Views, filters, nested endpoints ami/main/api/views.py, ami/main/api/...	TaxaListViewSet → DefaultViewSet, annotates annotated_taxa_count, enforces require_project, auto-attaches active project on create; new TaxaListTaxonViewSet for list/create/delete_by_taxon; TaxaListFilter supports include_descendants flag.
Backend — Permissions & tests ami/base/permissions.py, ami/main/tests.py	New IsProjectMemberOrReadOnly permission; ObjectPermission adjusted; extensive API tests for taxa-list taxa CRUD, validation, and M2M behavior added.
Backend — ML serializers & view tweaks ami/ml/serializers.py, ami/ml/views.py	ProcessingServiceSerializer replaces write-only project with read-only projects field; ProcessingServiceViewSet adds require_project and perform_create to attach active project.
Backend — Routing config/api_router.py	Adds nested router taxa_lists_router and registers TaxaListTaxonViewSet under /taxa/lists/{taxalist_id}/taxa/.
Frontend — Routes, constants, i18n ui/src/app.tsx, ui/src/utils/constants.ts, ui/src/utils/language.ts	New routes and APP_ROUTES builders for taxa lists/taxa-in-list; added translation keys and strings.
Frontend — Pages & columns ui/src/pages/taxa-lists/*, ui/src/pages/taxa-list-details/*, ui/src/pages/*	New TaxaLists and TaxaListDetails pages, column configs, pagination/sort integration, breadcrumb/sidebar updates, dialog integration for species/details.
Frontend — Add/Remove taxon components & hooks ui/src/pages/taxa-list-details/add-taxa-list-taxon/*, ui/src/pages/taxa-list-details/remove-taxa-list-taxon/*, ui/src/data-services/hooks/taxa-lists/*	New AddTaxaListTaxon, AddTaxaListTaxonPopover, RemoveTaxaListTaxonDialog; hooks useTaxaListDetails, useAddTaxaListTaxon, useRemoveTaxaListTaxon (invalidate TAXA_LISTS & SPECIES).
Frontend — Data models & service signature changes ui/src/data-services/models/taxa-list.ts, ui/src/data-services/models/entity.ts, ui/src/data-services/hooks/entities/useDeleteEntity.ts, ui/src/data-services/hooks/entities/utils.ts	ServerTaxaList adds taxa_count; TaxaList exposes taxaCount() and removes taxaUrl; Entity getters null-safe; convertToServerFieldValues uses project_id; useDeleteEntity signature changed to accept { collection, projectId, onSuccess? } and includes project_id query param.
Frontend — Misc UI tweaks ui/src/components/..., ui/src/pages/species/*, ui/src/pages/occurrences/*	Localization of labels, preserved search params on links, minor prop-order and breadcrumb logic updates.

Sequence Diagram(s)

sequenceDiagram
    participant UI as Client (UI)
    participant Auth as Auth Service
    participant API as Django API
    participant DB as Database

    UI->>Auth: include auth token
    UI->>API: POST /taxa/lists/{taxaListId}/taxa/?project_id={pid} { taxon_id }
    API->>Auth: validate token
    Auth-->>API: token OK
    API->>DB: fetch TaxaList scoped to project
    DB-->>API: TaxaList record
    API->>DB: fetch Taxon by id
    DB-->>API: Taxon record / not found
    alt taxon exists & not duplicate
        API->>DB: create M2M association (taxalist.taxa.add)
        DB-->>API: association persisted
        API-->>UI: 201 Created + taxon payload
    else duplicate or invalid
        API-->>UI: 400 Bad Request / 404 Not Found
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• Review M2M permissions for things that belong to multiple projects #1120 — permission and M2M scoping: this PR adds IsProjectMemberOrReadOnly and scoped taxa-list taxa endpoints relevant to that concern.

Possibly related PRs

• Role Management API and UI #801 — touches permission infrastructure and nested routing; closely related changes to permissions and routers.

Suggested labels

backend

Suggested reviewers

• mohamedelabbas1996

Poem

🐰 I hopped through serializers and routes with glee,

Nested lists now bloom for all to see.
Popovers pop, dialogs confirm the deed,
M2M connections planted like seed.
Tests hop in—now taxa-list is free.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description provides background and screenshots but lacks clear detail on changes, testing instructions, and specific deployment requirements.	Add a structured 'List of Changes' section, include 'How to Test the Changes' with specific test cases, and clarify any deployment notes (e.g., database migrations, configuration changes). Ensure the description aligns with the provided template structure.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Configurable taxa lists' directly corresponds to the main feature implemented in this PR, which adds a comprehensive taxa lists feature with frontend UI and backend API integration.
Docstring Coverage	✅ Passed	Docstring coverage is 85.19% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/taxa-lists

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mihow]

Exciting! I will look into the missing BE parts. But would love to merge some version of this sooner and continue to improve

[annavik]

Exciting! I will look into the missing BE parts. But would love to merge some version of this sooner and continue to improve

Yes, let's try get something out! I'm fine leaving everything under "Notes" for later. I have updated the PR description with current status. We can now add and remove taxa lists members from UI! 🎉

I think these two backend issues would be nice to fix before we try get this out, at least the first one (listed under "Missing BE stuff")...

[annavik]

Some observations when using the new endpoints to add and remove taxa from lists:

• The endpoint to add taxon to a list returns 200 even if the taxon is already added
• The endpoint to remove taxon from a list returns 200 even if the taxon is not a member if the list
• The endpoint to remove taxon from a list uses method POST, maybe should beDELETE?
• Maybe these endpoints should follow same structure as the project member endpoints? I'm thinking we have a similar situation of "related objects"...

Just some thoughts, I'm fine leaving this as is for now! Thank you so much for the help @mohamedelabbas1996, it worked well to hook up with FE 🙏

[annavik]

Question: does it make sense to check "can update" permission for the taxa list, before rendering controls for "Add taxon" and "Remove taxon"? This is what I do know! :)

[mihow]

@annavik @mohamedelabbas1996 I updated the endpoints to use the same pattern as the project-user membership API, but no through-model to keep it a little simpler. I have in a separate PR here until I test it. Feel free to take a look before then. #1104

[mihow]

Merge plan & interaction with #1110 and #1133

Permission fix (latest commit)

TaxaListViewSet was using ObjectPermission, which silently denied all write operations for every user. Root cause: TaxaList uses a M2M projects field, so BaseModel.get_project() returns None, and check_permission() always returns False. Switched to IsProjectMemberOrReadOnly which resolves the project via ProjectMixin.get_active_project(). Added 10 permission tests covering member CRUD, anonymous read-only, non-member rejection, and owner access.

Recommended merge order

1. This PR (Configurable taxa lists #1094) — mergeable now, permission fix is self-contained
2. Require project_id on list endpoints to prevent full table scans #1133 (require project_id) — minor conflict on TaxaListViewSet (require_project = True here vs require_project_for_list = False there). Resolve by adopting require_project_for_list = False since taxa lists are global M2M resources.
3. feat: Add model-level permissions framework (rebase test - no not merge) #1110 (model-level permissions) — has merge conflicts, stale since Jan 31. After it merges:
   • Switch TaxaListViewSet back to ObjectPermission (the new check_permission() will route M2M models through model-level checks)
   • Add create_taxalist, update_taxalist, delete_taxalist to the AuthorizedUser role definition — without this, taxa list creation will break for non-superusers

Inline review comments

I've added inline comments on the two lines that will need updates when #1110 and #1133 merge.

[mihow]

Inline notes for future merge compatibility with #1110 and #1133.

[mihow]

After #1110 merges: Switch back to ObjectPermission. The new check_permission() routes M2M models (where get_project_accessor() returns "projects") through check_model_level_permission(), which uses global Django permissions instead of guardian object-level perms.

This will work correctly only if create_taxalist, update_taxalist, delete_taxalist are added to the AuthorizedUser role definition in #1110. Without those, taxa list creation breaks for all non-superusers.

[mihow]

After #1133 merges: Change to require_project_for_list = False.

PR #1133 makes require_project_for_list = True the default on ProjectMixin, but opts out TaxaListViewSet because taxa lists are global M2M resources (same rationale as TaxonViewSet and TagViewSet). Keep require_project = True for write operations -- only listing should be allowed without a project filter.

[mihow]

Code review

Found 3 issues:

1. convertToServerFieldValues sends project_id instead of project, breaking entity creation for Sites, Devices, Storage Sources, and SourceImageCollections. All four serializers declare a writable project PrimaryKeyRelatedField (not project_id), so POST requests from NewEntityDialog for these entity types will fail with 400 validation errors.

antenna/ui/src/data-services/hooks/entities/utils.ts

Lines 8 to 10 in 4682933

	...(name ? { name } : {}),
	project_id: projectId,
	...(customFields ?? {}),

Affected serializers at serializers.py L1602, L1618, L1635, L1228 all use project = serializers.PrimaryKeyRelatedField(...).

2. user_permissions will always be empty for non-superusers on TaxaList responses. TaxaListSerializer extends DefaultSerializer, which calls add_object_level_permissions() -> get_project(). Since TaxaList uses a M2M to Project (via projects), get_project() explicitly returns None for M2M accessors (ami/base/models.py L143). This means the frontend will never see write permissions for taxa lists, so edit/delete buttons may be incorrectly hidden.

antenna/ami/main/api/serializers.py

Lines 635 to 637 in 4682933

	class TaxaListSerializer(DefaultSerializer):
	taxa = serializers.SerializerMethodField()

Root cause at get_project():

antenna/ami/base/models.py

Lines 142 to 144 in 4682933

	accessor = self.get_project_accessor()
	if accessor == "projects" or accessor is None:
	return None

3. TaxaListTaxonViewSet.list() bypasses DRF pagination entirely, returning all taxa in a single response without limit/offset support. It also evaluates the queryset twice (queryset.count() + serializer.data). Every other list endpoint in the codebase uses LimitOffsetPaginationWithPermissions via DefaultViewSet.

antenna/ami/main/api/views.py

Lines 1686 to 1691 in 4682933

	def list(self, request, taxalist_pk=None):
	"""List all taxa in the taxa list."""
	queryset = self.get_queryset()
	serializer = self.get_serializer(queryset, many=True)
	return Response({"count": queryset.count(), "results": serializer.data})

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[mihow]

Additional issues from code review

Two more issues to track:

4. user_permissions always empty for non-superusers on TaxaList responses

TaxaListSerializer extends DefaultSerializer, which calls add_object_level_permissions() → instance.get_user_object_permissions() → get_project(). Since TaxaList uses M2M to Project (projects), get_project() returns None (ami/base/models.py L142-144), so _get_object_perms() returns [] for all non-superusers.

The frontend gates edit/delete buttons on canUpdate/canDelete which read from user_permissions (taxa-list-columns.tsx L84-99), so non-superuser project members will never see those buttons even though IsProjectMemberOrReadOnly allows them to write at the API level.

5. TaxaListTaxonViewSet.list() bypasses DRF pagination

The list() method manually returns {"count": queryset.count(), "results": serializer.data} without calling self.paginate_queryset() or self.get_paginated_response(). It also evaluates the queryset twice (once for count(), once for serializer.data).

antenna/ami/main/api/views.py

Lines 1686 to 1691 in 4682933

	def list(self, request, taxalist_pk=None):
	"""List all taxa in the taxa list."""
	queryset = self.get_queryset()
	serializer = self.get_serializer(queryset, many=True)
	return Response({"count": queryset.count(), "results": serializer.data})

Note: the frontend currently doesn't call this endpoint (it uses useSpecies with a taxa_list_id filter on /api/v2/taxa/ instead), so this is low-impact for now but inconsistent with every other list endpoint.

🤖 Generated with Claude Code

[mihow]

All 3 issues from this review are now resolved:

1. project_id → project — Fixed in 312e362 (fix: send project instead of project_id in entity creation requests)
2. user_permissions empty for M2M models — Fixed in 3d2eb1e (fix: resolve user_permissions for M2M-to-Project models)
3. TaxaListTaxonViewSet.list() bypasses pagination — Removed in d0c8c24 (refactor: remove unused list endpoint from TaxaListTaxonViewSet)

[mihow]

Both issues from this comment are also resolved:

4. user_permissions always empty for non-superusers — Fixed in 3d2eb1e via add_m2m_object_permissions() in TaxaListSerializer.get_permissions(), which resolves the project from the request context instead of relying on get_project().

5. TaxaListTaxonViewSet.list() bypasses DRF pagination — The endpoint was removed entirely in d0c8c24 since the frontend uses useSpecies with a taxa_list_id filter on /api/v2/taxa/ instead.

[mihow]

Tested once more with different user roles and I think it's ready to go!