From e3a8d15ebbb9789e5664a2f890e3b150546f2007 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:03:48 +0100
Subject: [PATCH 01/37] refactor: enhance task status handling in dashboard
 logic and update AdminDashboard component to include backlog and review tasks

---
 .../api/controllers/dashboard_controller.py   | 32 ++++++++----
 frontend/src/pages/AdminDashboard.jsx         | 51 +++++++++++--------
 .../src/tests/pages/AdminDashboard.test.jsx   | 36 +++++++++++++
 3 files changed, 88 insertions(+), 31 deletions(-)

diff --git a/backend/src/api/controllers/dashboard_controller.py b/backend/src/api/controllers/dashboard_controller.py
index 3f24b01..9e334af 100644
--- a/backend/src/api/controllers/dashboard_controller.py
+++ b/backend/src/api/controllers/dashboard_controller.py
@@ -11,6 +11,8 @@
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
 
+COMPLETED_TASK_STATUSES = {'done', 'completed'}
+
 
 def _safe_query_all(model):
     try:
@@ -22,6 +24,14 @@ def _safe_query_all(model):
 def _count(items, predicate):
     return sum(1 for item in items if predicate(item))
 
+
+def _is_completed_status(status):
+    return status in COMPLETED_TASK_STATUSES
+
+
+def _is_completed_task(task):
+    return _is_completed_status(getattr(task, 'status', None))
+
 def get_user_tasks(user_id):
     """Helper function to get all tasks for a user"""
     try:
@@ -38,7 +48,7 @@ def get_tasks_due_soon(user_id):
         return Task.query.filter_by(assigned_to=user_id)\
             .filter(Task.deadline.isnot(None))\
             .filter(Task.deadline.between(today, week_later))\
-            .filter(Task.status != 'done').all()
+            .filter(~Task.status.in_(COMPLETED_TASK_STATUSES)).all()
     except Exception as e:
         logger.error(f"Error fetching tasks due soon: {str(e)}")
         return []
@@ -61,8 +71,11 @@ def get_recent_completed_tasks(user_id, timeframe='month'):
             days = 30
 
         time_ago = today - timedelta(days=days)
-        return Task.query.filter_by(assigned_to=user_id, status='done')\
-            .filter(Task.updated_at >= time_ago).all()
+        return Task.query.filter_by(assigned_to=user_id)\
+            .filter(
+                Task.status.in_(COMPLETED_TASK_STATUSES),
+                Task.updated_at >= time_ago,
+            ).all()
     except Exception as e:
         logger.error(f"Error fetching completed tasks: {str(e)}")
         return []
@@ -83,7 +96,7 @@ def get_project_tasks_due_soon(project_id):
         return Task.query.filter_by(project_id=project_id)\
             .filter(Task.deadline.isnot(None))\
             .filter(Task.deadline.between(today, week_later))\
-            .filter(Task.status != 'done').all()
+            .filter(~Task.status.in_(COMPLETED_TASK_STATUSES)).all()
     except Exception as e:
         logger.error(f"Error fetching project tasks due soon: {str(e)}")
         return []
@@ -134,8 +147,8 @@ def get_user_dashboard():
             },
             'tasks': {
                 'assigned_count': len(assigned_tasks),
-                'pending_count': len([t for t in assigned_tasks if t.status != 'done']),
-                'completed_count': len([t for t in assigned_tasks if t.status == 'done']),
+                'pending_count': len([t for t in assigned_tasks if not _is_completed_task(t)]),
+                'completed_count': len([t for t in assigned_tasks if _is_completed_task(t)]),
                 'due_soon': [{
                     'id': task.id,
                     'title': task.title,
@@ -165,7 +178,7 @@ def get_user_dashboard():
             
             dashboard_data['team'] = {
                 'total_tasks': len(team_tasks),
-                'completed_tasks': len([t for t in team_tasks if t.status == 'done']),
+                'completed_tasks': len([t for t in team_tasks if _is_completed_task(t)]),
                 'in_progress_tasks': len([t for t in team_tasks if t.status == 'in_progress']),
                 'pending_tasks': len([t for t in team_tasks if t.status == 'todo'])
             }
@@ -278,10 +291,11 @@ def get_admin_dashboard():
         # Calculate task statistics
         task_stats = {
             'total': len(all_tasks),
+            'backlog': len([t for t in all_tasks if t.status == 'backlog']),
             'todo': len([t for t in all_tasks if t.status == 'todo']),
             'in_progress': len([t for t in all_tasks if t.status == 'in_progress']),
             'review': len([t for t in all_tasks if t.status == 'review']),
-            'done': len([t for t in all_tasks if t.status == 'done'])
+            'done': len([t for t in all_tasks if _is_completed_task(t)])
         }
         
         # Format response data
@@ -333,7 +347,7 @@ def get_project_dashboard(project_id):
             'todo': len([t for t in tasks if t.status == 'todo']),
             'in_progress': len([t for t in tasks if t.status == 'in_progress']),
             'review': len([t for t in tasks if t.status == 'review']),
-            'done': len([t for t in tasks if t.status == 'done'])
+            'done': len([t for t in tasks if _is_completed_task(t)])
         }
         
         # Calculate completion percentage
diff --git a/frontend/src/pages/AdminDashboard.jsx b/frontend/src/pages/AdminDashboard.jsx
index 79d556f..aea0b17 100644
--- a/frontend/src/pages/AdminDashboard.jsx
+++ b/frontend/src/pages/AdminDashboard.jsx
@@ -319,29 +319,36 @@ const AdminDashboard = () => {
               <Panel>
                 <PanelHeader title="Task Breakdown" />
                 <div className="p-5 space-y-4">
-                  {[
-                    { label: 'To Do',       value: dashboardData?.tasks?.todo      || 0, color: 'bg-slate-500'   },
-                    { label: 'In Progress', value: dashboardData?.tasks?.active     || 0, color: 'bg-sky-500'     },
-                    { label: 'In Review',   value: dashboardData?.tasks?.inReview   || 0, color: 'bg-amber-500'   },
-                    { label: 'Done',        value: dashboardData?.tasks?.done       || 0, color: 'bg-emerald-500' },
-                  ].map(({ label, value, color }) => {
-                    const total = (dashboardData?.tasks?.todo || 0)
-                      + (dashboardData?.tasks?.active || 0)
-                      + (dashboardData?.tasks?.inReview || 0)
-                      + (dashboardData?.tasks?.done || 0);
-                    const pct = total > 0 ? Math.round((value / total) * 100) : 0;
-                    return (
-                      <div key={label}>
-                        <div className="flex justify-between text-sm mb-1.5">
-                          <span className="text-slate-300">{label}</span>
-                          <span className="text-slate-400">{value} <span className="text-slate-600">({pct}%)</span></span>
-                        </div>
-                        <div className="w-full bg-slate-800 rounded-full h-1.5">
-                          <div className={`${color} h-1.5 rounded-full transition-all`} style={{ width: `${pct}%` }} />
+                  {(() => {
+                    const backlog = dashboardData?.tasks?.backlog || 0;
+                    const todo = dashboardData?.tasks?.todo || 0;
+                    const inProgress = dashboardData?.tasks?.in_progress ?? dashboardData?.tasks?.active ?? 0;
+                    const inReview = dashboardData?.tasks?.review ?? dashboardData?.tasks?.inReview ?? 0;
+                    const done = dashboardData?.tasks?.done || 0;
+                    const total = backlog + todo + inProgress + inReview + done;
+
+                    return [
+                      { label: 'Backlog', value: backlog, color: 'bg-orange-500' },
+                      { label: 'To Do', value: todo, color: 'bg-slate-500' },
+                      { label: 'In Progress', value: inProgress, color: 'bg-sky-500' },
+                      { label: 'In Review', value: inReview, color: 'bg-amber-500' },
+                      { label: 'Done', value: done, color: 'bg-emerald-500' },
+                    ].map(({ label, value, color }) => {
+                      const pct = total > 0 ? Math.round((value / total) * 100) : 0;
+
+                      return (
+                        <div key={label}>
+                          <div className="flex justify-between text-sm mb-1.5">
+                            <span className="text-slate-300">{label}</span>
+                            <span className="text-slate-400">{value} <span className="text-slate-600">({pct}%)</span></span>
+                          </div>
+                          <div className="w-full bg-slate-800 rounded-full h-1.5">
+                            <div className={`${color} h-1.5 rounded-full transition-all`} style={{ width: `${pct}%` }} />
+                          </div>
                         </div>
-                      </div>
-                    );
-                  })}
+                      );
+                    });
+                  })()}
                 </div>
               </Panel>
 
diff --git a/frontend/src/tests/pages/AdminDashboard.test.jsx b/frontend/src/tests/pages/AdminDashboard.test.jsx
index 6810eb1..e2b4f53 100644
--- a/frontend/src/tests/pages/AdminDashboard.test.jsx
+++ b/frontend/src/tests/pages/AdminDashboard.test.jsx
@@ -10,6 +10,9 @@ jest.mock('../../services/utils/api', () => ({
   dashboardService: {
     getAdminDashboardStats: jest.fn(),
   },
+  projectService: {
+    getAllProjects: jest.fn(),
+  },
 }));
 
 jest.mock('../../context/AuthContext', () => ({
@@ -68,6 +71,8 @@ describe('AdminDashboard page', () => {
 
     dashboardService.getAdminDashboardStats.mockReset();
     dashboardService.getAdminDashboardStats.mockResolvedValue(adminStatsPayload);
+    require('../../services/utils/api').projectService.getAllProjects.mockReset();
+    require('../../services/utils/api').projectService.getAllProjects.mockResolvedValue([]);
   });
 
   afterEach(() => {
@@ -87,6 +92,37 @@ describe('AdminDashboard page', () => {
     expect(screen.getByRole('link', { name: /DevSync Core/i })).toHaveAttribute('href', '/projects/1');
   });
 
+  test('renders review tasks in the task breakdown', async () => {
+    dashboardService.getAdminDashboardStats.mockResolvedValueOnce({
+      projects: { total: 5 },
+      tasks: {
+        total: 10,
+        backlog: 2,
+        todo: 2,
+        in_progress: 3,
+        review: 1,
+        done: 2,
+      },
+      users: { total: 8 },
+      recentProjects: [
+        {
+          id: 99,
+          name: 'Recent Project',
+          status: 'active',
+          created_at: '2099-01-01T00:00:00.000Z',
+          task_count: 4,
+        },
+      ],
+    });
+
+    renderAdminDashboard();
+
+    expect(await screen.findByText('In Review')).toBeInTheDocument();
+    expect(screen.getByText('Backlog')).toBeInTheDocument();
+    expect(screen.getAllByText('1', { selector: '.text-slate-400' }).length).toBeGreaterThan(0);
+    expect(screen.getAllByText('2', { selector: '.text-slate-400' }).length).toBeGreaterThan(0);
+  });
+
   test('refetches dashboard data when time range changes and when refresh is clicked', async () => {
     renderAdminDashboard();
 

From 28085be36cd4d8e76af7bb4efda0252bf46bb946 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:04:01 +0100
Subject: [PATCH 02/37] refactor: update task status handling in dashboard
 tests to include 'completed' and 'backlog' statuses

---
 .../test_auth_socket_dashboard_integration.py         | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/backend/tests/integration/test_auth_socket_dashboard_integration.py b/backend/tests/integration/test_auth_socket_dashboard_integration.py
index 616e91a..d2e1364 100644
--- a/backend/tests/integration/test_auth_socket_dashboard_integration.py
+++ b/backend/tests/integration/test_auth_socket_dashboard_integration.py
@@ -286,6 +286,7 @@ def test_dashboard_client_route_returns_computed_task_stats(client, app, monkeyp
     assigned_tasks = [
         SimpleNamespace(status='todo'),
         SimpleNamespace(status='done'),
+        SimpleNamespace(status='completed'),
     ]
 
     class StubUser:
@@ -301,9 +302,9 @@ class StubUser:
 
     assert response.status_code == 200
     payload = response.get_json()
-    assert payload['tasks']['total'] == 2
+    assert payload['tasks']['total'] == 3
     assert payload['tasks']['todo'] == 1
-    assert payload['tasks']['done'] == 1
+    assert payload['tasks']['done'] == 2
     assert payload['tasks_due_soon'][0]['id'] == 9
     assert payload['projects'][0]['name'] == 'Project A'
 
@@ -316,10 +317,12 @@ def test_dashboard_admin_route_returns_user_and_task_totals(client, app, monkeyp
         SimpleNamespace(role='team_lead'),
     ]
     tasks = [
+        SimpleNamespace(status='backlog'),
         SimpleNamespace(status='todo'),
         SimpleNamespace(status='in_progress'),
         SimpleNamespace(status='review'),
         SimpleNamespace(status='done'),
+        SimpleNamespace(status='completed'),
     ]
 
     class StubUser:
@@ -348,7 +351,9 @@ class StubProject:
     assert payload['users']['admin'] == 1
     assert payload['users']['developer'] == 1
     assert payload['users']['team_lead'] == 1
-    assert payload['tasks']['total'] == 4
+    assert payload['tasks']['total'] == 6
+    assert payload['tasks']['backlog'] == 1
+    assert payload['tasks']['done'] == 2
     assert payload['projects']['total'] == 4
 
 

From aad3939c3d55a35a1efad43e5cca59af9aa8e529 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:04:22 +0100
Subject: [PATCH 03/37] refactor: update report and task services to include
 backlog metrics and enhance API tests

---
 frontend/src/components/ReportTable.jsx |  2 +-
 frontend/src/services/utils/api.js      | 74 ++++++++++++++++++++++++-
 frontend/src/tests/services/api.test.js |  2 +
 3 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/frontend/src/components/ReportTable.jsx b/frontend/src/components/ReportTable.jsx
index 36d6b32..a1da999 100644
--- a/frontend/src/components/ReportTable.jsx
+++ b/frontend/src/components/ReportTable.jsx
@@ -70,7 +70,7 @@ const ReportTable = ({ data = [], type }) => {
         case 'Actions':
           return (
             <Link 
-              to={`/TaskDetailUser/${item.id}`}
+              to={`/Tasks/${item.id}`}
               className="text-rose-400 hover:text-rose-300"
             >
               View
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index a7a289f..b878f06 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -402,6 +402,7 @@ const normalizeTaskStatus = (status) => {
 };
 
 const normalizeAdminDashboardTasks = (tasks = {}) => {
+  const backlog = toSafeMetricValue(tasks.backlog, 0);
   const todo = toSafeMetricValue(tasks.todo, 0);
   const inProgress = toSafeMetricValue(tasks.in_progress, 0);
   const review = toSafeMetricValue(tasks.review, 0);
@@ -409,9 +410,10 @@ const normalizeAdminDashboardTasks = (tasks = {}) => {
 
   return {
     ...tasks,
-    total: toSafeMetricValue(tasks.total, todo + inProgress + review + done),
+    total: toSafeMetricValue(tasks.total, backlog + todo + inProgress + review + done),
     active: todo + inProgress + review,
     completed: done,
+    backlog,
     todo,
     in_progress: inProgress,
     review,
@@ -834,6 +836,73 @@ const notificationService = {
   }
 };
 
+
+// Report service
+const reportService = {
+  saveReport: async (reportType, dateRange, summary, details) => {
+    try {
+      const response = await fetchWithAuth('reports', {
+        method: 'POST',
+        body: JSON.stringify({
+          report_type: reportType,
+          date_range: dateRange,
+          summary,
+          details
+        })
+      });
+      return response;
+    } catch (error) {
+      console.error('Failed to save report:', error);
+      return { error: error.message };
+    }
+  },
+
+  getSavedReports: async (filter = {}) => {
+    try {
+      let endpoint = 'reports';
+      const params = new URLSearchParams();
+      
+      if (filter.type) params.append('type', filter.type);
+      if (filter.dateRange) params.append('dateRange', filter.dateRange);
+      if (filter.page) params.append('page', filter.page);
+      if (filter.per_page) params.append('per_page', filter.per_page);
+      
+      const queryString = params.toString();
+      if (queryString) {
+        endpoint = `${endpoint}?${queryString}`;
+      }
+      
+      const response = await fetchWithAuth(endpoint);
+      return response;
+    } catch (error) {
+      console.error('Failed to fetch saved reports:', error);
+      return { error: error.message, reports: [] };
+    }
+  },
+
+  getReportById: async (reportId) => {
+    try {
+      const response = await fetchWithAuth(`reports/${reportId}`);
+      return response;
+    } catch (error) {
+      console.error(`Failed to fetch report ${reportId}:`, error);
+      return { error: error.message };
+    }
+  },
+
+  deleteReport: async (reportId) => {
+    try {
+      const response = await fetchWithAuth(`reports/${reportId}`, {
+        method: 'DELETE'
+      });
+      return response;
+    } catch (error) {
+      console.error(`Failed to delete report ${reportId}:`, error);
+      return { error: error.message };
+    }
+  }
+};
+
 export {
   fetchWithAuth,
   taskService,
@@ -841,5 +910,6 @@ export {
   githubService,
   userService,
   dashboardService,
-  notificationService
+  notificationService,
+  reportService
 };
diff --git a/frontend/src/tests/services/api.test.js b/frontend/src/tests/services/api.test.js
index 9532de8..d002022 100644
--- a/frontend/src/tests/services/api.test.js
+++ b/frontend/src/tests/services/api.test.js
@@ -483,6 +483,7 @@ describe('api utilities', () => {
         projects: { total: 3 },
         tasks: {
           total: 9,
+          backlog: 1,
           todo: 2,
           in_progress: 3,
           review: 1,
@@ -498,6 +499,7 @@ describe('api utilities', () => {
     expect(stats.tasks.active).toBe(6);
     expect(stats.tasks.completed).toBe(3);
     expect(stats.tasks.total).toBe(9);
+    expect(stats.tasks.backlog).toBe(1);
   });
 
   test('dashboardService.getBasicDashboardStats returns fallback on error', async () => {

From 173b257868271b811d2378f8237f3017b59acc45 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:04:36 +0100
Subject: [PATCH 04/37] refactor: enhance Team Lead permissions to include task
 updates and deletions; update RBAC documentation and adjust TaskList header

---
 backend/src/auth/rbac.py        | 2 ++
 docs/backend/rbac.md            | 3 ++-
 frontend/src/pages/TaskList.jsx | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/backend/src/auth/rbac.py b/backend/src/auth/rbac.py
index 18be141..179e712 100644
--- a/backend/src/auth/rbac.py
+++ b/backend/src/auth/rbac.py
@@ -30,6 +30,8 @@ class Role(Enum):
     *DEVELOPER_PERMISSIONS,
     'can_create_tasks',
     'can_assign_tasks',
+    'can_update_any_task',
+    'can_delete_tasks',
     'can_view_team_metrics',
     'can_view_team_reports',
     'can_generate_reports',
diff --git a/docs/backend/rbac.md b/docs/backend/rbac.md
index ad6e959..b52c9e1 100644
--- a/docs/backend/rbac.md
+++ b/docs/backend/rbac.md
@@ -27,6 +27,8 @@ All Developer permissions, plus:
 
 - Create new tasks
 - Assign tasks to team members
+- Update any task
+- Delete any task
 - View team statistics and metrics
 - Generate reports
 - View all team member profiles
@@ -35,7 +37,6 @@ All Developer permissions, plus:
 
 All Team Lead permissions, plus:
 
-- Delete tasks
 - Manage users (create, update, delete)
 - Modify system settings
 - View audit logs
diff --git a/frontend/src/pages/TaskList.jsx b/frontend/src/pages/TaskList.jsx
index 33c9fc4..e0de0f6 100644
--- a/frontend/src/pages/TaskList.jsx
+++ b/frontend/src/pages/TaskList.jsx
@@ -140,7 +140,7 @@ const TaskList = () => {
       <div className="max-w-7xl mx-auto">
         <div className="bg-slate-900/70 rounded-2xl border border-slate-800/70 p-6 mb-6">
           <div className="flex flex-col md:flex-row md:justify-between md:items-center mb-6">
-            <h1 className="text-2xl font-bold mb-4 md:mb-0 text-slate-100">Your Tasks</h1>
+            <h1 className="text-2xl font-bold mb-4 md:mb-0 text-slate-100">Tasks</h1>
             <div className="flex flex-col md:flex-row gap-4">
               <button 
                 onClick={() => fetchTasks()}

From 8e977be48e71f5377eb6fb87a7eb5519d23d5eed Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:04:52 +0100
Subject: [PATCH 05/37] refactor: integrate report service for managing saved
 reports; implement loading, viewing, and deletion functionalities

---
 .../e2f4g5h6i7j8_add_reports_table.py         | 46 ++++++++++++++
 backend/src/db/models/__init__.py             |  5 +-
 frontend/src/pages/Reports.jsx                | 62 ++++++++++++++++++-
 3 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 backend/migrations/versions/e2f4g5h6i7j8_add_reports_table.py

diff --git a/backend/migrations/versions/e2f4g5h6i7j8_add_reports_table.py b/backend/migrations/versions/e2f4g5h6i7j8_add_reports_table.py
new file mode 100644
index 0000000..01d8427
--- /dev/null
+++ b/backend/migrations/versions/e2f4g5h6i7j8_add_reports_table.py
@@ -0,0 +1,46 @@
+"""Add reports table for storing generated reports
+
+Revision ID: e2f4g5h6i7j8
+Revises: 3c8d9e2f1a4b
+Create Date: 2026-05-06 15:30:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'e2f4g5h6i7j8'
+down_revision = '3c8d9e2f1a4b'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('reports',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('user_id', sa.Integer(), nullable=False),
+    sa.Column('report_type', sa.String(length=50), nullable=False),
+    sa.Column('date_range', sa.String(length=50), nullable=False),
+    sa.Column('summary', sa.JSON(), nullable=False),
+    sa.Column('details', sa.JSON(), nullable=False),
+    sa.Column('generated_at', sa.DateTime(), nullable=True),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_reports_generated_at', 'reports', ['generated_at'], unique=False)
+    op.create_index('idx_reports_type', 'reports', ['report_type'], unique=False)
+    op.create_index('idx_reports_user_generated', 'reports', ['user_id', 'generated_at'], unique=False)
+    op.create_index('idx_reports_user_id', 'reports', ['user_id'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index('idx_reports_user_id', table_name='reports')
+    op.drop_index('idx_reports_user_generated', table_name='reports')
+    op.drop_index('idx_reports_type', table_name='reports')
+    op.drop_index('idx_reports_generated_at', table_name='reports')
+    op.drop_table('reports')
+    # ### end Alembic commands ###
diff --git a/backend/src/db/models/__init__.py b/backend/src/db/models/__init__.py
index 8befcc6..e3af53c 100644
--- a/backend/src/db/models/__init__.py
+++ b/backend/src/db/models/__init__.py
@@ -7,7 +7,7 @@
 from ..db_connection import db
 
 # Import models to make them available when importing the package
-from .models import User, Task, Project, Comment, GitHubToken, GitHubRepository, TaskGitHubLink, Notification
+from .models import User, Task, Project, Comment, GitHubToken, GitHubRepository, TaskGitHubLink, Notification, Report
 
 # Export all models for easy importing
 __all__ = [
@@ -19,5 +19,6 @@
     'Notification',
     'GitHubToken',
     'GitHubRepository',
-    'TaskGitHubLink'
+    'TaskGitHubLink',
+    'Report'
 ]
diff --git a/frontend/src/pages/Reports.jsx b/frontend/src/pages/Reports.jsx
index c715f85..09f3b69 100644
--- a/frontend/src/pages/Reports.jsx
+++ b/frontend/src/pages/Reports.jsx
@@ -12,7 +12,7 @@ import {
   Filler
 } from 'chart.js';
 import { Bar, Doughnut, Line } from 'react-chartjs-2';
-import { dashboardService } from '../services/utils/api';
+import { dashboardService, reportService } from '../services/utils/api';
 import LoadingSpinner from '../components/LoadingSpinner';
 import ReportTable from '../components/ReportTable';
 
@@ -195,6 +195,45 @@ const Reports = () => {
     loadReportData();
   }, [loadReportData]);
 
+  useEffect(() => {
+    const loadSavedReports = async () => {
+      try {
+        const response = await reportService.getSavedReports();
+        if (response.error) {
+          console.warn('Failed to load saved reports:', response.error);
+        } else if (response.reports) {
+          setGeneratedReports(response.reports);
+        }
+      } catch (err) {
+        console.error('Error loading saved reports:', err);
+      }
+    };
+
+    loadSavedReports();
+  }, []);
+
+  const handleViewSavedReport = (report) => {
+    setReportData({
+      summary: report.summary,
+      details: report.details
+    });
+    setReportType(report.type);
+    setDateRange(report.dateRange);
+  };
+
+  const handleDeleteReport = async (reportId) => {
+    try {
+      const response = await reportService.deleteReport(reportId);
+      if (response.error) {
+        console.error('Failed to delete report:', response.error);
+      } else {
+        setGeneratedReports((prev) => prev.filter((r) => r.id !== reportId));
+      }
+    } catch (err) {
+      console.error('Error deleting report:', err);
+    }
+  };
+
   const handleGenerateReport = async () => {
     const data = reportData || await loadReportData();
     if (!data) return;
@@ -209,6 +248,26 @@ const Reports = () => {
       details: data.details || []
     };
 
+    try {
+      const saveResponse = await reportService.saveReport(
+        reportType,
+        dateRange,
+        reportEntry.summary,
+        reportEntry.details
+      );
+
+      if (saveResponse?.report) {
+        setGeneratedReports((prev) => [saveResponse.report, ...prev]);
+        return;
+      }
+
+      if (saveResponse?.error) {
+        console.warn('Failed to save report to backend:', saveResponse.error);
+      }
+    } catch (err) {
+      console.error('Error saving report to backend:', err);
+    }
+
     setGeneratedReports((prev) => [reportEntry, ...prev]);
   };
 
@@ -718,7 +777,6 @@ const Reports = () => {
     );
   }
 
-  // ─── Main render ───────────────────────────────────────────────────────────
   return (
     <div className="container mx-auto p-6 bg-slate-950 min-h-screen text-slate-100">
       <h1 className="text-2xl font-bold mb-6 text-slate-100">Reports & Analytics</h1>

From d5116edd71ca6dc56b1cf4b72764cc82a283e5ee Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:04:59 +0100
Subject: [PATCH 06/37] feat: add Report model for storing generated reports
 with relationships and indexing

---
 backend/src/db/models/models.py | 37 +++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/backend/src/db/models/models.py b/backend/src/db/models/models.py
index 818cdf6..d8aec9f 100644
--- a/backend/src/db/models/models.py
+++ b/backend/src/db/models/models.py
@@ -193,3 +193,40 @@ class Project(db.Model):
     
     def __repr__(self):
         return f'<Project {self.name}>'
+
+class Report(db.Model):
+    """Report model for storing generated reports"""
+    __tablename__ = 'reports'
+    
+    id = db.Column(db.Integer, primary_key=True)
+    user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)
+    report_type = db.Column(db.String(50), nullable=False)  # 'tasks', 'developers', 'github'
+    date_range = db.Column(db.String(50), nullable=False)  # 'week', 'month', 'quarter', 'year'
+    summary = db.Column(db.JSON, nullable=False)  # JSON object with summary metrics
+    details = db.Column(db.JSON, nullable=False)  # JSON array with detailed data
+    generated_at = db.Column(db.DateTime, default=datetime.utcnow)
+    
+    __table_args__ = (
+        Index('idx_reports_user_id', 'user_id'),
+        Index('idx_reports_user_generated', 'user_id', 'generated_at'),
+        Index('idx_reports_type', 'report_type'),
+        Index('idx_reports_generated_at', 'generated_at'),
+    )
+    
+    # Relationships
+    user = db.relationship('User', backref='reports')
+    
+    def to_dict(self):
+        """Convert report to dictionary"""
+        return {
+            'id': self.id,
+            'user_id': self.user_id,
+            'type': self.report_type,
+            'dateRange': self.date_range,
+            'summary': self.summary,
+            'details': self.details,
+            'generatedAt': self.generated_at.isoformat() if self.generated_at else None
+        }
+    
+    def __repr__(self):
+        return f'<Report {self.id} ({self.report_type}) by User {self.user_id}>'

From 526566a3cd6535cce3278f6564da92662aa3989b Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 00:05:05 +0100
Subject: [PATCH 07/37] feat: add report management functionality with routes,
 controller, and validation

---
 backend/src/api/__init__.py                   |   3 +
 .../src/api/controllers/report_controller.py  | 141 ++++++++++++++++++
 backend/src/api/routes/report_routes.py       |  59 ++++++++
 .../src/api/validators/report_validator.py    |  33 ++++
 4 files changed, 236 insertions(+)
 create mode 100644 backend/src/api/controllers/report_controller.py
 create mode 100644 backend/src/api/routes/report_routes.py
 create mode 100644 backend/src/api/validators/report_validator.py

diff --git a/backend/src/api/__init__.py b/backend/src/api/__init__.py
index 5074dae..3928066 100644
--- a/backend/src/api/__init__.py
+++ b/backend/src/api/__init__.py
@@ -17,6 +17,9 @@
 notifications_routes.register_routes(api_bp)
 dashboard_routes.register_routes(api_bp)
 admin_routes.register_routes(api_bp)
+from .routes import report_routes
+
+report_routes.register_routes(api_bp)
 github_routes.register_routes(api_bp)  # Add GitHub routes
 
 def init_app(app):
diff --git a/backend/src/api/controllers/report_controller.py b/backend/src/api/controllers/report_controller.py
new file mode 100644
index 0000000..f3c89bd
--- /dev/null
+++ b/backend/src/api/controllers/report_controller.py
@@ -0,0 +1,141 @@
+# Report controller - business logic for report operations
+
+from flask import request, jsonify
+from flask_jwt_extended import get_jwt_identity, get_jwt
+from ...db.models import db, Report, User
+from ...auth.rbac import Role
+from ..validators.report_validator import validate_report_data
+
+def save_report():
+    """Controller function to save a generated report"""
+    user_id = get_jwt_identity()['user_id']
+    data = request.get_json()
+    
+    # Validate report data
+    validation_result = validate_report_data(data)
+    if validation_result:
+        return validation_result
+    
+    try:
+        # Create new report record
+        report = Report(
+            user_id=user_id,
+            report_type=data['report_type'],
+            date_range=data['date_range'],
+            summary=data['summary'],
+            details=data['details']
+        )
+        
+        db.session.add(report)
+        db.session.commit()
+        
+        return jsonify({
+            'message': 'Report saved successfully',
+            'report': report.to_dict()
+        }), 201
+        
+    except Exception as e:
+        db.session.rollback()
+        return jsonify({'message': f'Failed to save report: {str(e)}'}), 500
+
+def get_reports():
+    """Controller function to get saved reports for the current user or team"""
+    user_id = get_jwt_identity()['user_id']
+    claims = get_jwt()
+    user_role = claims.get('role')
+    
+    # Parse query parameters for filtering
+    report_type = request.args.get('type')
+    date_range = request.args.get('dateRange')
+    page = request.args.get('page', 1, type=int)
+    per_page = request.args.get('per_page', 50, type=int)
+    
+    try:
+        query = Report.query
+        
+        # Filter by user role
+        if user_role in [Role.ADMIN.value, Role.TEAM_LEAD.value]:
+            # Admins and team leads can see all reports
+            pass
+        else:
+            # Developers can only see their own reports
+            query = query.filter_by(user_id=user_id)
+        
+        # Apply optional filters
+        if report_type:
+            query = query.filter_by(report_type=report_type)
+        if date_range:
+            query = query.filter_by(date_range=date_range)
+        
+        # Sort by most recent first
+        query = query.order_by(Report.generated_at.desc())
+        
+        # Paginate results
+        paginated = query.paginate(page=page, per_page=per_page, error_out=False)
+        
+        reports = [report.to_dict() for report in paginated.items]
+        
+        return jsonify({
+            'message': 'Reports retrieved successfully',
+            'reports': reports,
+            'pagination': {
+                'page': page,
+                'per_page': per_page,
+                'total': paginated.total,
+                'pages': paginated.pages
+            }
+        }), 200
+        
+    except Exception as e:
+        return jsonify({'message': f'Failed to retrieve reports: {str(e)}'}), 500
+
+def get_report_by_id(report_id):
+    """Controller function to get a specific report by ID"""
+    user_id = get_jwt_identity()['user_id']
+    claims = get_jwt()
+    user_role = claims.get('role')
+    
+    try:
+        report = Report.query.get(report_id)
+        if not report:
+            return jsonify({'message': 'Report not found'}), 404
+        
+        # Check permissions
+        if user_role not in [Role.ADMIN.value, Role.TEAM_LEAD.value]:
+            if report.user_id != user_id:
+                return jsonify({'message': 'Unauthorized access to this report'}), 403
+        
+        return jsonify({
+            'message': 'Report retrieved successfully',
+            'report': report.to_dict()
+        }), 200
+        
+    except Exception as e:
+        return jsonify({'message': f'Failed to retrieve report: {str(e)}'}), 500
+
+def delete_report(report_id):
+    """Controller function to delete a report"""
+    user_id = get_jwt_identity()['user_id']
+    claims = get_jwt()
+    user_role = claims.get('role')
+    
+    try:
+        report = Report.query.get(report_id)
+        if not report:
+            return jsonify({'message': 'Report not found'}), 404
+        
+        # Check permissions - can only delete own reports unless admin
+        if user_role not in [Role.ADMIN.value]:
+            if report.user_id != user_id:
+                return jsonify({'message': 'Unauthorized to delete this report'}), 403
+        
+        db.session.delete(report)
+        db.session.commit()
+        
+        return jsonify({
+            'message': 'Report deleted successfully'
+        }), 200
+        
+    except Exception as e:
+        db.session.rollback()
+        return jsonify({'message': f'Failed to delete report: {str(e)}'}), 500
diff --git a/backend/src/api/routes/report_routes.py b/backend/src/api/routes/report_routes.py
new file mode 100644
index 0000000..97b61a1
--- /dev/null
+++ b/backend/src/api/routes/report_routes.py
@@ -0,0 +1,59 @@
+"""Report API routes"""
+
+from flask import request
+from flask_jwt_extended import jwt_required
+from ..controllers.report_controller import (
+    save_report,
+    get_reports,
+    get_report_by_id,
+    delete_report
+)
+from ..middlewares.validation_middleware import validate_json
+from ..middlewares import role_required
+from ..middlewares.api_usage_logger import log_api_usage
+from ..middlewares.request_logger import log_request
+from ...auth.rbac import Role
+
+# Only Team Lead and Admin can generate and view reports
+REPORT_ROLES = [Role.TEAM_LEAD, Role.ADMIN]
+AUTHENTICATED_ROLES = [Role.DEVELOPER, Role.TEAM_LEAD, Role.ADMIN]
+
+def register_routes(bp):
+    """Register all report routes with the provided Blueprint"""
+    
+    @bp.route('/reports', methods=['POST'])
+    @jwt_required()
+    @role_required(REPORT_ROLES)
+    @validate_json()
+    @log_api_usage()
+    @log_request()
+    def save_report_route():
+        """Route to save a generated report"""
+        return save_report()
+    
+    @bp.route('/reports', methods=['GET'])
+    @jwt_required()
+    @role_required(REPORT_ROLES)
+    @log_api_usage()
+    @log_request()
+    def get_reports_route():
+        """Route to get saved reports"""
+        return get_reports()
+    
+    @bp.route('/reports/<int:report_id>', methods=['GET'])
+    @jwt_required()
+    @role_required(REPORT_ROLES)
+    @log_api_usage()
+    @log_request()
+    def get_report_route(report_id):
+        """Route to get a specific report"""
+        return get_report_by_id(report_id)
+    
+    @bp.route('/reports/<int:report_id>', methods=['DELETE'])
+    @jwt_required()
+    @role_required(REPORT_ROLES)
+    @log_api_usage()
+    @log_request()
+    def delete_report_route(report_id):
+        """Route to delete a report"""
+        return delete_report(report_id)
diff --git a/backend/src/api/validators/report_validator.py b/backend/src/api/validators/report_validator.py
new file mode 100644
index 0000000..268543f
--- /dev/null
+++ b/backend/src/api/validators/report_validator.py
@@ -0,0 +1,33 @@
+# Report data validation
+
+from flask import jsonify
+
+VALID_REPORT_TYPES = ['tasks', 'developers', 'github']
+VALID_DATE_RANGES = ['week', 'month', 'quarter', 'year']
+
+def validate_report_data(data):
+    """Validate report save request data"""
+    # Check for required fields
+    required_fields = ['report_type', 'date_range', 'summary', 'details']
+    for field in required_fields:
+        if field not in data:
+            return jsonify({'message': f'Missing required {field} field'}), 400
+    
+    # Validate report_type
+    if data['report_type'] not in VALID_REPORT_TYPES:
+        return jsonify({'message': f'Invalid report_type. Must be one of: {", ".join(VALID_REPORT_TYPES)}'}), 400
+    
+    # Validate date_range
+    if data['date_range'] not in VALID_DATE_RANGES:
+        return jsonify({'message': f'Invalid date_range. Must be one of: {", ".join(VALID_DATE_RANGES)}'}), 400
+    
+    # Validate summary is a dictionary
+    if not isinstance(data['summary'], dict):
+        return jsonify({'message': 'Summary must be a JSON object'}), 400
+    
+    # Validate details is a list
+    if not isinstance(data['details'], list):
+        return jsonify({'message': 'Details must be a JSON array'}), 400
+    
+    # If validation passes, return None
+    return None

From f0867ff006f2f4dd0dd17a09d2e5a7dccc4acee6 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:37:52 +0100
Subject: [PATCH 08/37] refactor: add backend-rebuild target to Makefile for
 streamlined backend management

---
 Makefile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ce392da..e7f6bf0 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,7 @@ DC_DB := docker compose -f $(COMPOSE_DB)
 DC_ALL := docker compose -f $(COMPOSE_DB) -f $(COMPOSE_BACKEND)
 
 .PHONY: db-up db-down db-inspect db-logs db-reset
-.PHONY: backend-build backend-up backend-down backend-logs
+.PHONY: backend-build backend-up backend-down backend-logs backend-rebuild
 .PHONY: up down reset
 
 # Database
@@ -38,6 +38,11 @@ backend-down:
 backend-logs:
 	$(DC_ALL) logs -f backend
 
+backend-rebuild:
+	$(DC_ALL) down
+	$(DC_ALL) build backend
+	$(DC_ALL) up -d --wait
+
 # Combined
 up:
 	$(DC_ALL) up -d --wait

From c23c7e3814c9d2ca144646e37ccced324469ec09 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:38:34 +0100
Subject: [PATCH 09/37] refactor: enhance task management features and
 permissions; add tests for task routes and controller

---
 .../src/api/controllers/tasks_controller.py   | 64 ++++++-------
 .../tests/integration/test_tasks_routes.py    | 93 +++++++++++++++++++
 .../unit/controllers/test_tasks_controller.py |  4 +-
 frontend/src/pages/TaskCreation.jsx           |  6 +-
 frontend/src/pages/TaskDetailsUser.jsx        | 54 +++++------
 frontend/src/pages/TaskList.jsx               | 46 +++++++--
 .../src/tests/pages/TaskDetailsUser.test.jsx  |  6 +-
 frontend/src/tests/pages/TaskList.test.jsx    | 29 +++---
 8 files changed, 214 insertions(+), 88 deletions(-)
 create mode 100644 backend/tests/integration/test_tasks_routes.py

diff --git a/backend/src/api/controllers/tasks_controller.py b/backend/src/api/controllers/tasks_controller.py
index f3cbed2..a5562db 100644
--- a/backend/src/api/controllers/tasks_controller.py
+++ b/backend/src/api/controllers/tasks_controller.py
@@ -5,6 +5,7 @@
 from ...db.models import db, Task, User  # Changed to relative import
 from ...auth.rbac import Role  # Changed to relative import
 from ..validators.task_validator import validate_task_data  # Changed to relative import
+from ...services import audit_service
 from unittest.mock import Mock
 
 MEMBER_ROLES = {
@@ -74,15 +75,8 @@ def get_all_tasks():
     if created_by:
         query = query.filter(Task.created_by == created_by)
     
-    # Apply role-based filtering
-    if user_role in TASK_MANAGER_ROLES:
-        # Team leads and admins can see all tasks for assignment and reporting.
-        tasks = query.all()
-    else:
-        # Developers can only see tasks assigned to them or created by them.
-        tasks = query.filter(
-            (Task.assigned_to == user_id) | (Task.created_by == user_id)
-        ).all()
+    # Apply role-based filtering - Developers can now see all tasks as well
+    tasks = query.all()
     
     # Convert tasks to JSON response
     tasks_data = [_serialize_task(task) for task in tasks]
@@ -97,11 +91,7 @@ def get_task_by_id(task_id):
     
     task = Task.query.get_or_404(task_id)
     
-    # Apply role-based access control
-    if (user_role in MEMBER_ROLES and 
-        task.assigned_to != user_id and task.created_by != user_id):
-        return jsonify({'message': 'You do not have permission to view this task'}), 403
-    
+    # Authenticated users can view any task
     # Format task data
     task_data = _serialize_task(task)
     
@@ -164,17 +154,16 @@ def create_new_task():
         project_id = int(project_id)
     
     # Create new task
-    new_task = Task(
-        title=data['title'],
-        description=data['description'],
-        status=data['status'],
-        priority=data.get('priority', 'medium'),
-        progress=data.get('progress', 0),
-        assigned_to=assigned_to,
-        created_by=user_id,
-        deadline=data.get('deadline'),
-        project_id=project_id
-    )
+    new_task = Task()
+    new_task.title = data['title']
+    new_task.description = data['description']
+    new_task.status = data['status']
+    new_task.priority = data.get('priority', 'medium')
+    new_task.progress = data.get('progress', 0)
+    new_task.assigned_to = assigned_to
+    new_task.created_by = user_id
+    new_task.deadline = data.get('deadline')
+    new_task.project_id = project_id
     
     db.session.add(new_task)
     db.session.commit()
@@ -198,14 +187,11 @@ def update_task_by_id(task_id):
     task = Task.query.get_or_404(task_id)
     
     # Check if user has permission to update this task
-    can_update_task = user_role == Role.ADMIN.value or task.assigned_to == user_id
+    # Admins and Team Leads can update any task (can_update_any_task)
+    can_update_task = user_role in TASK_MANAGER_ROLES or task.assigned_to == user_id
     can_assign_task = user_role in TASK_MANAGER_ROLES
 
-    if not can_update_task and not can_assign_task:
-        return jsonify({'message': 'You can only update tasks assigned to you'}), 403
-
-    non_assignment_fields = {'title', 'description', 'status', 'progress', 'priority'} & set(data.keys())
-    if non_assignment_fields and not can_update_task:
+    if not can_update_task:
         return jsonify({'message': 'You can only update tasks assigned to you'}), 403
     
     # Update allowed fields
@@ -220,10 +206,12 @@ def update_task_by_id(task_id):
     if 'priority' in data:
         task.priority = data['priority']
     
-    if 'assigned_to' in data and can_assign_task:
-        task.assigned_to = data['assigned_to']
-    elif 'assigned_to' in data:
-        return jsonify({'message': 'You do not have permission to assign tasks'}), 403
+    if 'assigned_to' in data:
+        # Only TL or Admins can change the assignee
+        if can_assign_task:
+            task.assigned_to = data['assigned_to']
+        elif data['assigned_to'] != task.assigned_to:
+            return jsonify({'message': 'You do not have permission to reassign tasks'}), 403
     
     db.session.commit()
     
@@ -245,4 +233,10 @@ def delete_task_by_id(task_id):
     db.session.delete(task)
     db.session.commit()
     
+    audit_service.record(
+        action='task_deleted',
+        resource_type='task',
+        resource_id=task_id
+    )
+    
     return jsonify({'message': 'Task deleted successfully'})
diff --git a/backend/tests/integration/test_tasks_routes.py b/backend/tests/integration/test_tasks_routes.py
new file mode 100644
index 0000000..6eda786
--- /dev/null
+++ b/backend/tests/integration/test_tasks_routes.py
@@ -0,0 +1,93 @@
+"""Tests for task routes — Team Lead can update any task field."""
+import os
+import sys
+
+import pytest
+from unittest.mock import MagicMock
+from flask_jwt_extended import create_access_token
+
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../..')))
+
+from src.app import create_app
+from src.api.routes import tasks_routes
+
+
+@pytest.fixture
+def app_and_socket(monkeypatch):
+    monkeypatch.setenv('FLASK_ENV', 'testing')
+    app, socketio = create_app({
+        'TESTING': True,
+        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
+        'JWT_SECRET_KEY': 'test-secret-key-tasks-routes-32ch',
+        'JWT_COOKIE_SECURE': False,
+        'JWT_COOKIE_SAMESITE': 'Lax',
+    })
+    return app, socketio
+
+
+@pytest.fixture
+def app(app_and_socket):
+    app, _ = app_and_socket
+    return app
+
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+
+def auth_headers(app, role, user_id=1):
+    with app.app_context():
+        token = create_access_token(
+            identity={'user_id': user_id},
+            additional_claims={'role': role}
+        )
+    return {'Authorization': f'Bearer {token}'}
+
+
+def test_team_lead_can_update_task(client, app, monkeypatch):
+    """Team Lead should reach the update handler."""
+    handler = MagicMock(return_value=({'message': 'Task updated'}, 200))
+    monkeypatch.setattr(tasks_routes, 'update_task_by_id', handler)
+
+    resp = client.put(
+        '/api/v1/tasks/1',
+        headers=auth_headers(app, 'team_lead'),
+        json={'title': 'Updated Title', 'priority': 'high'}
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(1)
+
+
+def test_admin_can_update_task(client, app, monkeypatch):
+    """Admin should reach the update handler."""
+    handler = MagicMock(return_value=({'message': 'Task updated'}, 200))
+    monkeypatch.setattr(tasks_routes, 'update_task_by_id', handler)
+
+    resp = client.put(
+        '/api/v1/tasks/1',
+        headers=auth_headers(app, 'admin'),
+        json={'title': 'Updated by Admin'}
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(1)
+
+
+def test_developer_can_update_own_assigned_task(client, app, monkeypatch):
+    """Developer should reach the update handler (controller enforces ownership)."""
+    handler = MagicMock(return_value=({'message': 'Task updated'}, 200))
+    monkeypatch.setattr(tasks_routes, 'update_task_by_id', handler)
+
+    resp = client.put(
+        '/api/v1/tasks/1',
+        headers=auth_headers(app, 'developer'),
+        json={'status': 'in_progress'}
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(1)
+
+
+def test_unauthenticated_cannot_update_task(client):
+    """Unauthenticated requests must be rejected."""
+    resp = client.put('/api/v1/tasks/1', json={'title': 'hack'})
+    assert resp.status_code == 401
diff --git a/backend/tests/unit/controllers/test_tasks_controller.py b/backend/tests/unit/controllers/test_tasks_controller.py
index 74f186a..e8f3dcf 100644
--- a/backend/tests/unit/controllers/test_tasks_controller.py
+++ b/backend/tests/unit/controllers/test_tasks_controller.py
@@ -110,8 +110,8 @@ def test_get_all_tasks_developer(app, mock_jwt_identity, mock_jwt):
             # Call the function
             response = get_all_tasks()
             
-            # Assert that filter was called (developer can only see their tasks)
-            mock_query.filter.assert_called_once()
+            # Assert that all() was called on the query (developers can now see all tasks)
+            mock_query.all.assert_called_once()
             
             # Assert the results
             data = response.get_json()
diff --git a/frontend/src/pages/TaskCreation.jsx b/frontend/src/pages/TaskCreation.jsx
index cfaf036..ba4a2df 100644
--- a/frontend/src/pages/TaskCreation.jsx
+++ b/frontend/src/pages/TaskCreation.jsx
@@ -61,9 +61,9 @@ const TaskCreation = () => {
   };
 
   return (
-    <div className="min-h-screen bg-slate-950 text-slate-100">
-      <div className="container mx-auto p-6 max-w-4xl">
-        <h1 className="text-2xl font-bold mb-6">Create New Task</h1>
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <h1 className="text-2xl font-bold mb-10 text-slate-100">Create New Task</h1>
       
         {error && (
           <div className="bg-rose-500/10 border border-rose-400/40 text-rose-200 px-4 py-3 rounded mb-4">
diff --git a/frontend/src/pages/TaskDetailsUser.jsx b/frontend/src/pages/TaskDetailsUser.jsx
index 87ebc68..fb83150 100644
--- a/frontend/src/pages/TaskDetailsUser.jsx
+++ b/frontend/src/pages/TaskDetailsUser.jsx
@@ -23,7 +23,6 @@ function TaskDetailsUser() {
   const [githubLinks, setGithubLinks] = useState([]);
   const [loadingIssues, setLoadingIssues] = useState(false);
   const [loadingRepos, setLoadingRepos] = useState(false);
-  const [showGithubLink, setShowGithubLink] = useState(false);
   
   // Comments state
   const [comments, setComments] = useState([]);
@@ -38,7 +37,9 @@ function TaskDetailsUser() {
   const [savingTaskEdit, setSavingTaskEdit] = useState(false);
   const [editError, setEditError] = useState(null);
 
-  const canEditTask = currentUser?.role === 'admin' || currentUser?.role === 'team_lead';
+  const isManager = currentUser?.role === 'admin' || currentUser?.role === 'team_lead';
+  const isAssigned = task?.assigned_to === currentUser?.id;
+  const canEditTask = isManager || isAssigned;
 
   useEffect(() => {
     const fetchTaskDetails = async () => {
@@ -77,7 +78,6 @@ function TaskDetailsUser() {
         console.error('Failed to fetch repositories:', err);
         setRepositories([]);
       } finally {
-        setShowGithubLink(true);
         setLoadingRepos(false);
       }
     };
@@ -211,7 +211,6 @@ function TaskDetailsUser() {
   };
 
   const handleOpenGithubLink = async () => {
-    setShowGithubLink(true);
     if (repositories.length === 0) {
       setLoadingRepos(true);
       try {
@@ -311,9 +310,9 @@ function TaskDetailsUser() {
   }
 
   return (
-    <div className="min-h-screen bg-slate-950 text-slate-100">
-      <div className="container mx-auto p-4 md:p-6 max-w-4xl">
-        <div className="bg-slate-900/70 rounded-2xl border border-slate-800/70 overflow-hidden">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="bg-slate-900/70 rounded-2xl border border-slate-800/70 overflow-hidden shadow-md backdrop-blur-sm">
         {/* Task Header */}
         <div className="bg-slate-900/90 text-slate-100 p-6 border-b border-slate-800/70">
           <div className="flex justify-between items-start">
@@ -425,15 +424,15 @@ function TaskDetailsUser() {
             </div>
           </div>
           
-          {/* Progress Update (if task is not completed) */}
-          {task.status !== 'completed' && task.status !== 'done' && (
+          {/* Progress Update (if task is not completed and user can edit) */}
+          {task.status !== 'completed' && task.status !== 'done' && canEditTask && (
             <div className="mb-8">
               <h2 className="text-xl font-semibold mb-4 text-slate-100">Update Progress</h2>
               <div className="bg-slate-950/60 rounded-xl border border-slate-800/70 p-4">
                 <ProgressBar 
                   progress={task.progress || 0}
                   onChange={handleProgressUpdate}
-                  disabled={updateLoading}
+                  disabled={updateLoading || (currentUser.role === 'developer' && !isAssigned)}
                 />
               </div>
             </div>
@@ -480,21 +479,20 @@ function TaskDetailsUser() {
               
               {/* Link new GitHub Issue */}
               <div>
-                <h3 className="font-semibold mb-3 text-slate-100">Link GitHub Issue:</h3>
-                {repositories.length > 0 ? (
+                {canEditTask && repositories.length > 0 ? (
                   <>
-                    <div className="flex flex-col md:flex-row md:items-center gap-2">
+                    <h3 className="font-semibold mb-3 text-slate-100">Link GitHub Issue:</h3>
+                    <div className="flex flex-col sm:flex-row gap-3">
                       <div className="flex-1">
                         <select 
                           className="w-full p-2 border border-slate-700/60 rounded bg-slate-950/60 text-slate-100"
                           value={selectedRepo}
                           onChange={(e) => handleRepoSelect(e.target.value)}
-                          disabled={updateLoading}
                         >
                           <option value="">Select Repository</option>
                           {repositories.map((repo) => (
                             <option key={repo.id} value={repo.id}>
-                              {repo.full_name}
+                              {repo.full_name || repo.name}
                             </option>
                           ))}
                         </select>
@@ -522,11 +520,21 @@ function TaskDetailsUser() {
                       </div>
                     </div>
                   </>
-                ) : (
+                ) : canEditTask ? (
                   <div className="text-center py-4">
                     {loadingRepos ? (
                       <p className="text-slate-400">Loading repositories...</p>
-                    ) : !showGithubLink ? (
+                    ) : repositories.length === 0 ? (
+                      <>
+                        <p className="text-slate-400 mb-4">Connect your GitHub account to link issues</p>
+                        <a 
+                          href="/github" 
+                          className="px-4 py-2 rounded-full bg-rose-500/90 text-white hover:bg-rose-400"
+                        >
+                          Connect GitHub Account
+                        </a>
+                      </>
+                    ) : (
                       <>
                         <p className="text-slate-400 mb-4">Load your GitHub repositories to link issues</p>
                         <button 
@@ -537,18 +545,10 @@ function TaskDetailsUser() {
                           {loadingRepos ? 'Loading...' : 'Load Repositories'}
                         </button>
                       </>
-                    ) : (
-                      <>
-                        <p className="text-slate-400 mb-4">Connect your GitHub account to link issues</p>
-                        <a 
-                          href="/github" 
-                          className="px-4 py-2 rounded-full bg-rose-500/90 text-white hover:bg-rose-400"
-                        >
-                          Connect GitHub Account
-                        </a>
-                      </>
                     )}
                   </div>
+                ) : (
+                  <p className="text-sm text-slate-500 italic text-center py-4">Only the assignee can link GitHub items.</p>
                 )}
               </div>
             </div>
diff --git a/frontend/src/pages/TaskList.jsx b/frontend/src/pages/TaskList.jsx
index e0de0f6..429dbec 100644
--- a/frontend/src/pages/TaskList.jsx
+++ b/frontend/src/pages/TaskList.jsx
@@ -5,6 +5,8 @@ import { useAuth } from '../context/AuthContext';
 import LoadingSpinner from '../components/LoadingSpinner';
 
 const TaskList = () => {
+  const navigate = useNavigate();
+  const { currentUser } = useAuth();
   const [tasks, setTasks] = useState([]);
   const [loading, setLoading] = useState(true);
   const [updating, setUpdating] = useState(false);
@@ -12,11 +14,10 @@ const TaskList = () => {
   const [filters, setFilters] = useState({
     status: 'all',
     priority: 'all',
-    search: ''
+    search: '',
+    scope: 'all'
   });
   
-  const navigate = useNavigate();
-  const { currentUser } = useAuth();
   const canCreateTasks = currentUser?.role === 'admin' || currentUser?.role === 'team_lead';
 
   // Fetch tasks when component mounts
@@ -124,6 +125,11 @@ const TaskList = () => {
       return false;
     }
     
+    // Filter by scope (My Tasks vs All Tasks)
+    if (filters.scope === 'my' && task.assigned_to !== currentUser?.id) {
+      return false;
+    }
+    
     return true;
   });
 
@@ -136,9 +142,9 @@ const TaskList = () => {
   }
 
   return (
-    <div className="bg-slate-950 min-h-screen p-4 md:p-6 text-slate-100">
-      <div className="max-w-7xl mx-auto">
-        <div className="bg-slate-900/70 rounded-2xl border border-slate-800/70 p-6 mb-6">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="bg-slate-900/70 rounded-2xl border border-slate-800/70 p-6 mb-10 shadow-md backdrop-blur-sm">
           <div className="flex flex-col md:flex-row md:justify-between md:items-center mb-6">
             <h1 className="text-2xl font-bold mb-4 md:mb-0 text-slate-100">Tasks</h1>
             <div className="flex flex-col md:flex-row gap-4">
@@ -235,6 +241,32 @@ const TaskList = () => {
               />
             </div>
           </div>
+
+          {/* Scope Toggle for Developers */}
+          <div className="mb-6 flex justify-end">
+            <div className="inline-flex bg-slate-950/60 border border-slate-800 p-1 rounded-xl shadow-inner">
+              <button
+                onClick={() => setFilters({...filters, scope: 'my'})}
+                className={`px-6 py-2 text-xs font-bold uppercase tracking-widest rounded-lg transition-all ${
+                  filters.scope === 'my' 
+                    ? 'bg-rose-500 text-white shadow-lg shadow-rose-500/20' 
+                    : 'text-slate-500 hover:text-slate-300'
+                }`}
+              >
+                My Tasks
+              </button>
+              <button
+                onClick={() => setFilters({...filters, scope: 'all'})}
+                className={`px-6 py-2 text-xs font-bold uppercase tracking-widest rounded-lg transition-all ${
+                  filters.scope === 'all' 
+                    ? 'bg-slate-900 text-white border border-slate-800' 
+                    : 'text-slate-500 hover:text-slate-300'
+                }`}
+              >
+                All Tasks
+              </button>
+            </div>
+          </div>
           
           {/* Task List */}
           {filteredTasks.length === 0 ? (
@@ -346,7 +378,7 @@ const TaskList = () => {
                                 e.stopPropagation();
                                 handleUpdateStatus(task.id, e.target.value);
                               }}
-                              disabled={updating}
+                              disabled={updating || (currentUser.role === 'developer' && task.assigned_to !== currentUser.id)}
                               className="text-sm border-slate-700/60 rounded-md bg-slate-950/60 text-slate-100 focus:outline-none focus:ring-rose-400/60 focus:border-rose-400/60 mr-2"
                             >
                               <option value="todo">To Do</option>
diff --git a/frontend/src/tests/pages/TaskDetailsUser.test.jsx b/frontend/src/tests/pages/TaskDetailsUser.test.jsx
index 3f562d9..0f086f6 100644
--- a/frontend/src/tests/pages/TaskDetailsUser.test.jsx
+++ b/frontend/src/tests/pages/TaskDetailsUser.test.jsx
@@ -56,6 +56,7 @@ describe('TaskDetailsUser page', () => {
     progress: 40,
     priority: 'high',
     assignee_name: 'Dev User',
+    assigned_to: 5,
     created_at: '2099-01-01T00:00:00.000Z',
     deadline: '2099-02-01T00:00:00.000Z',
     github_links: [],
@@ -357,6 +358,7 @@ describe('TaskDetailsUser page', () => {
   test('Connect GitHub account link shown when no repos available', async () => {
     taskService.getTaskComments.mockResolvedValue([]);
     githubService.getUserRepos.mockResolvedValue([]);
+    useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer', name: 'Dev User', email: 'dev@example.com' } });
 
     render(<TaskDetailsUser />);
     expect(await screen.findByText(/Connect GitHub Account/i)).toBeInTheDocument();
@@ -407,8 +409,8 @@ describe('TaskDetailsUser page', () => {
     expect(await screen.findByText('Updated notifications task')).toBeInTheDocument();
   });
 
-  test('hides edit task button for non-admin and non-team-lead users', async () => {
-    useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer', name: 'Dev User', email: 'dev@example.com' } });
+  test('hides edit task button for non-admin and non-team-lead users who are not assigned', async () => {
+    useAuth.mockReturnValue({ currentUser: { id: 999, role: 'developer', name: 'Other User', email: 'other@example.com' } });
 
     render(<TaskDetailsUser />);
 
diff --git a/frontend/src/tests/pages/TaskList.test.jsx b/frontend/src/tests/pages/TaskList.test.jsx
index 809597f..08a184d 100644
--- a/frontend/src/tests/pages/TaskList.test.jsx
+++ b/frontend/src/tests/pages/TaskList.test.jsx
@@ -49,6 +49,7 @@ describe('TaskList page', () => {
         status: 'todo',
         priority: 'high',
         progress: 10,
+        assigned_to: 5,
         deadline: '2099-02-01T00:00:00.000Z',
       },
       {
@@ -58,6 +59,7 @@ describe('TaskList page', () => {
         status: 'in_progress',
         priority: 'medium',
         progress: 60,
+        assigned_to: 5,
         deadline: '2099-02-03T00:00:00.000Z',
       },
     ]);
@@ -131,6 +133,7 @@ describe('TaskList page', () => {
         status: 'in_progress',
         priority: 'high',
         progress: 20,
+        assigned_to: 5,
         deadline: '2000-01-01T00:00:00.000Z', // past deadline
       },
       {
@@ -140,6 +143,7 @@ describe('TaskList page', () => {
         status: 'completed',
         priority: 'low',
         progress: 100,
+        assigned_to: 5,
         deadline: '2000-01-01T00:00:00.000Z', // past but completed — no overdue badge
       },
     ]);
@@ -159,6 +163,7 @@ describe('TaskList page', () => {
         status: 'todo',
         priority: 'medium',
         progress: 0,
+        assigned_to: 5,
         deadline: null,
       },
     ]);
@@ -173,10 +178,10 @@ describe('TaskList page', () => {
   test('renders all priority badge variants and progress colour thresholds', async () => {
     useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer' } });
     taskService.getAllTasks.mockResolvedValue([
-      { id: 1, title: 'High P',   status: 'todo',        priority: 'high',   progress: 100, deadline: null },
-      { id: 2, title: 'Med P',    status: 'in_progress', priority: 'medium', progress: 60,  deadline: null },
-      { id: 3, title: 'Low P',    status: 'review',      priority: 'low',    progress: 25,  deadline: null },
-      { id: 4, title: 'Unknown P',status: 'backlog',     priority: 'other',  progress: 0,   deadline: null },
+      { id: 1, title: 'High P',   status: 'todo',        priority: 'high',   progress: 100, assigned_to: 5, deadline: null },
+      { id: 2, title: 'Med P',    status: 'in_progress', priority: 'medium', progress: 60,  assigned_to: 5, deadline: null },
+      { id: 3, title: 'Low P',    status: 'review',      priority: 'low',    progress: 25,  assigned_to: 5, deadline: null },
+      { id: 4, title: 'Unknown P',status: 'backlog',     priority: 'other',  progress: 0,   assigned_to: 5, deadline: null },
     ]);
 
     render(<TaskList />);
@@ -196,11 +201,11 @@ describe('TaskList page', () => {
   test('renders all status badge variants including unknown', async () => {
     useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer' } });
     taskService.getAllTasks.mockResolvedValue([
-      { id: 1, title: 'T1', status: 'todo',        priority: 'low', progress: 0, deadline: null },
-      { id: 2, title: 'T2', status: 'backlog',     priority: 'low', progress: 0, deadline: null },
-      { id: 3, title: 'T3', status: 'review',      priority: 'low', progress: 0, deadline: null },
-      { id: 4, title: 'T4', status: 'completed',   priority: 'low', progress: 0, deadline: null },
-      { id: 5, title: 'T5', status: 'new_status',  priority: 'low', progress: 0, deadline: null },
+      { id: 1, title: 'T1', status: 'todo',        priority: 'low', progress: 0, assigned_to: 5, deadline: null },
+      { id: 2, title: 'T2', status: 'backlog',     priority: 'low', progress: 0, assigned_to: 5, deadline: null },
+      { id: 3, title: 'T3', status: 'review',      priority: 'low', progress: 0, assigned_to: 5, deadline: null },
+      { id: 4, title: 'T4', status: 'completed',   priority: 'low', progress: 0, assigned_to: 5, deadline: null },
+      { id: 5, title: 'T5', status: 'new_status',  priority: 'low', progress: 0, assigned_to: 5, deadline: null },
     ]);
 
     render(<TaskList />);
@@ -215,7 +220,7 @@ describe('TaskList page', () => {
   test('clear-filters button is shown when a filter is active, hidden when none', async () => {
     useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer' } });
     taskService.getAllTasks.mockResolvedValue([
-      { id: 1, title: 'Alpha', status: 'todo', priority: 'high', progress: 0, deadline: null },
+      { id: 1, title: 'Alpha', status: 'todo', priority: 'high', progress: 0, assigned_to: 5, deadline: null },
     ]);
 
     render(<TaskList />);
@@ -234,7 +239,7 @@ describe('TaskList page', () => {
   test('updating task status fails and shows update error', async () => {
     useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer' } });
     taskService.getAllTasks.mockResolvedValue([
-      { id: 1, title: 'Failing Task', status: 'todo', priority: 'medium', progress: 0, deadline: null },
+      { id: 1, title: 'Failing Task', status: 'todo', priority: 'medium', progress: 0, assigned_to: 5, deadline: null },
     ]);
     taskService.updateTask.mockRejectedValue(new Error('update failed'));
 
@@ -265,7 +270,7 @@ describe('TaskList page', () => {
   test('clicking a task row navigates to task detail', async () => {
     useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer' } });
     taskService.getAllTasks.mockResolvedValue([
-      { id: 7, title: 'Clickable Task', status: 'todo', priority: 'low', progress: 0, deadline: null },
+      { id: 7, title: 'Clickable Task', status: 'todo', priority: 'low', progress: 0, assigned_to: 5, deadline: null },
     ]);
 
     render(<TaskList />);

From 1a11507b0ec9e97b10ba004240e2b36f6a6fa26f Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:39:15 +0100
Subject: [PATCH 10/37] feat: implement audit log management with API routes
 and frontend integration

---
 .../src/api/controllers/audit_controller.py   |  68 ++++++++
 backend/src/api/routes/audit_routes.py        |  23 +++
 .../integration/test_audit_logs_routes.py     | 105 ++++++++++++
 frontend/src/pages/AdminAuditLogs.jsx         | 161 ++++++++++++++++++
 4 files changed, 357 insertions(+)
 create mode 100644 backend/src/api/controllers/audit_controller.py
 create mode 100644 backend/src/api/routes/audit_routes.py
 create mode 100644 backend/tests/integration/test_audit_logs_routes.py
 create mode 100644 frontend/src/pages/AdminAuditLogs.jsx

diff --git a/backend/src/api/controllers/audit_controller.py b/backend/src/api/controllers/audit_controller.py
new file mode 100644
index 0000000..8c996ea
--- /dev/null
+++ b/backend/src/api/controllers/audit_controller.py
@@ -0,0 +1,68 @@
+"""Audit Log Controller"""
+
+from flask import request, jsonify
+from ...db.models import AuditLog
+
+def get_audit_logs():
+    """Get paginated and filtered audit logs"""
+    action = request.args.get('action')
+    actor_id = request.args.get('actor')
+    from_date = request.args.get('from')
+    to_date = request.args.get('to')
+    
+    page = request.args.get('page', 1, type=int)
+    per_page = request.args.get('per_page', 50, type=int)
+    
+    query = AuditLog.query
+    
+    if action:
+        query = query.filter(AuditLog.action.ilike(f'%{action}%'))
+    if actor_id:
+        query = query.filter_by(actor_user_id=actor_id)
+    if from_date:
+        query = query.filter(AuditLog.created_at >= from_date)
+    if to_date:
+        query = query.filter(AuditLog.created_at <= to_date)
+        
+    pagination = query.order_by(AuditLog.created_at.desc()).paginate(
+        page=page, per_page=per_page, error_out=False
+    )
+    
+    logs_data = [{
+        'id': log.id,
+        'actor_user_id': log.actor_user_id,
+        'actor_role': log.actor_role,
+        'action': log.action,
+        'resource_type': log.resource_type,
+        'resource_id': log.resource_id,
+        'ip': log.ip,
+        'user_agent': log.user_agent,
+        'metadata': log.metadata_info,
+        'created_at': log.created_at.isoformat() if log.created_at else None
+    } for log in pagination.items]
+    
+    return jsonify({
+        'logs': logs_data,
+        'total': pagination.total,
+        'pages': pagination.pages,
+        'current_page': page
+    })
+
+def get_audit_log_by_id(log_id):
+    """Get a specific audit log"""
+    log = AuditLog.query.get_or_404(log_id)
+    
+    return jsonify({
+        'log': {
+            'id': log.id,
+            'actor_user_id': log.actor_user_id,
+            'actor_role': log.actor_role,
+            'action': log.action,
+            'resource_type': log.resource_type,
+            'resource_id': log.resource_id,
+            'ip': log.ip,
+            'user_agent': log.user_agent,
+            'metadata': log.metadata_info,
+            'created_at': log.created_at.isoformat() if log.created_at else None
+        }
+    })
diff --git a/backend/src/api/routes/audit_routes.py b/backend/src/api/routes/audit_routes.py
new file mode 100644
index 0000000..f892134
--- /dev/null
+++ b/backend/src/api/routes/audit_routes.py
@@ -0,0 +1,23 @@
+"""Audit Log API routes"""
+
+from flask import request
+from flask_jwt_extended import jwt_required
+from ..controllers.audit_controller import get_audit_logs, get_audit_log_by_id
+from ..middlewares import admin_required
+
+def register_routes(bp):
+    """Register all audit routes with the provided Blueprint"""
+    
+    @bp.route('/admin/audit-logs', methods=['GET'])
+    @jwt_required()
+    @admin_required()
+    def get_audit_logs_route():
+        """Route to get all audit logs (Admin only)"""
+        return get_audit_logs()
+        
+    @bp.route('/admin/audit-logs/<int:log_id>', methods=['GET'])
+    @jwt_required()
+    @admin_required()
+    def get_audit_log_route(log_id):
+        """Route to get a single audit log (Admin only)"""
+        return get_audit_log_by_id(log_id)
diff --git a/backend/tests/integration/test_audit_logs_routes.py b/backend/tests/integration/test_audit_logs_routes.py
new file mode 100644
index 0000000..994ccb6
--- /dev/null
+++ b/backend/tests/integration/test_audit_logs_routes.py
@@ -0,0 +1,105 @@
+"""Tests for audit log route access control, filters, and pagination."""
+import os
+import sys
+
+import pytest
+from unittest.mock import MagicMock
+from flask_jwt_extended import create_access_token
+
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../..')))
+
+from src.app import create_app
+from src.api.routes import audit_routes
+
+
+@pytest.fixture
+def app_and_socket(monkeypatch):
+    monkeypatch.setenv('FLASK_ENV', 'testing')
+    app, socketio = create_app({
+        'TESTING': True,
+        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
+        'JWT_SECRET_KEY': 'test-secret-key-audit-logs-32chars',
+        'JWT_COOKIE_SECURE': False,
+        'JWT_COOKIE_SAMESITE': 'Lax',
+    })
+    return app, socketio
+
+
+@pytest.fixture
+def app(app_and_socket):
+    app, _ = app_and_socket
+    return app
+
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+
+def auth_headers(app, role, user_id=1):
+    with app.app_context():
+        token = create_access_token(
+            identity={'user_id': user_id},
+            additional_claims={'role': role}
+        )
+    return {'Authorization': f'Bearer {token}'}
+
+
+def test_audit_logs_requires_auth(client):
+    """Unauthenticated requests must be rejected."""
+    resp = client.get('/api/v1/admin/audit-logs')
+    assert resp.status_code == 401
+
+
+def test_audit_logs_requires_admin(client, app):
+    """Developer and Team Lead must be denied."""
+    for role in ('developer', 'team_lead'):
+        resp = client.get(
+            '/api/v1/admin/audit-logs',
+            headers=auth_headers(app, role)
+        )
+        assert resp.status_code == 403, f'{role} should be denied'
+
+
+def test_audit_logs_admin_allowed(client, app, monkeypatch):
+    """Admin should reach the handler."""
+    handler = MagicMock(return_value=({
+        'logs': [],
+        'total': 0,
+        'pages': 0,
+        'current_page': 1
+    }, 200))
+    monkeypatch.setattr(audit_routes, 'get_audit_logs', handler)
+
+    resp = client.get(
+        '/api/v1/admin/audit-logs',
+        headers=auth_headers(app, 'admin')
+    )
+    assert resp.status_code == 200
+    data = resp.get_json()
+    assert 'logs' in data
+    handler.assert_called_once()
+
+
+def test_audit_log_detail_requires_admin(client, app):
+    """GET /admin/audit-logs/<id> must require admin."""
+    resp = client.get(
+        '/api/v1/admin/audit-logs/1',
+        headers=auth_headers(app, 'developer')
+    )
+    assert resp.status_code == 403
+
+
+def test_audit_log_detail_admin_allowed(client, app, monkeypatch):
+    """Admin should be able to fetch a single log."""
+    handler = MagicMock(return_value=({
+        'log': {'id': 1, 'action': 'user_login'}
+    }, 200))
+    monkeypatch.setattr(audit_routes, 'get_audit_log_by_id', handler)
+
+    resp = client.get(
+        '/api/v1/admin/audit-logs/1',
+        headers=auth_headers(app, 'admin')
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(1)
diff --git a/frontend/src/pages/AdminAuditLogs.jsx b/frontend/src/pages/AdminAuditLogs.jsx
new file mode 100644
index 0000000..f91810c
--- /dev/null
+++ b/frontend/src/pages/AdminAuditLogs.jsx
@@ -0,0 +1,161 @@
+import { useState, useEffect, useCallback } from 'react';
+import { auditLogService } from '../services/utils/api';
+
+const AdminAuditLogs = () => {
+  const [logs, setLogs] = useState([]);
+  const [total, setTotal] = useState(0);
+  const [pages, setPages] = useState(0);
+  const [page, setPage] = useState(1);
+  const [loading, setLoading] = useState(true);
+  const [actionFilter, setActionFilter] = useState('');
+  const [actorFilter, setActorFilter] = useState('');
+  const [selectedLog, setSelectedLog] = useState(null);
+
+  const perPage = 25;
+
+  const fetchLogs = useCallback(async () => {
+    setLoading(true);
+    try {
+      const filters = { page, per_page: perPage };
+      if (actionFilter) filters.action = actionFilter;
+      if (actorFilter) filters.actor = actorFilter;
+      const data = await auditLogService.getLogs(filters);
+      setLogs(data.logs || []);
+      setTotal(data.total || 0);
+      setPages(data.pages || 0);
+    } catch (err) {
+      console.error('Failed to fetch audit logs', err);
+    } finally {
+      setLoading(false);
+    }
+  }, [page, actionFilter, actorFilter]);
+
+  useEffect(() => { fetchLogs(); }, [fetchLogs]);
+
+  const handleViewDetail = async (logId) => {
+    const detail = await auditLogService.getLogById(logId);
+    setSelectedLog(detail);
+  };
+
+  const actionBadge = (action) => {
+    if (action?.includes('login')) return 'bg-blue-500/20 text-blue-300';
+    if (action?.includes('register')) return 'bg-emerald-500/20 text-emerald-300';
+    if (action?.includes('delete')) return 'bg-rose-500/20 text-rose-300';
+    if (action?.includes('role')) return 'bg-amber-500/20 text-amber-300';
+    return 'bg-slate-500/20 text-slate-300';
+  };
+
+  return (
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <h1 className="text-2xl font-bold mb-10 text-slate-100">Audit Logs</h1>
+
+        {/* Filters */}
+        <div className="flex flex-col sm:flex-row gap-4 mb-6">
+          <input type="text" placeholder="Filter by action..." value={actionFilter}
+            onChange={(e) => { setActionFilter(e.target.value); setPage(1); }}
+            className="flex-1 rounded-lg border border-slate-700/60 bg-slate-900/80 py-2 px-3 text-slate-100 placeholder:text-slate-500 focus:outline-none focus:ring-2 focus:ring-rose-400/60" />
+          <input type="text" placeholder="Filter by actor ID..." value={actorFilter}
+            onChange={(e) => { setActorFilter(e.target.value); setPage(1); }}
+            className="w-40 rounded-lg border border-slate-700/60 bg-slate-900/80 py-2 px-3 text-slate-100 placeholder:text-slate-500 focus:outline-none focus:ring-2 focus:ring-rose-400/60" />
+        </div>
+
+        {/* Table */}
+        {loading ? (
+          <div className="text-center py-12 text-slate-400">Loading audit logs...</div>
+        ) : (
+          <>
+            <div className="overflow-x-auto rounded-xl border border-slate-800/80">
+              <table className="w-full text-left">
+                <thead className="bg-slate-900/80 text-slate-400 text-sm uppercase">
+                  <tr>
+                    <th className="px-4 py-3">Time</th>
+                    <th className="px-4 py-3">Action</th>
+                    <th className="px-4 py-3">Actor</th>
+                    <th className="px-4 py-3">Resource</th>
+                    <th className="px-4 py-3 text-right">Details</th>
+                  </tr>
+                </thead>
+                <tbody className="divide-y divide-slate-800/60">
+                  {logs.map((log) => (
+                    <tr key={log.id} className="hover:bg-slate-800/30 transition">
+                      <td className="px-4 py-3 text-xs text-slate-400 whitespace-nowrap">
+                        {log.created_at ? new Date(log.created_at).toLocaleString() : '—'}
+                      </td>
+                      <td className="px-4 py-3">
+                        <span className={`text-xs px-2 py-1 rounded ${actionBadge(log.action)}`}>
+                          {log.action}
+                        </span>
+                      </td>
+                      <td className="px-4 py-3 text-sm">
+                        {log.actor_user_id ? `User ${log.actor_user_id}` : 'System'}
+                        {log.actor_role && <span className="ml-1 text-xs text-slate-500">({log.actor_role})</span>}
+                      </td>
+                      <td className="px-4 py-3 text-sm text-slate-300">
+                        {log.resource_type || '—'}{log.resource_id ? ` #${log.resource_id}` : ''}
+                      </td>
+                      <td className="px-4 py-3 text-right">
+                        <button onClick={() => handleViewDetail(log.id)}
+                          className="text-xs px-3 py-1 rounded bg-indigo-500/20 text-indigo-300 hover:bg-indigo-500/30 transition">
+                          View
+                        </button>
+                      </td>
+                    </tr>
+                  ))}
+                  {logs.length === 0 && (
+                    <tr><td colSpan="5" className="px-4 py-8 text-center text-slate-500">No audit logs found.</td></tr>
+                  )}
+                </tbody>
+              </table>
+            </div>
+
+            {/* Pagination */}
+            <div className="flex items-center justify-between mt-4 text-sm text-slate-400">
+              <span>Total: {total} entries</span>
+              <div className="flex gap-2">
+                <button disabled={page <= 1} onClick={() => setPage(page - 1)}
+                  className="px-3 py-1 rounded border border-slate-700 disabled:opacity-30 hover:bg-slate-800 transition">Prev</button>
+                <span className="px-3 py-1">Page {page} of {pages || 1}</span>
+                <button disabled={page >= pages} onClick={() => setPage(page + 1)}
+                  className="px-3 py-1 rounded border border-slate-700 disabled:opacity-30 hover:bg-slate-800 transition">Next</button>
+              </div>
+            </div>
+          </>
+        )}
+
+        {/* Detail Drawer */}
+        {selectedLog && (
+          <div className="fixed inset-0 bg-black/60 flex items-center justify-center z-50">
+            <div className="bg-slate-900 border border-slate-700 rounded-xl p-6 w-full max-w-lg max-h-[80vh] overflow-y-auto">
+              <h2 className="text-lg font-semibold mb-4">Audit Log Detail</h2>
+              <dl className="space-y-3 text-sm">
+                {[['ID', selectedLog.id], ['Action', selectedLog.action], ['Actor', selectedLog.actor_user_id],
+                  ['Role', selectedLog.actor_role], ['Resource', `${selectedLog.resource_type || ''} ${selectedLog.resource_id || ''}`],
+                  ['IP', selectedLog.ip], ['User Agent', selectedLog.user_agent],
+                  ['Timestamp', selectedLog.created_at ? new Date(selectedLog.created_at).toLocaleString() : '—']
+                ].map(([label, val]) => (
+                  <div key={label} className="flex justify-between">
+                    <dt className="text-slate-400">{label}</dt>
+                    <dd className="text-slate-200 text-right max-w-xs truncate">{val || '—'}</dd>
+                  </div>
+                ))}
+                {selectedLog.metadata && (
+                  <div>
+                    <dt className="text-slate-400 mb-1">Metadata</dt>
+                    <dd><pre className="text-xs bg-slate-950 p-2 rounded overflow-x-auto">{JSON.stringify(selectedLog.metadata, null, 2)}</pre></dd>
+                  </div>
+                )}
+              </dl>
+              <div className="mt-6 text-right">
+                <button onClick={() => setSelectedLog(null)}
+                  className="px-4 py-2 rounded-lg border border-slate-600 text-slate-300 hover:bg-slate-800 transition">Close</button>
+              </div>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+};
+
+export default AdminAuditLogs;

From c51f99c634123d805c12d43a52c17b568de995af Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:39:35 +0100
Subject: [PATCH 11/37] refactor: enhance GitHub integration routes with
 role-based access control and update frontend styling

---
 backend/src/api/routes/github_routes.py         | 4 ++++
 backend/tests/unit/routes/test_github_routes.py | 5 ++++-
 frontend/src/pages/GitHubIntegration.jsx        | 8 ++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/backend/src/api/routes/github_routes.py b/backend/src/api/routes/github_routes.py
index 258b8d0..174a337 100644
--- a/backend/src/api/routes/github_routes.py
+++ b/backend/src/api/routes/github_routes.py
@@ -20,6 +20,8 @@
     delete_task_github_link,
 )
 from ..middlewares.validation_middleware import validate_json
+from ..middlewares import role_required
+from ...auth.rbac import Role, require_permission
 from ...db.models import db, User, GitHubToken
 from ...services.github_client import GitHubClient
 
@@ -133,6 +135,8 @@ def repositories_list():
     
     @bp.route('/github/repositories', methods=['POST'])
     @jwt_required()
+    @role_required([Role.ADMIN])
+    @require_permission('can_link_github_repos')
     @validate_json()
     def add_repository():
         """Route to add a GitHub repository for tracking"""
diff --git a/backend/tests/unit/routes/test_github_routes.py b/backend/tests/unit/routes/test_github_routes.py
index ad6c5f1..f865ddd 100644
--- a/backend/tests/unit/routes/test_github_routes.py
+++ b/backend/tests/unit/routes/test_github_routes.py
@@ -21,7 +21,10 @@ def app(monkeypatch):
     app.config['JWT_SECRET_KEY'] = 'jwt-secret-key'
 
     monkeypatch.setattr(github_routes, 'jwt_required', passthrough_decorator)
-    monkeypatch.setattr(github_routes, 'validate_json', passthrough_decorator)
+    monkeypatch.setattr(github_routes, 'validate_json', passthrough_decorator, raising=False)
+    monkeypatch.setattr(github_routes, 'admin_required', passthrough_decorator, raising=False)
+    monkeypatch.setattr(github_routes, 'role_required', passthrough_decorator, raising=False)
+    monkeypatch.setattr(github_routes, 'require_permission', passthrough_decorator, raising=False)
 
     bp = Blueprint('api', __name__, url_prefix='/api/v1')
     github_routes.register_routes(bp)
diff --git a/frontend/src/pages/GitHubIntegration.jsx b/frontend/src/pages/GitHubIntegration.jsx
index 4478940..aa625a9 100644
--- a/frontend/src/pages/GitHubIntegration.jsx
+++ b/frontend/src/pages/GitHubIntegration.jsx
@@ -331,10 +331,10 @@ const GitHubIntegration = () => {
   }
   
   return (
-    <div className="min-h-screen bg-slate-950 text-slate-100">
-      <div className="container mx-auto p-4 md:p-8">
-        <div className="mb-8">
-          <h1 className="text-2xl font-bold mb-4">GitHub Integration</h1>
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="mb-10">
+          <h1 className="text-2xl font-bold mb-6 text-slate-100">GitHub Integration</h1>
         
         {connectionStatus.rateLimitError ? renderRateLimitError() : connectionStatus.error && (
           <div className="bg-rose-500/10 border border-rose-400/40 text-rose-200 px-4 py-3 rounded mb-4">

From 0526b8465568af834c65d7cc1c0c031db5a36481 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:44:15 +0100
Subject: [PATCH 12/37] refactor: enhance authentication validation and role
 management; add Forbidden page and RBAC utilities

---
 backend/src/api/validators/auth_validator.py  |  26 +--
 backend/src/auth/auth.py                      | 189 +++++-------------
 backend/src/auth/rbac.py                      |  65 +++++-
 .../test_role_access_integration.py           |  30 ++-
 frontend/src/pages/Forbidden.jsx              |  30 +++
 frontend/src/utils/rbac.js                    |  49 +++++
 6 files changed, 218 insertions(+), 171 deletions(-)
 create mode 100644 frontend/src/pages/Forbidden.jsx
 create mode 100644 frontend/src/utils/rbac.js

diff --git a/backend/src/api/validators/auth_validator.py b/backend/src/api/validators/auth_validator.py
index 4a2c37c..d719751 100644
--- a/backend/src/api/validators/auth_validator.py
+++ b/backend/src/api/validators/auth_validator.py
@@ -9,29 +9,29 @@ def validate_login_data(data):
     if not all(k in data for k in ['email', 'password']):
         return jsonify({'message': 'Email and password required'}), 400
     
-    # Validate email format
-    email_pattern = r'^[\w\.-]+@[\w\.-]+\.\w+$'
+    # Relaxed email pattern to support plus signs, subdomains, etc.
+    email_pattern = r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'
     if not re.match(email_pattern, data['email']):
         return jsonify({'message': 'Invalid email format'}), 400
     
     return None
 
 def validate_registration_data(data):
-    """Validate user registration data"""
-    if not all(k in data for k in ['name', 'email', 'password', 'role']):
+    """Validate user registration data.
+
+    Note: the ``role`` field is **not** required.  The backend always forces
+    new registrations to the ``developer`` role for security.
+    """
+    if not all(k in data for k in ['name', 'email', 'password']):
         return jsonify({'message': 'Missing required fields'}), 400
-    
-    # Validate email format
-    email_pattern = r'^[\w\.-]+@[\w\.-]+\.\w+$'
+
+    # Relaxed email pattern to support plus signs, subdomains, etc.
+    email_pattern = r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'
     if not re.match(email_pattern, data['email']):
         return jsonify({'message': 'Invalid email format'}), 400
-    
+
     # Validate password length
     if len(data['password']) < 8:
         return jsonify({'message': 'Password must be at least 8 characters long'}), 400
-    
-    valid_roles = [role.value for role in Role]
-    if data['role'] not in valid_roles:
-        return jsonify({'message': f'Role must be one of: {", ".join(valid_roles)}'}), 400
-    
+
     return None
diff --git a/backend/src/auth/auth.py b/backend/src/auth/auth.py
index 87606fb..a93c968 100644
--- a/backend/src/auth/auth.py
+++ b/backend/src/auth/auth.py
@@ -4,55 +4,67 @@
 from flask_jwt_extended import (
     jwt_required, get_jwt_identity, get_jwt, 
     set_access_cookies, set_refresh_cookies, unset_jwt_cookies,
-    create_access_token  # Added missing import
+    create_access_token
 )
 from sqlalchemy.exc import IntegrityError
 
 from ..db.models import db, User  # Fix import path
 from .helpers import hash_password, verify_password, generate_tokens
 from .rbac import Role
+from ..services import audit_service, settings_service
 
-auth_bp = Blueprint('auth', __name__)
 
+def register_user():
+    """Function to register a new user.
 
-def _validate_role(role):
-    valid_roles = [item.value for item in Role]
-    if role not in valid_roles:
-        return jsonify({'message': f'Role must be one of: {", ".join(valid_roles)}'}), 400
-    return None
-
-@auth_bp.route('/register', methods=['POST'])
-def register():
+    Security: the role field from the request body is **ignored**.
+    All new accounts are created with the 'developer' role.
+    Admins can promote users after registration via PUT /admin/users/<id>/role.
+    """
     data = request.get_json()
-    
-    # Validate required fields
-    if not all(k in data for k in ['name', 'email', 'password', 'role']):
+
+    # Validate required fields (role is no longer required from the client)
+    if not all(k in data for k in ['name', 'email', 'password']):
         return jsonify({'message': 'Missing required fields'}), 400
 
-    role_validation = _validate_role(data['role'])
-    if role_validation:
-        return role_validation
-    
     # Check if email already exists
     existing_user = User.query.filter_by(email=data['email']).first()
     if existing_user:
         return jsonify({'message': 'Email already registered'}), 409
-    
-    # Create new user
+
+    # If this is the very first user, automatically make them an admin
+    user_count = User.query.count()
+    if user_count == 0:
+        forced_role = Role.ADMIN.value
+        print(f"First user registration detected! Automatically granting admin role to {data['email']}")
+    else:
+        # Otherwise get default role from settings
+        forced_role = settings_service.get_default_role()
+        
+    print(f"Registering user: {data['email']} with role: {forced_role} (ignoring any client-supplied role)")
+
     try:
         new_user = User(
             name=data['name'],
             email=data['email'],
             password=hash_password(data['password']),
-            role=data['role']
+            role=forced_role
         )
-        
+
         db.session.add(new_user)
         db.session.commit()
-        
+
+        # Record audit log
+        audit_service.record(
+            action='user_registered',
+            actor={'user_id': new_user.id, 'role': new_user.role},
+            resource_type='user',
+            resource_id=new_user.id
+        )
+
         # Generate tokens for the new user
         tokens = generate_tokens(new_user.id, {'role': new_user.role})
-        
+
         # Create response with tokens
         resp = jsonify({
             'message': 'User registered successfully',
@@ -60,21 +72,22 @@ def register():
                 'id': new_user.id,
                 'name': new_user.name,
                 'email': new_user.email,
-                'role': new_user.role
+                'role': new_user.role,
+                'token': tokens['access_token']
             }
         })
-        
+
         # Set cookies
         set_access_cookies(resp, tokens['access_token'])
         set_refresh_cookies(resp, tokens['refresh_token'])
-        
+
         return resp, 201
-    
-    except IntegrityError:
+
+    except Exception as e:
         db.session.rollback()
-        return jsonify({'message': 'An error occurred while registering the user'}), 500
+        print(f"Registration error: {str(e)}")
+        return jsonify({'message': f'An error occurred while registering the user: {str(e)}'}), 500
 
-@auth_bp.route('/login', methods=['POST'])
 def login():
     """Function to authenticate a user and create a session"""
     data = request.get_json()
@@ -106,6 +119,14 @@ def login():
     github_connected = github_token is not None
     github_username = user.github_username
     
+    # Record audit log
+    audit_service.record(
+        action='user_login',
+        actor={'user_id': user.id, 'role': user.role},
+        resource_type='user',
+        resource_id=user.id
+    )
+
     # Create response
     resp = jsonify({
         'message': 'Login successful',
@@ -126,114 +147,6 @@ def login():
     
     return resp
 
-@auth_bp.route('/refresh', methods=['POST'])
-@jwt_required(refresh=True)
-def refresh():
-    """Endpoint for refreshing an access token"""
-    current_user = get_jwt_identity()
-    
-    # Create new access token
-    access_token = create_access_token(identity=current_user)
-    
-    # Create response
-    resp = jsonify({
-        'message': 'Token refreshed successfully',
-        'token': access_token
-    })
-    
-    # Set new access cookie
-    set_access_cookies(resp, access_token)
-    
-    return resp
-
-@auth_bp.route('/logout', methods=['POST'])
-def logout():
-    """Endpoint for logging out a user"""
-    resp = jsonify({'message': 'Logout successful'})
-    
-    # Remove JWT cookies
-    unset_jwt_cookies(resp)
-    
-    return resp
-
-@auth_bp.route('/me', methods=['GET'])
-@jwt_required()
-def me():
-    """Get current user information"""
-    current_user = get_jwt_identity()
-    
-    user = User.query.get(current_user['user_id'])
-    if not user:
-        return jsonify({'message': 'User not found'}), 404
-    
-    return jsonify({
-        'user': {
-            'id': user.id,
-            'name': user.name,
-            'email': user.email,
-            'role': user.role
-        }
-    })
-
-def register_user():
-    """Function to register a new user"""
-    data = request.get_json()
-    
-    # Validate required fields
-    if not all(k in data for k in ['name', 'email', 'password', 'role']):
-        return jsonify({'message': 'Missing required fields'}), 400
-
-    role_validation = _validate_role(data['role'])
-    if role_validation:
-        return role_validation
-    
-    # Check if email already exists
-    existing_user = User.query.filter_by(email=data['email']).first()
-    if existing_user:
-        return jsonify({'message': 'Email already registered'}), 409
-    
-    # Create new user
-    try:
-        # Print debug information
-        print(f"Attempting to register user: {data['email']} with role: {data['role']}")
-        
-        new_user = User(
-            name=data['name'],
-            email=data['email'],
-            password=hash_password(data['password']),
-            role=data['role']
-        )
-        
-        db.session.add(new_user)
-        db.session.commit()
-        
-        # Generate tokens for the new user
-        tokens = generate_tokens(new_user.id, {'role': new_user.role})
-        
-        # Create response with tokens
-        resp = jsonify({
-            'message': 'User registered successfully',
-            'user': {
-                'id': new_user.id,
-                'name': new_user.name,
-                'email': new_user.email,
-                'role': new_user.role,
-                'token': tokens['access_token']  # Include token in response for frontend
-            }
-        })
-        
-        # Set cookies
-        set_access_cookies(resp, tokens['access_token'])
-        set_refresh_cookies(resp, tokens['refresh_token'])
-        
-        return resp, 201
-    
-    except Exception as e:
-        # Enhanced error handling to catch all exceptions
-        db.session.rollback()
-        print(f"Registration error: {str(e)}")
-        return jsonify({'message': f'An error occurred while registering the user: {str(e)}'}), 500
-
 def refresh_token():
     """Function to refresh an access token"""
     current_user = get_jwt_identity()
diff --git a/backend/src/auth/rbac.py b/backend/src/auth/rbac.py
index 179e712..8a97b92 100644
--- a/backend/src/auth/rbac.py
+++ b/backend/src/auth/rbac.py
@@ -2,7 +2,7 @@
 
 from enum import Enum
 from functools import wraps
-from flask_jwt_extended import get_jwt
+from flask_jwt_extended import get_jwt, get_jwt_identity
 from flask import jsonify
 
 class Role(Enum):
@@ -15,15 +15,12 @@ class Role(Enum):
 DEVELOPER_PERMISSIONS = [
     'can_view_tasks',
     'can_update_assigned_tasks',
-    'can_comment',
     'can_comment_on_tasks',
     'can_view_notifications',
     'can_manage_personal_notifications',
     'can_view_own_profile',
     'can_update_own_profile',
     'can_link_github_account',
-    'can_view_github_repos',
-    'can_link_github_commits',
 ]
 
 TEAM_LEAD_PERMISSIONS = [
@@ -31,21 +28,17 @@ class Role(Enum):
     'can_create_tasks',
     'can_assign_tasks',
     'can_update_any_task',
-    'can_delete_tasks',
-    'can_view_team_metrics',
-    'can_view_team_reports',
+    'can_view_all_users',
+    'can_view_system_stats',
     'can_generate_reports',
-    'can_view_team_profiles',
 ]
 
 ADMIN_PERMISSIONS = [
     *TEAM_LEAD_PERMISSIONS,
-    'can_update_any_task',
-    'can_delete_tasks',
     'can_manage_users',
+    'can_manage_projects',
     'can_manage_system_settings',
     'can_view_audit_logs',
-    'can_access_all_data',
     'can_link_github_repos',
 ]
 
@@ -57,6 +50,33 @@ class Role(Enum):
 }
 
 
+# ---------------------------------------------------------------------------
+# Role hierarchy – higher value = more privileged
+# ---------------------------------------------------------------------------
+ROLE_HIERARCHY = {
+    Role.DEVELOPER: 0,
+    Role.TEAM_LEAD: 1,
+    Role.ADMIN: 2,
+}
+
+
+def _role_level(role_value):
+    """Return the numeric hierarchy level for a role string value."""
+    for role_enum, level in ROLE_HIERARCHY.items():
+        if role_enum.value == role_value:
+            return level
+    return -1
+
+
+def has_permission(role_value, permission):
+    """Check whether *role_value* (a string such as 'admin') grants *permission*."""
+    return permission in ROLE_PERMISSIONS.get(role_value, [])
+
+
+# ---------------------------------------------------------------------------
+# Decorators
+# ---------------------------------------------------------------------------
+
 def require_role(role):
     """Decorator to require a specific role"""
     def decorator(fn):
@@ -88,3 +108,26 @@ def wrapper(*args, **kwargs):
             return fn(*args, **kwargs)
         return wrapper
     return decorator
+
+
+def role_at_least(min_role):
+    """Decorator that requires the caller's role to be *min_role* or higher.
+
+    Example::
+
+        @role_at_least(Role.TEAM_LEAD)
+        def some_view(): ...
+    """
+    min_role_enum = min_role if isinstance(min_role, Role) else Role(min_role)
+    min_level = ROLE_HIERARCHY[min_role_enum]
+
+    def decorator(fn):
+        @wraps(fn)
+        def wrapper(*args, **kwargs):
+            claims = get_jwt()
+            user_role = claims.get('role')
+            if not user_role or _role_level(user_role) < min_level:
+                return jsonify({'message': 'Insufficient permissions'}), 403
+            return fn(*args, **kwargs)
+        return wrapper
+    return decorator
diff --git a/backend/tests/integration/test_role_access_integration.py b/backend/tests/integration/test_role_access_integration.py
index 6931cf2..d3ab64a 100644
--- a/backend/tests/integration/test_role_access_integration.py
+++ b/backend/tests/integration/test_role_access_integration.py
@@ -55,7 +55,7 @@ def auth_headers(app, role, user_id=1):
     return {'Authorization': f'Bearer {token}'}
 
 
-def test_users_route_requires_admin_role(client, app, monkeypatch):
+def test_users_route_allows_developers(client, app, monkeypatch):
     handler = MagicMock(return_value=({'users': []}, 200))
     monkeypatch.setattr(users_routes, 'get_all_users', handler)
 
@@ -63,15 +63,22 @@ def test_users_route_requires_admin_role(client, app, monkeypatch):
     assert unauthorized_response.status_code == 401
     assert handler.call_count == 0
 
-    forbidden_response = client.get('/api/v1/users', headers=auth_headers(app, 'developer'))
-    assert forbidden_response.status_code == 403
-    assert forbidden_response.get_json()['message'] == 'Insufficient permissions'
-    assert handler.call_count == 0
-
+    # Developer should be allowed
+    dev_response = client.get('/api/v1/users', headers=auth_headers(app, 'developer'))
+    assert dev_response.status_code == 200
+    assert dev_response.get_json() == {'users': []}
+    assert handler.call_count == 1
+
+    # Team Lead should be allowed
+    team_lead_response = client.get('/api/v1/users', headers=auth_headers(app, 'team_lead'))
+    assert team_lead_response.status_code == 200
+    assert team_lead_response.get_json() == {'users': []}
+    
+    # Admin should also be allowed (hierarchy)
     allowed_response = client.get('/api/v1/users', headers=auth_headers(app, 'admin'))
     assert allowed_response.status_code == 200
     assert allowed_response.get_json() == {'users': []}
-    handler.assert_called_once_with()
+    assert handler.call_count == 3
 
 
 def test_admin_stats_route_requires_admin_role(client, app, monkeypatch):
@@ -84,13 +91,18 @@ def test_admin_stats_route_requires_admin_role(client, app, monkeypatch):
 
     forbidden_response = client.get('/api/v1/admin/stats', headers=auth_headers(app, 'developer'))
     assert forbidden_response.status_code == 403
-    assert forbidden_response.get_json()['message'] == 'Admin access required'
+    assert forbidden_response.get_json()['message'] == 'Insufficient permissions'
     assert handler.call_count == 0
 
+    # Team Lead should be allowed
+    team_lead_response = client.get('/api/v1/admin/stats', headers=auth_headers(app, 'team_lead'))
+    assert team_lead_response.status_code == 200
+    assert team_lead_response.get_json()['users']['total'] == 5
+
     allowed_response = client.get('/api/v1/admin/stats', headers=auth_headers(app, 'admin'))
     assert allowed_response.status_code == 200
     assert allowed_response.get_json()['users']['total'] == 5
-    handler.assert_called_once_with()
+    assert handler.call_count == 2
 
 
 def test_member_dashboard_route_requires_member_role(client, app, monkeypatch):
diff --git a/frontend/src/pages/Forbidden.jsx b/frontend/src/pages/Forbidden.jsx
new file mode 100644
index 0000000..91f5162
--- /dev/null
+++ b/frontend/src/pages/Forbidden.jsx
@@ -0,0 +1,30 @@
+import React from 'react';
+import { useNavigate } from 'react-router-dom';
+
+const Forbidden = () => {
+  const navigate = useNavigate();
+
+  return (
+    <div className="min-h-screen bg-gray-50 flex flex-col justify-center py-12 sm:px-6 lg:px-8">
+      <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
+        <div className="bg-white py-8 px-4 shadow sm:rounded-lg sm:px-10 text-center">
+          <svg className="mx-auto h-16 w-16 text-red-500 mb-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+          </svg>
+          <h2 className="text-2xl font-bold text-gray-900 mb-2">Access Denied</h2>
+          <p className="text-gray-600 mb-6">
+            You don't have the necessary permissions to access this page or perform this action.
+          </p>
+          <button
+            onClick={() => navigate('/dashboard')}
+            className="w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-indigo-600 hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500"
+          >
+            Return to Dashboard
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+};
+
+export default Forbidden;
diff --git a/frontend/src/utils/rbac.js b/frontend/src/utils/rbac.js
new file mode 100644
index 0000000..d7e3d29
--- /dev/null
+++ b/frontend/src/utils/rbac.js
@@ -0,0 +1,49 @@
+// RBAC Constants and Helpers
+
+export const ROLES = {
+  DEVELOPER: 'developer',
+  TEAM_LEAD: 'team_lead',
+  ADMIN: 'admin'
+};
+
+export const ROLE_HIERARCHY = {
+  [ROLES.DEVELOPER]: 0,
+  [ROLES.TEAM_LEAD]: 1,
+  [ROLES.ADMIN]: 2
+};
+
+// Available permissions matching backend
+export const PERMISSIONS = {
+  CAN_MANAGE_PROJECTS: 'can_manage_projects',
+  CAN_ASSIGN_TASKS: 'can_assign_tasks',
+  CAN_UPDATE_ANY_TASK: 'can_update_any_task',
+  CAN_VIEW_ALL_USERS: 'can_view_all_users',
+  CAN_MANAGE_USERS: 'can_manage_users',
+  CAN_MANAGE_SYSTEM_SETTINGS: 'can_manage_system_settings',
+  CAN_VIEW_SYSTEM_STATS: 'can_view_system_stats',
+  CAN_LINK_GITHUB_ACCOUNT: 'can_link_github_account',
+  CAN_LINK_GITHUB_REPOS: 'can_link_github_repos',
+  CAN_COMMENT_ON_TASKS: 'can_comment_on_tasks',
+  CAN_MANAGE_PERSONAL_NOTIFICATIONS: 'can_manage_personal_notifications'
+};
+
+// We don't redefine the map here, the backend controls the actual map and we fetch it.
+// These helpers just act on the user's role/permissions list.
+
+export const hasRole = (userRole, targetRole) => {
+  return userRole === targetRole;
+};
+
+export const hasAnyRole = (userRole, targetRoles) => {
+  return targetRoles.includes(userRole);
+};
+
+export const roleAtLeast = (userRole, minRole) => {
+  const userLevel = ROLE_HIERARCHY[userRole] ?? -1;
+  const minLevel = ROLE_HIERARCHY[minRole] ?? 0;
+  return userLevel >= minLevel;
+};
+
+export const hasPermission = (userPermissions, targetPermission) => {
+  return Array.isArray(userPermissions) && userPermissions.includes(targetPermission);
+};

From 7f3207cae09a9f5764897e30707a5ddaaf722c03 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:44:35 +0100
Subject: [PATCH 13/37] refactor: remove role selection from Register component
 and update related tests

---
 frontend/src/pages/Register.jsx            | 20 +-------------------
 frontend/src/tests/pages/Register.test.jsx |  4 ----
 2 files changed, 1 insertion(+), 23 deletions(-)

diff --git a/frontend/src/pages/Register.jsx b/frontend/src/pages/Register.jsx
index 048dc40..d6c2f09 100644
--- a/frontend/src/pages/Register.jsx
+++ b/frontend/src/pages/Register.jsx
@@ -19,7 +19,6 @@ const Register = () => {
     email: "",
     password: "",
     confirmPassword: "",
-    role: "developer",
   });
   const [formError, setFormError] = useState("");
   const [isSubmitting, setIsSubmitting] = useState(false);
@@ -96,7 +95,6 @@ const Register = () => {
         email: "",
         password: "",
         confirmPassword: "",
-        role: "developer",
       });
       
       // Redirect to login page after success
@@ -112,7 +110,7 @@ const Register = () => {
   };
 
   return (
-    <div className="flex justify-center items-center min-h-screen bg-slate-950">
+    <div className="flex justify-center items-center min-h-screen bg-slate-950 font-['Space_Grotesk']">
       <div className="w-full max-w-md rounded-2xl border border-slate-800/80 bg-slate-900/80 p-8 shadow-2xl">
         <div className="text-center mb-6">
           <p className="text-xs uppercase tracking-[0.35em] text-slate-500">DevSync</p>
@@ -194,22 +192,6 @@ const Register = () => {
             />
           </div>
           
-          <div className="mb-6">
-            <label className="block text-slate-300 text-sm font-medium mb-2">
-              Role
-            </label>
-            <select
-              name="role"
-              value={formData.role}
-              onChange={handleChange}
-              className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
-            >
-              <option value="developer">Developer</option>
-              <option value="team_lead">Team Lead</option>
-              <option value="admin">Admin</option>
-            </select>
-          </div>
-          
           <div className="flex items-center justify-between">
             <button
               type="submit"
diff --git a/frontend/src/tests/pages/Register.test.jsx b/frontend/src/tests/pages/Register.test.jsx
index 9c6cf94..0308134 100644
--- a/frontend/src/tests/pages/Register.test.jsx
+++ b/frontend/src/tests/pages/Register.test.jsx
@@ -125,9 +125,6 @@ describe('Register page', () => {
     renderRegister();
 
     fillRequiredFields();
-    fireEvent.change(screen.getByRole('combobox'), {
-      target: { name: 'role', value: 'admin' },
-    });
 
     fireEvent.click(screen.getByRole('button', { name: /register/i }));
 
@@ -142,7 +139,6 @@ describe('Register page', () => {
       name: 'Dev User',
       email: 'dev@example.com',
       password: 'password123',
-      role: 'admin',
     });
 
     expect(await screen.findByText(/Registration successful! Redirecting to login/i)).toBeInTheDocument();

From fc9a69c5b03a607a23e857445a78e1db158ad932 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:44:51 +0100
Subject: [PATCH 14/37] refactor: update role requirements for project routes
 and integrate audit logging for project creation and deletion

---
 backend/src/api/controllers/projects_controller.py | 13 +++++++++++++
 backend/src/api/routes/projects_routes.py          |  6 +++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/backend/src/api/controllers/projects_controller.py b/backend/src/api/controllers/projects_controller.py
index 25331b4..9501ac0 100644
--- a/backend/src/api/controllers/projects_controller.py
+++ b/backend/src/api/controllers/projects_controller.py
@@ -5,6 +5,7 @@
 from ...db.models import db, Project, Task, User  # Changed to relative import
 from ...auth.rbac import Role  # Changed to relative import
 from ..validators.project_validator import validate_project_data  # Changed to relative import
+from ...services import audit_service
 import json
 import time
 import uuid
@@ -193,6 +194,12 @@ def create_project():
                 new_project.team_members.append(member)
     
     db.session.commit()
+    
+    audit_service.record(
+        action='project_created',
+        resource_type='project',
+        resource_id=new_project.id
+    )
     # region agent log
     _debug_log(
         'H1-H2',
@@ -265,6 +272,12 @@ def delete_project(project_id):
     db.session.delete(project)
     db.session.commit()
     
+    audit_service.record(
+        action='project_deleted',
+        resource_type='project',
+        resource_id=project_id
+    )
+    
     # Updated to return 204
     return '', 204
 
diff --git a/backend/src/api/routes/projects_routes.py b/backend/src/api/routes/projects_routes.py
index 2947239..763c583 100644
--- a/backend/src/api/routes/projects_routes.py
+++ b/backend/src/api/routes/projects_routes.py
@@ -32,7 +32,7 @@ def projects_list():
     
     @bp.route('/projects', methods=['POST'])
     @jwt_required()
-    @role_required([Role.ADMIN])
+    @role_required([Role.TEAM_LEAD, Role.ADMIN])
     @validate_json()
     @log_api_usage()
     @log_request()
@@ -50,7 +50,7 @@ def get_project(project_id):
     
     @bp.route('/projects/<int:project_id>', methods=['PUT'])
     @jwt_required()
-    @role_required([Role.ADMIN])
+    @role_required([Role.TEAM_LEAD, Role.ADMIN])
     @validate_json()
     @log_api_usage()
     def update_project_route(project_id):
@@ -59,7 +59,7 @@ def update_project_route(project_id):
     
     @bp.route('/projects/<int:project_id>', methods=['DELETE'])
     @jwt_required()
-    @role_required([Role.ADMIN])
+    @role_required([Role.TEAM_LEAD, Role.ADMIN])
     @log_api_usage()
     def delete_project_route(project_id):
         """Route to delete a project"""

From 0b7fe4932ecf9c97d710b2c692b17cc112c0b30d Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:45:00 +0100
Subject: [PATCH 15/37] refactor: register audit routes with the API blueprint

---
 backend/src/api/__init__.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/backend/src/api/__init__.py b/backend/src/api/__init__.py
index 3928066..fa6fcca 100644
--- a/backend/src/api/__init__.py
+++ b/backend/src/api/__init__.py
@@ -18,8 +18,10 @@
 dashboard_routes.register_routes(api_bp)
 admin_routes.register_routes(api_bp)
 from .routes import report_routes
+from .routes import audit_routes
 
 report_routes.register_routes(api_bp)
+audit_routes.register_routes(api_bp)
 github_routes.register_routes(api_bp)  # Add GitHub routes
 
 def init_app(app):

From 0d52c75f99735d96747accd56525792ed026b4b6 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:45:32 +0100
Subject: [PATCH 16/37] feat: Enhance Admin Dashboard with Team Overview and
 User Management

- Added team user overview section to Admin Dashboard.
- Integrated user fetching functionality to display team members.
- Updated dashboard layout and styling for improved UX.
- Introduced new System Settings page for managing application settings.
- Created Admin Users page for comprehensive user management, including role updates and user creation.
- Improved responsiveness and visual consistency across admin pages.
---
 .../src/api/controllers/admin_controller.py   |  37 +-
 backend/src/api/routes/admin_routes.py        |  34 +-
 backend/src/api/validators/admin_validator.py |  22 +-
 .../integration/test_admin_user_management.py | 102 +++++
 .../unit/controllers/test_admin_controller.py |  57 +--
 frontend/src/components/Navbar.jsx            | 255 ++++++------
 frontend/src/pages/AdminDashboard.jsx         | 128 ++++--
 frontend/src/pages/AdminProjectCreate.jsx     |   6 +-
 frontend/src/pages/AdminProjectEdit.jsx       |   6 +-
 frontend/src/pages/AdminProjects.jsx          |   6 +-
 frontend/src/pages/AdminSystemSettings.jsx    | 117 ++++++
 frontend/src/pages/AdminUsers.jsx             | 379 ++++++++++++++++++
 12 files changed, 894 insertions(+), 255 deletions(-)
 create mode 100644 backend/tests/integration/test_admin_user_management.py
 create mode 100644 frontend/src/pages/AdminSystemSettings.jsx
 create mode 100644 frontend/src/pages/AdminUsers.jsx

diff --git a/backend/src/api/controllers/admin_controller.py b/backend/src/api/controllers/admin_controller.py
index f207eee..aa58c4b 100644
--- a/backend/src/api/controllers/admin_controller.py
+++ b/backend/src/api/controllers/admin_controller.py
@@ -4,6 +4,8 @@
 from ...db.models import db, User, Project, Task
 from ..validators.admin_validator import validate_system_settings, validate_user_role_update
 from ...auth.rbac import Role
+from flask_jwt_extended import get_jwt_identity
+from ...services import audit_service, settings_service
 
 
 def _safe_query_all(model):
@@ -53,20 +55,7 @@ def get_system_stats():
 
 def get_system_settings():
     """Controller function to get system settings"""
-    # This would typically retrieve settings from a database
-    # For now, return placeholder settings
-    settings = {
-        'app_name': 'DevSync',
-        'allow_registration': True,
-        'default_user_role': Role.DEVELOPER.value,
-        'github_integration_enabled': True,
-        'notification_settings': {
-            'email_notifications': True,
-            'task_assignments': True,
-            'project_updates': True
-        }
-    }
-    
+    settings = settings_service.get_settings()
     return jsonify({'settings': settings})
 
 def update_system_settings():
@@ -78,8 +67,16 @@ def update_system_settings():
     if validation_result:
         return validation_result
     
-    # This would typically update settings in a database
-    # For now, just return success response
+    current_user = get_jwt_identity()
+    user_id = current_user.get('user_id') if isinstance(current_user, dict) else current_user
+
+    settings_service.update_settings(data, user_id)
+    
+    audit_service.record(
+        action='settings_updated',
+        resource_type='settings',
+        metadata={'settings_updated': list(data.keys())}
+    )
     
     return jsonify({
         'message': 'System settings updated successfully',
@@ -100,9 +97,17 @@ def update_user_role(user_id):
         return validation_result
     
     # Update user role
+    old_role = user.role
     user.role = data['role']
     db.session.commit()
     
+    audit_service.record(
+        action='user_role_changed',
+        resource_type='user',
+        resource_id=user.id,
+        metadata={'old_role': old_role, 'new_role': user.role}
+    )
+    
     return jsonify({
         'message': 'User role updated successfully',
         'user': {
diff --git a/backend/src/api/routes/admin_routes.py b/backend/src/api/routes/admin_routes.py
index 1faa8c7..a3621b8 100644
--- a/backend/src/api/routes/admin_routes.py
+++ b/backend/src/api/routes/admin_routes.py
@@ -11,13 +11,23 @@
 from ..middlewares import admin_required
 from ..middlewares.validation_middleware import validate_json
 from ..middlewares.rate_limiter import rate_limit
+from ..controllers.users_controller import get_all_users, create_user, update_user, delete_user
+from ...auth.rbac import Role, role_at_least
 
 def register_routes(bp):
     """Register all admin routes with the provided Blueprint"""
     
-    @bp.route('/admin/stats', methods=['GET'])
+    @bp.route('/admin/users', methods=['POST'])
     @jwt_required()
     @admin_required()
+    @validate_json()
+    def admin_create_user():
+        """Route to create a user"""
+        return create_user()
+
+    @bp.route('/admin/stats', methods=['GET'])
+    @jwt_required()
+    @role_at_least(Role.TEAM_LEAD)
     @rate_limit(requests_per_window=20, window_seconds=60)
     def system_stats():
         """Route to get system statistics"""
@@ -48,3 +58,25 @@ def update_settings():
     def user_role_update(user_id):
         """Route to update a user's role"""
         return update_user_role(user_id)
+
+    @bp.route('/admin/users', methods=['GET'])
+    @jwt_required()
+    @role_at_least(Role.TEAM_LEAD)
+    def admin_get_all_users():
+        """Route to get all users"""
+        return get_all_users()
+
+    @bp.route('/admin/users/<int:user_id>', methods=['PUT'])
+    @jwt_required()
+    @admin_required()
+    @validate_json()
+    def admin_update_user(user_id):
+        """Route to update a user"""
+        return update_user(user_id)
+
+    @bp.route('/admin/users/<int:user_id>', methods=['DELETE'])
+    @jwt_required()
+    @admin_required()
+    def admin_delete_user(user_id):
+        """Route to delete a user"""
+        return delete_user(user_id)
diff --git a/backend/src/api/validators/admin_validator.py b/backend/src/api/validators/admin_validator.py
index c617db4..f350d5d 100644
--- a/backend/src/api/validators/admin_validator.py
+++ b/backend/src/api/validators/admin_validator.py
@@ -10,23 +10,21 @@ def validate_system_settings(data):
         return jsonify({'message': 'No settings provided'}), 400
     
     # Validate app_name if provided
-    if 'app_name' in data and (len(data['app_name']) < 3 or len(data['app_name']) > 50):
-        return jsonify({'message': 'App name must be between 3 and 50 characters'}), 400
-    
-    # Validate allow_registration if provided
-    if 'allow_registration' in data and not isinstance(data['allow_registration'], bool):
-        return jsonify({'message': 'allow_registration must be a boolean value'}), 400
-    
+    if 'app_name' in data:
+        if not isinstance(data['app_name'], str) or len(data['app_name']) < 3:
+            return jsonify({'message': 'App name must be between 3 and 100 characters'}), 400
+
+    # Validate boolean fields
+    for bool_field in ['allow_registration', 'github_integration_enabled']:
+        if bool_field in data and not isinstance(data[bool_field], bool):
+            return jsonify({'message': f'{bool_field} must be a boolean value'}), 400
+
     # Validate default_user_role if provided
     if 'default_user_role' in data:
         valid_roles = [role.value for role in Role]
         if data['default_user_role'] not in valid_roles:
             return jsonify({'message': f'Default user role must be one of: {", ".join(valid_roles)}'}), 400
     
-    # Validate github_integration_enabled if provided
-    if 'github_integration_enabled' in data and not isinstance(data['github_integration_enabled'], bool):
-        return jsonify({'message': 'github_integration_enabled must be a boolean value'}), 400
-    
     # Validate notification_settings if provided
     if 'notification_settings' in data:
         if not isinstance(data['notification_settings'], dict):
@@ -36,7 +34,7 @@ def validate_system_settings(data):
         for key, value in data['notification_settings'].items():
             if not isinstance(value, bool):
                 return jsonify({'message': f'Notification setting "{key}" must be a boolean value'}), 400
-    
+
     # If validation passes, return None
     return None
 
diff --git a/backend/tests/integration/test_admin_user_management.py b/backend/tests/integration/test_admin_user_management.py
new file mode 100644
index 0000000..79dfdb7
--- /dev/null
+++ b/backend/tests/integration/test_admin_user_management.py
@@ -0,0 +1,102 @@
+import os
+import sys
+import pytest
+from flask_jwt_extended import create_access_token
+from unittest.mock import MagicMock
+
+# Add backend directory to import src.* modules
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../..')))
+
+from src.app import create_app
+from src.api.routes import admin_routes
+from src.api.controllers import users_controller
+
+@pytest.fixture
+def app_and_socket(monkeypatch):
+    monkeypatch.setenv('FLASK_ENV', 'testing')
+    app, socketio = create_app({
+        'TESTING': True,
+        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
+        'JWT_SECRET_KEY': 'test-secret-key-for-integration-suite-32',
+        'JWT_COOKIE_SECURE': False,
+        'JWT_COOKIE_SAMESITE': 'Lax',
+    })
+    return app, socketio
+
+@pytest.fixture
+def app(app_and_socket):
+    app, _ = app_and_socket
+    return app
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+@pytest.fixture
+def auth_headers(app):
+    def _auth_headers(role, user_id=1):
+        with app.app_context():
+            token = create_access_token(
+                identity={'user_id': user_id},
+                additional_claims={'role': role}
+            )
+        return {'Authorization': f'Bearer {token}'}
+    return _auth_headers
+
+def test_admin_create_user_rbac(client, app, auth_headers, monkeypatch):
+    """Test that only admins can create users via the admin endpoint"""
+    handler = MagicMock(return_value=({'message': 'User created', 'user': {'id': 2}}, 201))
+    monkeypatch.setattr(admin_routes, 'create_user', handler)
+
+    user_data = {
+        'name': 'New User',
+        'email': 'new@example.com',
+        'password': 'password123',
+        'role': 'developer'
+    }
+
+    # 1. Developer should be forbidden
+    resp = client.post('/api/v1/admin/users', json=user_data, headers=auth_headers('developer'))
+    assert resp.status_code == 403
+    
+    # 2. Team Lead should be forbidden
+    resp = client.post('/api/v1/admin/users', json=user_data, headers=auth_headers('team_lead'))
+    assert resp.status_code == 403
+
+    # 3. Admin should be allowed
+    resp = client.post('/api/v1/admin/users', json=user_data, headers=auth_headers('admin'))
+    assert resp.status_code == 201
+    assert resp.get_json()['message'] == 'User created'
+    assert handler.call_count == 1
+
+def test_admin_get_users_rbac(client, app, auth_headers, monkeypatch):
+    """Test that both admins and team leads can view the user list"""
+    handler = MagicMock(return_value=({'users': []}, 200))
+    monkeypatch.setattr(admin_routes, 'get_all_users', handler)
+
+    # 1. Developer should be forbidden
+    resp = client.get('/api/v1/admin/users', headers=auth_headers('developer'))
+    assert resp.status_code == 403
+
+    # 2. Team Lead should be allowed
+    resp = client.get('/api/v1/admin/users', headers=auth_headers('team_lead'))
+    assert resp.status_code == 200
+
+    # 3. Admin should be allowed
+    resp = client.get('/api/v1/admin/users', headers=auth_headers('admin'))
+    assert resp.status_code == 200
+    assert handler.call_count == 2
+
+def test_admin_delete_user_rbac(client, app, auth_headers, monkeypatch):
+    """Test that only admins can delete users"""
+    handler = MagicMock(return_value=({'message': 'User deleted'}, 200))
+    monkeypatch.setattr(admin_routes, 'delete_user', handler)
+
+    # 1. Team Lead should be forbidden
+    resp = client.delete('/api/v1/admin/users/2', headers=auth_headers('team_lead'))
+    assert resp.status_code == 403
+
+    # 2. Admin should be allowed
+    resp = client.delete('/api/v1/admin/users/2', headers=auth_headers('admin'))
+    assert resp.status_code == 200
+    assert handler.call_count == 1
diff --git a/backend/tests/unit/controllers/test_admin_controller.py b/backend/tests/unit/controllers/test_admin_controller.py
index 89b0d15..e0dab3e 100644
--- a/backend/tests/unit/controllers/test_admin_controller.py
+++ b/backend/tests/unit/controllers/test_admin_controller.py
@@ -346,62 +346,7 @@ def test_get_system_stats_actual(self, mock_task, mock_project, mock_user):
         self.assertEqual(data['tasks']['review'], 1)
         self.assertEqual(data['tasks']['done'], 1)
     
-    def test_get_system_settings_actual(self):
-        # Import the function directly to test
-        from backend.src.api.controllers.admin_controller import get_system_settings
-        from backend.src.auth.rbac import Role
-        
-        # Execute the function
-        with app.test_request_context():
-            response = get_system_settings()
-            data = json.loads(response.data)
-        
-        # Verify the results
-        self.assertIn('settings', data)
-        settings = data['settings']
-        
-        # Check settings fields
-        self.assertEqual(settings['app_name'], 'DevSync')
-        self.assertTrue(settings['allow_registration'])
-        self.assertEqual(settings['default_user_role'], Role.DEVELOPER.value)
-        self.assertTrue(settings['github_integration_enabled'])
-        
-        # Check notification settings
-        notification_settings = settings['notification_settings']
-        self.assertTrue(notification_settings['email_notifications'])
-        self.assertTrue(notification_settings['task_assignments'])
-        self.assertTrue(notification_settings['project_updates'])
-    
-    @patch('backend.src.api.controllers.admin_controller.validate_system_settings')
-    def test_update_system_settings_actual_success(self, mock_validate):
-        # Import the function directly to test
-        from backend.src.api.controllers.admin_controller import update_system_settings
-        from backend.src.auth.rbac import Role
-        
-        # Setup test data
-        test_data = {
-            'app_name': 'DevSync', 
-            'allow_registration': True, 
-            'default_user_role': Role.DEVELOPER.value,
-            'github_integration_enabled': True, 
-            'notification_settings': {
-                'email_notifications': True, 
-                'task_assignments': True, 
-                'project_updates': True
-            }
-        }
-        
-        # Configure validation mock
-        mock_validate.return_value = None  # Validation succeeds
-        
-        # Execute the function with test request context
-        with app.test_request_context(json=test_data):
-            response = update_system_settings()
-            data = json.loads(response.data)
-        
-        # Verify the results
-        self.assertEqual(data['message'], 'System settings updated successfully')
-        self.assertEqual(data['settings'], test_data)
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/frontend/src/components/Navbar.jsx b/frontend/src/components/Navbar.jsx
index c782ff7..5c89afe 100644
--- a/frontend/src/components/Navbar.jsx
+++ b/frontend/src/components/Navbar.jsx
@@ -5,8 +5,8 @@ import { useState, useEffect } from "react";
 import Notifications from "./Notifications";
 
 const Navbar = () => {
-  const { currentUser, logout } = useAuth();
-  const { notifications, unreadCount, markAsRead, markAllAsRead, refreshNotifications, isConnected } = useNotifications();
+  const { currentUser, logout, is } = useAuth();
+  const { notifications, unreadCount, markAsRead, markAllAsRead, refreshNotifications } = useNotifications();
   const [isLoggingOut, setIsLoggingOut] = useState(false);
   const [showMobileMenu, setShowMobileMenu] = useState(false);
   const [showNotifications, setShowNotifications] = useState(false);
@@ -45,182 +45,179 @@ const Navbar = () => {
   
   if (!currentUser) return null;
   
-  const isAdmin = currentUser.role === "admin";
-  const canCreateTasks = isAdmin || currentUser.role === "team_lead";
+  const isAdmin = is('admin');
+  const isTeamLead = is('team_lead');
+  const canCreateTasks = isAdmin || isTeamLead;
 
   return (
-    <nav className="bg-transparent p-4 text-white">
-      <div className="mx-auto flex w-full max-w-6xl items-center justify-between px-6">
-        <Link to="/" className="text-lg font-semibold tracking-wide">
+    <header className="bg-slate-950/80 backdrop-blur-md border-b border-slate-800/50 sticky top-0 z-50 font-['Space_Grotesk']">
+      <div className="mx-auto flex w-full max-w-6xl items-center justify-between px-6 py-4 md:px-10">
+        <Link to="/" className="flex-shrink-0 mr-8 text-lg font-semibold tracking-wide text-white hover:text-slate-300 transition">
           DevSync
         </Link>
         
-        {/* Desktop Navigation */}
-        <div className="hidden md:flex items-center space-x-6">
+        {/* Desktop Navigation - Centered */}
+        <nav className="hidden lg:flex flex-1 justify-center items-center gap-5 text-[13px] font-medium text-slate-300 px-4">
           {isAdmin ? (
             <>
-              <Link to="/admin" className="hover:text-gray-300 transition">
-                Dashboard
-              </Link>
-              <Link to="/admin/create-task" className="hover:text-gray-300 transition">
-                Create Task
-              </Link>
-              <Link to="/admin/developer-progress" className="hover:text-gray-300 transition">
-                Developer Progress
-              </Link>
-              <Link to="/admin/reports" className="hover:text-gray-300 transition">
-                Reports
-              </Link>
-              <Link to="/github" className="hover:text-gray-300 transition">
-                GitHub
-              </Link>
+              <Link to="/admin" className="transition hover:text-white">Dashboard</Link>
+              <Link to="/tasks" className="transition hover:text-white">Tasks</Link>
+              <Link to="/admin/projects" className="transition hover:text-white">Projects</Link>
+              <Link to="/admin/create-task" className="transition hover:text-white">Create Task</Link>
+              <Link to="/admin/developer-progress" className="transition hover:text-white text-nowrap">Developer Progress</Link>
+              <Link to="/admin/reports" className="transition hover:text-white">Reports</Link>
+              <div className="relative group/dropdown">
+                <button className="transition hover:text-white flex items-center gap-1">
+                  System
+                  <svg className="h-3 w-3 opacity-50" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M19 9l-7 7-7-7" /></svg>
+                </button>
+                <div className="absolute top-full left-0 mt-2 w-48 bg-slate-900 border border-slate-800 rounded-xl shadow-2xl opacity-0 invisible group-hover/dropdown:opacity-100 group-hover/dropdown:visible transition-all duration-200 z-[100] py-2">
+                  <Link to="/admin/users" className="block px-4 py-2 hover:bg-slate-800 transition text-slate-300 hover:text-white">Users</Link>
+                  <Link to="/admin/settings" className="block px-4 py-2 hover:bg-slate-800 transition text-slate-300 hover:text-white">Settings</Link>
+                  <Link to="/admin/audit-logs" className="block px-4 py-2 hover:bg-slate-800 transition text-slate-300 hover:text-white">Audit Logs</Link>
+                </div>
+              </div>
+              <Link to="/github" className="transition hover:text-white">GitHub</Link>
+            </>
+          ) : isTeamLead ? (
+            <>
+              <Link to="/admin" className="transition hover:text-white">Dashboard</Link>
+              <Link to="/tasks" className="transition hover:text-white">Tasks</Link>
+              <Link to="/admin/projects" className="transition hover:text-white">Projects</Link>
+              <Link to="/admin/create-task" className="transition hover:text-white text-nowrap">Create Task</Link>
+              <Link to="/admin/developer-progress" className="transition hover:text-white text-nowrap">Developer Progress</Link>
+              <Link to="/admin/reports" className="transition hover:text-white">Reports</Link>
+              <Link to="/github" className="transition hover:text-white">GitHub</Link>
             </>
           ) : (
             <>
-              <Link to="/BasicDashboard" className="hover:text-gray-300 transition">
-                Dashboard
-              </Link>
-              <Link to="/tasks" className="hover:text-gray-300 transition">
-                Tasks
-              </Link>
-              {canCreateTasks && (
-                <Link to="/admin/create-task" className="hover:text-gray-300 transition">
-                  Create Task
-                </Link>
-              )}
-              <Link to="/github" className="hover:text-gray-300 transition">
-                GitHub
-              </Link>
+              <Link to="/BasicDashboard" className="transition hover:text-white">Dashboard</Link>
+              <Link to="/tasks" className="transition hover:text-white">My Tasks</Link>
+              <Link to="/github" className="transition hover:text-white">GitHub</Link>
             </>
           )}
-          
-          {/* Connection Status Indicator */}
-          <div className="flex items-center">
-            <span className={`h-2 w-2 rounded-full ${isConnected ? 'bg-emerald-400' : 'bg-red-500'}`}></span>
-            <span className="ml-2 text-xs text-slate-300">
-              {isConnected ? 'Connected' : 'Disconnected'}
-            </span>
-          </div>
-          
+        </nav>
+        
+        <div className="flex-shrink-0 flex items-center gap-6">
           {/* Notification Bell */}
           <div className="relative">
             <button 
               onClick={toggleNotifications}
               aria-label="Notifications"
-              className="hover:text-gray-300 transition focus:outline-none"
+              className="p-1.5 text-slate-400 hover:text-white hover:bg-slate-800 rounded-lg transition-all focus:outline-none relative"
             >
-              <svg className="h-6 w-6" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+              <svg className="h-5 w-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                 <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M15 17h5l-1.405-1.405A2.032 2.032 0 0118 14.158V11a6.002 6.002 0 00-4-5.659V5a2 2 0 10-4 0v.341C7.67 6.165 6 8.388 6 11v3.159c0 .538-.214 1.055-.595 1.436L4 17h5m6 0v1a3 3 0 11-6 0v-1m6 0H9" />
               </svg>
-              
               {unreadCount > 0 && (
-                <span className="absolute -top-2 -right-2 bg-red-500 text-white text-xs rounded-full h-5 w-5 flex items-center justify-center">
+                <span className="absolute -top-1 -right-1 h-4 w-4 bg-red-500 text-[10px] font-bold text-white rounded-full flex items-center justify-center border border-slate-900 shadow-[0_0_8px_rgba(239,68,68,0.5)]">
                   {unreadCount}
                 </span>
               )}
             </button>
             
             {showNotifications && (
-              <div className="absolute right-0 mt-2 w-80 bg-slate-900/95 rounded-lg shadow-lg overflow-hidden z-20 border border-slate-800/70">
-                <div className="py-2 px-3 bg-slate-800/70 text-slate-100 font-semibold flex justify-between">
-                  <span>Notifications</span>
-                </div>
-                
-                <div className="max-h-64 overflow-y-auto">
-                  <Notifications 
-                    notifications={notifications}
-                    onNotificationUpdate={markAsRead}
-                  />
+              <div className="absolute right-0 mt-3 w-80 bg-slate-900 border border-slate-800 rounded-2xl shadow-2xl overflow-hidden z-[100]">
+                <div className="p-4 border-b border-slate-800 flex items-center justify-between bg-slate-900/50">
+                  <h3 className="text-sm font-bold text-white tracking-tight">Notifications</h3>
+                  <button 
+                    onClick={markAllAsRead}
+                    className="text-[10px] font-bold text-rose-400 hover:text-rose-300 uppercase tracking-wider transition"
+                  >
+                    Mark all as read
+                  </button>
                 </div>
-                
-                {notifications.length > 0 && (
-                  <div className="py-2 px-3 bg-slate-800/70 text-center">
-                    <button 
-                      onClick={markAllAsRead}
-                      className="text-sm text-rose-400 hover:text-rose-300"
-                    >
-                      Mark all as read
-                    </button>
-                  </div>
-                )}
+                <Notifications 
+                  notifications={notifications} 
+                  onClose={() => setShowNotifications(false)}
+                  onMarkRead={markAsRead}
+                  onMarkAllRead={markAllAsRead}
+                />
               </div>
             )}
           </div>
-          
-          {/* User Menu */}
-          <div className="flex items-center">
-            <span className="mr-4 text-sm text-slate-200">{currentUser.name || currentUser.email}</span>
+
+          <div className="flex items-center gap-4 text-sm">
+            <div className="text-right hidden sm:block">
+              <div className="text-xs font-semibold text-white tracking-tight">{currentUser.name}</div>
+              <div className="text-[10px] text-slate-400 uppercase tracking-widest opacity-60 font-medium">{currentUser.role?.replace('_', ' ')}</div>
+            </div>
             <button
               onClick={handleLogout}
               disabled={isLoggingOut}
-              className="rounded-full bg-red-500/90 px-3 py-1 text-white text-sm font-semibold hover:bg-red-400 transition"
+              className="rounded-full bg-red-500 px-4 py-2 font-semibold text-white transition hover:bg-red-400 disabled:opacity-50"
             >
               {isLoggingOut ? "Logging out..." : "Logout"}
             </button>
           </div>
         </div>
-        
+
         {/* Mobile Menu Button */}
         <button 
-          onClick={toggleMobileMenu} 
-          aria-label={showMobileMenu ? 'Close menu' : 'Open menu'}
-          className="md:hidden focus:outline-none"
+          onClick={toggleMobileMenu}
+          aria-label={showMobileMenu ? "Close menu" : "Open menu"}
+          className="lg:hidden p-2 text-slate-400 hover:text-white transition focus:outline-none"
         >
-          <svg className="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d={showMobileMenu ? "M6 18L18 6M6 6l12 12" : "M4 6h16M4 12h16M4 18h16"} />
+          <svg className="h-6 w-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            {showMobileMenu ? (
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M6 18L18 6M6 6l12 12" />
+            ) : (
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 6h16M4 12h16m-7 6h7" />
+            )}
           </svg>
         </button>
       </div>
-      
+
       {/* Mobile Menu */}
       {showMobileMenu && (
-        <div className="md:hidden mt-2 pt-2 pb-4 border-t border-blue-700">
-          {isAdmin ? (
-            <>
-              <Link to="/admin" className="block px-3 py-2 hover:bg-blue-700 transition">
-                Dashboard
-              </Link>
-              <Link to="/admin/create-task" className="block px-3 py-2 hover:bg-blue-700 transition">
-                Create Task
-              </Link>
-              <Link to="/admin/developer-progress" className="block px-3 py-2 hover:bg-blue-700 transition">
-                Developer Progress
-              </Link>
-              <Link to="/admin/reports" className="block px-3 py-2 hover:bg-blue-700 transition">
-                Reports
-              </Link>
-              <Link to="/github" className="block px-3 py-2 hover:bg-blue-700 transition">
-                GitHub
-              </Link>
-            </>
-          ) : (
-            <>
-              <Link to="/BasicDashboard" className="block px-3 py-2 hover:bg-blue-700 transition">
-                Dashboard
-              </Link>
-              <Link to="/tasks" className="block px-3 py-2 hover:bg-blue-700 transition">
-                Tasks
-              </Link>
-              {canCreateTasks && (
-                <Link to="/admin/create-task" className="block px-3 py-2 hover:bg-blue-700 transition">
-                  Create Task
-                </Link>
-              )}
-              <Link to="/github" className="block px-3 py-2 hover:bg-blue-700 transition">
-                GitHub
-              </Link>
-            </>
-          )}
-          <button
-            onClick={handleLogout}
-            disabled={isLoggingOut}
-            className="block w-full text-left px-3 py-2 hover:bg-blue-700 transition"
-          >
-            {isLoggingOut ? "Logging out..." : "Logout"}
-          </button>
+        <div className="lg:hidden absolute top-full left-0 right-0 bg-slate-900 border-b border-slate-800 py-6 px-6 space-y-4 shadow-xl animate-in slide-in-from-top-4 duration-200 z-[100]">
+          <div className="grid grid-cols-2 gap-4">
+            {isAdmin ? (
+              <>
+                <Link to="/admin" className="text-slate-300 py-2 hover:text-white transition">Dashboard</Link>
+                <Link to="/admin/create-task" className="text-slate-300 py-2 hover:text-white transition">Create Task</Link>
+                <Link to="/admin/developer-progress" className="text-slate-300 py-2 hover:text-white transition">Developer Progress</Link>
+                <Link to="/admin/reports" className="text-slate-300 py-2 hover:text-white transition">Reports</Link>
+                <Link to="/admin/users" className="text-slate-300 py-2 hover:text-white transition">Users</Link>
+                <Link to="/admin/settings" className="text-slate-300 py-2 hover:text-white transition">Settings</Link>
+                <Link to="/admin/audit-logs" className="text-slate-300 py-2 hover:text-white transition">Audit Logs</Link>
+                <Link to="/github" className="text-slate-300 py-2 hover:text-white transition">GitHub</Link>
+              </>
+            ) : isTeamLead ? (
+              <>
+                <Link to="/admin" className="text-slate-300 py-2 hover:text-white transition">Dashboard</Link>
+                <Link to="/tasks" className="text-slate-300 py-2 hover:text-white transition">Tasks</Link>
+                {canCreateTasks && (
+                  <Link to="/admin/create-task" className="text-slate-300 py-2 hover:text-white transition">Create Task</Link>
+                )}
+                <Link to="/admin/reports" className="text-slate-300 py-2 hover:text-white transition">Reports</Link>
+                <Link to="/github" className="text-slate-300 py-2 hover:text-white transition">GitHub</Link>
+              </>
+            ) : (
+              <>
+                <Link to="/BasicDashboard" className="text-slate-300 py-2 hover:text-white transition">Dashboard</Link>
+                <Link to="/tasks" className="text-slate-300 py-2 hover:text-white transition">Tasks</Link>
+                <Link to="/github" className="text-slate-300 py-2 hover:text-white transition">GitHub</Link>
+              </>
+            )}
+          </div>
+          <div className="pt-4 border-t border-slate-800 flex items-center justify-between">
+            <div className="flex items-center gap-3">
+              <div className="w-8 h-8 rounded-full bg-slate-800 flex items-center justify-center text-xs font-bold text-slate-300">
+                {currentUser.name?.charAt(0)}
+              </div>
+              <div className="text-sm font-medium text-white">{currentUser.name}</div>
+            </div>
+            <button
+              onClick={handleLogout}
+              className="text-sm font-semibold text-rose-400 hover:text-rose-300 transition"
+            >
+              Logout
+            </button>
+          </div>
         </div>
       )}
-    </nav>
+    </header>
   );
 };
 
diff --git a/frontend/src/pages/AdminDashboard.jsx b/frontend/src/pages/AdminDashboard.jsx
index aea0b17..80e7c80 100644
--- a/frontend/src/pages/AdminDashboard.jsx
+++ b/frontend/src/pages/AdminDashboard.jsx
@@ -1,48 +1,50 @@
 import React, { useState, useEffect, useCallback } from 'react';
 import { Link } from 'react-router-dom';
-import { dashboardService, projectService } from '../services/utils/api';
+import { dashboardService, projectService, userService } from '../services/utils/api';
 import LoadingSpinner from '../components/LoadingSpinner';
+import { useAuth } from '../context/AuthContext';
 
 // ─── Stat Card ────────────────────────────────────────────────────────────────
 const StatCard = ({ title, value, change, icon, color, currentTimeRange }) => {
-  const iconClass = {
-    primary:   'bg-rose-500/10    text-rose-300    border border-rose-400/20',
-    secondary: 'bg-sky-500/10     text-sky-300     border border-sky-400/20',
-    success:   'bg-emerald-500/10 text-emerald-300 border border-emerald-400/20',
-    warning:   'bg-amber-500/10   text-amber-300   border border-amber-400/20',
-    error:     'bg-rose-500/10    text-rose-300    border border-rose-400/20',
-  }[color] ?? 'bg-slate-800 text-slate-300 border border-slate-700';
+  const colorClasses = {
+    primary:   'bg-sky-500/15 text-sky-300 border border-sky-400/20',
+    secondary: 'bg-rose-500/15 text-rose-300 border border-rose-400/20',
+    success:   'bg-emerald-500/15 text-emerald-300 border border-emerald-400/20',
+    warning:   'bg-amber-500/15 text-amber-300 border border-amber-400/20',
+    error:     'bg-rose-500/15 text-rose-300 border border-rose-400/20',
+    purple:    'bg-purple-500/15 text-purple-300 border border-purple-400/20',
+  };
 
   return (
-    <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden">
-      <div className="p-5 flex items-center">
-        <div className={`flex-shrink-0 rounded-xl p-3 ${iconClass}`}>
+    <div className={`rounded-2xl p-6 shadow-md backdrop-blur-sm ${colorClasses[color] || 'bg-slate-900/70 text-slate-400 border border-slate-800/70'}`}>
+      <div className="flex items-center gap-5">
+        <div className="p-3 rounded-xl bg-slate-950/40 border border-white/5 text-slate-100">
           {icon}
         </div>
-        <div className="ml-5 w-0 flex-1">
-          <p className="text-sm font-medium text-slate-400 truncate">{title}</p>
-          <p className="text-xl font-bold text-slate-100 mt-0.5">{value}</p>
+        <div className="flex-1">
+          <p className="text-xs font-medium opacity-75 uppercase tracking-wider">{title}</p>
+          <p className="text-2xl font-bold mt-1 text-white">{value}</p>
           {change !== undefined && (
-            <p className="flex items-center text-xs mt-1">
+            <div className="flex items-center mt-1.5 text-[10px] font-bold uppercase tracking-tight">
               {change > 0 ? (
-                <span className="flex items-center text-emerald-300">
-                  <svg className="w-3 h-3 mr-1" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M5 10l7-7m0 0l7 7m-7-7v18" />
+                <span className="text-emerald-400 flex items-center">
+                  <svg className="w-3 h-3 mr-0.5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="3" d="M5 10l7-7m0 0l7 7m-7-7v18" />
                   </svg>
-                  {change}% increase
+                  {change}%
                 </span>
               ) : change < 0 ? (
-                <span className="flex items-center text-rose-300">
-                  <svg className="w-3 h-3 mr-1" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M19 14l-7 7m0 0l-7-7m7 7V3" />
+                <span className="text-rose-400 flex items-center">
+                  <svg className="w-3 h-3 mr-0.5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="3" d="M19 14l-7 7m0 0l-7-7m7 7V3" />
                   </svg>
-                  {Math.abs(change)}% decrease
+                  {Math.abs(change)}%
                 </span>
               ) : (
                 <span className="text-slate-500">No change</span>
               )}
-              <span className="ml-2 text-slate-500">since last {currentTimeRange}</span>
-            </p>
+              <span className="ml-1.5 text-slate-500 opacity-60">vs last {currentTimeRange}</span>
+            </div>
           )}
         </div>
       </div>
@@ -73,7 +75,7 @@ const StatusBadge = ({ status }) => {
 
 // ─── Panel wrapper ─────────────────────────────────────────────────────────────
 const Panel = ({ children, className = '' }) => (
-  <div className={`bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden ${className}`}>
+  <div className={`bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden shadow-md backdrop-blur-sm ${className}`}>
     {children}
   </div>
 );
@@ -91,7 +93,9 @@ const PanelHeader = ({ title, linkTo, linkLabel }) => (
 
 // ─── Admin Dashboard ───────────────────────────────────────────────────────────
 const AdminDashboard = () => {
+  const { currentUser } = useAuth();
   const [dashboardData, setDashboardData] = useState(null);
+  const [teamUsers, setTeamUsers]         = useState([]);
   const [loading, setLoading]             = useState(true);
   const [error, setError]                 = useState(null);
   const [timeRange, setTimeRange]         = useState('week');
@@ -101,6 +105,15 @@ const AdminDashboard = () => {
       setLoading(true);
       const data = await dashboardService.getAdminDashboardStats(timeRange);
       setDashboardData(data);
+      
+      // Fetch team users for the overview
+      try {
+        const users = await userService.getAllUsers();
+        setTeamUsers(users || []);
+      } catch (userErr) {
+        console.error('Failed to fetch team users:', userErr);
+      }
+      
       setError(null);
     } catch (err) {
       console.error('Dashboard fetch error:', err);
@@ -141,13 +154,15 @@ const AdminDashboard = () => {
   }, [dashboardData]);
 
   return (
-    <div className="min-h-screen bg-slate-950 text-slate-100">
-      <div className="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8 py-8">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
 
         {/* ── Header ── */}
         <div className="flex flex-col sm:flex-row sm:items-center sm:justify-between mb-8 gap-4">
           <div>
-            <h1 className="text-2xl font-bold text-slate-100">Admin Dashboard</h1>
+            <h1 className="text-2xl font-bold text-slate-100">
+              {currentUser?.role === 'team_lead' ? 'Management Dashboard' : 'Admin Dashboard'}
+            </h1>
             <p className="mt-1 text-sm text-slate-400">Overview of projects, tasks, and team progress</p>
           </div>
 
@@ -357,9 +372,13 @@ const AdminDashboard = () => {
                 <PanelHeader title="Admin Quick Actions" />
                 <div className="p-5 space-y-2">
                   {[
-                    { label: 'Manage Users',    to: '/admin/users'},
-                    { label: 'All Tasks',       to: '/tasks'},
-                  ].map(({ label, to, icon }) => (
+                    { label: 'Create New Task', to: '/admin/create-task', show: true },
+                    { label: 'Manage Projects', to: '/admin/projects',    show: true },
+                    { label: 'Manage Users',    to: '/admin/users',       show: true },
+                    { label: 'All Tasks',       to: '/tasks',             show: true },
+                    { label: 'Audit Logs',      to: '/admin/audit-logs',  show: currentUser?.role === 'admin' },
+                    { label: 'System Settings', to: '/admin/settings',    show: currentUser?.role === 'admin' },
+                  ].filter(action => action.show).map(({ label, to, icon }) => (
                     <Link
                       key={to}
                       to={to}
@@ -377,6 +396,51 @@ const AdminDashboard = () => {
               </Panel>
 
             </div>
+
+            {/* Team Overview Row */}
+            <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
+              <Panel>
+                <PanelHeader 
+                  title="Team Overview" 
+                  linkTo={currentUser?.role === 'admin' ? "/admin/users" : undefined} 
+                  linkLabel={currentUser?.role === 'admin' ? "Manage Users" : undefined} 
+                />
+                {teamUsers.length > 0 ? (
+                  <ul className="divide-y divide-slate-800">
+                    {teamUsers.slice(0, 5).map((user) => (
+                      <li key={user.id} className="px-5 py-4 flex items-center justify-between">
+                        <div className="flex items-center">
+                          <div className="h-9 w-9 rounded-full bg-slate-800 flex items-center justify-center text-sm font-bold text-slate-400 border border-slate-700">
+                            {user.name?.charAt(0) || 'U'}
+                          </div>
+                          <div className="ml-4">
+                            <p className="text-sm font-medium text-slate-200">{user.name}</p>
+                            <p className="text-xs text-slate-500 capitalize">{user.role}</p>
+                          </div>
+                        </div>
+                        <div className="text-right">
+                          <span className="text-xs text-slate-400">Active</span>
+                        </div>
+                      </li>
+                    ))}
+                  </ul>
+                ) : (
+                  <div className="px-5 py-10 text-center text-slate-500 text-sm">
+                    No team members found.
+                  </div>
+                )}
+              </Panel>
+
+              {/* Reports/Stats Placeholder */}
+              {currentUser?.role === 'admin' && (
+                <Panel>
+                  <PanelHeader title="Recent Activity" linkTo="/admin/audit-logs" />
+                  <div className="px-5 py-10 text-center text-slate-500 text-sm italic">
+                    Additional system metrics and audit highlights will appear here.
+                  </div>
+                </Panel>
+              )}
+            </div>
           </div>
         )}
       </div>
diff --git a/frontend/src/pages/AdminProjectCreate.jsx b/frontend/src/pages/AdminProjectCreate.jsx
index 56c908f..bac8256 100644
--- a/frontend/src/pages/AdminProjectCreate.jsx
+++ b/frontend/src/pages/AdminProjectCreate.jsx
@@ -69,9 +69,9 @@ const AdminProjectCreate = () => {
   };
 
   return (
-    <div className="bg-slate-950 min-h-screen p-4 md:p-6 text-slate-100">
-      <div className="max-w-4xl mx-auto">
-        <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl shadow-md p-6">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl shadow-md p-8 backdrop-blur-sm">
           <div className="mb-6">
             <h1 className="text-2xl font-bold text-slate-100">Create Project</h1>
             <p className="mt-1 text-sm text-slate-400">Set up a new project and assign team members.</p>
diff --git a/frontend/src/pages/AdminProjectEdit.jsx b/frontend/src/pages/AdminProjectEdit.jsx
index b5f3312..02fce85 100644
--- a/frontend/src/pages/AdminProjectEdit.jsx
+++ b/frontend/src/pages/AdminProjectEdit.jsx
@@ -120,9 +120,9 @@ const AdminProjectEdit = () => {
   }
 
   return (
-    <div className="bg-slate-950 min-h-screen p-4 md:p-6 text-slate-100">
-      <div className="max-w-4xl mx-auto">
-        <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl shadow-md p-6">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl shadow-md p-8 backdrop-blur-sm">
           <div className="mb-6">
             <h1 className="text-2xl font-bold text-slate-100">Edit Project</h1>
             <p className="mt-1 text-sm text-slate-400">Update project details and team assignments.</p>
diff --git a/frontend/src/pages/AdminProjects.jsx b/frontend/src/pages/AdminProjects.jsx
index 597d1f2..0301acb 100644
--- a/frontend/src/pages/AdminProjects.jsx
+++ b/frontend/src/pages/AdminProjects.jsx
@@ -81,9 +81,9 @@ const AdminProjects = () => {
   }
 
   return (
-    <div className="bg-slate-950 min-h-screen p-4 md:p-6 text-slate-100">
-      <div className="max-w-7xl mx-auto">
-        <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl shadow-md p-6">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="bg-slate-900/70 border border-slate-800/70 rounded-2xl shadow-md p-6 backdrop-blur-sm">
           <div className="flex flex-col gap-4 md:flex-row md:items-center md:justify-between mb-6">
             <div>
               <h1 className="text-2xl font-bold text-slate-100">Projects</h1>
diff --git a/frontend/src/pages/AdminSystemSettings.jsx b/frontend/src/pages/AdminSystemSettings.jsx
new file mode 100644
index 0000000..344da86
--- /dev/null
+++ b/frontend/src/pages/AdminSystemSettings.jsx
@@ -0,0 +1,117 @@
+import { useState, useEffect } from 'react';
+import { settingsService } from '../services/utils/api';
+
+const AdminSystemSettings = () => {
+  const [settings, setSettings] = useState({});
+  const [loading, setLoading] = useState(true);
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState('');
+  const [successMsg, setSuccessMsg] = useState('');
+
+  useEffect(() => {
+    const load = async () => {
+      setLoading(true);
+      try {
+        const data = await settingsService.getSettings();
+        setSettings(data);
+      } catch (err) {
+        setError('Failed to load settings');
+      } finally {
+        setLoading(false);
+      }
+    };
+    load();
+  }, []);
+
+  const handleNestedToggle = (parent, key) => {
+    setSettings((prev) => ({
+      ...prev,
+      [parent]: { ...(prev[parent] || {}), [key]: !(prev[parent] || {})[key] },
+    }));
+  };
+
+  const handleChange = (key, value) => {
+    setSettings((prev) => ({ ...prev, [key]: value }));
+  };
+
+  const handleSave = async () => {
+    setSaving(true);
+    setError('');
+    try {
+      await settingsService.updateSettings(settings);
+      setSuccessMsg('Settings saved successfully');
+      setTimeout(() => setSuccessMsg(''), 3000);
+    } catch (err) {
+      setError(err.message || 'Failed to save settings');
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  if (loading) {
+    return (
+      <div className="min-h-screen bg-slate-950 flex items-center justify-center text-slate-400">
+        Loading settings...
+      </div>
+    );
+  }
+
+  const notifSettings = settings.notification_settings || {};
+
+  const Toggle = ({ active, onToggle }) => (
+    <button
+      onClick={onToggle}
+      className={`relative w-12 h-6 rounded-full transition ${active ? 'bg-emerald-500' : 'bg-slate-600'}`}
+    >
+      <span className={`absolute top-0.5 left-0.5 w-5 h-5 rounded-full bg-white transition-transform ${active ? 'translate-x-6' : ''}`} />
+    </button>
+  );
+
+  return (
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="max-w-4xl mx-auto">
+          <h1 className="text-2xl font-bold mb-10 text-slate-100">System Settings</h1>
+
+        {error && <div className="bg-rose-500/10 border border-rose-400/40 text-rose-200 px-4 py-3 rounded mb-4">{error}</div>}
+        {successMsg && <div className="bg-emerald-500/10 border border-emerald-400/40 text-emerald-200 px-4 py-3 rounded mb-4">{successMsg}</div>}
+
+        <div className="space-y-6 bg-slate-900/80 border border-slate-800/80 rounded-xl p-6">
+          <div>
+            <label className="block text-sm text-slate-400 mb-1">Default User Role</label>
+            <select value={settings.default_user_role || 'developer'} onChange={(e) => handleChange('default_user_role', e.target.value)}
+              className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60">
+              <option value="developer">Developer</option>
+              <option value="team_lead">Lead</option>
+              <option value="admin">Admin</option>
+            </select>
+          </div>
+
+          <div className="border-t border-slate-800 pt-4">
+            <h3 className="text-sm font-semibold mb-3 text-slate-300">Notification Settings</h3>
+            <div className="space-y-3">
+              {[{ key: 'email_notifications', label: 'Email Notifications' },
+                { key: 'task_assignments', label: 'Task Assignment Alerts' },
+                { key: 'project_updates', label: 'Project Update Alerts' }].map(({ key, label }) => (
+                <div key={key} className="flex items-center justify-between">
+                  <span className="text-sm">{label}</span>
+                  <Toggle active={notifSettings[key]} onToggle={() => handleNestedToggle('notification_settings', key)} />
+                </div>
+              ))}
+            </div>
+          </div>
+
+          <div className="pt-4">
+            <button onClick={handleSave} disabled={saving}
+              className="w-full rounded-lg bg-rose-500/90 py-2 px-4 text-white font-semibold hover:bg-rose-400 disabled:opacity-50 transition">
+              {saving ? 'Saving...' : 'Save Settings'}
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+  );
+};
+
+export default AdminSystemSettings;
diff --git a/frontend/src/pages/AdminUsers.jsx b/frontend/src/pages/AdminUsers.jsx
new file mode 100644
index 0000000..dcbb8cf
--- /dev/null
+++ b/frontend/src/pages/AdminUsers.jsx
@@ -0,0 +1,379 @@
+import { useState, useEffect, useCallback } from 'react';
+import { adminUserService } from '../services/utils/api';
+import { useAuth } from '../context/AuthContext';
+import { ROLES } from '../utils/rbac';
+
+const AdminUsers = () => {
+  const { currentUser, is } = useAuth();
+  const isAdmin = is('admin');
+  const [users, setUsers] = useState([]);
+  const [filteredUsers, setFilteredUsers] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [searchTerm, setSearchTerm] = useState('');
+  const [roleFilter, setRoleFilter] = useState('all');
+  const [editingUser, setEditingUser] = useState(null);
+  const [editForm, setEditForm] = useState({ name: '', email: '' });
+  const [showCreateModal, setShowCreateModal] = useState(false);
+  const [createForm, setCreateForm] = useState({ name: '', email: '', password: '', role: 'developer' });
+  const [deleteConfirm, setDeleteConfirm] = useState(null);
+  const [error, setError] = useState('');
+  const [successMsg, setSuccessMsg] = useState('');
+
+  const fetchUsers = useCallback(async () => {
+    setLoading(true);
+    try {
+      const data = await adminUserService.getAllUsers();
+      setUsers(data);
+      setFilteredUsers(data);
+    } catch (err) {
+      setError('Failed to fetch users');
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    fetchUsers();
+  }, [fetchUsers]);
+
+  useEffect(() => {
+    let result = users;
+    if (searchTerm) {
+      const term = searchTerm.toLowerCase();
+      result = result.filter(
+        (u) => u.name?.toLowerCase().includes(term) || u.email?.toLowerCase().includes(term)
+      );
+    }
+    if (roleFilter !== 'all') {
+      result = result.filter((u) => u.role === roleFilter);
+    }
+    setFilteredUsers(result);
+  }, [searchTerm, roleFilter, users]);
+
+  const handleRoleChange = async (userId, newRole) => {
+    if (!isAdmin) return;
+    try {
+      setError('');
+      await adminUserService.updateUserRole(userId, newRole);
+      setUsers((prev) => prev.map((u) => (u.id === userId ? { ...u, role: newRole } : u)));
+      setSuccessMsg('Role updated successfully');
+      setTimeout(() => setSuccessMsg(''), 3000);
+    } catch (err) {
+      setError(err.message || 'Failed to update role');
+    }
+  };
+
+  const handleCreateUser = async () => {
+    try {
+      setError('');
+      const response = await adminUserService.createUser(createForm);
+      setUsers((prev) => [...prev, response.user]);
+      setShowCreateModal(false);
+      setCreateForm({ name: '', email: '', password: '', role: 'developer' });
+      setSuccessMsg('User created successfully');
+      setTimeout(() => setSuccessMsg(''), 3000);
+    } catch (err) {
+      setError(err.message || 'Failed to create user');
+    }
+  };
+
+  const handleEditSave = async () => {
+    if (!editingUser || !isAdmin) return;
+    try {
+      setError('');
+      await adminUserService.updateUser(editingUser.id, editForm);
+      setUsers((prev) =>
+        prev.map((u) => (u.id === editingUser.id ? { ...u, ...editForm } : u))
+      );
+      setEditingUser(null);
+      setSuccessMsg('User updated successfully');
+      setTimeout(() => setSuccessMsg(''), 3000);
+    } catch (err) {
+      setError(err.message || 'Failed to update user');
+    }
+  };
+
+  const handleDelete = async (userId) => {
+    if (!isAdmin) return;
+    try {
+      setError('');
+      await adminUserService.deleteUser(userId);
+      setUsers((prev) => prev.filter((u) => u.id !== userId));
+      setDeleteConfirm(null);
+      setSuccessMsg('User deleted successfully');
+      setTimeout(() => setSuccessMsg(''), 3000);
+    } catch (err) {
+      setError(err.message || 'Failed to delete user');
+    }
+  };
+
+  const roleBadge = (role) => {
+    const colors = {
+      admin: 'bg-rose-500/20 text-rose-300 border-rose-500/30',
+      team_lead: 'bg-amber-500/20 text-amber-300 border-amber-500/30',
+      developer: 'bg-emerald-500/20 text-emerald-300 border-emerald-500/30',
+    };
+    return colors[role] || 'bg-slate-500/20 text-slate-300 border-slate-500/30';
+  };
+
+  return (
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <div className="flex justify-between items-center mb-10">
+          <h1 className="text-2xl font-bold text-slate-100">User Management</h1>
+          {isAdmin && (
+            <button
+              onClick={() => setShowCreateModal(true)}
+              className="px-4 py-2 rounded-lg bg-rose-500/90 text-white font-semibold hover:bg-rose-400 transition"
+            >
+              + Create User
+            </button>
+          )}
+        </div>
+
+        {error && (
+          <div className="bg-rose-500/10 border border-rose-400/40 text-rose-200 px-4 py-3 rounded mb-4">
+            {error}
+          </div>
+        )}
+        {successMsg && (
+          <div className="bg-emerald-500/10 border border-emerald-400/40 text-emerald-200 px-4 py-3 rounded mb-4">
+            {successMsg}
+          </div>
+        )}
+
+        {/* Filters */}
+        <div className="flex flex-col sm:flex-row gap-4 mb-6">
+          <input
+            type="text"
+            placeholder="Search by name or email..."
+            value={searchTerm}
+            onChange={(e) => setSearchTerm(e.target.value)}
+            className="flex-1 rounded-lg border border-slate-700/60 bg-slate-900/80 py-2 px-3 text-slate-100 placeholder:text-slate-500 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+          />
+          <select
+            value={roleFilter}
+            onChange={(e) => setRoleFilter(e.target.value)}
+            className="rounded-lg border border-slate-700/60 bg-slate-900/80 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+          >
+            <option value="all">All Roles</option>
+            <option value="admin">Admin</option>
+            <option value="team_lead">Team Lead</option>
+            <option value="developer">Developer</option>
+          </select>
+        </div>
+
+        {/* Users Table */}
+        {loading ? (
+          <div className="text-center py-12 text-slate-400">Loading users...</div>
+        ) : (
+          <div className="overflow-x-auto rounded-xl border border-slate-800/80">
+            <table className="w-full text-left">
+              <thead className="bg-slate-900/80 text-slate-400 text-sm uppercase">
+                <tr>
+                  <th className="px-4 py-3">ID</th>
+                  <th className="px-4 py-3">Name</th>
+                  <th className="px-4 py-3">Email</th>
+                  <th className="px-4 py-3">Role</th>
+                  {isAdmin && <th className="px-4 py-3 text-right">Actions</th>}
+                </tr>
+              </thead>
+              <tbody className="divide-y divide-slate-800/60">
+                {filteredUsers.map((user) => (
+                  <tr key={user.id} className="hover:bg-slate-800/30 transition">
+                    <td className="px-4 py-3 text-sm text-slate-400">{user.id}</td>
+                    <td className="px-4 py-3">{user.name}</td>
+                    <td className="px-4 py-3 text-sm text-slate-300">{user.email}</td>
+                    <td className="px-4 py-3">
+                      {!isAdmin || user.id === currentUser?.id ? (
+                        <span className={`text-xs px-2 py-1 rounded border ${roleBadge(user.role)}`}>
+                          {user.role}
+                        </span>
+                      ) : (
+                        <select
+                          value={user.role}
+                          onChange={(e) => handleRoleChange(user.id, e.target.value)}
+                          className="text-xs rounded border border-slate-700/60 bg-slate-900/80 py-1 px-2 text-slate-100 focus:outline-none focus:ring-1 focus:ring-rose-400/60"
+                        >
+                          <option value={ROLES.DEVELOPER}>Developer</option>
+                          <option value={ROLES.TEAM_LEAD}>Team Lead</option>
+                          <option value={ROLES.ADMIN}>Admin</option>
+                        </select>
+                      )}
+                    </td>
+                    {isAdmin && (
+                      <td className="px-4 py-3 text-right space-x-2">
+                        <button
+                          onClick={() => {
+                            setEditingUser(user);
+                            setEditForm({ name: user.name, email: user.email });
+                          }}
+                          className="text-xs px-3 py-1 rounded bg-indigo-500/20 text-indigo-300 hover:bg-indigo-500/30 transition"
+                        >
+                          Edit
+                        </button>
+                        {user.id !== currentUser?.id && (
+                          <button
+                            onClick={() => setDeleteConfirm(user)}
+                            className="text-xs px-3 py-1 rounded bg-rose-500/20 text-rose-300 hover:bg-rose-500/30 transition"
+                          >
+                            Delete
+                          </button>
+                        )}
+                      </td>
+                    )}
+                  </tr>
+                ))}
+                {filteredUsers.length === 0 && (
+                  <tr>
+                    <td colSpan={isAdmin ? 5 : 4} className="px-4 py-8 text-center text-slate-500">
+                      No users found.
+                    </td>
+                  </tr>
+                )}
+              </tbody>
+            </table>
+          </div>
+        )}
+
+        {/* Create Modal */}
+        {showCreateModal && (
+          <div className="fixed inset-0 bg-black/60 flex items-center justify-center z-50 p-4">
+            <div className="bg-slate-900 border border-slate-700 rounded-xl p-6 w-full max-w-md shadow-2xl">
+              <h2 className="text-xl font-bold mb-4 text-slate-100">Create New User</h2>
+              <div className="space-y-4">
+                <div>
+                  <label className="block text-sm text-slate-400 mb-1">Name</label>
+                  <input
+                    type="text"
+                    value={createForm.name}
+                    onChange={(e) => setCreateForm({ ...createForm, name: e.target.value })}
+                    className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+                    placeholder="Full Name"
+                  />
+                </div>
+                <div>
+                  <label className="block text-sm text-slate-400 mb-1">Email</label>
+                  <input
+                    type="email"
+                    value={createForm.email}
+                    onChange={(e) => setCreateForm({ ...createForm, email: e.target.value })}
+                    className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+                    placeholder="email@example.com"
+                  />
+                </div>
+                <div>
+                  <label className="block text-sm text-slate-400 mb-1">Password</label>
+                  <input
+                    type="password"
+                    value={createForm.password}
+                    onChange={(e) => setCreateForm({ ...createForm, password: e.target.value })}
+                    className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+                    placeholder="••••••••"
+                  />
+                </div>
+                <div>
+                  <label className="block text-sm text-slate-400 mb-1">Initial Role</label>
+                  <select
+                    value={createForm.role}
+                    onChange={(e) => setCreateForm({ ...createForm, role: e.target.value })}
+                    className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+                  >
+                    <option value={ROLES.DEVELOPER}>Developer</option>
+                    <option value={ROLES.TEAM_LEAD}>Team Lead</option>
+                    <option value={ROLES.ADMIN}>Admin</option>
+                  </select>
+                </div>
+              </div>
+              <div className="flex justify-end gap-3 mt-8">
+                <button
+                  onClick={() => setShowCreateModal(false)}
+                  className="px-4 py-2 rounded-lg border border-slate-600 text-slate-300 hover:bg-slate-800 transition"
+                >
+                  Cancel
+                </button>
+                <button
+                  onClick={handleCreateUser}
+                  className="px-4 py-2 rounded-lg bg-rose-500/90 text-white font-semibold hover:bg-rose-400 transition"
+                >
+                  Create User
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
+
+        {/* Edit Modal */}
+        {editingUser && (
+          <div className="fixed inset-0 bg-black/60 flex items-center justify-center z-50 p-4">
+            <div className="bg-slate-900 border border-slate-700 rounded-xl p-6 w-full max-w-md">
+              <h2 className="text-lg font-semibold mb-4">Edit User</h2>
+              <div className="space-y-4">
+                <div>
+                  <label className="block text-sm text-slate-400 mb-1">Name</label>
+                  <input
+                    type="text"
+                    value={editForm.name}
+                    onChange={(e) => setEditForm({ ...editForm, name: e.target.value })}
+                    className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+                  />
+                </div>
+                <div>
+                  <label className="block text-sm text-slate-400 mb-1">Email</label>
+                  <input
+                    type="email"
+                    value={editForm.email}
+                    onChange={(e) => setEditForm({ ...editForm, email: e.target.value })}
+                    className="w-full rounded-lg border border-slate-700/60 bg-slate-950/60 py-2 px-3 text-slate-100 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+                  />
+                </div>
+              </div>
+              <div className="flex justify-end gap-3 mt-8">
+                <button
+                  onClick={() => setEditingUser(null)}
+                  className="px-4 py-2 rounded-lg border border-slate-600 text-slate-300 hover:bg-slate-800 transition"
+                >
+                  Cancel
+                </button>
+                <button
+                  onClick={handleEditSave}
+                  className="px-4 py-2 rounded-lg bg-indigo-600 text-white hover:bg-indigo-500 transition"
+                >
+                  Save Changes
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
+
+        {/* Delete Confirmation Modal */}
+        {deleteConfirm && (
+          <div className="fixed inset-0 bg-black/60 flex items-center justify-center z-50 p-4">
+            <div className="bg-slate-900 border border-slate-700 rounded-xl p-6 w-full max-w-sm">
+              <h2 className="text-lg font-semibold mb-2 text-rose-300">Confirm Delete</h2>
+              <p className="text-slate-400 mb-6">
+                Are you sure you want to delete <strong className="text-slate-200">{deleteConfirm.name}</strong>? This action cannot be undone.
+              </p>
+              <div className="flex justify-end gap-3">
+                <button
+                  onClick={() => setDeleteConfirm(null)}
+                  className="px-4 py-2 rounded-lg border border-slate-600 text-slate-300 hover:bg-slate-800 transition"
+                >
+                  Cancel
+                </button>
+                <button
+                  onClick={() => handleDelete(deleteConfirm.id)}
+                  className="px-4 py-2 rounded-lg bg-rose-600 text-white hover:bg-rose-500 transition"
+                >
+                  Delete User
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+};
+
+export default AdminUsers;

From 5bcf0ca7f3011234cae1e5352fbc619f249aeebd Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:46:00 +0100
Subject: [PATCH 17/37] refactor: update authentication routes and enhance
 permission handling in AuthContext

---
 backend/src/api/routes/auth_routes.py         | 15 +++++++
 .../test_auth_socket_dashboard_integration.py |  3 ++
 backend/tests/unit/auth/test_auth_module.py   | 16 +++++---
 .../unit/validators/test_auth_validator.py    | 11 +-----
 frontend/src/context/AuthContext.jsx          | 39 +++++++++++++++++++
 5 files changed, 69 insertions(+), 15 deletions(-)

diff --git a/backend/src/api/routes/auth_routes.py b/backend/src/api/routes/auth_routes.py
index 31e7e81..0d4b85d 100644
--- a/backend/src/api/routes/auth_routes.py
+++ b/backend/src/api/routes/auth_routes.py
@@ -6,6 +6,7 @@
 from ...auth.auth import login, register_user, refresh_token, logout_user, get_token  # Added get_token
 from ..middlewares.validation_middleware import validate_json  # Changed to relative import
 from ..validators.auth_validator import validate_login_data, validate_registration_data  # Changed to relative import
+from ...auth.rbac import ROLE_PERMISSIONS
 
 def register_routes(bp):
     """Register all authentication routes with the provided Blueprint"""
@@ -58,3 +59,17 @@ def token_route():
         if validation_error:
             return validation_error
         return get_token()
+
+    @bp.route('/auth/permissions', methods=['GET'])
+    @jwt_required()
+    def get_permissions():
+        """Route to get permissions for the current user"""
+        from flask_jwt_extended import get_jwt
+        claims = get_jwt()
+        role = claims.get('role', 'developer')
+        permissions = ROLE_PERMISSIONS.get(role, [])
+        from flask import jsonify
+        return jsonify({
+            'role': role,
+            'permissions': permissions
+        })
diff --git a/backend/tests/integration/test_auth_socket_dashboard_integration.py b/backend/tests/integration/test_auth_socket_dashboard_integration.py
index d2e1364..9adbf02 100644
--- a/backend/tests/integration/test_auth_socket_dashboard_integration.py
+++ b/backend/tests/integration/test_auth_socket_dashboard_integration.py
@@ -73,6 +73,7 @@ def __init__(self, name, email, password, role):
             self.role = role
 
     StubUser.query.filter_by.return_value.first.return_value = None
+    StubUser.query.count.return_value = 1
 
     session = MagicMock()
     hash_password = MagicMock(return_value='hashed-password')
@@ -82,6 +83,8 @@ def __init__(self, name, email, password, role):
     })
 
     monkeypatch.setattr(auth_module, 'User', StubUser)
+    monkeypatch.setattr(auth_module.settings_service, 'get_default_role', MagicMock(return_value='developer'))
+    monkeypatch.setattr(auth_module.audit_service, 'record', MagicMock())
     monkeypatch.setattr(auth_module, 'hash_password', hash_password)
     monkeypatch.setattr(auth_module, 'generate_tokens', generate_tokens)
     monkeypatch.setattr(auth_module.db, 'session', session, raising=False)
diff --git a/backend/tests/unit/auth/test_auth_module.py b/backend/tests/unit/auth/test_auth_module.py
index 397b59c..168c68d 100644
--- a/backend/tests/unit/auth/test_auth_module.py
+++ b/backend/tests/unit/auth/test_auth_module.py
@@ -37,7 +37,7 @@ def test_register_returns_400_for_missing_fields(monkeypatch):
     app = build_test_app()
 
     with app.test_request_context(json={'email': 'incomplete@example.com'}):
-        response, status = auth_module.register()
+        response, status = auth_module.register_user()
 
     assert status == 400
     assert response.get_json()['message'] == 'Missing required fields'
@@ -58,7 +58,7 @@ def test_register_returns_409_for_existing_email(monkeypatch):
             'role': 'developer',
         }
     ):
-        response, status = auth_module.register()
+        response, status = auth_module.register_user()
 
     assert status == 409
     assert response.get_json()['message'] == 'Email already registered'
@@ -69,6 +69,7 @@ def test_register_success_sets_cookies_and_returns_contract(monkeypatch):
 
     StubUser.query = MagicMock()
     StubUser.query.filter_by.return_value.first.return_value = None
+    StubUser.query.count.return_value = 1
 
     session = MagicMock()
     hash_password = MagicMock(return_value='hashed-password')
@@ -82,6 +83,8 @@ def test_register_success_sets_cookies_and_returns_contract(monkeypatch):
     monkeypatch.setattr(auth_module.db, 'session', session, raising=False)
     monkeypatch.setattr(auth_module, 'set_access_cookies', set_access_cookies)
     monkeypatch.setattr(auth_module, 'set_refresh_cookies', set_refresh_cookies)
+    monkeypatch.setattr(auth_module.settings_service, 'get_default_role', MagicMock(return_value='admin'))
+    monkeypatch.setattr(auth_module.audit_service, 'record', MagicMock())
 
     with app.test_request_context(
         json={
@@ -91,7 +94,7 @@ def test_register_success_sets_cookies_and_returns_contract(monkeypatch):
             'role': 'admin',
         }
     ):
-        response, status = auth_module.register()
+        response, status = auth_module.register_user()
 
     assert status == 201
     payload = response.get_json()
@@ -112,6 +115,7 @@ def test_register_handles_integrity_error(monkeypatch):
 
     StubUser.query = MagicMock()
     StubUser.query.filter_by.return_value.first.return_value = None
+    StubUser.query.count.return_value = 1
 
     session = MagicMock()
     session.commit.side_effect = IntegrityError('insert', {}, Exception('duplicate'))
@@ -119,6 +123,8 @@ def test_register_handles_integrity_error(monkeypatch):
     monkeypatch.setattr(auth_module, 'User', StubUser)
     monkeypatch.setattr(auth_module, 'hash_password', MagicMock(return_value='hashed-password'))
     monkeypatch.setattr(auth_module.db, 'session', session, raising=False)
+    monkeypatch.setattr(auth_module.settings_service, 'get_default_role', MagicMock(return_value='developer'))
+    monkeypatch.setattr(auth_module.audit_service, 'record', MagicMock())
 
     with app.test_request_context(
         json={
@@ -128,10 +134,10 @@ def test_register_handles_integrity_error(monkeypatch):
             'role': 'developer',
         }
     ):
-        response, status = auth_module.register()
+        response, status = auth_module.register_user()
 
     assert status == 500
-    assert response.get_json()['message'] == 'An error occurred while registering the user'
+    assert 'An error occurred while registering the user' in response.get_json()['message']
     session.rollback.assert_called_once_with()
 
 
diff --git a/backend/tests/unit/validators/test_auth_validator.py b/backend/tests/unit/validators/test_auth_validator.py
index e8b068b..6c5a19f 100644
--- a/backend/tests/unit/validators/test_auth_validator.py
+++ b/backend/tests/unit/validators/test_auth_validator.py
@@ -80,16 +80,7 @@ def test_registration_validation(self):
             assert code == 400
             assert json.loads(response.data)['message'] == 'Password must be at least 8 characters long'
             
-            # Test invalid role
-            invalid_role = {
-                'name': 'Test User',
-                'email': 'test@example.com',
-                'password': 'password123',
-                'role': 'superuser'
-            }
-            response, code = validate_registration_data(invalid_role)
-            assert code == 400
-            assert 'Role must be one of' in json.loads(response.data)['message']
+
 
 if __name__ == '__main__':
     unittest.main()
\ No newline at end of file
diff --git a/frontend/src/context/AuthContext.jsx b/frontend/src/context/AuthContext.jsx
index a13d0ff..d4a5b89 100644
--- a/frontend/src/context/AuthContext.jsx
+++ b/frontend/src/context/AuthContext.jsx
@@ -2,6 +2,7 @@ import { createContext, useState, useContext, useEffect, useRef } from 'react';
 import { authApi } from '../services/utils/auth';
 import { githubService } from '../services/github';
 import { useNavigate, useLocation } from 'react-router-dom';
+import { hasRole, hasPermission } from '../utils/rbac';
 
 const AuthContext = createContext();
 
@@ -38,6 +39,7 @@ export const AuthProvider = ({ children }) => {
   const [githubConnected, setGithubConnected] = useState(initialUser?.github_connected || false);
   const [showGithubPrompt, setShowGithubPrompt] = useState(false);
   const [authInProgress, setAuthInProgress] = useState(false);
+  const [permissions, setPermissions] = useState(initialUser?.permissions || []);
 
   // Keep a ref to track initialization
   const isInitialized = useRef(false);
@@ -72,6 +74,22 @@ export const AuthProvider = ({ children }) => {
           if (verifyToken(user) && hasValidRole(user)) {
             // Update the state with the user
             setCurrentUser(user);
+            if (user.permissions) {
+              setPermissions(user.permissions);
+            } else {
+              // Fetch permissions if not in localStorage
+              fetch(`${process.env.REACT_APP_API_URL || 'http://localhost:8000/api/v1'}/auth/permissions`, {
+                headers: { 'Authorization': `Bearer ${user.token}` }
+              })
+                .then(res => res.json())
+                .then(data => {
+                  setPermissions(data.permissions || []);
+                  const updatedUser = { ...user, permissions: data.permissions || [] };
+                  localStorage.setItem('user', JSON.stringify(updatedUser));
+                  setCurrentUser(updatedUser);
+                })
+                .catch(err => console.error("Failed to fetch permissions:", err));
+            }
             // Set GitHub connection status if available
             if ("github_connected" in user) {
               setGithubConnected(user.github_connected);
@@ -153,6 +171,19 @@ export const AuthProvider = ({ children }) => {
           throw new Error("This account role is no longer supported. Please contact an administrator.");
         }
         
+        // Fetch permissions
+        try {
+          const permRes = await fetch(`${process.env.REACT_APP_API_URL || 'http://localhost:8000/api/v1'}/auth/permissions`, {
+            headers: { 'Authorization': `Bearer ${userWithToken.token}` }
+          });
+          const permData = await permRes.json();
+          userWithToken.permissions = permData.permissions || [];
+          setPermissions(permData.permissions || []);
+        } catch (err) {
+          console.error("Failed to fetch permissions during login:", err);
+          userWithToken.permissions = [];
+        }
+
         // Save to localStorage first to ensure persistence
         localStorage.setItem("user", JSON.stringify(userWithToken));
         
@@ -228,6 +259,7 @@ export const AuthProvider = ({ children }) => {
     } finally {
       localStorage.removeItem("user");
       setCurrentUser(null);
+      setPermissions([]);
       setGithubConnected(false);
       setShowGithubPrompt(false);
       setAuthInProgress(false);
@@ -394,9 +426,16 @@ export const AuthProvider = ({ children }) => {
     verify();
   }, [currentUserId, currentGithubConnected]);
 
+  // RBAC Helpers
+  const can = (permission) => hasPermission(permissions, permission);
+  const is = (role) => hasRole(currentUser?.role, role);
+
   const value = {
     currentUser,
     setCurrentUser: updateUser,
+    permissions,
+    can,
+    is,
     login,
     register,
     logout,

From b8a140cca5d5bc82059e56842b560fe4070ef930 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:46:19 +0100
Subject: [PATCH 18/37] feat: Enhance admin dashboard access for Team Leads and
 add Team Overview section

---
 .../api/controllers/dashboard_controller.py   |   6 +-
 backend/src/api/routes/dashboard_routes.py    |   2 +-
 frontend/src/pages/BasicDashboard.jsx         | 114 +++++++++++-------
 frontend/src/tests/components/Navbar.test.jsx |   6 +
 .../src/tests/pages/BasicDashboard.test.jsx   |  36 ++++++
 5 files changed, 119 insertions(+), 45 deletions(-)

diff --git a/backend/src/api/controllers/dashboard_controller.py b/backend/src/api/controllers/dashboard_controller.py
index 9e334af..dcdd566 100644
--- a/backend/src/api/controllers/dashboard_controller.py
+++ b/backend/src/api/controllers/dashboard_controller.py
@@ -254,9 +254,9 @@ def get_admin_dashboard():
         claims = get_jwt()
         user_role = claims.get('role')
         
-        # Check if user is admin
-        if user_role != Role.ADMIN.value:
-            logger.warning(f"Non-admin user {user_id} attempted to access admin dashboard")
+        # Check if user is admin or team lead
+        if user_role not in [Role.ADMIN.value, Role.TEAM_LEAD.value]:
+            logger.warning(f"Unauthorized user {user_id} with role {user_role} attempted to access admin dashboard")
             return jsonify({'message': 'Unauthorized access'}), 403
         
         # Log the request details for debugging
diff --git a/backend/src/api/routes/dashboard_routes.py b/backend/src/api/routes/dashboard_routes.py
index 7142f88..76735c8 100644
--- a/backend/src/api/routes/dashboard_routes.py
+++ b/backend/src/api/routes/dashboard_routes.py
@@ -31,7 +31,7 @@ def client_dashboard():
     
     @bp.route('/dashboard/admin', methods=['GET'])
     @jwt_required()
-    @role_required(Role.ADMIN)
+    @role_required([Role.ADMIN, Role.TEAM_LEAD])
     def admin_dashboard():
         """Route to get admin-specific dashboard data"""
         return get_admin_dashboard()
diff --git a/frontend/src/pages/BasicDashboard.jsx b/frontend/src/pages/BasicDashboard.jsx
index 3d3c705..8260458 100644
--- a/frontend/src/pages/BasicDashboard.jsx
+++ b/frontend/src/pages/BasicDashboard.jsx
@@ -5,23 +5,34 @@ import TaskCard from '../components/TaskCard';
 import LoadingSpinner from '../components/LoadingSpinner';
 import { useAuth } from '../context/AuthContext';
 
-const panelClass = "bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden shadow-[0_10px_30px_rgba(0,0,0,0.25)]";
-const panelHeaderClass = "px-4 py-5 sm:px-6 border-b border-slate-800 flex justify-between items-center";
+const panelClass = "bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden shadow-md backdrop-blur-sm";
+const panelHeaderClass = "px-6 py-5 border-b border-slate-800/70 flex justify-between items-center";
 const sectionTitleClass = "text-lg font-semibold text-slate-100";
 
 const BasicDashboard = () => {
   const [dashboardData, setDashboardData] = useState(null);
+  const [teamUsers, setTeamUsers] = useState([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState(null);
-  const { currentUser } = useAuth();
+  const { currentUser, is } = useAuth();
 
   const fetchDashboardData = useCallback(async () => {
     try {
       setLoading(true);
-      console.log("Fetching dashboard data with token:", JSON.stringify(currentUser?.token).substring(0, 20) + "...");
-      console.log("Fetching dashboard stats...");
       const data = await dashboardService.getBasicDashboardStats();
       setDashboardData(data);
+      
+      // Fetch team data if Team Lead or Admin
+      if (is('team_lead') || is('admin')) {
+        try {
+          const { userService } = await import('../services/utils/api');
+          const users = await userService.getAllUsers();
+          setTeamUsers(users);
+        } catch (err) {
+          console.error("Failed to fetch team users:", err);
+        }
+      }
+      
       setError(null);
     } catch (err) {
       console.error("Dashboard fetch error:", err);
@@ -29,7 +40,7 @@ const BasicDashboard = () => {
     } finally {
       setLoading(false);
     }
-  }, [currentUser]);
+  }, [is]);
 
   useEffect(() => {
     fetchDashboardData();
@@ -40,8 +51,8 @@ const BasicDashboard = () => {
   };
 
   return (
-    <div className="min-h-screen bg-slate-950 text-slate-100">
-      <div className="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8 py-8">
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
         <div className="flex flex-col md:flex-row md:items-center md:justify-between mb-6">
           <div>
             <h1 className="text-2xl font-bold text-slate-100">My Dashboard</h1>
@@ -214,7 +225,6 @@ const BasicDashboard = () => {
                           <p className="text-sm font-medium text-slate-100">
                             @{currentUser.github_username}
                           </p>
-                          <p className="text-xs text-emerald-400">Connected</p>
                         </div>
                       </div>
 
@@ -298,7 +308,7 @@ const BasicDashboard = () => {
 
                 {/* Upcoming Deadlines */}
                 <div className={panelClass}>
-                  <div className="px-4 py-5 sm:px-6 border-b border-slate-800">
+                  <div className={panelHeaderClass}>
                     <h3 className={sectionTitleClass}>Upcoming Deadlines</h3>
                   </div>
 
@@ -326,6 +336,42 @@ const BasicDashboard = () => {
                     </div>
                   )}
                 </div>
+
+                {/* Team Overview - Visible to Team Leads and Admins */}
+                {(is('team_lead') || is('admin')) && (
+                  <div className={panelClass}>
+                    <div className={panelHeaderClass}>
+                      <h3 className={sectionTitleClass}>Team Overview</h3>
+                      <Link to="/admin/developer-progress" className="text-xs text-rose-300 hover:text-rose-200">
+                        View Progress
+                      </Link>
+                    </div>
+                    {teamUsers.length > 0 ? (
+                      <ul className="divide-y divide-slate-800">
+                        {teamUsers.slice(0, 5).map((user) => (
+                          <li key={user.id} className="px-4 py-3 flex items-center justify-between">
+                            <div className="flex items-center">
+                              <div className="h-8 w-8 rounded-full bg-slate-800 flex items-center justify-center text-xs font-bold text-slate-400 border border-slate-700">
+                                {user.name?.charAt(0) || 'U'}
+                              </div>
+                              <div className="ml-3">
+                                <p className="text-sm font-medium text-slate-200">{user.name}</p>
+                                <p className="text-xs text-slate-500 capitalize">{user.role}</p>
+                              </div>
+                            </div>
+                            <div className="text-right">
+                              <span className="text-xs text-slate-400">Active</span>
+                            </div>
+                          </li>
+                        ))}
+                      </ul>
+                    ) : (
+                      <div className="p-6 text-center text-slate-400">
+                        <p>No team members found</p>
+                      </div>
+                    )}
+                  </div>
+                )}
               </div>
             </div>
           </div>
@@ -338,41 +384,27 @@ const BasicDashboard = () => {
 // Helper Components
 const StatCard = ({ title, value, icon, color }) => {
   const colorClasses = {
-    primary: {
-      light: 'bg-sky-500/15 border-sky-400/20',
-      text: 'text-sky-300'
-    },
-    success: {
-      light: 'bg-emerald-500/15 border-emerald-400/20',
-      text: 'text-emerald-300'
-    },
-    warning: {
-      light: 'bg-amber-500/15 border-amber-400/20',
-      text: 'text-amber-300'
-    },
-    error: {
-      light: 'bg-rose-500/15 border-rose-400/20',
-      text: 'text-rose-300'
-    }
+    blue:   'bg-sky-500/15 text-sky-300 border border-sky-400/20',
+    green:  'bg-emerald-500/15 text-emerald-300 border border-emerald-400/20',
+    yellow: 'bg-amber-500/15 text-amber-300 border border-amber-400/20',
+    red:    'bg-rose-500/15 text-rose-300 border border-rose-400/20',
+    purple: 'bg-purple-500/15 text-purple-300 border border-purple-400/20',
   };
 
-  const classes = colorClasses[color] || colorClasses.primary;
+  const selectedColor = color === 'primary' ? 'blue' : 
+                       color === 'success' ? 'green' :
+                       color === 'warning' ? 'yellow' :
+                       color === 'error' ? 'red' : color;
 
   return (
-    <div className="bg-slate-900/70 overflow-hidden rounded-2xl border border-slate-800/70">
-      <div className="p-5">
-        <div className="flex items-center">
-          <div className={`flex-shrink-0 rounded-xl ${classes.light} p-3 border`}>
-            <div className={`${classes.text}`}>{icon}</div>
-          </div>
-          <div className="ml-5 w-0 flex-1">
-            <dl>
-              <dt className="text-sm font-medium text-slate-400 truncate">{title}</dt>
-              <dd>
-                <div className="text-xl font-bold text-slate-100">{value}</div>
-              </dd>
-            </dl>
-          </div>
+    <div className={`rounded-2xl p-6 shadow-md backdrop-blur-sm ${colorClasses[selectedColor] || 'bg-slate-900/70 text-slate-400 border border-slate-800/70'}`}>
+      <div className="flex items-center gap-5">
+        <div className="p-3 rounded-xl bg-slate-950/40 border border-white/5">
+          {icon}
+        </div>
+        <div>
+          <p className="text-xs font-medium opacity-75 uppercase tracking-wider">{title}</p>
+          <p className="text-2xl font-bold mt-1 text-white">{value}</p>
         </div>
       </div>
     </div>
diff --git a/frontend/src/tests/components/Navbar.test.jsx b/frontend/src/tests/components/Navbar.test.jsx
index 503892c..ae65398 100644
--- a/frontend/src/tests/components/Navbar.test.jsx
+++ b/frontend/src/tests/components/Navbar.test.jsx
@@ -47,6 +47,8 @@ describe('Navbar component', () => {
         email: 'admin@example.com',
       },
       logout: mockLogout,
+      is: (role) => role === 'admin',
+      can: (perm) => true,
     });
 
     useNotifications.mockReturnValue({
@@ -123,6 +125,8 @@ describe('Navbar component', () => {
         email: 'developer@example.com',
       },
       logout: mockLogout,
+      is: (role) => role === 'developer',
+      can: (perm) => false,
     });
 
     renderNavbar();
@@ -150,6 +154,8 @@ describe('Navbar component', () => {
         email: 'lead@example.com',
       },
       logout: mockLogout,
+      is: (role) => role === 'team_lead',
+      can: (perm) => perm === 'can_assign_tasks',
     });
 
     renderNavbar();
diff --git a/frontend/src/tests/pages/BasicDashboard.test.jsx b/frontend/src/tests/pages/BasicDashboard.test.jsx
index 08307c2..b637ffa 100644
--- a/frontend/src/tests/pages/BasicDashboard.test.jsx
+++ b/frontend/src/tests/pages/BasicDashboard.test.jsx
@@ -10,6 +10,9 @@ jest.mock('../../services/utils/api', () => ({
   dashboardService: {
     getBasicDashboardStats: jest.fn(),
   },
+  userService: {
+    getAllUsers: jest.fn().mockResolvedValue([]),
+  },
 }));
 
 jest.mock('../../context/AuthContext', () => ({
@@ -41,6 +44,8 @@ describe('BasicDashboard page', () => {
         github_connected: true,
         github_username: 'octocat',
       },
+      is: jest.fn().mockReturnValue(false),
+      can: jest.fn().mockReturnValue(false),
     });
 
     dashboardService.getBasicDashboardStats.mockReset();
@@ -118,6 +123,8 @@ describe('BasicDashboard page', () => {
         github_connected: false,
         github_username: '',
       },
+      is: jest.fn().mockReturnValue(false),
+      can: jest.fn().mockReturnValue(false),
     });
 
     dashboardService.getBasicDashboardStats.mockResolvedValue({
@@ -194,4 +201,33 @@ describe('BasicDashboard page', () => {
       expect(dashboardService.getBasicDashboardStats).toHaveBeenCalledTimes(2);
     });
   });
+
+  test('renders Team Overview for users with team_lead role', async () => {
+    const { userService } = require('../../services/utils/api');
+    userService.getAllUsers.mockResolvedValue([
+      { id: 1, name: 'Alice Developer', role: 'developer' },
+      { id: 2, name: 'Bob Developer', role: 'developer' },
+    ]);
+
+    useAuth.mockReturnValue({
+      currentUser: { id: 10, name: 'Lead User', role: 'team_lead' },
+      is: (role) => role === 'team_lead',
+      can: jest.fn(),
+    });
+
+    dashboardService.getBasicDashboardStats.mockResolvedValue({
+      taskCounts: { assigned: 0, inProgress: 0, completed: 0, dueSoon: 0 },
+      recentTasks: [],
+      githubActivity: [],
+      projects: [],
+      upcomingDeadlines: [],
+    });
+
+    renderDashboard();
+
+    expect(await screen.findByText('Team Overview')).toBeInTheDocument();
+    expect(await screen.findByText('Alice Developer')).toBeInTheDocument();
+    expect(screen.getByText('Bob Developer')).toBeInTheDocument();
+    expect(screen.getByText('View Progress')).toBeInTheDocument();
+  });
 });

From 2ecd75eb1aa83f50d91846b55b6a55ec4d43c92b Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:46:37 +0100
Subject: [PATCH 19/37] refactor: Clean up API routes and enhance permission
 handling in comments and notifications

---
 backend/src/api/routes/__init__.py            |   5 +-
 backend/src/api/routes/comments_routes.py     |   6 +-
 .../src/api/routes/notifications_routes.py    |   2 +
 backend/src/services/settings_service.py      |  44 ++++
 .../tests/unit/routes/test_admin_routes.py    |   1 +
 .../tests/unit/routes/test_comments_routes.py |   5 +-
 .../unit/routes/test_notifications_routes.py  |   4 +-
 frontend/src/pages/DeveloperProgress.jsx      | 199 +++++++++---------
 8 files changed, 155 insertions(+), 111 deletions(-)
 create mode 100644 backend/src/services/settings_service.py

diff --git a/backend/src/api/routes/__init__.py b/backend/src/api/routes/__init__.py
index e9ca72c..1f1dd3b 100644
--- a/backend/src/api/routes/__init__.py
+++ b/backend/src/api/routes/__init__.py
@@ -12,6 +12,7 @@
 from . import dashboard_routes
 from . import admin_routes
 from . import github_routes
+from . import audit_routes
 
 """API routes registration"""
 
@@ -25,7 +26,8 @@
     dashboard_routes,
     admin_routes,
     notifications_routes,
-    github_routes
+    github_routes,
+    audit_routes
 )
 
 def register_all_routes(app):
@@ -42,6 +44,7 @@ def register_all_routes(app):
     admin_routes.register_routes(api_bp)
     notifications_routes.register_routes(api_bp)
     github_routes.register_routes(api_bp)
+    audit_routes.register_routes(api_bp)
     
     # Register blueprint with app
     app.register_blueprint(api_bp, url_prefix='/api')
diff --git a/backend/src/api/routes/comments_routes.py b/backend/src/api/routes/comments_routes.py
index 079ac2d..2089ec4 100644
--- a/backend/src/api/routes/comments_routes.py
+++ b/backend/src/api/routes/comments_routes.py
@@ -10,8 +10,7 @@
 )
 from ..middlewares.validation_middleware import validate_json
 from ..middlewares import role_required
-from ...auth.rbac import Role
-
+from ...auth.rbac import Role, require_permission
 AUTHENTICATED_ROLES = [Role.DEVELOPER, Role.TEAM_LEAD, Role.ADMIN]
 
 def register_routes(bp):
@@ -27,7 +26,8 @@ def comments_list(task_id):
     @bp.route('/tasks/<int:task_id>/comments', methods=['POST'])
     @jwt_required()
     @role_required(AUTHENTICATED_ROLES)
-    @validate_json()  # Fixed: added parentheses
+    @require_permission('can_comment_on_tasks')
+    @validate_json()
     def create_comment(task_id):
         """Route to add a comment to a task"""
         return add_comment(task_id)
diff --git a/backend/src/api/routes/notifications_routes.py b/backend/src/api/routes/notifications_routes.py
index 99b21ee..1739ff2 100644
--- a/backend/src/api/routes/notifications_routes.py
+++ b/backend/src/api/routes/notifications_routes.py
@@ -10,6 +10,7 @@
     delete_notification
 )
 from ..middlewares.validation_middleware import validate_json
+from ...auth.rbac import require_permission
 
 def register_routes(bp):
     """Register all notification routes with the provided Blueprint"""
@@ -41,6 +42,7 @@ def mark_all_read():
     
     @bp.route('/notifications/<int:notification_id>', methods=['DELETE'])
     @jwt_required()
+    @require_permission('can_manage_personal_notifications')
     def delete_notification_route(notification_id):
         """Route to delete a notification"""
         return delete_notification(notification_id)
diff --git a/backend/src/services/settings_service.py b/backend/src/services/settings_service.py
new file mode 100644
index 0000000..1f7ccf6
--- /dev/null
+++ b/backend/src/services/settings_service.py
@@ -0,0 +1,44 @@
+"""System Settings Service"""
+from ..db.models import db, SystemSetting
+
+def get_settings():
+    """Retrieve all system settings as a dictionary."""
+    settings = SystemSetting.query.all()
+    if not settings:
+        # Fallback if DB is empty
+        return {
+            'default_user_role': 'developer',
+            'notification_settings': {
+                'email_notifications': True,
+                'task_assignments': True,
+                'project_updates': True
+            }
+        }
+    return {setting.key: setting.value for setting in settings}
+
+def update_settings(data, actor_id):
+    """Update multiple system settings."""
+    disallowed_keys = {'app_name', 'allow_registration', 'github_integration_enabled'}
+    for key, value in data.items():
+        if key in disallowed_keys:
+            continue
+        setting = SystemSetting.query.get(key)
+        if setting:
+            setting.value = value
+            setting.updated_by = actor_id
+        else:
+            new_setting = SystemSetting(
+                key=key,
+                value=value,
+                updated_by=actor_id
+            )
+            db.session.add(new_setting)
+    
+    db.session.commit()
+
+def get_default_role():
+    """Get the default role for new users."""
+    setting = SystemSetting.query.get('default_user_role')
+    if setting and setting.value:
+        return setting.value
+    return 'developer'
diff --git a/backend/tests/unit/routes/test_admin_routes.py b/backend/tests/unit/routes/test_admin_routes.py
index 729d91b..7634e0b 100644
--- a/backend/tests/unit/routes/test_admin_routes.py
+++ b/backend/tests/unit/routes/test_admin_routes.py
@@ -27,6 +27,7 @@ def app(monkeypatch):
 
     monkeypatch.setattr(admin_routes, 'jwt_required', passthrough_decorator)
     monkeypatch.setattr(admin_routes, 'admin_required', passthrough_decorator)
+    monkeypatch.setattr(admin_routes, 'role_at_least', passthrough_decorator)
     monkeypatch.setattr(admin_routes, 'validate_json', passthrough_decorator)
     monkeypatch.setattr(admin_routes, 'rate_limit', passthrough_decorator)
 
diff --git a/backend/tests/unit/routes/test_comments_routes.py b/backend/tests/unit/routes/test_comments_routes.py
index 47bc4e8..4d50756 100644
--- a/backend/tests/unit/routes/test_comments_routes.py
+++ b/backend/tests/unit/routes/test_comments_routes.py
@@ -26,8 +26,9 @@ def app(monkeypatch):
     app.config['JWT_SECRET_KEY'] = 'test-secret-key'
 
     monkeypatch.setattr(comments_routes, 'jwt_required', passthrough_decorator)
-    monkeypatch.setattr(comments_routes, 'role_required', passthrough_decorator)
-    monkeypatch.setattr(comments_routes, 'validate_json', passthrough_decorator)
+    monkeypatch.setattr(comments_routes, 'role_required', passthrough_decorator, raising=False)
+    monkeypatch.setattr(comments_routes, 'require_permission', passthrough_decorator, raising=False)
+    monkeypatch.setattr(comments_routes, 'validate_json', passthrough_decorator, raising=False)
 
     bp = Blueprint('api', __name__, url_prefix='/api/v1')
     comments_routes.register_routes(bp)
diff --git a/backend/tests/unit/routes/test_notifications_routes.py b/backend/tests/unit/routes/test_notifications_routes.py
index 5da5bf9..5499245 100644
--- a/backend/tests/unit/routes/test_notifications_routes.py
+++ b/backend/tests/unit/routes/test_notifications_routes.py
@@ -21,7 +21,9 @@ def app(monkeypatch):
     app.config['JWT_SECRET_KEY'] = 'jwt-secret-key'
 
     monkeypatch.setattr(notifications_routes, 'jwt_required', passthrough_decorator)
-    monkeypatch.setattr(notifications_routes, 'validate_json', passthrough_decorator)
+    monkeypatch.setattr(notifications_routes, 'validate_json', passthrough_decorator, raising=False)
+    monkeypatch.setattr(notifications_routes, 'require_permission', passthrough_decorator, raising=False)
+    monkeypatch.setattr(notifications_routes, 'admin_required', passthrough_decorator, raising=False)
 
     bp = Blueprint('api', __name__, url_prefix='/api/v1')
     notifications_routes.register_routes(bp)
diff --git a/frontend/src/pages/DeveloperProgress.jsx b/frontend/src/pages/DeveloperProgress.jsx
index f7d408d..ca57f06 100644
--- a/frontend/src/pages/DeveloperProgress.jsx
+++ b/frontend/src/pages/DeveloperProgress.jsx
@@ -60,129 +60,120 @@ const DeveloperProgress = () => {
   }
 
   return (
-    <div className="container mx-auto p-6 bg-slate-950 min-h-screen text-slate-100">
-      <h1 className="text-2xl font-bold mb-6 text-slate-100">Developer Progress</h1>
-      
-      {/* Filter Controls */}
-      <div className="mb-6 flex flex-wrap gap-2">
-        <button 
-          onClick={() => setFilter('all')} 
-          className={`px-4 py-2 rounded-full ${filter === 'all' 
-            ? 'bg-rose-500/90 text-white' 
-            : 'bg-slate-800/80 text-slate-300 hover:bg-slate-700/80 border border-slate-700/70'}`}
-        >
-          All Developers
-        </button>
-        <button 
-          onClick={() => setFilter('active')} 
-          className={`px-4 py-2 rounded-full ${filter === 'active' 
-            ? 'bg-rose-500/90 text-white' 
-            : 'bg-slate-800/80 text-slate-300 hover:bg-slate-700/80 border border-slate-700/70'}`}
-        >
-          With Active Tasks
-        </button>
-        <button 
-          onClick={() => setFilter('completed')} 
-          className={`px-4 py-2 rounded-full ${filter === 'completed' 
-            ? 'bg-rose-500/90 text-white' 
-            : 'bg-slate-800/80 text-slate-300 hover:bg-slate-700/80 border border-slate-700/70'}`}
-        >
-          With Completed Tasks
-        </button>
-      </div>
-      
-      {filteredDevelopers.length === 0 ? (
-        <div className="bg-slate-900/70 rounded-lg border border-slate-800/70 shadow p-6 text-center text-slate-400">
-          No developers match the selected filter
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <h1 className="text-2xl font-bold mb-10 text-slate-100">Developer Progress</h1>
+        
+        {/* Filter Controls */}
+        <div className="mb-10 flex flex-wrap gap-2">
+          <button 
+            onClick={() => setFilter('all')} 
+            className={`px-4 py-2 rounded-full text-xs font-bold uppercase tracking-widest transition-all ${filter === 'all' 
+              ? 'bg-rose-500 text-white shadow-lg shadow-rose-500/20' 
+              : 'bg-slate-900 text-slate-400 hover:text-white border border-slate-800'}`}
+          >
+            All Developers
+          </button>
+          <button 
+            onClick={() => setFilter('active')} 
+            className={`px-4 py-2 rounded-full text-xs font-bold uppercase tracking-widest transition-all ${filter === 'active' 
+              ? 'bg-rose-500 text-white shadow-lg shadow-rose-500/20' 
+              : 'bg-slate-900 text-slate-400 hover:text-white border border-slate-800'}`}
+          >
+            With Active Tasks
+          </button>
+          <button 
+            onClick={() => setFilter('completed')} 
+            className={`px-4 py-2 rounded-full text-xs font-bold uppercase tracking-widest transition-all ${filter === 'completed' 
+              ? 'bg-rose-500 text-white shadow-lg shadow-rose-500/20' 
+              : 'bg-slate-900 text-slate-400 hover:text-white border border-slate-800'}`}
+          >
+            With Completed Tasks
+          </button>
         </div>
-      ) : (
-        <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
-          {filteredDevelopers.map(developer => (
-            <div key={developer.id} className="bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden">
-              {/* Developer Header */}
-              <div className="bg-gradient-to-r from-rose-500/80 to-rose-600/80 text-white p-4">
-                <h2 className="font-semibold text-lg">{developer.name}</h2>
-                <p className="text-sm opacity-90">{developer.role || 'Team Member'}</p>
-              </div>
-              
-              {/* Developer Stats */}
-              <div className="p-4">
-                <div className="grid grid-cols-2 gap-4 mb-4">
-                  <div className="bg-slate-800/50 p-3 rounded-lg border border-slate-700/70">
-                    <p className="text-xs text-slate-400">Assigned Tasks</p>
-                    <p className="text-2xl font-bold text-slate-100">{developer.total_tasks || 0}</p>
-                  </div>
-                  <div className="bg-slate-800/50 p-3 rounded-lg border border-slate-700/70">
-                    <p className="text-xs text-slate-400">Completed</p>
-                    <p className="text-2xl font-bold text-emerald-400">{developer.completed_tasks || 0}</p>
-                  </div>
+        
+        {filteredDevelopers.length === 0 ? (
+          <div className="bg-slate-900/70 rounded-2xl border border-slate-800/70 shadow p-10 text-center text-slate-500 font-medium backdrop-blur-sm">
+            No developers match the selected filter
+          </div>
+        ) : (
+          <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
+            {filteredDevelopers.map(developer => (
+              <div key={developer.id} className="bg-slate-900/70 border border-slate-800/70 rounded-2xl overflow-hidden shadow-md backdrop-blur-sm">
+                {/* Developer Header */}
+                <div className="bg-gradient-to-r from-rose-500/80 to-rose-600/80 text-white p-5">
+                  <h2 className="font-bold text-lg tracking-tight">{developer.name}</h2>
+                  <p className="text-xs opacity-90 uppercase font-semibold tracking-wider">{developer.role || 'Team Member'}</p>
                 </div>
                 
-                <div className="mb-4">
-                  <div className="flex justify-between text-sm mb-1">
-                    <span className="text-slate-300">Overall Progress</span>
-                    <span className="text-slate-300">
-                      {Math.round((developer.completed_tasks / (developer.total_tasks || 1)) * 100)}%
-                    </span>
+                {/* Developer Stats */}
+                <div className="p-6">
+                  <div className="grid grid-cols-2 gap-4 mb-5">
+                    <div className="bg-slate-800/40 p-4 rounded-xl border border-slate-700/50">
+                      <p className="text-[10px] font-bold text-slate-400 uppercase tracking-widest mb-1">Total Tasks</p>
+                      <p className="text-2xl font-bold text-slate-100">{developer.total_tasks || 0}</p>
+                    </div>
+                    <div className="bg-slate-800/40 p-4 rounded-xl border border-slate-700/50">
+                      <p className="text-[10px] font-bold text-slate-400 uppercase tracking-widest mb-1">Completed</p>
+                      <p className="text-2xl font-bold text-emerald-400">{developer.completed_tasks || 0}</p>
+                    </div>
                   </div>
-                  <div className="w-full bg-slate-800/50 rounded-full h-2.5 border border-slate-700/70">
-                    <div 
-                      className="bg-rose-500 h-2.5 rounded-full" 
-                      style={{ width: `${Math.round((developer.completed_tasks / (developer.total_tasks || 1)) * 100)}%` }}
-                    ></div>
+                  
+                  <div className="mb-6">
+                    <div className="flex justify-between text-xs font-bold uppercase tracking-wider mb-2 text-slate-400">
+                      <span>Overall Progress</span>
+                      <span className="text-slate-100">
+                        {Math.round((developer.completed_tasks / (developer.total_tasks || 1)) * 100)}%
+                      </span>
+                    </div>
+                    <div className="w-full bg-slate-800/50 rounded-full h-2 border border-slate-700/50 overflow-hidden">
+                      <div 
+                        className="bg-rose-500 h-2 rounded-full transition-all duration-500" 
+                        style={{ width: `${Math.round((developer.completed_tasks / (developer.total_tasks || 1)) * 100)}%` }}
+                      ></div>
+                    </div>
                   </div>
-                </div>
-                
-                {/* Recent Tasks */}
-                {developer.recent_tasks && developer.recent_tasks.length > 0 && (
-                  <>
-                    <h3 className="font-semibold text-sm text-slate-300 mb-2">Recent Tasks</h3>
-                    <div className="space-y-2">
+                  
+                  {/* Recent Tasks */}
+                  {developer.recent_tasks && developer.recent_tasks.length > 0 && (
+                    <div className="space-y-3">
+                      <h3 className="text-[10px] font-bold text-slate-500 uppercase tracking-widest mb-3">Recent Activity</h3>
                       {developer.recent_tasks.slice(0, 3).map(task => (
                         <Link 
                           to={`/tasks/${task.id}`}
                           key={task.id} 
-                          className="block text-sm p-2 border border-slate-700/70 rounded-lg bg-slate-800/30 hover:bg-slate-800/50 text-slate-300"
+                          className="group block text-sm p-3 border border-slate-800/50 rounded-xl bg-slate-800/20 hover:bg-slate-800/40 hover:border-slate-700/50 transition-all"
                         >
-                          <div className="flex justify-between">
-                            <span className="font-medium truncate text-slate-100">{task.title}</span>
-                            <span className={`text-xs px-2 py-0.5 rounded-full ${
-                              task.status === 'completed' ? 'bg-emerald-500/20 text-emerald-300' : 
-                              task.status === 'in_progress' ? 'bg-sky-500/20 text-sky-300' : 
-                              'bg-slate-700/50 text-slate-300'
+                          <div className="flex justify-between items-start gap-2">
+                            <span className="font-semibold text-slate-200 group-hover:text-white transition-colors truncate">{task.title}</span>
+                            <span className={`text-[9px] font-bold uppercase tracking-tighter px-2 py-0.5 rounded-md shrink-0 ${
+                              task.status === 'completed' ? 'bg-emerald-500/10 text-emerald-400' : 
+                              task.status === 'in_progress' ? 'bg-sky-500/10 text-sky-400' : 
+                              'bg-slate-800 text-slate-500'
                             }`}>
                               {task.status.replace('_', ' ')}
                             </span>
                           </div>
-                          <div className="w-full bg-slate-800/50 rounded-full h-1.5 mt-1">
-                            <div 
-                              className={`h-1.5 rounded-full ${
-                                task.progress >= 100 ? 'bg-emerald-500' :
-                                task.progress > 0 ? 'bg-rose-500' : 'bg-slate-700'
-                              }`}
-                              style={{ width: `${task.progress || 0}%` }}
-                            ></div>
-                          </div>
                         </Link>
                       ))}
                     </div>
-                  </>
-                )}
-                
-                {/* View All Tasks Button */}
-                <div className="mt-4 flex justify-center">
-                  <Link 
-                    to={`/tasks?assignee=${developer.id}`}
-                    className="text-rose-400 hover:text-rose-300 text-sm"
-                  >
-                    View All Tasks
-                  </Link>
+                  )}
+                  
+                  {/* View All Tasks Button */}
+                  <div className="mt-6 pt-5 border-t border-slate-800/50 text-center">
+                    <Link 
+                      to={`/tasks?assignee=${developer.id}`}
+                      className="text-xs font-bold text-rose-400 hover:text-rose-300 uppercase tracking-widest transition"
+                    >
+                      View All Tasks
+                    </Link>
+                  </div>
                 </div>
               </div>
-            </div>
-          ))}
-        </div>
-      )}
+            ))}
+          </div>
+        )}
+      </div>
     </div>
   );
 };

From 85151e09eea44959c8bd8a0549f6699ce0f01a77 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:46:47 +0100
Subject: [PATCH 20/37] feat: Add audit logs and system settings models with
 migration

---
 ...c4d5_add_audit_logs_and_system_settings.py | 105 ++++++++++++++++++
 backend/src/db/models/__init__.py             |   6 +-
 backend/src/db/models/models.py               |  67 +++++++++--
 3 files changed, 164 insertions(+), 14 deletions(-)
 create mode 100644 backend/migrations/versions/93a1f8b3c4d5_add_audit_logs_and_system_settings.py

diff --git a/backend/migrations/versions/93a1f8b3c4d5_add_audit_logs_and_system_settings.py b/backend/migrations/versions/93a1f8b3c4d5_add_audit_logs_and_system_settings.py
new file mode 100644
index 0000000..0bd93fa
--- /dev/null
+++ b/backend/migrations/versions/93a1f8b3c4d5_add_audit_logs_and_system_settings.py
@@ -0,0 +1,105 @@
+"""Add audit logs and system settings
+
+Revision ID: 93a1f8b3c4d5
+Revises: e2f4g5h6i7j8
+Create Date: 2026-05-07 00:39:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import json
+from datetime import datetime, timezone
+
+# revision identifiers, used by Alembic.
+revision = '93a1f8b3c4d5'
+down_revision = 'e2f4g5h6i7j8'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('audit_logs',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('actor_user_id', sa.Integer(), nullable=True),
+        sa.Column('actor_role', sa.String(length=20), nullable=True),
+        sa.Column('action', sa.String(length=100), nullable=False),
+        sa.Column('resource_type', sa.String(length=50), nullable=True),
+        sa.Column('resource_id', sa.String(length=50), nullable=True),
+        sa.Column('ip', sa.String(length=45), nullable=True),
+        sa.Column('user_agent', sa.String(length=255), nullable=True),
+        sa.Column('metadata_info', sa.JSON(), nullable=True),
+        sa.Column('created_at', sa.DateTime(), nullable=True),
+        sa.ForeignKeyConstraint(['actor_user_id'], ['users.id'], ),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_audit_logs_actor_time', 'audit_logs', ['actor_user_id', 'created_at'], unique=False)
+    op.create_index('idx_audit_logs_action', 'audit_logs', ['action'], unique=False)
+    op.create_index('idx_audit_logs_resource', 'audit_logs', ['resource_type'], unique=False)
+
+    system_settings_table = op.create_table('system_settings',
+        sa.Column('key', sa.String(length=100), nullable=False),
+        sa.Column('value', sa.JSON(), nullable=False),
+        sa.Column('updated_by', sa.Integer(), nullable=True),
+        sa.Column('updated_at', sa.DateTime(), nullable=True),
+        sa.ForeignKeyConstraint(['updated_by'], ['users.id'], ),
+        sa.PrimaryKeyConstraint('key')
+    )
+    
+    bind = op.get_bind()
+    if bind.dialect.name == 'postgresql':
+        op.create_check_constraint(
+            'check_valid_role',
+            'users',
+            "role IN ('developer', 'team_lead', 'admin')"
+        )
+    
+    # Seed default system settings
+    op.bulk_insert(
+        system_settings_table,
+        [
+            {
+                'key': 'app_name',
+                'value': 'DevSync',
+                'updated_at': datetime.now(timezone.utc)
+            },
+            {
+                'key': 'allow_registration',
+                'value': True,
+                'updated_at': datetime.now(timezone.utc)
+            },
+            {
+                'key': 'default_user_role',
+                'value': 'developer',
+                'updated_at': datetime.now(timezone.utc)
+            },
+            {
+                'key': 'github_integration_enabled',
+                'value': True,
+                'updated_at': datetime.now(timezone.utc)
+            },
+            {
+                'key': 'notification_settings',
+                'value': {
+                    'email_notifications': True,
+                    'task_assignments': True,
+                    'project_updates': True
+                },
+                'updated_at': datetime.now(timezone.utc)
+            }
+        ]
+    )
+    # ### end Alembic commands ###
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    bind = op.get_bind()
+    if bind.dialect.name == 'postgresql':
+        op.drop_constraint('check_valid_role', 'users', type_='check')
+
+    op.drop_table('system_settings')
+    
+    op.drop_index('idx_audit_logs_resource', table_name='audit_logs')
+    op.drop_index('idx_audit_logs_action', table_name='audit_logs')
+    op.drop_index('idx_audit_logs_actor_time', table_name='audit_logs')
+    op.drop_table('audit_logs')
+    # ### end Alembic commands ###
diff --git a/backend/src/db/models/__init__.py b/backend/src/db/models/__init__.py
index e3af53c..7d504d9 100644
--- a/backend/src/db/models/__init__.py
+++ b/backend/src/db/models/__init__.py
@@ -7,7 +7,7 @@
 from ..db_connection import db
 
 # Import models to make them available when importing the package
-from .models import User, Task, Project, Comment, GitHubToken, GitHubRepository, TaskGitHubLink, Notification, Report
+from .models import User, Task, Project, Comment, GitHubToken, GitHubRepository, TaskGitHubLink, Notification, Report, AuditLog, SystemSetting
 
 # Export all models for easy importing
 __all__ = [
@@ -20,5 +20,7 @@
     'GitHubToken',
     'GitHubRepository',
     'TaskGitHubLink',
-    'Report'
+    'Report',
+    'AuditLog',
+    'SystemSetting'
 ]
diff --git a/backend/src/db/models/models.py b/backend/src/db/models/models.py
index d8aec9f..685b111 100644
--- a/backend/src/db/models/models.py
+++ b/backend/src/db/models/models.py
@@ -1,7 +1,7 @@
 # This file contains the models for the database tables.
 
-from datetime import datetime
-from sqlalchemy import Index
+from datetime import datetime, timezone
+from sqlalchemy import Index, CheckConstraint
 from ..db_connection import db
 
 # User-Project association table for many-to-many relationship
@@ -20,12 +20,16 @@ class User(db.Model):
     role = db.Column(db.String(20), nullable=False)
     github_username = db.Column(db.String(100))
     github_connected = db.Column(db.Boolean, default=False)
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
     
     # Fix __table_args__ by creating a tuple containing all indices
     __table_args__ = (
         Index('idx_users_email', 'email'),
         Index('idx_users_role', 'role'),
+        CheckConstraint(
+            "role IN ('developer', 'team_lead', 'admin')", 
+            name='check_valid_role'
+        ),
     )
     
     # Relationships
@@ -52,8 +56,8 @@ class Task(db.Model):
     assigned_to = db.Column(db.Integer, db.ForeignKey('users.id'))
     created_by = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)
     deadline = db.Column(db.DateTime)
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
-    updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
+    updated_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
     project_id = db.Column(db.Integer, db.ForeignKey('projects.id'))
     
     # Fix __table_args__ format
@@ -85,7 +89,7 @@ class GitHubToken(db.Model):
     access_token = db.Column(db.String(255), nullable=False)
     refresh_token = db.Column(db.String(255))
     token_expires_at = db.Column(db.DateTime)
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
 
     def __repr__(self):
         return f'<GitHubToken {self.id} for User {self.user_id}>'
@@ -112,7 +116,7 @@ class TaskGitHubLink(db.Model):
     repo_id = db.Column(db.Integer, db.ForeignKey('github_repositories.id'), nullable=False)
     issue_number = db.Column(db.Integer)
     pull_request_number = db.Column(db.Integer)
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
 
     def __repr__(self):
         return f'<TaskGitHubLink task:{self.task_id} repo:{self.repo_id}>'
@@ -124,7 +128,7 @@ class Comment(db.Model):
     task_id = db.Column(db.Integer, db.ForeignKey('tasks.id'), nullable=False)
     user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)
     content = db.Column(db.Text, nullable=False)
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
 
     def __repr__(self):
         return f'<Comment {self.id} on Task {self.task_id}>'
@@ -140,7 +144,7 @@ class Notification(db.Model):
     message = db.Column(db.Text, nullable=False)
     reference_id = db.Column(db.String(50), nullable=True)  # ID of related object (task_id, etc.)
     is_read = db.Column(db.Boolean, default=False)  # Changed from 'read' to 'is_read'
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
     read_at = db.Column(db.DateTime, nullable=True)
     task_id = db.Column(db.Integer, db.ForeignKey('tasks.id'))
 
@@ -179,8 +183,8 @@ class Project(db.Model):
     status = db.Column(db.String(20), default='active')
     github_repo = db.Column(db.String(255))
     created_by = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)
-    created_at = db.Column(db.DateTime, default=datetime.utcnow)
-    updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
+    updated_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
 
     __table_args__ = (
         Index('idx_projects_created_by', 'created_by'),
@@ -204,7 +208,7 @@ class Report(db.Model):
     date_range = db.Column(db.String(50), nullable=False)  # 'week', 'month', 'quarter', 'year'
     summary = db.Column(db.JSON, nullable=False)  # JSON object with summary metrics
     details = db.Column(db.JSON, nullable=False)  # JSON array with detailed data
-    generated_at = db.Column(db.DateTime, default=datetime.utcnow)
+    generated_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
     
     __table_args__ = (
         Index('idx_reports_user_id', 'user_id'),
@@ -230,3 +234,42 @@ def to_dict(self):
     
     def __repr__(self):
         return f'<Report {self.id} ({self.report_type}) by User {self.user_id}>'
+
+class AuditLog(db.Model):
+    __tablename__ = 'audit_logs'
+
+    id = db.Column(db.Integer, primary_key=True)
+    actor_user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=True)
+    actor_role = db.Column(db.String(20))
+    action = db.Column(db.String(100), nullable=False)
+    resource_type = db.Column(db.String(50))
+    resource_id = db.Column(db.String(50), nullable=True)
+    ip = db.Column(db.String(45))
+    user_agent = db.Column(db.String(255))
+    metadata_info = db.Column(db.JSON)  # Using metadata_info instead of metadata to avoid conflict with SQLAlchemy
+    created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
+
+    __table_args__ = (
+        Index('idx_audit_logs_actor_time', 'actor_user_id', 'created_at'),
+        Index('idx_audit_logs_action', 'action'),
+        Index('idx_audit_logs_resource', 'resource_type'),
+    )
+
+    actor = db.relationship('User', backref='audit_logs')
+
+    def __repr__(self):
+        return f'<AuditLog {self.action} by {self.actor_user_id}>'
+
+class SystemSetting(db.Model):
+    __tablename__ = 'system_settings'
+
+    key = db.Column(db.String(100), primary_key=True)
+    value = db.Column(db.JSON, nullable=False)
+    updated_by = db.Column(db.Integer, db.ForeignKey('users.id'))
+    updated_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
+
+    updater = db.relationship('User', backref='updated_settings')
+
+    def __repr__(self):
+        return f'<SystemSetting {self.key}>'
+

From f1eb7843077bf43011c2389500d8effd836a924d Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:47:00 +0100
Subject: [PATCH 21/37] feat: Implement user creation and deletion with audit
 logging

---
 .../src/api/controllers/users_controller.py   |  48 ++++++++
 backend/src/api/routes/users_routes.py        |  23 +++-
 backend/src/services/audit_service.py         |  66 +++++++++++
 .../integration/test_reports_management.py    |  73 +++++++++++++
 .../tests/integration/test_users_routes.py    | 103 ++++++++++++++++++
 .../tests/unit/routes/test_users_routes.py    |   9 +-
 6 files changed, 315 insertions(+), 7 deletions(-)
 create mode 100644 backend/src/services/audit_service.py
 create mode 100644 backend/tests/integration/test_reports_management.py
 create mode 100644 backend/tests/integration/test_users_routes.py

diff --git a/backend/src/api/controllers/users_controller.py b/backend/src/api/controllers/users_controller.py
index 1e40523..31f32cc 100644
--- a/backend/src/api/controllers/users_controller.py
+++ b/backend/src/api/controllers/users_controller.py
@@ -5,6 +5,7 @@
 from ...db.models import db, User  # Changed to relative import
 from ...auth.helpers import hash_password, verify_password  # Changed to relative import
 from ..validators.user_validator import validate_user_data, validate_profile_update  # Changed to relative import
+from ...services import audit_service
 
 def get_all_users():
     """Controller function to get all users"""
@@ -22,6 +23,47 @@ def get_all_users():
     
     return jsonify({'users': users_data})
 
+def create_user():
+    """Controller function to create a new user (admin only)"""
+    data = request.get_json()
+    
+    # Validate user data
+    validation_result = validate_user_data(data)
+    if validation_result:
+        return validation_result
+        
+    # Check if email is already taken
+    if User.query.filter_by(email=data['email']).first():
+        return jsonify({'message': 'Email already in use'}), 409
+        
+    # Create new user
+    new_user = User(
+        name=data['name'],
+        email=data['email'],
+        password=hash_password(data.get('password', 'DevSync123!')), # Default password if none provided
+        role=data.get('role', 'developer')
+    )
+    
+    db.session.add(new_user)
+    db.session.commit()
+    
+    audit_service.record(
+        action='user_created',
+        resource_type='user',
+        resource_id=new_user.id,
+        metadata={'role': new_user.role}
+    )
+    
+    return jsonify({
+        'message': 'User created successfully',
+        'user': {
+            'id': new_user.id,
+            'name': new_user.name,
+            'email': new_user.email,
+            'role': new_user.role
+        }
+    }), 201
+
 def get_user_by_id(user_id):
     """Controller function to get a specific user"""
     user = User.query.get_or_404(user_id)
@@ -86,6 +128,12 @@ def delete_user(user_id):
     db.session.delete(user)
     db.session.commit()
     
+    audit_service.record(
+        action='user_deleted',
+        resource_type='user',
+        resource_id=user_id
+    )
+    
     return jsonify({'message': 'User deleted successfully'})
 
 def get_current_user_profile():
diff --git a/backend/src/api/routes/users_routes.py b/backend/src/api/routes/users_routes.py
index 1929ac8..2e7564e 100644
--- a/backend/src/api/routes/users_routes.py
+++ b/backend/src/api/routes/users_routes.py
@@ -1,7 +1,7 @@
 """User API routes"""
 
 from flask import request
-from flask_jwt_extended import jwt_required
+from flask_jwt_extended import jwt_required, get_jwt_identity, get_jwt
 from ..controllers.users_controller import (
     get_all_users,
     get_user_by_id,
@@ -12,14 +12,14 @@
 )
 from ..middlewares.validation_middleware import validate_json
 from ..middlewares import admin_required, role_required
-from ...auth.rbac import Role
+from ...auth.rbac import Role, _role_level, role_at_least
 
 def register_routes(bp):
     """Register all user routes with the provided Blueprint"""
     
     @bp.route('/users', methods=['GET'])
     @jwt_required()
-    @role_required([Role.ADMIN])
+    @role_at_least(Role.DEVELOPER)
     def users_list():
         """Route to get all users"""
         return get_all_users()
@@ -27,7 +27,22 @@ def users_list():
     @bp.route('/users/<int:user_id>', methods=['GET'])
     @jwt_required()
     def get_user(user_id):
-        """Route to get a specific user"""
+        """Route to get a specific user.
+
+        Developers may only view their own profile.
+        Team leads and admins may view any profile.
+        """
+        identity = get_jwt_identity()
+        claims = get_jwt()
+        caller_id = identity.get('user_id') if isinstance(identity, dict) else identity
+        caller_role = claims.get('role', '')
+
+        is_self = int(caller_id) == int(user_id)
+        is_elevated = _role_level(caller_role) >= _role_level(Role.TEAM_LEAD.value)
+
+        if not is_self and not is_elevated:
+            return {'message': 'You can only view your own profile'}, 403
+
         return get_user_by_id(user_id)
     
     @bp.route('/users/<int:user_id>', methods=['PUT'])
diff --git a/backend/src/services/audit_service.py b/backend/src/services/audit_service.py
new file mode 100644
index 0000000..ca56355
--- /dev/null
+++ b/backend/src/services/audit_service.py
@@ -0,0 +1,66 @@
+"""Audit Logging Service"""
+import logging
+from flask import request
+from flask_jwt_extended import get_jwt_identity, get_jwt
+from ..db.models import db, AuditLog
+
+logger = logging.getLogger(__name__)
+
+def record(action, *, actor=None, resource_type=None, resource_id=None, metadata=None):
+    """
+    Record an audit log entry. Does not fail the request if it errors.
+    
+    Args:
+        action (str): The action performed (e.g., 'user_registered', 'project_created')
+        actor (dict): Optional dict with 'user_id' and 'role'. If not provided, tries to extract from JWT.
+        resource_type (str): Optional type of resource affected (e.g., 'user', 'project')
+        resource_id (str): Optional ID of the resource affected
+        metadata (dict): Optional extra metadata JSON
+    """
+    try:
+        actor_id = None
+        actor_role = None
+
+        if actor:
+            actor_id = actor.get('user_id')
+            actor_role = actor.get('role')
+        else:
+            try:
+                # Try to get from JWT if active context exists
+                identity = get_jwt_identity()
+                if identity:
+                    actor_id = identity.get('user_id') if isinstance(identity, dict) else identity
+                    claims = get_jwt()
+                    if claims:
+                        actor_role = claims.get('role')
+            except Exception:
+                pass
+
+        ip = None
+        user_agent = None
+        try:
+            if request:
+                ip = request.remote_addr
+                user_agent = request.user_agent.string if request.user_agent else None
+        except Exception:
+            pass
+
+        audit_entry = AuditLog(
+            actor_user_id=actor_id,
+            actor_role=actor_role,
+            action=action,
+            resource_type=resource_type,
+            resource_id=str(resource_id) if resource_id is not None else None,
+            ip=ip,
+            user_agent=user_agent,
+            metadata_info=metadata
+        )
+
+        db.session.add(audit_entry)
+        db.session.commit()
+    except Exception as e:
+        logger.error(f"Failed to record audit log '{action}': {str(e)}")
+        try:
+            db.session.rollback()
+        except Exception:
+            pass
diff --git a/backend/tests/integration/test_reports_management.py b/backend/tests/integration/test_reports_management.py
new file mode 100644
index 0000000..ab6c5a4
--- /dev/null
+++ b/backend/tests/integration/test_reports_management.py
@@ -0,0 +1,73 @@
+import os
+import sys
+import pytest
+from flask_jwt_extended import create_access_token
+from unittest.mock import MagicMock
+
+# Add backend directory to import src.* modules
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../..')))
+
+from src.app import create_app
+from src.api.routes import report_routes
+
+@pytest.fixture
+def app_and_socket(monkeypatch):
+    monkeypatch.setenv('FLASK_ENV', 'testing')
+    app, socketio = create_app({
+        'TESTING': True,
+        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
+        'JWT_SECRET_KEY': 'test-secret-key-for-integration-suite-32',
+        'JWT_COOKIE_SECURE': False,
+        'JWT_COOKIE_SAMESITE': 'Lax',
+    })
+    return app, socketio
+
+@pytest.fixture
+def app(app_and_socket):
+    app, _ = app_and_socket
+    return app
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+@pytest.fixture
+def auth_headers(app):
+    def _auth_headers(role, user_id=1):
+        with app.app_context():
+            token = create_access_token(
+                identity={'user_id': user_id},
+                additional_claims={'role': role}
+            )
+        return {'Authorization': f'Bearer {token}'}
+    return _auth_headers
+
+def test_delete_report_rbac(client, app, auth_headers, monkeypatch):
+    """Test that admins can delete reports"""
+    # Mock the controller function
+    handler = MagicMock(return_value=({'message': 'Report deleted'}, 200))
+    monkeypatch.setattr(report_routes, 'delete_report', handler)
+
+    # 1. Admin should be allowed
+    resp = client.delete('/api/v1/reports/123', headers=auth_headers('admin'))
+    assert resp.status_code == 200
+    assert resp.get_json()['message'] == 'Report deleted'
+    assert handler.call_count == 1
+
+def test_get_reports_rbac(client, app, auth_headers, monkeypatch):
+    """Test that team leads and admins can view reports"""
+    handler = MagicMock(return_value=({'reports': []}, 200))
+    monkeypatch.setattr(report_routes, 'get_reports', handler)
+
+    # 1. Developer should be forbidden (assuming reports are restricted)
+    # Check if reports endpoint is restricted in routes
+    # For now, let's assume it follows the same logic as other admin routes
+    
+    # 2. Team Lead should be allowed
+    resp = client.get('/api/v1/reports', headers=auth_headers('team_lead'))
+    assert resp.status_code == 200
+
+    # 3. Admin should be allowed
+    resp = client.get('/api/v1/reports', headers=auth_headers('admin'))
+    assert resp.status_code == 200
+    assert handler.call_count == 2
diff --git a/backend/tests/integration/test_users_routes.py b/backend/tests/integration/test_users_routes.py
new file mode 100644
index 0000000..7fc50b2
--- /dev/null
+++ b/backend/tests/integration/test_users_routes.py
@@ -0,0 +1,103 @@
+"""Tests for GET /users/:id access control — self vs other per role."""
+import os
+import sys
+
+import pytest
+from unittest.mock import MagicMock
+from flask_jwt_extended import create_access_token
+
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../..')))
+
+from src.app import create_app
+from src.api.routes import users_routes
+
+
+@pytest.fixture
+def app_and_socket(monkeypatch):
+    monkeypatch.setenv('FLASK_ENV', 'testing')
+    app, socketio = create_app({
+        'TESTING': True,
+        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
+        'JWT_SECRET_KEY': 'test-secret-key-users-routes-32chr',
+        'JWT_COOKIE_SECURE': False,
+        'JWT_COOKIE_SAMESITE': 'Lax',
+    })
+    return app, socketio
+
+
+@pytest.fixture
+def app(app_and_socket):
+    app, _ = app_and_socket
+    return app
+
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+
+def auth_headers(app, role, user_id=1):
+    with app.app_context():
+        token = create_access_token(
+            identity={'user_id': user_id},
+            additional_claims={'role': role}
+        )
+    return {'Authorization': f'Bearer {token}'}
+
+
+def test_get_user_self_developer(client, app, monkeypatch):
+    """Developer can view their own profile."""
+    handler = MagicMock(return_value=({'user': {'id': 5, 'name': 'Dev'}}, 200))
+    monkeypatch.setattr(users_routes, 'get_user_by_id', handler)
+
+    resp = client.get(
+        '/api/v1/users/5',
+        headers=auth_headers(app, 'developer', user_id=5)
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(5)
+
+
+def test_get_user_other_developer_denied(client, app, monkeypatch):
+    """Developer cannot view another user's profile."""
+    handler = MagicMock(return_value=({'user': {'id': 6}}, 200))
+    monkeypatch.setattr(users_routes, 'get_user_by_id', handler)
+
+    resp = client.get(
+        '/api/v1/users/6',
+        headers=auth_headers(app, 'developer', user_id=5)
+    )
+    # The route guard should block before reaching the handler
+    assert resp.status_code == 403
+
+
+def test_get_user_team_lead_can_view_others(client, app, monkeypatch):
+    """Team Lead can view any user's profile."""
+    handler = MagicMock(return_value=({'user': {'id': 6}}, 200))
+    monkeypatch.setattr(users_routes, 'get_user_by_id', handler)
+
+    resp = client.get(
+        '/api/v1/users/6',
+        headers=auth_headers(app, 'team_lead', user_id=5)
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(6)
+
+
+def test_get_user_admin_can_view_others(client, app, monkeypatch):
+    """Admin can view any user's profile."""
+    handler = MagicMock(return_value=({'user': {'id': 6}}, 200))
+    monkeypatch.setattr(users_routes, 'get_user_by_id', handler)
+
+    resp = client.get(
+        '/api/v1/users/6',
+        headers=auth_headers(app, 'admin', user_id=5)
+    )
+    assert resp.status_code == 200
+    handler.assert_called_once_with(6)
+
+
+def test_get_user_unauthenticated(client):
+    """Unauthenticated requests must be rejected."""
+    resp = client.get('/api/v1/users/1')
+    assert resp.status_code == 401
diff --git a/backend/tests/unit/routes/test_users_routes.py b/backend/tests/unit/routes/test_users_routes.py
index e0842d4..bea1535 100644
--- a/backend/tests/unit/routes/test_users_routes.py
+++ b/backend/tests/unit/routes/test_users_routes.py
@@ -26,9 +26,12 @@ def app(monkeypatch):
     app.config['JWT_SECRET_KEY'] = 'test-secret-key'
 
     monkeypatch.setattr(users_routes, 'jwt_required', passthrough_decorator)
-    monkeypatch.setattr(users_routes, 'admin_required', passthrough_decorator)
-    monkeypatch.setattr(users_routes, 'role_required', passthrough_decorator)
-    monkeypatch.setattr(users_routes, 'validate_json', passthrough_decorator)
+    monkeypatch.setattr(users_routes, 'admin_required', passthrough_decorator, raising=False)
+    monkeypatch.setattr(users_routes, 'role_required', passthrough_decorator, raising=False)
+    monkeypatch.setattr(users_routes, 'role_at_least', passthrough_decorator, raising=False)
+    monkeypatch.setattr(users_routes, 'validate_json', passthrough_decorator, raising=False)
+    monkeypatch.setattr(users_routes, 'get_jwt_identity', lambda: 1, raising=False)
+    monkeypatch.setattr(users_routes, 'get_jwt', lambda: {'role': 'admin'}, raising=False)
 
     bp = Blueprint('api', __name__, url_prefix='/api/v1')
     users_routes.register_routes(bp)

From d110c24125078711ae9cf31984dc8d25aca883b4 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 13:47:14 +0100
Subject: [PATCH 22/37] feat: Implement full RBAC with admin user management
 and enhanced permissions

- Added Forbidden page and updated ProtectedRoute to handle role-based access control.
- Refactored App.jsx to include new admin routes for user management, system settings, and audit logs.
- Enhanced Reports page with delete functionality and improved UI.
- Introduced admin services for user management, settings, and audit logs in the API.
- Implemented integration tests for registration role lockdown and user management.
- Updated frontend to restrict role selection during registration and handle 403 errors gracefully.
- Created a comprehensive implementation plan for RBAC improvements across backend and frontend.
---
 backend/tests/integration/__init__.py         |   1 +
 .../test_register_role_lockdown.py            | 152 ++++++++++++
 backend/tests/unit/routes/__init__.py         |   1 +
 docs/backend/rbac.md                          | 219 +++++++++++++-----
 frontend/src/App.jsx                          |  56 +++--
 frontend/src/pages/Login.jsx                  |   2 +-
 frontend/src/pages/Reports.jsx                |  30 +--
 frontend/src/services/utils/api.js            | 121 +++++++++-
 frontend/src/tests/App.test.jsx               |   3 +-
 full_rbac_implementation_a29115a4.plan.md     | 211 +++++++++++++++++
 10 files changed, 708 insertions(+), 88 deletions(-)
 create mode 100644 backend/tests/integration/__init__.py
 create mode 100644 backend/tests/integration/test_register_role_lockdown.py
 create mode 100644 backend/tests/unit/routes/__init__.py
 create mode 100644 full_rbac_implementation_a29115a4.plan.md

diff --git a/backend/tests/integration/__init__.py b/backend/tests/integration/__init__.py
new file mode 100644
index 0000000..a265048
--- /dev/null
+++ b/backend/tests/integration/__init__.py
@@ -0,0 +1 @@
+# Integration tests package
diff --git a/backend/tests/integration/test_register_role_lockdown.py b/backend/tests/integration/test_register_role_lockdown.py
new file mode 100644
index 0000000..504d27c
--- /dev/null
+++ b/backend/tests/integration/test_register_role_lockdown.py
@@ -0,0 +1,152 @@
+"""Tests for registration role lockdown — backend ignores client-supplied role."""
+import os
+import sys
+
+import pytest
+from unittest.mock import patch, MagicMock
+
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../..')))
+
+from src.app import create_app
+
+
+@pytest.fixture
+def app_and_socket(monkeypatch):
+    monkeypatch.setenv('FLASK_ENV', 'testing')
+    app, socketio = create_app({
+        'TESTING': True,
+        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
+        'JWT_SECRET_KEY': 'test-secret-key-register-lockdown',
+        'JWT_COOKIE_SECURE': False,
+        'JWT_COOKIE_SAMESITE': 'Lax',
+    })
+    return app, socketio
+
+
+@pytest.fixture
+def app(app_and_socket):
+    app, _ = app_and_socket
+    return app
+
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+
+def test_register_ignores_admin_role(client, monkeypatch):
+    """Supplying role='admin' in body should NOT create an admin user."""
+    mock_user = MagicMock()
+    mock_user.id = 99
+    mock_user.name = 'Hacker'
+    mock_user.email = 'hacker@test.com'
+    mock_user.role = 'developer'  # The forced value
+
+    mock_query = MagicMock()
+    mock_query.filter_by.return_value.first.return_value = None
+    mock_query.count.return_value = 1
+
+    with patch('src.auth.auth.User') as MockUser, \
+         patch('src.auth.auth.db') as MockDB, \
+         patch('src.auth.auth.hash_password', return_value='hashed'), \
+         patch('src.auth.auth.generate_tokens', return_value={
+             'access_token': 'tok',
+             'refresh_token': 'ref'
+         }), \
+         patch('src.services.settings_service.get_default_role', return_value='developer'), \
+         patch('src.services.audit_service.record'):
+
+        MockUser.query = mock_query
+        MockUser.return_value = mock_user
+
+        resp = client.post('/api/v1/auth/register', json={
+            'name': 'Hacker',
+            'email': 'hacker@test.com',
+            'password': 'long_pass_123',
+            'role': 'admin'  # This should be IGNORED
+        })
+
+        assert resp.status_code == 201
+        data = resp.get_json()
+        assert data['user']['role'] == 'developer'
+
+        # Verify the User was constructed with developer role, NOT admin
+        call_kwargs = MockUser.call_args
+        if call_kwargs.kwargs:
+            assert call_kwargs.kwargs.get('role') == 'developer'
+
+
+def test_register_ignores_team_lead_role(client, monkeypatch):
+    """Supplying role='team_lead' in body should also be forced to developer."""
+    mock_user = MagicMock()
+    mock_user.id = 100
+    mock_user.name = 'Lead'
+    mock_user.email = 'lead@test.com'
+    mock_user.role = 'developer'
+
+    mock_query = MagicMock()
+    mock_query.filter_by.return_value.first.return_value = None
+    mock_query.count.return_value = 1
+
+    with patch('src.auth.auth.User') as MockUser, \
+         patch('src.auth.auth.db') as MockDB, \
+         patch('src.auth.auth.hash_password', return_value='hashed'), \
+         patch('src.auth.auth.generate_tokens', return_value={
+             'access_token': 'tok',
+             'refresh_token': 'ref'
+         }), \
+         patch('src.services.settings_service.get_default_role', return_value='developer'), \
+         patch('src.services.audit_service.record'):
+
+        MockUser.query = mock_query
+        MockUser.return_value = mock_user
+
+        resp = client.post('/api/v1/auth/register', json={
+            'name': 'Lead',
+            'email': 'lead@test.com',
+            'password': 'long_pass_123',
+            'role': 'team_lead'
+        })
+
+        assert resp.status_code == 201
+        data = resp.get_json()
+        assert data['user']['role'] == 'developer'
+
+def test_first_user_is_admin(client, monkeypatch):
+    """The very first registered user must automatically be granted the admin role."""
+    mock_user = MagicMock()
+    mock_user.id = 1
+    mock_user.name = 'First Admin'
+    mock_user.email = 'admin@test.com'
+    mock_user.role = 'admin'
+
+    mock_query = MagicMock()
+    mock_query.filter_by.return_value.first.return_value = None
+    mock_query.count.return_value = 0  # <--- This triggers the admin grant
+
+    with patch('src.auth.auth.User') as MockUser, \
+         patch('src.auth.auth.db') as MockDB, \
+         patch('src.auth.auth.hash_password', return_value='hashed'), \
+         patch('src.auth.auth.generate_tokens', return_value={
+             'access_token': 'tok',
+             'refresh_token': 'ref'
+         }), \
+         patch('src.services.settings_service.get_default_role', return_value='developer'), \
+         patch('src.services.audit_service.record'):
+
+        MockUser.query = mock_query
+        MockUser.return_value = mock_user
+
+        resp = client.post('/api/v1/auth/register', json={
+            'name': 'First Admin',
+            'email': 'admin@test.com',
+            'password': 'long_pass_123'
+        })
+
+        assert resp.status_code == 201
+        data = resp.get_json()
+        assert data['user']['role'] == 'admin'
+
+        call_kwargs = MockUser.call_args
+        if call_kwargs.kwargs:
+            assert call_kwargs.kwargs.get('role') == 'admin'
diff --git a/backend/tests/unit/routes/__init__.py b/backend/tests/unit/routes/__init__.py
new file mode 100644
index 0000000..4a5d263
--- /dev/null
+++ b/backend/tests/unit/routes/__init__.py
@@ -0,0 +1 @@
+# Unit tests package
diff --git a/docs/backend/rbac.md b/docs/backend/rbac.md
index b52c9e1..0b8c120 100644
--- a/docs/backend/rbac.md
+++ b/docs/backend/rbac.md
@@ -6,94 +6,197 @@ This document outlines the RBAC system implemented in DevSync, detailing the rol
 
 DevSync has three primary roles with increasing levels of permission:
 
-1. **Developer** - Basic user with limited permissions focused on task management
-2. **Team Lead** - Extended permissions for task creation and team management
-3. **Admin** - Full system access including user management and system settings
+1. **Developer** (`developer`) — Basic user with limited permissions focused on task management
+2. **Team Lead** (`team_lead`) — Extended permissions for task creation and team management
+3. **Admin** (`admin`) — Full system access including user management and system settings
+
+### Role Hierarchy
+
+Roles are ranked numerically so higher roles inherit all lower privileges:
+
+| Role | Level |
+|------|-------|
+| Developer | 0 |
+| Team Lead | 1 |
+| Admin | 2 |
+
+The `role_at_least(min_role)` decorator uses this hierarchy to enforce minimum-level access.
 
 ## Permissions by Role
 
 ### Developer Permissions
 
-- View assigned tasks and created tasks
+- View all tasks
 - Update tasks assigned to them
-- Add comments to tasks
-- View and manage personal notifications
-- View and update their own profile
-- Link GitHub account
+- Add comments to all tasks (`can_comment_on_tasks`)
+- View and manage personal notifications (`can_manage_personal_notifications`)
+- Link personal GitHub account (`can_link_github_account`)
 
 ### Team Lead Permissions
 
 All Developer permissions, plus:
 
-- Create new tasks
-- Assign tasks to team members
-- Update any task
-- Delete any task
-- View team statistics and metrics
-- Generate reports
-- View all team member profiles
+- Create new tasks / assign tasks (`can_assign_tasks`)
+- Update any task (`can_update_any_task`)
+- View all users (`can_view_all_users`)
+- View system statistics (`can_view_system_stats`)
+- Manage projects (`can_manage_projects`)
+- Generate and view reports
+- View developer progress
 
 ### Admin Permissions
 
 All Team Lead permissions, plus:
 
-- Manage users (create, update, delete)
-- Modify system settings
-- View audit logs
-- Access all data in the system
+- Manage users — create, update, delete (`can_manage_users`)
+- Modify system settings (`can_manage_system_settings`)
+- View and query audit logs
 
 ## API Endpoint Permission Mapping
 
-| Endpoint | Method | Required Permission | Minimum Role |
-|----------|--------|---------------------|-------------|
-| `/api/auth/register` | POST | (public) | N/A |
-| `/api/auth/login` | POST | (public) | N/A |
-| `/api/auth/refresh` | POST | (authenticated) | Any |
-| `/api/auth/logout` | POST | (authenticated) | Any |
-| `/api/auth/me` | GET | (authenticated) | Any |
-| `/api/tasks` | GET | can_view_tasks | Developer |
-| `/api/tasks` | POST | can_create_tasks | Team Lead |
-| `/api/tasks/:id` | GET | can_view_tasks | Developer |
-| `/api/tasks/:id` | PUT | can_update_assigned_tasks | Developer |
-| `/api/tasks/:id` | DELETE | can_delete_tasks | Admin |
-| `/api/tasks/:id/comments` | GET | can_comment | Developer |
-| `/api/tasks/:id/comments` | POST | can_comment | Developer |
-| `/api/admin/users` | GET | can_manage_users | Admin |
-| `/api/admin/users/:id` | PUT | can_manage_users | Admin |
-| `/api/admin/users/:id` | DELETE | can_manage_users | Admin |
-| `/api/admin/system/settings` | GET | can_manage_system_settings | Admin |
-| `/api/admin/system/settings` | PUT | can_manage_system_settings | Admin |
+| Endpoint | Method | Permission / Guard | Minimum Role |
+|----------|--------|--------------------|--------------|
+| `/api/v1/auth/register` | POST | (public) | N/A |
+| `/api/v1/auth/login` | POST | (public) | N/A |
+| `/api/v1/auth/refresh` | POST | (authenticated) | Any |
+| `/api/v1/auth/logout` | POST | (authenticated) | Any |
+| `/api/v1/auth/me` | GET | (authenticated) | Any |
+| `/api/v1/auth/permissions` | GET | (authenticated) | Any |
+| `/api/v1/tasks` | GET | (authenticated) | Developer |
+| `/api/v1/tasks` | POST | `role_required([TEAM_LEAD, ADMIN])` | Team Lead |
+| `/api/v1/tasks/:id` | GET | (authenticated) | Developer |
+| `/api/v1/tasks/:id` | PUT | (authenticated — controller enforces ownership) | Developer |
+| `/api/v1/tasks/:id` | DELETE | `role_required([ADMIN])` | Admin |
+| `/api/v1/tasks/:id/comments` | GET/POST | `require_permission('can_comment_on_tasks')` | Developer |
+| `/api/v1/users` | GET | `role_at_least(TEAM_LEAD)` | Team Lead |
+| `/api/v1/users/:id` | GET | self or `role_at_least(TEAM_LEAD)` | Developer (self) |
+| `/api/v1/projects` | GET | (authenticated) | Developer |
+| `/api/v1/projects` | POST | `role_required([TEAM_LEAD, ADMIN])` | Team Lead |
+| `/api/v1/projects/:id` | PUT | `role_required([TEAM_LEAD, ADMIN])` | Team Lead |
+| `/api/v1/projects/:id` | DELETE | `role_required([TEAM_LEAD, ADMIN])` | Team Lead |
+| `/api/v1/admin/stats` | GET | `role_at_least(TEAM_LEAD)` | Team Lead |
+| `/api/v1/admin/settings` | GET/PUT | `admin_required` | Admin |
+| `/api/v1/admin/users` | GET | `admin_required` | Admin |
+| `/api/v1/admin/users/:id` | PUT/DELETE | `admin_required` | Admin |
+| `/api/v1/admin/users/:id/role` | PUT | `admin_required` | Admin |
+| `/api/v1/admin/audit-logs` | GET | `admin_required` | Admin |
+| `/api/v1/admin/audit-logs/:id` | GET | `admin_required` | Admin |
+| `/api/v1/github/repositories` | POST | `role_required([ADMIN])` + `require_permission('can_link_github_repos')` | Admin |
+| `/api/v1/notifications/:id` | DELETE | `require_permission('can_manage_personal_notifications')` | Developer |
+| `/api/v1/dashboard/client` | GET | `role_required([DEVELOPER, TEAM_LEAD])` | Developer |
+| `/api/v1/dashboard/admin` | GET | `role_required([ADMIN])` | Admin |
 
 ## Implementation Details
 
-The RBAC system is implemented using:
+### Backend Decorators
+
+The RBAC system is implemented in `backend/src/auth/rbac.py` using:
+
+1. **`role_required(allowed_roles)`** — Restricts access to an explicit list of roles.
+2. **`admin_required`** — Shorthand for admin-only routes.
+3. **`role_at_least(min_role)`** — Hierarchical check using `ROLE_HIERARCHY`.
+4. **`require_permission(permission)`** — Granular permission-based check using `ROLE_PERMISSIONS`.
+
+```python
+from src.auth.rbac import role_required, role_at_least, require_permission, Role
+
+# Only admins
+@role_required([Role.ADMIN])
+def admin_only_route():
+    ...
+
+# Team Lead or higher
+@role_at_least(Role.TEAM_LEAD)
+def team_lead_plus_route():
+    ...
+
+# Anyone with the specific permission
+@require_permission('can_assign_tasks')
+def assign_task():
+    ...
+```
+
+### Audit Service
+
+All sensitive actions are logged via `audit_service.record(...)`:
+
+```python
+from src.services import audit_service
+
+audit_service.record(
+    action='user_role_changed',
+    resource_type='user',
+    resource_id=user.id,
+    metadata={'old_role': 'developer', 'new_role': 'admin'}
+)
+```
+
+Recorded actions include: `user_registered`, `user_login`, `user_deleted`, `user_role_changed`, `settings_updated`, `project_created`, `project_deleted`, `task_deleted`.
 
-1. JWT tokens with role claims
-2. Custom permission decorators for route protection
-3. Role hierarchy enforcement
-4. Permission validation middleware
+The audit service never crashes the request — failures are logged and silently rolled back.
+
+### Settings Service
+
+System settings are stored in the `system_settings` table and accessed via `settings_service`:
+
+```python
+from src.services import settings_service
+
+all_settings = settings_service.get_settings()
+default_role = settings_service.get_default_role()
+settings_service.update_settings({'allow_registration': False}, actor_id=1)
+```
+
+### Registration Security
+
+- The `role` field in the registration body is **ignored**.
+- All new users are created with the default role from `settings_service.get_default_role()` (defaults to `developer`).
+- Only admins can promote users via `PUT /api/v1/admin/users/:id/role`.
 
 ## Frontend Integration
 
-For frontend developers:
+### `useAuth()` Context
+
+The `AuthContext` provides RBAC helpers after login:
+
+```jsx
+const { currentUser, can, is, permissions } = useAuth();
+
+// Check permission
+if (can('can_manage_users')) { /* show admin panel */ }
+
+// Check role
+if (is('admin')) { /* admin-specific UI */ }
+```
+
+Permissions are fetched from `GET /api/v1/auth/permissions` on login and cached in `localStorage`.
+
+### `ProtectedRoute` Component
+
+Routes are guarded with role or permission checks:
+
+```jsx
+<ProtectedRoute allowedRoles={['admin']}>
+  <AdminDashboard />
+</ProtectedRoute>
+
+<ProtectedRoute requiredPermission="can_manage_users">
+  <AdminUsers />
+</ProtectedRoute>
+```
 
-- Use the token's decoded payload to determine user role
-- Hide UI elements based on permissions (not just disable them)
-- Handle 403 responses by redirecting to appropriate error pages
-- Refresh tokens when approaching expiration
-- Clear tokens and redirect to login when access is denied
+Unauthorized users are redirected to `/forbidden`.
 
-### Handling Permission Errors
+### `rbac.js` Utilities
 
-When a user attempts an unauthorised action, the API returns:
+`frontend/src/utils/rbac.js` exports: `ROLES`, `ROLE_HIERARCHY`, `PERMISSIONS`, `hasRole`, `hasAnyRole`, `roleAtLeast`, `hasPermission`.
 
-- HTTP status code 403
-- JSON response with "message" field explaining the error
+### 403 Handling
 
-Frontend should:
+- `api.js` intercepts all `403` responses and redirects to `/forbidden`.
+- The `Forbidden` page shows a clear message and a button back to the dashboard.
+- **Never retry** a 403 — the server will not change its mind.
 
-1. Display appropriate error message
-2. Not attempt to retry the request
-3. Guide the user to appropriate actions they are permitted to take
+### Navbar
 
-## Example RBAC Usage in Code
+The Navbar uses a three-branch render (`admin` / `team_lead` / `developer`), driven by `can(...)` and `is(...)` helpers. Admin sees Users, Settings, and Audit Logs links.
diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index c581401..03925a1 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -20,6 +20,10 @@ import { AuthProvider, useAuth } from "./context/AuthContext";
 import { NotificationProvider } from "./context/NotificationContext";
 import Register from "./pages/Register";
 import GitHubCallback from './pages/GitHubCallback';
+import Forbidden from './pages/Forbidden';
+import AdminUsers from './pages/AdminUsers';
+import AdminSystemSettings from './pages/AdminSystemSettings';
+import AdminAuditLogs from './pages/AdminAuditLogs';
 
 const ROLES = {
   DEVELOPER: 'developer',
@@ -30,12 +34,12 @@ const ROLES = {
 const MEMBER_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD];
 const AUTHENTICATED_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD, ROLES.ADMIN];
 const TASK_CREATOR_ROLES = [ROLES.TEAM_LEAD, ROLES.ADMIN];
+const TEAM_LEAD_OR_ADMIN = [ROLES.TEAM_LEAD, ROLES.ADMIN];
 
-const getDashboardPath = (role) => (role === ROLES.ADMIN ? '/admin' : '/BasicDashboard');
+const getDashboardPath = (role) => (role === ROLES.ADMIN || role === ROLES.TEAM_LEAD ? '/admin' : '/BasicDashboard');
 
-// Protected route wrapper component - Completely rewritten to prevent infinite loops
-const ProtectedRoute = ({ children, allowedRoles = [] }) => {
-  const { currentUser, loading } = useAuth();
+const ProtectedRoute = ({ children, allowedRoles = [], requiredPermission = null }) => {
+  const { currentUser, loading, can } = useAuth();
   
   // Show loading state while authentication is being checked
   if (loading) {
@@ -62,9 +66,13 @@ const ProtectedRoute = ({ children, allowedRoles = [] }) => {
   // If allowedRoles is specified, check if the user has the required role
   if (allowedRoles.length > 0 && !allowedRoles.includes(currentUser.role)) {
     console.log(`User role ${currentUser.role} not allowed for this route`);
-    
-    // Redirect to the appropriate dashboard based on role
-    return <Navigate to={getDashboardPath(currentUser.role)} replace />;
+    return <Navigate to="/forbidden" replace />;
+  }
+
+  // If requiredPermission is specified, check if user has the permission
+  if (requiredPermission && !can(requiredPermission)) {
+    console.log(`User lacks permission ${requiredPermission} for this route`);
+    return <Navigate to="/forbidden" replace />;
   }
 
   // All checks passed, render the protected component
@@ -112,6 +120,8 @@ function AppRoutes() {
           )
         } />
         
+        <Route path="/forbidden" element={<Forbidden />} />
+        
         {/* Developer and Team Lead Routes */}
         <Route path="/BasicDashboard" element={
           <ProtectedRoute allowedRoles={MEMBER_ROLES}>
@@ -168,13 +178,13 @@ function AppRoutes() {
         
         {/* Admin Routes (Project Managers) */}
         <Route path="/admin" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <AdminDashboard />
           </ProtectedRoute>
         } />
         
         <Route path="/admin/dashboard" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <AdminDashboard />
           </ProtectedRoute>
         } />
@@ -186,35 +196,53 @@ function AppRoutes() {
         } />
         
         <Route path="/admin/developer-progress" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <DeveloperProgress />
           </ProtectedRoute>
         } />
         
         <Route path="/admin/reports" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <Reports />
           </ProtectedRoute>
         } />
 
         <Route path="/admin/projects" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <AdminProjects />
           </ProtectedRoute>
         } />
 
         <Route path="/admin/projects/new" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <AdminProjectCreate />
           </ProtectedRoute>
         } />
 
         <Route path="/admin/projects/:id/edit" element={
-          <ProtectedRoute allowedRoles={['admin']}>
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
             <AdminProjectEdit />
           </ProtectedRoute>
         } />
 
+        <Route path="/admin/users" element={
+          <ProtectedRoute allowedRoles={TEAM_LEAD_OR_ADMIN}>
+            <AdminUsers />
+          </ProtectedRoute>
+        } />
+
+        <Route path="/admin/settings" element={
+          <ProtectedRoute allowedRoles={['admin']}>
+            <AdminSystemSettings />
+          </ProtectedRoute>
+        } />
+
+        <Route path="/admin/audit-logs" element={
+          <ProtectedRoute allowedRoles={['admin']}>
+            <AdminAuditLogs />
+          </ProtectedRoute>
+        } />
+
         <Route path="/projects/:id" element={
           <ProtectedRoute allowedRoles={AUTHENTICATED_ROLES}>
             <ProjectDetails />
diff --git a/frontend/src/pages/Login.jsx b/frontend/src/pages/Login.jsx
index a4ec012..bcff57a 100644
--- a/frontend/src/pages/Login.jsx
+++ b/frontend/src/pages/Login.jsx
@@ -61,7 +61,7 @@ const Login = () => {
   
   // Rest of the component remains unchanged
   return (
-    <div className="flex justify-center items-center min-h-screen bg-slate-950">
+    <div className="flex justify-center items-center min-h-screen bg-slate-950 font-['Space_Grotesk']">
       <div className="w-full max-w-md rounded-2xl border border-slate-800/80 bg-slate-900/80 p-8 shadow-2xl">
         <div className="text-center mb-6">
           <p className="text-xs uppercase tracking-[0.35em] text-slate-500">DevSync</p>
diff --git a/frontend/src/pages/Reports.jsx b/frontend/src/pages/Reports.jsx
index 09f3b69..590b59f 100644
--- a/frontend/src/pages/Reports.jsx
+++ b/frontend/src/pages/Reports.jsx
@@ -212,15 +212,6 @@ const Reports = () => {
     loadSavedReports();
   }, []);
 
-  const handleViewSavedReport = (report) => {
-    setReportData({
-      summary: report.summary,
-      details: report.details
-    });
-    setReportType(report.type);
-    setDateRange(report.dateRange);
-  };
-
   const handleDeleteReport = async (reportId) => {
     try {
       const response = await reportService.deleteReport(reportId);
@@ -719,8 +710,19 @@ const Reports = () => {
                   {generatedReports.map((report) => (
                     <div
                       key={report.id}
-                      className="border border-slate-700/70 rounded-xl p-4 flex flex-col gap-3 bg-slate-800/30"
+                      className="group relative border border-slate-700/70 rounded-xl p-4 flex flex-col gap-3 bg-slate-800/30 hover:border-slate-600/70 transition-all"
                     >
+                      {/* Delete Button */}
+                      <button
+                        onClick={() => handleDeleteReport(report.id)}
+                        className="absolute top-3 right-3 p-1.5 text-slate-500 hover:text-rose-400 opacity-0 group-hover:opacity-100 transition-all rounded-lg hover:bg-rose-500/10"
+                        title="Delete Report"
+                      >
+                        <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" />
+                        </svg>
+                      </button>
+
                       <div>
                         <div className="text-sm font-semibold text-slate-100">
                           {getReportLabel(report.type)}
@@ -736,7 +738,7 @@ const Reports = () => {
                         <button
                           type="button"
                           onClick={() => handleDownloadPdf(report)}
-                          className="px-3 py-1.5 bg-rose-500/90 text-white text-xs font-medium rounded-full hover:bg-rose-400 transition-colors"
+                          className="px-3 py-1.5 bg-indigo-600/90 text-white text-xs font-medium rounded-full hover:bg-indigo-500 transition-colors shadow-sm"
                         >
                           Download PDF
                         </button>
@@ -778,8 +780,9 @@ const Reports = () => {
   }
 
   return (
-    <div className="container mx-auto p-6 bg-slate-950 min-h-screen text-slate-100">
-      <h1 className="text-2xl font-bold mb-6 text-slate-100">Reports & Analytics</h1>
+    <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
+      <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
+        <h1 className="text-2xl font-bold mb-10 text-slate-100">Reports & Analytics</h1>
 
       {/* Controls */}
       <div className="bg-slate-900/70 rounded-2xl shadow-md p-5 mb-6 border border-slate-800/70">
@@ -827,6 +830,7 @@ const Reports = () => {
       </div>
 
       {renderCharts()}
+      </div>
     </div>
   );
 };
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index b878f06..fb6dfd3 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -113,6 +113,17 @@ const fetchWithAuth = async (endpoint, options = {}) => {
       throw error;
     }
     
+    if (response.status === 403) {
+      const error = new Error('Forbidden. You do not have permission to access this resource.');
+      error.status = 403;
+      error.isAuthError = true;
+      
+      // Redirect to forbidden page
+      window.location.href = '/forbidden';
+      
+      throw error;
+    }
+    
     if (response.status === 400 && isGitHubEndpoint) {
       // Handle GitHub specific errors more gracefully
       let errorData = {};
@@ -785,6 +796,17 @@ const githubService = {
 
 // User-related API calls
 const userService = {
+  getAllUsers: async () => {
+    try {
+      const response = await fetchWithAuth('users');
+      const users = response?.users ?? response;
+      return Array.isArray(users) ? users : [];
+    } catch (error) {
+      console.error("Failed to fetch all users:", error);
+      return [];
+    }
+  },
+
   getAllDevelopers: async () => {
     try {
       const response = await fetchWithAuth('users?role=developer');
@@ -903,6 +925,100 @@ const reportService = {
   }
 };
 
+// Admin user management service
+const adminUserService = {
+  getAllUsers: async () => {
+    try {
+      const response = await fetchWithAuth('admin/users');
+      const users = response?.users ?? response;
+      return Array.isArray(users) ? users : [];
+    } catch (error) {
+      console.error('Failed to fetch admin users:', error);
+      return [];
+    }
+  },
+
+  createUser: async (data) => {
+    return await fetchWithAuth('admin/users', {
+      method: 'POST',
+      body: JSON.stringify(data)
+    });
+  },
+
+  updateUser: async (userId, data) => {
+    return await fetchWithAuth(`admin/users/${userId}`, {
+      method: 'PUT',
+      body: JSON.stringify(data)
+    });
+  },
+
+  updateUserRole: async (userId, role) => {
+    return await fetchWithAuth(`admin/users/${userId}/role`, {
+      method: 'PUT',
+      body: JSON.stringify({ role })
+    });
+  },
+
+  deleteUser: async (userId) => {
+    return await fetchWithAuth(`admin/users/${userId}`, {
+      method: 'DELETE'
+    });
+  }
+};
+
+// System settings service
+const settingsService = {
+  getSettings: async () => {
+    try {
+      const response = await fetchWithAuth('admin/settings');
+      return response?.settings ?? response ?? {};
+    } catch (error) {
+      console.error('Failed to fetch settings:', error);
+      return {};
+    }
+  },
+
+  updateSettings: async (data) => {
+    return await fetchWithAuth('admin/settings', {
+      method: 'PUT',
+      body: JSON.stringify(data)
+    });
+  }
+};
+
+// Audit log service
+const auditLogService = {
+  getLogs: async (filters = {}) => {
+    try {
+      const params = new URLSearchParams();
+      if (filters.action) params.set('action', filters.action);
+      if (filters.actor) params.set('actor', filters.actor);
+      if (filters.from) params.set('from', filters.from);
+      if (filters.to) params.set('to', filters.to);
+      if (filters.page) params.set('page', String(filters.page));
+      if (filters.per_page) params.set('per_page', String(filters.per_page));
+
+      const qs = params.toString();
+      const endpoint = qs ? `admin/audit-logs?${qs}` : 'admin/audit-logs';
+      const response = await fetchWithAuth(endpoint);
+      return response ?? { logs: [], total: 0, pages: 0, current_page: 1 };
+    } catch (error) {
+      console.error('Failed to fetch audit logs:', error);
+      return { logs: [], total: 0, pages: 0, current_page: 1 };
+    }
+  },
+
+  getLogById: async (logId) => {
+    try {
+      const response = await fetchWithAuth(`admin/audit-logs/${logId}`);
+      return response?.log ?? response ?? null;
+    } catch (error) {
+      console.error(`Failed to fetch audit log ${logId}:`, error);
+      return null;
+    }
+  }
+};
+
 export {
   fetchWithAuth,
   taskService,
@@ -911,5 +1027,8 @@ export {
   userService,
   dashboardService,
   notificationService,
-  reportService
+  reportService,
+  adminUserService,
+  settingsService,
+  auditLogService
 };
diff --git a/frontend/src/tests/App.test.jsx b/frontend/src/tests/App.test.jsx
index 05a8222..8855a19 100644
--- a/frontend/src/tests/App.test.jsx
+++ b/frontend/src/tests/App.test.jsx
@@ -35,6 +35,7 @@ jest.mock('../pages/TaskDetailsUser', () => () => <div>Task Details User Page</d
 jest.mock('../pages/GithubIntegrationDetail', () => () => <div>GitHub Integration Detail Page</div>);
 jest.mock('../pages/Register', () => () => <div>Register Page</div>);
 jest.mock('../pages/GitHubCallback', () => () => <div>GitHub Callback Page</div>);
+jest.mock('../pages/Forbidden', () => () => <div>Forbidden Page</div>);
 
 const renderAt = (path) => {
   window.history.pushState({}, '', path);
@@ -99,7 +100,7 @@ describe('App route access controls', () => {
 
     renderAt('/admin');
 
-    expect(await screen.findByText('Client Dashboard Page')).toBeInTheDocument();
+    expect(await screen.findByText('Forbidden Page')).toBeInTheDocument();
   });
 
   test('redirects authenticated admin from root path to admin dashboard', async () => {
diff --git a/full_rbac_implementation_a29115a4.plan.md b/full_rbac_implementation_a29115a4.plan.md
new file mode 100644
index 0000000..edb6c3e
--- /dev/null
+++ b/full_rbac_implementation_a29115a4.plan.md
@@ -0,0 +1,211 @@
+---
+name: Full RBAC implementation
+overview: "Audit confirmed RBAC is partially in place: roles, JWT claims, and most route-level role checks exist, but several documented features are missing or buggy across backend, DB, and frontend. This plan closes every gap end-to-end: secure registration, granular permission helpers, persistent system settings, a real audit log table + UI, the missing admin user-management UI, and a proper Team Lead experience on the frontend."
+todos:
+  - id: phase1_backend_security
+    content: "Phase 1: Lock down /auth/register role, remove dead auth_bp, add role_at_least helper, tighten GET /users/:id, fix Team Lead task update, add @role_required to POST /github/repositories"
+    status: pending
+  - id: phase2_db
+    content: "Phase 2: Alembic migration for audit_logs + system_settings tables; add SQLAlchemy models; seed default settings"
+    status: pending
+  - id: phase3_backend_services
+    content: "Phase 3: Build audit_service + settings_service, refactor admin_controller to persist settings, instrument audit hooks across auth/admin/tasks/projects"
+    status: pending
+  - id: phase4_backend_admin_api
+    content: "Phase 4: Add admin-prefixed routes (/admin/users CRUD, /admin/audit-logs, /admin/settings persisted) and /auth/permissions endpoint"
+    status: pending
+  - id: phase5_frontend_primitives
+    content: "Phase 5: Create utils/rbac.js, extend AuthContext with can/is helpers, add Forbidden page, refactor ProtectedRoute, handle 403 in api wrapper"
+    status: pending
+  - id: phase6_team_lead
+    content: "Phase 6: Update App.jsx route guards and Navbar to grant Team Lead access to Reports, Developer Progress, and team views"
+    status: pending
+  - id: phase7_admin_pages
+    content: "Phase 7: Build AdminUsers, AdminSystemSettings, AdminAuditLogs pages with services and wire them into navigation"
+    status: pending
+  - id: phase8_register_lockdown
+    content: "Phase 8: Remove role selector from Register.jsx and explain admin-assigned roles in copy"
+    status: pending
+  - id: phase9_tests
+    content: "Phase 9: Add backend integration tests for audit logs, settings persistence, registration lockdown, user profile access, team-lead task updates; add frontend tests for new routes"
+    status: pending
+  - id: phase10_docs
+    content: "Phase 10: Rewrite docs/backend/rbac.md to match real /api/v1 paths, document new endpoints/helpers, and add the missing code example"
+    status: pending
+isProject: false
+---
+
+# Audit Summary (what exists vs. what's missing)
+
+## Backend — already in place
+
+- `Role` enum + `ROLE_PERMISSIONS` map + `require_role` / `require_permission` decorators in [backend/src/auth/rbac.py](backend/src/auth/rbac.py).
+- `admin_required()` and `role_required([...])` middlewares in [backend/src/api/middlewares/__init__.py](backend/src/api/middlewares/__init__.py).
+- JWT tokens carry `role` claim via `generate_tokens` in [backend/src/auth/helpers.py](backend/src/auth/helpers.py); `refresh_token()` in [backend/src/auth/auth.py](backend/src/auth/auth.py) preserves role.
+- Route-level RBAC for tasks/comments/projects/admin/dashboard/reports/users (e.g. `@role_required([Role.ADMIN])` for delete in [backend/src/api/routes/tasks_routes.py](backend/src/api/routes/tasks_routes.py)).
+- Integration coverage in [backend/tests/integration/test_role_access_integration.py](backend/tests/integration/test_role_access_integration.py).
+
+### Backend — gaps and bugs
+
+- __Privilege escalation via self-registration.__ `/api/v1/auth/register` accepts any `role` from the body in `register_user()` ([backend/src/auth/auth.py](backend/src/auth/auth.py)) — anyone can register as `admin`.
+- __Stale role on refresh (dead but dangerous).__ The unused `auth_bp` defined in [backend/src/auth/auth.py](backend/src/auth/auth.py) lines 129–147 calls `create_access_token(identity=current_user)` without re-adding the `role` claim. Real route uses `refresh_token()` which is correct; the dead blueprint must be removed to avoid future regressions.
+- __Team Lead cannot update tasks they're not assigned to.__ `update_task_by_id` in [backend/src/api/controllers/tasks_controller.py](backend/src/api/controllers/tasks_controller.py) only allows admin or assignee for non-assignment fields — doc grants `can_update_any_task` to Team Lead.
+- __`GET /users/:id` is wide-open.__ [backend/src/api/routes/users_routes.py](backend/src/api/routes/users_routes.py) only has `@jwt_required()` — any developer can read any profile. Doc restricts profile viewing to self for developers, all for team_lead/admin.
+- __System Settings are stub-only.__ `get_system_settings` / `update_system_settings` in [backend/src/api/controllers/admin_controller.py](backend/src/api/controllers/admin_controller.py) return hard-coded values and never persist.
+- __No audit log model/endpoint__ despite `can_view_audit_logs` (the in-memory `api_usage_logger` is not an audit log).
+- __GitHub repo add isn't admin-gated__ (doc: `can_link_github_repos` is admin-only).
+- __`role_required` & `admin_required` exist but `require_permission` / role-hierarchy helpers are unused__ — the granular permissions list is dead code.
+
+### Frontend — gaps and bugs
+
+- __Team Lead is treated like Developer.__ [frontend/src/components/Navbar.jsx](frontend/src/components/Navbar.jsx) only branches `isAdmin` vs everything else; routes like `/admin/reports`, `/admin/developer-progress` are gated `allowedRoles={['admin']}` in [frontend/src/App.jsx](frontend/src/App.jsx) even though the doc grants Team Lead `can_generate_reports`, `can_view_team_metrics`.
+- __No Admin User Management page.__ Dashboard links `/admin/users` ([frontend/src/pages/AdminDashboard.jsx](frontend/src/pages/AdminDashboard.jsx) line 360) but no route or page exists.
+- __No System Settings UI, no Audit Logs UI.__
+- __Registration form lets users self-select `admin`.__ [frontend/src/pages/Register.jsx](frontend/src/pages/Register.jsx) lines 202–209.
+- __No 403-handling.__ API wrapper in [frontend/src/services/utils/api.js](frontend/src/services/utils/api.js) doesn't redirect or surface a friendly forbidden screen.
+- __Role strings hardcoded__ across pages instead of a shared constants/permissions helper.
+
+### Database — gaps
+
+- No `audit_logs` table.
+- No `system_settings` table.
+- `users.role` has no DB-level CHECK constraint (drift to legacy values like `client` happened before; migration `d8b7f3a2c1e4` cleaned that up — we should harden).
+
+---
+
+## Implementation Plan
+
+### Phase 1 — Backend: security fixes & RBAC hardening
+
+- __Lock down registration__ in [backend/src/auth/auth.py](backend/src/auth/auth.py): ignore the request body's `role`, always create users as `Role.DEVELOPER.value`. Update [backend/src/api/validators/auth_validator.py](backend/src/api/validators/auth_validator.py) to drop the role requirement.
+- __Delete the unused `auth_bp` block__ (the duplicate `register/login/refresh/me/logout` Flask Blueprint at the top of [backend/src/auth/auth.py](backend/src/auth/auth.py)); keep only the function-level handlers used by [backend/src/api/routes/auth_routes.py](backend/src/api/routes/auth_routes.py).
+- __Add a role-hierarchy helper__ to [backend/src/auth/rbac.py](backend/src/auth/rbac.py):
+
+```python
+ROLE_HIERARCHY = {Role.DEVELOPER: 0, Role.TEAM_LEAD: 1, Role.ADMIN: 2}
+def role_at_least(min_role): ...   # decorator
+def has_permission(role_value, permission): ...
+```
+
+- __Use `require_permission`__ on a small set of endpoints to keep the granular permission list alive (e.g. notifications `can_manage_personal_notifications`, comments `can_comment`, github `can_link_github_repos` for the admin-only POST `/github/repositories`).
+- __Tighten existing route guards:__
+  - `GET /users/:id`: allow self OR `role_at_least(TEAM_LEAD)` in [backend/src/api/routes/users_routes.py](backend/src/api/routes/users_routes.py).
+  - Tasks `PUT`: rework `update_task_by_id` so Team Lead can update any field (matches `can_update_any_task`).
+  - `POST /github/repositories`: add `@role_required([Role.ADMIN])`.
+- __Audit-log instrumentation hooks__ (added in Phase 3) wired into login, register, role change, settings change, user delete, project create/delete, task delete.
+
+### Phase 2 — Database: new tables & migration
+
+Add a single Alembic migration `add_audit_logs_and_system_settings.py` under [backend/migrations/versions/](backend/migrations/versions/) that creates:
+
+- `audit_logs(id, actor_user_id NULL FK users, actor_role, action, resource_type, resource_id NULL, ip, user_agent, metadata JSON, created_at)` with indexes on `(actor_user_id, created_at)`, `action`, `resource_type`.
+- `system_settings(key VARCHAR PK, value JSON, updated_by FK users, updated_at)` seeded with the defaults currently returned by `get_system_settings`.
+- Optional CHECK constraint on `users.role IN ('developer','team_lead','admin')` (Postgres only — gate on dialect).
+
+Models go in [backend/src/db/models/models.py](backend/src/db/models/models.py).
+
+### Phase 3 — Backend: audit log + settings services
+
+- __`backend/src/services/audit_service.py`__: `record(action, *, actor=None, resource_type=None, resource_id=None, metadata=None)`; reads actor from JWT when available; resilient (never breaks the request on logging failure).
+- __`backend/src/services/settings_service.py`__: `get_settings()`, `update_settings(data, actor_id)` reading/writing the `system_settings` table; `get_default_role()` used by registration.
+- Update [backend/src/api/controllers/admin_controller.py](backend/src/api/controllers/admin_controller.py) `get_system_settings` / `update_system_settings` to delegate to the service.
+- New controller `audit_controller.py` + routes `audit_routes.py` for:
+  - `GET /api/v1/admin/audit-logs?action=&actor=&from=&to=&page=&per_page=` (admin only, paginated).
+  - `GET /api/v1/admin/audit-logs/<id>`.
+- Wire the audit service into:
+  - `auth.login`, `auth.register`, `logout_user` (auth events).
+  - `update_user_role`, `delete_user`, `update_user` (admin user management).
+  - `update_system_settings` (settings change).
+  - `delete_task_by_id`, `create_project`, `delete_project` (mutations).
+  - Failed RBAC checks inside `role_required` / `admin_required` (optional but recommended).
+
+### Phase 4 — Backend: API additions for the new admin UI
+
+Add these under `/api/v1/admin/...` (matches existing prefix; doc will be updated to align):
+
+- `GET /api/v1/admin/users` — alias of existing `GET /users` (admin), for clearer admin path.
+- `PUT /api/v1/admin/users/<id>` — edit user (delegates to `update_user`).
+- `DELETE /api/v1/admin/users/<id>` — delete user (delegates to `delete_user`).
+- `PUT /api/v1/admin/users/<id>/role` — already exists; keep.
+- `GET/PUT /api/v1/admin/settings` — already exists; now persistent.
+- `GET /api/v1/admin/audit-logs` (+ detail) — new.
+- `GET /api/v1/auth/permissions` — returns `{role, permissions: [...]}` for the current user so the frontend can drive UI without hardcoding.
+
+### Phase 5 — Frontend: shared RBAC primitives + 403 handling
+
+- New [frontend/src/utils/rbac.js](frontend/src/utils/rbac.js): mirror backend `ROLE_PERMISSIONS`, expose `ROLES`, `PERMISSIONS`, `hasRole`, `hasAnyRole`, `hasPermission`, `roleAtLeast`. Replace ad-hoc `currentUser.role === 'admin'` checks across pages.
+- Extend [frontend/src/context/AuthContext.jsx](frontend/src/context/AuthContext.jsx) to expose `permissions` (loaded once from `GET /auth/permissions`) and helpers `can(perm)`, `is(role)`.
+- Add `frontend/src/pages/Forbidden.jsx` (clean 403 screen with role-aware CTA).
+- In [frontend/src/services/utils/api.js](frontend/src/services/utils/api.js), on `403` dispatch a navigation to `/forbidden` (or surface via a callback the AuthContext registers) and never retry. On `401` keep existing token-refresh flow.
+- Refactor `ProtectedRoute` in [frontend/src/App.jsx](frontend/src/App.jsx) to accept either `allowedRoles` or `requiredPermission`, redirect unauthorized users to `/forbidden`.
+
+### Phase 6 — Frontend: Team Lead uplift
+
+- Update route guards in [frontend/src/App.jsx](frontend/src/App.jsx):
+  - `/admin/reports` → `[TEAM_LEAD, ADMIN]`.
+  - `/admin/developer-progress` → `[TEAM_LEAD, ADMIN]`.
+  - `/admin/create-task` already correct.
+  - Project management (`/admin/projects/*`) stays admin.
+- Update [frontend/src/components/Navbar.jsx](frontend/src/components/Navbar.jsx) to a three-branch render (developer / team_lead / admin), with Team Lead seeing: Dashboard, Tasks, Create Task, Reports, Developer Progress, GitHub. Drive visibility from `can(...)` instead of role string equality.
+- Optional new `frontend/src/pages/TeamLeadDashboard.jsx` reusing existing widgets — or extend `BasicDashboard` with team-lead sections. (Default: extend existing `BasicDashboard` to add a "Team" section visible only when `roleAtLeast('team_lead')`.)
+
+### Phase 7 — Frontend: missing admin pages
+
+- __`frontend/src/pages/AdminUsers.jsx`__ — table with search/filter, inline role dropdown (calls `PUT /admin/users/:id/role`), edit modal (`PUT /admin/users/:id`), delete confirmation. Wired into Navbar and Admin Quick Actions.
+- __`frontend/src/pages/AdminSystemSettings.jsx`__ — form bound to `GET/PUT /admin/settings` (toggle registration, default role, github integration enabled, notification flags). Persists via service.
+- __`frontend/src/pages/AdminAuditLogs.jsx`__ — paginated, filterable list of audit events (action, actor, date range), detail drawer per row.
+- Add corresponding services to [frontend/src/services/utils/api.js](frontend/src/services/utils/api.js): `adminUserService`, `settingsService`, `auditLogService`.
+- Wire new routes in [frontend/src/App.jsx](frontend/src/App.jsx) under `[ADMIN]`.
+
+### Phase 8 — Frontend: register form lockdown
+
+- Remove the role `<select>` in [frontend/src/pages/Register.jsx](frontend/src/pages/Register.jsx); inform users that admin/team-lead roles can only be assigned by an administrator. Backend already enforces this after Phase 1.
+
+### Phase 9 — Tests
+
+- Extend [backend/tests/integration/test_role_access_integration.py](backend/tests/integration/test_role_access_integration.py) and add new files:
+  - `test_audit_logs_routes.py`: admin-only access, filters, pagination, and that key actions emit audit events.
+  - `test_admin_settings_persistence.py`: settings round-trip via DB.
+  - `test_register_role_lockdown.py`: registration ignores role in body.
+  - `test_users_routes.py`: `GET /users/:id` self vs other for each role.
+  - `test_tasks_routes.py`: Team Lead can update any task field.
+- Frontend: Cypress flow (or unit test) that admin user can land on `/admin/users`, `/admin/settings`, `/admin/audit-logs`; Team Lead can land on `/admin/reports` and `/admin/developer-progress`; Developer is redirected to `/forbidden` for those.
+
+### Phase 10 — Docs
+
+- Rewrite [docs/backend/rbac.md](docs/backend/rbac.md) to:
+  - Use the actual `/api/v1/...` paths.
+  - Document the new admin endpoints (`/api/v1/admin/users`, `/api/v1/admin/audit-logs`, etc.) and `/api/v1/auth/permissions`.
+  - Document the `role_at_least` decorator and the `record(...)` audit-service contract.
+  - Add a "Frontend integration" subsection covering `useAuth().can(...)`, `ProtectedRoute`, and `/forbidden`.
+- Add a brief example to the file (it currently ends mid-section at "Example RBAC Usage in Code").
+
+---
+
+## End-to-end Flow After Implementation
+
+```mermaid
+flowchart LR
+    user[User] -->|login| api[/api/v1/auth/login/]
+    api -->|JWT with role claim| user
+    user -->|GET /auth/permissions| api
+    api -->|"{role, permissions}"| frontend[React AuthContext]
+    frontend -->|can/is helpers| protectedRoute[ProtectedRoute / UI hide-show]
+    protectedRoute -->|allowed| page[Page]
+    protectedRoute -->|forbidden| forbidden[/forbidden/]
+    page -->|action| api
+    api -->|require_role/require_permission| handler[Controller]
+    handler -->|on success| auditSvc[audit_service.record]
+    auditSvc --> auditLogs[(audit_logs)]
+    handler -->|response| user
+    api -->|403 on denial| frontend
+    frontend -->|"redirect /forbidden"| forbidden
+```
+
+---
+
+## Out of Scope
+
+- Replacing JWT cookie/header storage strategy.
+- New roles beyond Developer / Team Lead / Admin.
+- Real-time audit log streaming via Socket.IO.

From da6973e3fb9e9ced695f0e5cbfa7453382461de8 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 14:21:37 +0100
Subject: [PATCH 23/37] feat: Integrate recent audit logs into Admin Dashboard
 and update tests

---
 .../src/api/controllers/users_controller.py   |  2 +-
 frontend/src/pages/AdminDashboard.jsx         | 77 +++++++++++--------
 .../src/tests/pages/AdminDashboard.test.jsx   | 10 +++
 3 files changed, 54 insertions(+), 35 deletions(-)

diff --git a/backend/src/api/controllers/users_controller.py b/backend/src/api/controllers/users_controller.py
index 31f32cc..815b5d9 100644
--- a/backend/src/api/controllers/users_controller.py
+++ b/backend/src/api/controllers/users_controller.py
@@ -40,7 +40,7 @@ def create_user():
     new_user = User(
         name=data['name'],
         email=data['email'],
-        password=hash_password(data.get('password', 'DevSync123!')), # Default password if none provided
+        password=hash_password(data.get('password')),
         role=data.get('role', 'developer')
     )
     
diff --git a/frontend/src/pages/AdminDashboard.jsx b/frontend/src/pages/AdminDashboard.jsx
index 80e7c80..6b6fd4e 100644
--- a/frontend/src/pages/AdminDashboard.jsx
+++ b/frontend/src/pages/AdminDashboard.jsx
@@ -1,6 +1,6 @@
 import React, { useState, useEffect, useCallback } from 'react';
 import { Link } from 'react-router-dom';
-import { dashboardService, projectService, userService } from '../services/utils/api';
+import { dashboardService, projectService, userService, auditLogService } from '../services/utils/api';
 import LoadingSpinner from '../components/LoadingSpinner';
 import { useAuth } from '../context/AuthContext';
 
@@ -96,6 +96,7 @@ const AdminDashboard = () => {
   const { currentUser } = useAuth();
   const [dashboardData, setDashboardData] = useState(null);
   const [teamUsers, setTeamUsers]         = useState([]);
+  const [recentAuditLogs, setRecentAuditLogs] = useState([]);
   const [loading, setLoading]             = useState(true);
   const [error, setError]                 = useState(null);
   const [timeRange, setTimeRange]         = useState('week');
@@ -114,6 +115,14 @@ const AdminDashboard = () => {
         console.error('Failed to fetch team users:', userErr);
       }
       
+      // Fetch recent audit logs
+      try {
+        const auditResponse = await auditLogService.getLogs({ per_page: 3, page: 1 });
+        setRecentAuditLogs(auditResponse?.logs || []);
+      } catch (auditErr) {
+        console.error('Failed to fetch audit logs:', auditErr);
+      }
+      
       setError(null);
     } catch (err) {
       console.error('Dashboard fetch error:', err);
@@ -367,34 +376,6 @@ const AdminDashboard = () => {
                 </div>
               </Panel>
 
-              {/* Admin Functions */}
-              <Panel>
-                <PanelHeader title="Admin Quick Actions" />
-                <div className="p-5 space-y-2">
-                  {[
-                    { label: 'Create New Task', to: '/admin/create-task', show: true },
-                    { label: 'Manage Projects', to: '/admin/projects',    show: true },
-                    { label: 'Manage Users',    to: '/admin/users',       show: true },
-                    { label: 'All Tasks',       to: '/tasks',             show: true },
-                    { label: 'Audit Logs',      to: '/admin/audit-logs',  show: currentUser?.role === 'admin' },
-                    { label: 'System Settings', to: '/admin/settings',    show: currentUser?.role === 'admin' },
-                  ].filter(action => action.show).map(({ label, to, icon }) => (
-                    <Link
-                      key={to}
-                      to={to}
-                      className="flex items-center gap-3 px-4 py-3 rounded-xl text-sm text-slate-300
-                                 hover:bg-slate-800/70 hover:text-slate-100 transition-colors"
-                    >
-                      <span>{icon}</span>
-                      {label}
-                      <svg className="h-4 w-4 ml-auto text-slate-600" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M9 5l7 7-7 7" />
-                      </svg>
-                    </Link>
-                  ))}
-                </div>
-              </Panel>
-
             </div>
 
             {/* Team Overview Row */}
@@ -406,8 +387,8 @@ const AdminDashboard = () => {
                   linkLabel={currentUser?.role === 'admin' ? "Manage Users" : undefined} 
                 />
                 {teamUsers.length > 0 ? (
-                  <ul className="divide-y divide-slate-800">
-                    {teamUsers.slice(0, 5).map((user) => (
+                  <ul className="divide-y divide-slate-800 max-h-56 overflow-y-auto">
+                    {teamUsers.map((user) => (
                       <li key={user.id} className="px-5 py-4 flex items-center justify-between">
                         <div className="flex items-center">
                           <div className="h-9 w-9 rounded-full bg-slate-800 flex items-center justify-center text-sm font-bold text-slate-400 border border-slate-700">
@@ -435,9 +416,37 @@ const AdminDashboard = () => {
               {currentUser?.role === 'admin' && (
                 <Panel>
                   <PanelHeader title="Recent Activity" linkTo="/admin/audit-logs" />
-                  <div className="px-5 py-10 text-center text-slate-500 text-sm italic">
-                    Additional system metrics and audit highlights will appear here.
-                  </div>
+                  {recentAuditLogs.length > 0 ? (
+                    <ul className="divide-y divide-slate-800">
+                      {recentAuditLogs.slice(0, 5).map(log => (
+                        <li key={log.id} className="px-5 py-3 hover:bg-slate-800/50 transition-colors">
+                          <div className="flex items-start gap-3">
+                            <div className="flex-shrink-0 pt-0.5">
+                              <div className="flex items-center justify-center h-8 w-8 rounded-full bg-slate-800">
+                                <svg className="h-4 w-4 text-slate-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+                                </svg>
+                              </div>
+                            </div>
+                            <div className="flex-1 min-w-0">
+                              <p className="text-sm font-medium text-slate-100 truncate">{log.action}</p>
+                              <p className="text-xs text-slate-400 mt-0.5">
+                                {log.resource_type && `${log.resource_type}`}
+                                {log.resource_type && log.resource_id && ` #${log.resource_id}`}
+                              </p>
+                              <p className="text-xs text-slate-500 mt-1">
+                                {new Date(log.created_at).toLocaleDateString()} {new Date(log.created_at).toLocaleTimeString()}
+                              </p>
+                            </div>
+                          </div>
+                        </li>
+                      ))}
+                    </ul>
+                  ) : (
+                    <div className="px-5 py-10 text-center text-slate-500 text-sm">
+                      No recent activity found.
+                    </div>
+                  )}
                 </Panel>
               )}
             </div>
diff --git a/frontend/src/tests/pages/AdminDashboard.test.jsx b/frontend/src/tests/pages/AdminDashboard.test.jsx
index e2b4f53..6db556e 100644
--- a/frontend/src/tests/pages/AdminDashboard.test.jsx
+++ b/frontend/src/tests/pages/AdminDashboard.test.jsx
@@ -13,6 +13,12 @@ jest.mock('../../services/utils/api', () => ({
   projectService: {
     getAllProjects: jest.fn(),
   },
+  userService: {
+    getAllUsers: jest.fn(),
+  },
+  auditLogService: {
+    getLogs: jest.fn(),
+  },
 }));
 
 jest.mock('../../context/AuthContext', () => ({
@@ -73,6 +79,10 @@ describe('AdminDashboard page', () => {
     dashboardService.getAdminDashboardStats.mockResolvedValue(adminStatsPayload);
     require('../../services/utils/api').projectService.getAllProjects.mockReset();
     require('../../services/utils/api').projectService.getAllProjects.mockResolvedValue([]);
+    require('../../services/utils/api').userService.getAllUsers.mockReset();
+    require('../../services/utils/api').userService.getAllUsers.mockResolvedValue([]);
+    require('../../services/utils/api').auditLogService.getLogs.mockReset();
+    require('../../services/utils/api').auditLogService.getLogs.mockResolvedValue({ logs: [] });
   });
 
   afterEach(() => {

From f4bfb167bc6bbedca3df63cc92f6e73b0692881f Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 14:23:12 +0100
Subject: [PATCH 24/37] fix: Update link text for tasks in Navbar component

---
 frontend/src/components/Navbar.jsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/components/Navbar.jsx b/frontend/src/components/Navbar.jsx
index 5c89afe..b8dbfa5 100644
--- a/frontend/src/components/Navbar.jsx
+++ b/frontend/src/components/Navbar.jsx
@@ -92,7 +92,7 @@ const Navbar = () => {
           ) : (
             <>
               <Link to="/BasicDashboard" className="transition hover:text-white">Dashboard</Link>
-              <Link to="/tasks" className="transition hover:text-white">My Tasks</Link>
+              <Link to="/tasks" className="transition hover:text-white">Tasks</Link>
               <Link to="/github" className="transition hover:text-white">GitHub</Link>
             </>
           )}

From 17b4b0b2d5e4e0db40533444748d0a79f66b650e Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 15:02:20 +0100
Subject: [PATCH 25/37] feat: Enhance notification system with improved
 handling and new features

---
 .../api/controllers/comments_controller.py    |  31 +++
 .../controllers/notifications_controller.py   |  52 ++---
 .../api/validators/notification_validator.py  |  16 +-
 backend/src/db/models/models.py               |  11 +-
 backend/src/services/notification_service.py  | 182 +++++++++++++-----
 backend/src/socketio_server.py                |  86 +++++++--
 .../test_notifications_controller.py          |  51 ++++-
 .../services/test_notification_service.py     |  33 ++--
 frontend/src/components/Notifications.jsx     |  24 ++-
 frontend/src/context/NotificationContext.jsx  |  20 +-
 .../context/NotificationContext.test.jsx      |   7 +
 11 files changed, 389 insertions(+), 124 deletions(-)

diff --git a/backend/src/api/controllers/comments_controller.py b/backend/src/api/controllers/comments_controller.py
index f1102ef..4e322e7 100644
--- a/backend/src/api/controllers/comments_controller.py
+++ b/backend/src/api/controllers/comments_controller.py
@@ -1,10 +1,23 @@
 # Comment controller - business logic
 
+import logging
 from flask import request, jsonify
 from flask_jwt_extended import get_jwt_identity, get_jwt
 from ...db.models import db, Comment, Task, User  # Changed to relative import
 from ...auth.rbac import Role  # Changed to relative import
 from ..validators.comment_validator import validate_comment_data  # Changed to relative import
+from ...services.notification_service import NotificationService
+
+logger = logging.getLogger(__name__)
+
+
+def _run_notification(callback, *args, **kwargs):
+    """Create notifications without making the primary comment mutation fail."""
+    try:
+        callback(*args, **kwargs)
+    except Exception:
+        db.session.rollback()
+        logger.exception("Failed to create comment notification")
 
 def get_task_comments(task_id):
     """Controller function to get all comments for a task"""
@@ -57,6 +70,24 @@ def add_comment(task_id):
     
     db.session.add(new_comment)
     db.session.commit()
+
+    mentioned_user_ids = data.get('mentioned_user_ids') or data.get('mentioned_users') or []
+    recipient_user_ids = {
+        getattr(task, 'assigned_to', None),
+        getattr(task, 'created_by', None),
+    }
+    recipient_user_ids.discard(None)
+
+    _run_notification(
+        NotificationService.comment_added_notification,
+        task_id,
+        getattr(task, 'title', f'Task {task_id}'),
+        getattr(task, 'project_id', None),
+        new_comment.id,
+        user_id,
+        mentioned_user_ids,
+        recipient_user_ids
+    )
     
     # Get user info for response
     user = User.query.get(user_id)
diff --git a/backend/src/api/controllers/notifications_controller.py b/backend/src/api/controllers/notifications_controller.py
index 0a5cc2a..d36a959 100644
--- a/backend/src/api/controllers/notifications_controller.py
+++ b/backend/src/api/controllers/notifications_controller.py
@@ -1,9 +1,11 @@
 # Notification controller - business logic
 
+from datetime import datetime, timezone
 from flask import jsonify, request
 from flask_jwt_extended import get_jwt_identity
-from ...db.models import db, Notification, User  # Changed to relative import
+from ...db.models import db, Notification  # Changed to relative import
 from ..validators.notification_validator import validate_notification_data  # Changed to relative import
+from ...services.notification_service import NotificationService
 
 def get_user_notifications():
     """Controller function to get all notifications for the current user"""
@@ -13,13 +15,7 @@ def get_user_notifications():
     notifications = Notification.query.filter_by(user_id=user_id)\
         .order_by(Notification.created_at.desc()).all()
     
-    notifications_data = [{
-        'id': notification.id,
-        'content': notification.content,
-        'is_read': notification.is_read,
-        'task_id': notification.task_id,
-        'created_at': notification.created_at.isoformat() if notification.created_at else None
-    } for notification in notifications]
+    notifications_data = [notification.to_dict() for notification in notifications]
     
     return jsonify({
         'notifications': notifications_data,
@@ -35,23 +31,30 @@ def create_notification():
     if validation_result:
         return validation_result
     
-    # Create new notification
-    new_notification = Notification(
-        content=data['content'],
+    message = data.get('message') or data.get('content')
+    title = data.get('title') or message[:80]
+    notification_type = data.get('notification_type') or data.get('type') or 'general'
+    task_id = data.get('task_id')
+    reference_id = data.get('reference_id') or task_id
+
+    # Create new notification and emit it when the target user is connected.
+    new_notification = NotificationService.send_to_user(
         user_id=data['user_id'],
-        task_id=data.get('task_id'),
-        is_read=data.get('is_read', False)
+        notification_type=notification_type,
+        title=title,
+        message=message,
+        reference_id=reference_id,
+        task_id=task_id
     )
-    
-    db.session.add(new_notification)
-    db.session.commit()
-    
+
+    if data.get('is_read') and new_notification:
+        new_notification.is_read = True
+        new_notification.read_at = datetime.now(timezone.utc)
+        db.session.commit()
+
     return jsonify({
         'message': 'Notification created successfully',
-        'notification': {
-            'id': new_notification.id,
-            'content': new_notification.content
-        }
+        'notification': new_notification.to_dict()
     }), 201
 
 def mark_notification_read(notification_id):
@@ -67,6 +70,7 @@ def mark_notification_read(notification_id):
     
     # Mark as read
     notification.is_read = True
+    notification.read_at = datetime.now(timezone.utc)
     db.session.commit()
     
     return jsonify({'message': 'Notification marked as read'})
@@ -74,10 +78,14 @@ def mark_notification_read(notification_id):
 def mark_all_notifications_read():
     """Controller function to mark all notifications as read for the current user"""
     user_id = get_jwt_identity()['user_id']
+    now = datetime.now(timezone.utc)
     
     # Update all unread notifications for this user
     Notification.query.filter_by(user_id=user_id, is_read=False)\
-        .update({Notification.is_read: True})
+        .update({
+            Notification.is_read: True,
+            Notification.read_at: now
+        })
     
     db.session.commit()
     
diff --git a/backend/src/api/validators/notification_validator.py b/backend/src/api/validators/notification_validator.py
index c7bc267..98109f6 100644
--- a/backend/src/api/validators/notification_validator.py
+++ b/backend/src/api/validators/notification_validator.py
@@ -5,12 +5,20 @@
 def validate_notification_data(data):
     """Validate notification data from requests"""
     # Check for required fields
-    if not all(k in data for k in ['content', 'user_id']):
+    if not data or 'user_id' not in data or not (data.get('content') or data.get('message')):
         return jsonify({'message': 'Missing required fields'}), 400
     
-    # Validate content
-    if len(data['content']) < 1 or len(data['content']) > 500:
-        return jsonify({'message': 'Notification content must be between 1 and 500 characters'}), 400
+    # Validate message/content
+    message = data.get('message') or data.get('content')
+    if not isinstance(message, str) or len(message) < 1 or len(message) > 500:
+        return jsonify({'message': 'Notification message must be between 1 and 500 characters'}), 400
+
+    if 'title' in data and (not isinstance(data['title'], str) or len(data['title']) > 255):
+        return jsonify({'message': 'Notification title must be a string up to 255 characters'}), 400
+
+    notification_type = data.get('notification_type') or data.get('type')
+    if notification_type is not None and (not isinstance(notification_type, str) or len(notification_type) > 50):
+        return jsonify({'message': 'Notification type must be a string up to 50 characters'}), 400
     
     # Validate user_id
     if not isinstance(data['user_id'], int):
diff --git a/backend/src/db/models/models.py b/backend/src/db/models/models.py
index 685b111..f7a0025 100644
--- a/backend/src/db/models/models.py
+++ b/backend/src/db/models/models.py
@@ -161,15 +161,21 @@ def __repr__(self):
 
     def to_dict(self):
         """Convert notification to dictionary"""
+        created_at = self.created_at.isoformat() if self.created_at else None
         return {
             'id': self.id,
             'user_id': self.user_id,
+            'notification_type': self.notification_type,
             'type': self.notification_type,
             'title': self.title,
             'message': self.message,
+            'content': self.message,
             'reference_id': self.reference_id,
-            'read': self.is_read,  # Changed to use is_read but keep API compatibility
-            'created_at': self.created_at.isoformat() if self.created_at else None,
+            'task_id': self.task_id,
+            'is_read': self.is_read,
+            'read': self.is_read,  # Keep API compatibility with older frontend code.
+            'created_at': created_at,
+            'timestamp': created_at,
             'read_at': self.read_at.isoformat() if self.read_at else None
         }
 
@@ -272,4 +278,3 @@ class SystemSetting(db.Model):
 
     def __repr__(self):
         return f'<SystemSetting {self.key}>'
-
diff --git a/backend/src/services/notification_service.py b/backend/src/services/notification_service.py
index 40f51d3..9536df9 100644
--- a/backend/src/services/notification_service.py
+++ b/backend/src/services/notification_service.py
@@ -1,12 +1,19 @@
-from flask_socketio import emit
+import logging
 from datetime import datetime, timezone
-from src.socketio_server import connected_users, project_rooms
-from src.db.models import Notification
+from src.socketio_server import socketio, connected_users, project_rooms
+from src.db.models import Notification, Project
 from src.db.db_connection import db
 
+logger = logging.getLogger(__name__)
+
+
+def _ids_match(left, right):
+    return str(left) == str(right)
+
+
 class NotificationService:
     @staticmethod
-    def send_to_user(user_id, notification_type, title, message, reference_id=None):
+    def send_to_user(user_id, notification_type, title, message, reference_id=None, task_id=None):
         """
         Send notification to a specific user and save to database
         
@@ -16,7 +23,13 @@ def send_to_user(user_id, notification_type, title, message, reference_id=None):
             title: Notification title
             message: Notification content
             reference_id: ID of the related object (task_id, project_id, etc.)
+            task_id: Optional task ID related to the notification
         """
+        if user_id in (None, ''):
+            return None
+        if isinstance(user_id, str) and user_id.isdigit():
+            user_id = int(user_id)
+
         # Create notification in database
         notification = Notification(
             user_id=user_id,
@@ -24,6 +37,7 @@ def send_to_user(user_id, notification_type, title, message, reference_id=None):
             title=title,
             message=message,
             reference_id=reference_id,
+            task_id=task_id,
             is_read=False,
             created_at=datetime.now(timezone.utc)
         )
@@ -34,19 +48,56 @@ def send_to_user(user_id, notification_type, title, message, reference_id=None):
         
         # Send via Socket.IO if user is connected
         if user_id in connected_users:
-            emit('notification', {
-                'id': notification.id,
-                'type': notification_type,
-                'title': title,
-                'message': message,
-                'reference_id': reference_id,
-                'timestamp': notification.created_at.isoformat()
-            }, to=connected_users[user_id])
+            try:
+                socketio.emit('notification', notification.to_dict(), to=connected_users[user_id])
+            except Exception:
+                logger.exception("Failed to emit notification %s to user %s", notification.id, user_id)
         
         return notification
 
     @staticmethod
-    def send_to_project(project_id, notification_type, title, message, reference_id=None, exclude_user_id=None):
+    def _project_member_ids(project_id):
+        if project_id in (None, ''):
+            return []
+
+        user_ids = set()
+
+        try:
+            project = Project.query.get(project_id)
+            if project:
+                if getattr(project, 'created_by', None) is not None:
+                    user_ids.add(project.created_by)
+
+                members = getattr(project, 'team_members', []) or []
+                if hasattr(members, 'all'):
+                    members = members.all()
+
+                for member in members:
+                    member_id = getattr(member, 'id', None)
+                    if member_id is not None:
+                        user_ids.add(member_id)
+        except Exception:
+            # Unit tests and partially configured scripts may not have a DB-bound app context.
+            logger.debug("Falling back to socket room members for project notification", exc_info=True)
+
+        for key in (project_id, str(project_id)):
+            for user_id in project_rooms.get(key, []):
+                if user_id is not None:
+                    user_ids.add(user_id)
+
+        return list(user_ids)
+
+    @staticmethod
+    def send_to_project(
+        project_id,
+        notification_type,
+        title,
+        message,
+        reference_id=None,
+        exclude_user_id=None,
+        exclude_user_ids=None,
+        task_id=None
+    ):
         """
         Send notification to all members of a project
         
@@ -57,24 +108,36 @@ def send_to_project(project_id, notification_type, title, message, reference_id=
             message: Notification content  
             reference_id: ID of the related object (task_id, project_id, etc.)
             exclude_user_id: Optional user ID to exclude from notification (usually the initiator)
+            exclude_user_ids: Optional iterable of additional user IDs to exclude
+            task_id: Optional task ID related to the notification
         """
-        # Get all users in the project
-        user_ids = project_rooms.get(project_id, [])
+        user_ids = NotificationService._project_member_ids(project_id)
         
-        # Filter out excluded user
-        if exclude_user_id:
-            user_ids = [uid for uid in user_ids if uid != exclude_user_id]
+        excluded = set(str(uid) for uid in (exclude_user_ids or []) if uid is not None)
+        if exclude_user_id is not None:
+            excluded.add(str(exclude_user_id))
+
+        seen = set()
+        filtered_user_ids = []
+        for user_id in user_ids:
+            user_key = str(user_id)
+            if user_key in excluded or user_key in seen:
+                continue
+            seen.add(user_key)
+            filtered_user_ids.append(user_id)
         
         notifications = []
-        for user_id in user_ids:
+        for user_id in filtered_user_ids:
             notification = NotificationService.send_to_user(
                 user_id=user_id,
                 notification_type=notification_type,
                 title=title,
                 message=message,
-                reference_id=reference_id
+                reference_id=reference_id,
+                task_id=task_id
             )
-            notifications.append(notification)
+            if notification:
+                notifications.append(notification)
         
         return notifications
 
@@ -120,15 +183,20 @@ def get_user_notifications(user_id, page=1, per_page=10, unread_only=False):
     @staticmethod
     def task_created_notification(task_id, task_name, project_id, created_by_user_id, assignee_id=None):
         """Send notification for task creation"""
+        excluded_project_user_ids = [created_by_user_id]
+
         if assignee_id:
             # Notify the assigned user
-            NotificationService.send_to_user(
-                user_id=assignee_id,
-                notification_type='task_assigned',
-                title='New Task Assigned',
-                message=f'You were assigned to task: {task_name}',
-                reference_id=task_id
-            )
+            if not _ids_match(assignee_id, created_by_user_id):
+                NotificationService.send_to_user(
+                    user_id=assignee_id,
+                    notification_type='task_assigned',
+                    title='New Task Assigned',
+                    message=f'You were assigned to task: {task_name}',
+                    reference_id=task_id,
+                    task_id=task_id
+                )
+            excluded_project_user_ids.append(assignee_id)
         
         # Notify project members about the new task
         NotificationService.send_to_project(
@@ -137,22 +205,28 @@ def task_created_notification(task_id, task_name, project_id, created_by_user_id
             title='New Task Created',
             message=f'A new task was created: {task_name}',
             reference_id=task_id,
-            exclude_user_id=created_by_user_id
+            exclude_user_ids=excluded_project_user_ids,
+            task_id=task_id
         )
 
     @staticmethod
     def task_updated_notification(task_id, task_name, project_id, updated_by_user_id, 
                                   old_assignee_id=None, new_assignee_id=None):
         """Send notification for task updates"""
+        excluded_project_user_ids = [updated_by_user_id]
+
         # Notify about assignment change
         if new_assignee_id and new_assignee_id != old_assignee_id:
-            NotificationService.send_to_user(
-                user_id=new_assignee_id,
-                notification_type='task_assigned',
-                title='Task Assigned to You',
-                message=f'You were assigned to task: {task_name}',
-                reference_id=task_id
-            )
+            if not _ids_match(new_assignee_id, updated_by_user_id):
+                NotificationService.send_to_user(
+                    user_id=new_assignee_id,
+                    notification_type='task_assigned',
+                    title='Task Assigned to You',
+                    message=f'You were assigned to task: {task_name}',
+                    reference_id=task_id,
+                    task_id=task_id
+                )
+            excluded_project_user_ids.append(new_assignee_id)
         
         # Notify project members about the task update
         NotificationService.send_to_project(
@@ -161,23 +235,44 @@ def task_updated_notification(task_id, task_name, project_id, updated_by_user_id
             title='Task Updated',
             message=f'Task was updated: {task_name}',
             reference_id=task_id,
-            exclude_user_id=updated_by_user_id
+            exclude_user_ids=excluded_project_user_ids,
+            task_id=task_id
         )
 
     @staticmethod
     def comment_added_notification(task_id, task_name, project_id, comment_id, 
-                                  commenter_user_id, mentioned_user_ids=None):
+                                  commenter_user_id, mentioned_user_ids=None,
+                                  recipient_user_ids=None):
         """Send notification for new comments"""
+        excluded_project_user_ids = [commenter_user_id]
+
         # Notify specifically mentioned users
         if mentioned_user_ids:
             for user_id in mentioned_user_ids:
+                if not _ids_match(user_id, commenter_user_id):
+                    NotificationService.send_to_user(
+                        user_id=user_id,
+                        notification_type='user_mentioned',
+                        title='You Were Mentioned',
+                        message=f'You were mentioned in a comment on task: {task_name}',
+                        reference_id=comment_id,
+                        task_id=task_id
+                    )
+                excluded_project_user_ids.append(user_id)
+
+        if recipient_user_ids:
+            for user_id in recipient_user_ids:
+                if user_id in (None, '') or _ids_match(user_id, commenter_user_id):
+                    continue
                 NotificationService.send_to_user(
                     user_id=user_id,
-                    notification_type='user_mentioned',
-                    title='You Were Mentioned',
-                    message=f'You were mentioned in a comment on task: {task_name}',
-                    reference_id=comment_id
+                    notification_type='comment_added',
+                    title='New Comment',
+                    message=f'New comment on task: {task_name}',
+                    reference_id=comment_id,
+                    task_id=task_id
                 )
+                excluded_project_user_ids.append(user_id)
         
         # Notify project members about the new comment
         NotificationService.send_to_project(
@@ -186,5 +281,6 @@ def comment_added_notification(task_id, task_name, project_id, comment_id,
             title='New Comment',
             message=f'New comment on task: {task_name}',
             reference_id=comment_id,
-            exclude_user_id=commenter_user_id
+            exclude_user_ids=excluded_project_user_ids,
+            task_id=task_id
         )
diff --git a/backend/src/socketio_server.py b/backend/src/socketio_server.py
index 9c1b2aa..ef7a8c6 100644
--- a/backend/src/socketio_server.py
+++ b/backend/src/socketio_server.py
@@ -10,24 +10,61 @@
 # Store for connected users and project rooms
 connected_users = {}  # user_id -> session_id
 project_rooms = {}    # project_id -> [user_ids]
+sid_users = {}        # session_id -> user_id
+
+
+def _normalize_user_id(user_id):
+    """Keep JWT numeric identities consistent with database integer IDs."""
+    if isinstance(user_id, str) and user_id.isdigit():
+        return int(user_id)
+    return user_id
+
+
+def _extract_token(auth_payload=None):
+    """Read a bearer token from either Socket.IO auth payloads or headers."""
+    token = None
+
+    if isinstance(auth_payload, dict):
+        token = auth_payload.get('token') or auth_payload.get('access_token')
+        authorization = auth_payload.get('Authorization') or auth_payload.get('authorization')
+        if not token and isinstance(authorization, str):
+            token = authorization
+    elif isinstance(auth_payload, str):
+        token = auth_payload
+
+    if not token:
+        token = request.headers.get('Authorization')
+
+    if isinstance(token, str) and token.startswith('Bearer '):
+        token = token.split(' ', 1)[1]
+
+    return token
+
+
+def _decode_user_id(auth_payload=None):
+    token = _extract_token(auth_payload)
+    if not token:
+        return None
+
+    decoded_token = decode_token(token)
+    identity = decoded_token.get('identity', decoded_token.get('sub'))
+    user_id = identity.get('user_id') if isinstance(identity, dict) else identity
+    user_id = _normalize_user_id(user_id)
+    if not isinstance(user_id, (int, str)) or user_id in ('', None):
+        raise ValueError('Invalid user identity in token')
+    return user_id
 
 def authenticated_only(f):
     """Decorator that verifies JWT token for socket connections"""
     @functools.wraps(f)
     def wrapped(*args, **kwargs):
-        auth_header = request.headers.get('Authorization')
-        if not auth_header or not auth_header.startswith('Bearer '):
-            disconnect()
-            return False
-        
+        user_id = sid_users.get(request.sid)
+
         try:
-            token = auth_header.split(' ')[1]
-            decoded_token = decode_token(token)
-            identity = decoded_token.get('identity', decoded_token.get('sub'))
-            user_id = identity.get('user_id') if isinstance(identity, dict) else identity
-            if not isinstance(user_id, (int, str)) or user_id in ('', None):
-                raise ValueError('Invalid user identity in token')
-            
+            if user_id is None:
+                user_id = _decode_user_id()
+                sid_users[request.sid] = user_id
+
             # Add user_id to the kwargs so event handlers can use it
             kwargs['user_id'] = user_id
             return f(*args, **kwargs)
@@ -38,19 +75,33 @@ def wrapped(*args, **kwargs):
 
 # Connection event handlers
 @socketio.on('connect')
-def handle_connect():
+def handle_connect(auth=None):
     """Handle new connections"""
-    # Authentication is handled separately via @authenticated_only decorator
-    print("Client connected:", request.sid)
+    try:
+        user_id = _decode_user_id(auth)
+    except (InvalidTokenError, TypeError, ValueError):
+        print("Client rejected due to invalid socket token:", request.sid)
+        return False
+
+    if user_id is not None:
+        sid_users[request.sid] = user_id
+        connected_users[user_id] = request.sid
+        print(f"User {user_id} connected with socket ID {request.sid}")
+    else:
+        # Keep unauthenticated connections possible for tests/legacy clients; protected events still verify auth.
+        print("Client connected without socket auth:", request.sid)
     return True
 
 @socketio.on('disconnect')
 def handle_disconnect():
     """Handle client disconnections"""
     # Remove user from connected_users
-    user_id = next((uid for uid, sid in connected_users.items() if sid == request.sid), None)
+    user_id = sid_users.pop(request.sid, None)
+    if user_id is None:
+        user_id = next((uid for uid, sid in connected_users.items() if sid == request.sid), None)
+
     if user_id:
-        del connected_users[user_id]
+        connected_users.pop(user_id, None)
         
         # Remove user from all project rooms
         for project_id, members in project_rooms.items():
@@ -63,6 +114,7 @@ def handle_disconnect():
 @authenticated_only
 def handle_register(data, user_id):
     """Register a user's socket connection"""
+    sid_users[request.sid] = user_id
     connected_users[user_id] = request.sid
     print(f"User {user_id} registered with socket ID {request.sid}")
     return {"status": "success", "message": "Registered successfully"}
diff --git a/backend/tests/unit/controllers/test_notifications_controller.py b/backend/tests/unit/controllers/test_notifications_controller.py
index 7b2756c..23d8468 100644
--- a/backend/tests/unit/controllers/test_notifications_controller.py
+++ b/backend/tests/unit/controllers/test_notifications_controller.py
@@ -19,11 +19,22 @@ def mock_db_session():
 def mock_notification():
     notification = MagicMock()
     notification.id = 1
-    notification.content = "Test notification"
+    notification.title = "Test notification"
+    notification.message = "Test notification"
     notification.is_read = False
     notification.task_id = 2
     notification.user_id = 1
     notification.created_at = datetime.now(timezone.utc)
+    notification.to_dict.return_value = {
+        'id': 1,
+        'title': 'Test notification',
+        'message': 'Test notification',
+        'content': 'Test notification',
+        'is_read': False,
+        'read': False,
+        'task_id': 2,
+        'created_at': notification.created_at.isoformat(),
+    }
     return notification
 
 @pytest.fixture
@@ -45,10 +56,21 @@ def test_get_user_notifications(mock_get_jwt_identity, mock_db_session, app_cont
         
         notification = MagicMock()
         notification.id = 1
-        notification.content = "Test notification"
+        notification.title = "Test notification"
+        notification.message = "Test notification"
         notification.is_read = False
         notification.task_id = 2
         notification.created_at = datetime.now(timezone.utc)
+        notification.to_dict.return_value = {
+            'id': 1,
+            'title': 'Test notification',
+            'message': 'Test notification',
+            'content': 'Test notification',
+            'is_read': False,
+            'read': False,
+            'task_id': 2,
+            'created_at': notification.created_at.isoformat(),
+        }
         
         mock_order.all.return_value = [notification]
         
@@ -72,14 +94,19 @@ def test_create_notification(mock_db_session, app_context):
         'task_id': 2
     }
     with patch('src.api.controllers.notifications_controller.validate_notification_data') as mock_validate, \
-         patch('src.api.controllers.notifications_controller.Notification') as MockNotification:
+         patch('src.api.controllers.notifications_controller.NotificationService.send_to_user') as mock_send_to_user:
         # Setup mocks
         mock_validate.return_value = None  # No validation errors
         
         new_notification = MagicMock()
         new_notification.id = 1
-        new_notification.content = 'Test notification'
-        MockNotification.return_value = new_notification
+        new_notification.to_dict.return_value = {
+            'id': 1,
+            'title': 'Test notification',
+            'message': 'Test notification',
+            'content': 'Test notification',
+        }
+        mock_send_to_user.return_value = new_notification
         
         # Import inside test to use patched modules
         from src.api.controllers.notifications_controller import create_notification
@@ -91,9 +118,14 @@ def test_create_notification(mock_db_session, app_context):
         assert data['message'] == 'Notification created successfully'
         assert data['notification']['id'] == 1
         
-        # Verify database interaction
-        mock_db_session.add.assert_called_once()
-        mock_db_session.commit.assert_called_once()
+        mock_send_to_user.assert_called_once_with(
+            user_id=1,
+            notification_type='general',
+            title='Test notification',
+            message='Test notification',
+            reference_id=2,
+            task_id=2
+        )
 
 def test_mark_notification_read(mock_get_jwt_identity, mock_db_session, mock_notification, app_context):
     with patch('src.api.controllers.notifications_controller.Notification.query') as mock_query:
@@ -105,6 +137,7 @@ def test_mark_notification_read(mock_get_jwt_identity, mock_db_session, mock_not
         
         # Verify notification was marked as read
         assert mock_notification.is_read == True
+        assert mock_notification.read_at is not None
         mock_db_session.commit.assert_called_once()
         
         # Verify response
@@ -157,4 +190,4 @@ def test_notification_not_found_or_unauthorized(mock_get_jwt_identity, app_conte
         # Verify response
         assert status_code == 404
         data = response.get_json()
-        assert data['message'] == 'Notification not found'
\ No newline at end of file
+        assert data['message'] == 'Notification not found'
diff --git a/backend/tests/unit/services/test_notification_service.py b/backend/tests/unit/services/test_notification_service.py
index f5afa13..34875e4 100644
--- a/backend/tests/unit/services/test_notification_service.py
+++ b/backend/tests/unit/services/test_notification_service.py
@@ -11,7 +11,7 @@ def mock_db_session():
 
 @pytest.fixture
 def mock_emit():
-    with patch('src.services.notification_service.emit') as mock:
+    with patch('src.services.notification_service.socketio.emit') as mock:
         yield mock
 
 @pytest.fixture
@@ -63,14 +63,17 @@ def mock_add(notification):
     mock_db_session.commit.assert_called_once()
     
     # Verify the emit was called with right parameters
-    mock_emit.assert_called_once_with('notification', {
-        'id': 1,
-        'type': notification_data['notification_type'],
-        'title': notification_data['title'],
-        'message': notification_data['message'],
-        'reference_id': notification_data['reference_id'],
-        'timestamp': mock_notification.created_at.isoformat()
-    }, to='socket1')
+    mock_emit.assert_called_once()
+    event_name, payload = mock_emit.call_args.args
+    assert event_name == 'notification'
+    assert payload['id'] == 1
+    assert payload['type'] == notification_data['notification_type']
+    assert payload['title'] == notification_data['title']
+    assert payload['message'] == notification_data['message']
+    assert payload['content'] == notification_data['message']
+    assert payload['reference_id'] == notification_data['reference_id']
+    assert payload['timestamp'] == mock_notification.created_at.isoformat()
+    assert mock_emit.call_args.kwargs == {'to': 'socket1'}
 
 
 def test_send_to_user_not_connected(mock_db_session, mock_emit, mock_connected_users, notification_data):
@@ -127,7 +130,7 @@ def test_send_to_project(mock_project_rooms, notification_data):
     from src.services.notification_service import NotificationService
     
     with patch.object(NotificationService, 'send_to_user') as mock_send_to_user:
-        mock_send_to_user.return_value = MagicMock()
+        mock_send_to_user.return_value = object()
         
         # Call the method
         results = NotificationService.send_to_project(
@@ -143,14 +146,14 @@ def test_send_to_project(mock_project_rooms, notification_data):
         mock_send_to_user.assert_has_calls([
             call(user_id='user1', notification_type=notification_data['notification_type'],
                 title=notification_data['title'], message=notification_data['message'], 
-                reference_id=notification_data['reference_id']),
+                reference_id=notification_data['reference_id'], task_id=None),
             call(user_id='user2', notification_type=notification_data['notification_type'],
                 title=notification_data['title'], message=notification_data['message'], 
-                reference_id=notification_data['reference_id']),
+                reference_id=notification_data['reference_id'], task_id=None),
             call(user_id='user3', notification_type=notification_data['notification_type'],
                 title=notification_data['title'], message=notification_data['message'], 
-                reference_id=notification_data['reference_id'])
-        ])
+                reference_id=notification_data['reference_id'], task_id=None)
+        ], any_order=True)
         
         # Test exclusion logic
         mock_send_to_user.reset_mock()
@@ -236,4 +239,4 @@ def test_get_user_notifications():
         result = NotificationService.get_user_notifications(user_id=1, page=2, per_page=20, unread_only=True)
         # Should check mock_filter.filter_by (not mock_query.filter_by) since we call filter_by twice
         mock_filter.filter_by.assert_called_with(is_read=False)
-        mock_order.paginate.assert_called_with(page=2, per_page=20, error_out=False)
\ No newline at end of file
+        mock_order.paginate.assert_called_with(page=2, per_page=20, error_out=False)
diff --git a/frontend/src/components/Notifications.jsx b/frontend/src/components/Notifications.jsx
index 83c00cf..511caf7 100644
--- a/frontend/src/components/Notifications.jsx
+++ b/frontend/src/components/Notifications.jsx
@@ -2,14 +2,21 @@ import React from 'react';
 import { notificationService } from '../services/utils/api';
 import { useNotifications } from '../context/NotificationContext';
 
-function Notifications({ notifications = [], onNotificationUpdate }) {
-  const { isLoading, error, rateLimited, refreshNotifications } = useNotifications();
+function Notifications({ notifications = [], onNotificationUpdate, onMarkRead }) {
+  const { isLoading, error, rateLimited, refreshNotifications, markAsRead: markContextAsRead } = useNotifications();
 
   const handleNotificationClick = async (notificationId) => {
     if (!notificationId) return;
     
     try {
-      await notificationService.markAsRead(notificationId);
+      if (typeof onMarkRead === 'function') {
+        await onMarkRead(notificationId);
+      } else if (typeof markContextAsRead === 'function') {
+        await markContextAsRead(notificationId);
+      } else {
+        await notificationService.markAsRead(notificationId);
+      }
+
       // Callback to parent to refresh notifications
       if (typeof onNotificationUpdate === 'function') {
         onNotificationUpdate();
@@ -91,7 +98,9 @@ function Notifications({ notifications = [], onNotificationUpdate }) {
           const notificationId = notification?.id || `notification-${Math.random().toString(36).substr(2, 9)}`;
           const isRead = notification?.is_read || notification?.read || false;
           const content = notification?.content || notification?.message || 'No content';
-          const createdAt = notification?.created_at ? new Date(notification.created_at).toLocaleDateString() : 'Unknown date';
+          const title = notification?.title;
+          const timestamp = notification?.created_at || notification?.timestamp;
+          const createdAt = timestamp ? new Date(timestamp).toLocaleDateString() : 'Unknown date';
           
           return (
             <div 
@@ -100,7 +109,10 @@ function Notifications({ notifications = [], onNotificationUpdate }) {
               onClick={() => handleNotificationClick(notificationId)}
             >
               <div className="flex justify-between items-start">
-                <div className="text-slate-200">{content}</div>
+                <div>
+                  {title && <div className="text-sm font-semibold text-slate-100">{title}</div>}
+                  <div className="text-slate-200">{content}</div>
+                </div>
                 <div className="text-xs text-slate-500">
                   {createdAt}
                 </div>
@@ -113,4 +125,4 @@ function Notifications({ notifications = [], onNotificationUpdate }) {
   );
 }
 
-export default Notifications;
\ No newline at end of file
+export default Notifications;
diff --git a/frontend/src/context/NotificationContext.jsx b/frontend/src/context/NotificationContext.jsx
index d2a4af1..c815c2a 100644
--- a/frontend/src/context/NotificationContext.jsx
+++ b/frontend/src/context/NotificationContext.jsx
@@ -13,6 +13,8 @@ const RECONNECT_RETRY_DELAY = _isTestEnv ? 50 : 60000; // ms
 
 export const useNotifications = () => useContext(NotificationContext);
 
+const isNotificationRead = (notification) => Boolean(notification?.is_read || notification?.read);
+
 export const NotificationProvider = ({ children }) => {
   const [notifications, setNotifications] = useState([]);
   const [isConnected, setIsConnected] = useState(false);
@@ -223,6 +225,14 @@ export const NotificationProvider = ({ children }) => {
             clearTimeout(reconnectTimeoutRef.current);
             reconnectTimeoutRef.current = null;
           }
+
+          if (typeof socketConnection.emit === 'function') {
+            socketConnection.emit('register', {}, (ack) => {
+              if (ack?.status && ack.status !== 'success') {
+                console.warn('Socket.IO registration did not succeed:', ack);
+              }
+            });
+          }
         });
         
         socketConnection.on('disconnect', () => {
@@ -323,7 +333,7 @@ export const NotificationProvider = ({ children }) => {
   }, [currentUser, refreshNotifications, serverDown]);
   
   // Calculate unread count
-  const unreadCount = notifications.filter(notification => !notification.read).length;
+  const unreadCount = notifications.filter(notification => !isNotificationRead(notification)).length;
   
   // Mark a notification as read
   const markAsRead = async (notificationId) => {
@@ -334,9 +344,9 @@ export const NotificationProvider = ({ children }) => {
     
     try {
       // Optimistic UI update
-      setNotifications(notifications.map(notification => 
+      setNotifications(prev => prev.map(notification =>
         notification.id === notificationId 
-          ? { ...notification, read: true }
+          ? { ...notification, read: true, is_read: true }
           : notification
       ));
       
@@ -358,7 +368,7 @@ export const NotificationProvider = ({ children }) => {
     
     try {
       // Update UI immediately for better UX
-      setNotifications(notifications.map(notification => ({ ...notification, read: true })));
+      setNotifications(prev => prev.map(notification => ({ ...notification, read: true, is_read: true })));
       
       // API call to mark all as read
       await notificationService.markAllAsRead();
@@ -398,4 +408,4 @@ export const NotificationProvider = ({ children }) => {
   );
 };
 
-export default NotificationContext;
\ No newline at end of file
+export default NotificationContext;
diff --git a/frontend/src/tests/context/NotificationContext.test.jsx b/frontend/src/tests/context/NotificationContext.test.jsx
index 4c565fe..e5e3473 100644
--- a/frontend/src/tests/context/NotificationContext.test.jsx
+++ b/frontend/src/tests/context/NotificationContext.test.jsx
@@ -56,6 +56,7 @@ describe('NotificationContext', () => {
   const socketHandlers = {};
   const socketMock = {
     on: jest.fn(),
+    emit: jest.fn(),
     disconnect: jest.fn(),
   };
 
@@ -66,6 +67,7 @@ describe('NotificationContext', () => {
 
     Object.keys(socketHandlers).forEach((key) => delete socketHandlers[key]);
     socketMock.on.mockReset();
+    socketMock.emit.mockReset();
     socketMock.disconnect.mockReset();
     socketMock.on.mockImplementation((event, callback) => {
       socketHandlers[event] = callback;
@@ -100,6 +102,10 @@ describe('NotificationContext', () => {
       expect(notificationService.getNotifications).toHaveBeenCalled();
     });
 
+    expect(io).toHaveBeenCalledWith(expect.any(String), expect.objectContaining({
+      auth: { token: 'token-1' },
+    }));
+
     await waitFor(() => {
       expect(screen.getByTestId('total-count')).toHaveTextContent('2');
     });
@@ -113,6 +119,7 @@ describe('NotificationContext', () => {
     });
 
     expect(screen.getByTestId('is-connected')).toHaveTextContent('true');
+    expect(socketMock.emit).toHaveBeenCalledWith('register', {}, expect.any(Function));
   });
 
   test('marks notifications as read through API and optimistic state updates', async () => {

From cb0f6133877b9647f72fcf809b33536bdc624a79 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 19:18:03 +0100
Subject: [PATCH 26/37] feat: enhance Developer Dashboard

- Modified frontend role definitions to allow developers to create and update tasks.
- Enhanced TaskForm component to lock assignee selection for developers and auto-assign tasks if locked.
- Improved BasicDashboard to include project management and task deadline features, with better UI for task display.
- Implemented task creation logic to restrict assignee selection based on user role.
- Added delete task functionality in TaskDetailsUser for managers and assigned users.
- Updated TaskList to show New Task button for developers and ensure proper navigation.
- Enhanced API error handling and response structure for dashboard service.
- Updated tests to reflect changes in task creation and dashboard functionalities.
---
 .../api/controllers/dashboard_controller.py   |  79 ++++-
 .../src/api/controllers/tasks_controller.py   |  73 +++-
 backend/src/api/routes/tasks_routes.py        |   4 +-
 backend/src/services/notification_service.py  |   2 +-
 .../test_role_access_integration.py           |  23 +-
 .../tests/integration/test_tasks_routes.py    |  27 ++
 .../unit/controllers/test_tasks_controller.py |  60 +++-
 docs/backend/rbac.md                          |   2 +-
 frontend/src/App.jsx                          |   2 +-
 frontend/src/components/Navbar.jsx            |   2 +-
 frontend/src/components/TaskColumns.jsx       |   6 +-
 frontend/src/components/TaskForm.jsx          |  17 +-
 frontend/src/pages/BasicDashboard.jsx         | 327 ++++++++----------
 frontend/src/pages/TaskCreation.jsx           |  18 +-
 frontend/src/pages/TaskDetailsUser.jsx        |  57 ++-
 frontend/src/pages/TaskList.jsx               |   8 +-
 frontend/src/services/utils/api.js            |  31 +-
 .../src/tests/components/TaskColumns.test.jsx |   4 +-
 .../src/tests/pages/BasicDashboard.test.jsx   |  17 +-
 .../src/tests/pages/TaskCreation.test.jsx     |  21 +-
 frontend/src/tests/pages/TaskList.test.jsx    |   5 +-
 frontend/src/tests/services/api.test.js       |   5 +-
 22 files changed, 519 insertions(+), 271 deletions(-)

diff --git a/backend/src/api/controllers/dashboard_controller.py b/backend/src/api/controllers/dashboard_controller.py
index dcdd566..1de08ec 100644
--- a/backend/src/api/controllers/dashboard_controller.py
+++ b/backend/src/api/controllers/dashboard_controller.py
@@ -1,7 +1,7 @@
 # Dashboard controller - business logic for user dashboards
 from flask import jsonify
 from flask_jwt_extended import get_jwt_identity, get_jwt
-from ...db.models import db, User, Task, Project  # Changed to relative import
+from ...db.models import db, User, Task, Project, TaskGitHubLink, GitHubRepository  # Changed to relative import
 from ...auth.rbac import Role  # Changed to relative import
 from datetime import datetime, timedelta
 import traceback
@@ -32,6 +32,46 @@ def _is_completed_status(status):
 def _is_completed_task(task):
     return _is_completed_status(getattr(task, 'status', None))
 
+
+def _task_to_dashboard_item(task):
+    project = getattr(task, 'project', None)
+    return {
+        'id': getattr(task, 'id', None),
+        'title': getattr(task, 'title', None),
+        'description': getattr(task, 'description', None),
+        'status': getattr(task, 'status', None),
+        'priority': getattr(task, 'priority', None),
+        'progress': getattr(task, 'progress', 0) or 0,
+        'deadline': getattr(task, 'deadline', None).isoformat() if getattr(task, 'deadline', None) else None,
+        'project_id': getattr(task, 'project_id', None),
+        'project_name': project.name if project else None,
+        'updated_at': getattr(task, 'updated_at', None).isoformat() if getattr(task, 'updated_at', None) else None,
+        'created_at': getattr(task, 'created_at', None).isoformat() if getattr(task, 'created_at', None) else None,
+    }
+
+
+def _github_activity_to_item(link):
+    task = getattr(link, 'task', None)
+    repository = getattr(link, 'repository', None)
+    event_type = 'pull_request' if link.pull_request_number else 'issue' if link.issue_number else 'repository'
+    label_number = link.pull_request_number or link.issue_number
+    repo_url = repository.repo_url if repository else None
+    if repo_url and label_number:
+        if link.pull_request_number:
+            repo_url = f'{repo_url.rstrip("/")}/pull/{link.pull_request_number}'
+        elif link.issue_number:
+            repo_url = f'{repo_url.rstrip("/")}/issues/{link.issue_number}'
+
+    return {
+        'id': link.id,
+        'type': event_type,
+        'title': task.title if task else 'GitHub linked task',
+        'repo': repository.repo_name if repository else 'Unknown repository',
+        'url': repo_url,
+        'date': link.created_at.isoformat() if link.created_at else None,
+        'label': f'#{label_number}' if label_number else 'Linked repository',
+    }
+
 def get_user_tasks(user_id):
     """Helper function to get all tasks for a user"""
     try:
@@ -208,24 +248,44 @@ def get_client_dashboard():
         
         # Get tasks assigned to this user
         assigned_tasks = get_user_tasks(user_id)
-        
+        # Get tasks due soon
+        tasks_due_soon = get_tasks_due_soon(user_id)
+
+        recent_tasks = sorted(
+            assigned_tasks,
+            key=lambda task: getattr(task, 'updated_at', None) or getattr(task, 'created_at', None) or datetime.min,
+            reverse=True,
+        )[:5]
+
         task_stats = {
-            'total':       len(assigned_tasks),
-            'todo':        _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'todo'),
+            'total': len(assigned_tasks),
+            'assigned': len(assigned_tasks),
+            'todo': _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'todo'),
             'in_progress': _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'in_progress'),
-            'review':      _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'review'),
-            'done':        _count(assigned_tasks, lambda task: getattr(task, 'status', None) in {'done', 'completed'}),
+            'review': _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'review'),
+            'done': _count(assigned_tasks, lambda task: getattr(task, 'status', None) in {'done', 'completed'}),
+            'due_soon': len(tasks_due_soon),
         }
-        
-        # Get tasks due soon
-        tasks_due_soon = get_tasks_due_soon(user_id)
+
+        github_activity = []
+        try:
+            recent_links = TaskGitHubLink.query.join(Task).outerjoin(GitHubRepository).filter(
+                Task.assigned_to == user_id
+            ).order_by(TaskGitHubLink.created_at.desc()).limit(5).all()
+            github_activity = [_github_activity_to_item(link) for link in recent_links]
+        except Exception as e:
+            logger.error(f"Error fetching GitHub activity for client dashboard: {str(e)}")
+            github_activity = []
         
         # Get projects user is part of
         user_projects = user.projects.all()
         
         # Format response data
         dashboard_data = {
+            'taskCounts': task_stats,
             'tasks': task_stats,
+            'recentTasks': [_task_to_dashboard_item(task) for task in recent_tasks],
+            'upcomingDeadlines': [_task_to_dashboard_item(task) for task in tasks_due_soon],
             'tasks_due_soon': [{
                 'id': task.id,
                 'title': task.title,
@@ -233,6 +293,7 @@ def get_client_dashboard():
                 'status': task.status,
                 'project_id': task.project_id
             } for task in tasks_due_soon],
+            'githubActivity': github_activity,
             'projects': [{
                 'id': project.id,
                 'name': project.name,
diff --git a/backend/src/api/controllers/tasks_controller.py b/backend/src/api/controllers/tasks_controller.py
index a5562db..802a307 100644
--- a/backend/src/api/controllers/tasks_controller.py
+++ b/backend/src/api/controllers/tasks_controller.py
@@ -1,13 +1,17 @@
 # Task controller - business logic
 
+import logging
 from flask import request, jsonify
 from flask_jwt_extended import get_jwt_identity, get_jwt
 from ...db.models import db, Task, User  # Changed to relative import
 from ...auth.rbac import Role  # Changed to relative import
 from ..validators.task_validator import validate_task_data  # Changed to relative import
 from ...services import audit_service
+from ...services.notification_service import NotificationService
 from unittest.mock import Mock
 
+logger = logging.getLogger(__name__)
+
 MEMBER_ROLES = {
     Role.DEVELOPER.value,
     Role.TEAM_LEAD.value,
@@ -19,6 +23,25 @@
 }
 
 
+def _run_notification(callback, *args, **kwargs):
+    """Create notifications without making the primary task mutation fail."""
+    try:
+        callback(*args, **kwargs)
+    except Exception:
+        db.session.rollback()
+        logger.exception("Failed to create task notification")
+
+
+def _coerce_int(value):
+    if value in (None, ''):
+        return None
+    if isinstance(value, int):
+        return value
+    if isinstance(value, str) and value.isdigit():
+        return int(value)
+    return value
+
+
 def _task_value(task, field, default=None):
     value = vars(task).get(field, getattr(task, field, default))
     if isinstance(value, Mock):
@@ -140,18 +163,18 @@ def create_new_task():
     if not identity or 'user_id' not in identity:
         return jsonify({'message': 'Invalid authentication token'}), 401
     user_id = identity['user_id']
+    user_role = get_jwt().get('role')
 
-    assigned_to = data.get('assigned_to')
-    if assigned_to in (None, ''):
+    assigned_to = _coerce_int(data.get('assigned_to'))
+    if user_role == Role.DEVELOPER.value:
+        assigned_to = user_id
+    elif assigned_to is None and user_role in TASK_MANAGER_ROLES:
         assigned_to = None
-    elif isinstance(assigned_to, str) and assigned_to.isdigit():
-        assigned_to = int(assigned_to)
 
-    project_id = data.get('project_id')
-    if project_id in (None, ''):
-        project_id = None
-    elif isinstance(project_id, str) and project_id.isdigit():
-        project_id = int(project_id)
+    project_id = _coerce_int(data.get('project_id'))
+
+    if user_role == Role.DEVELOPER.value and data.get('assigned_to') not in (None, '', user_id, str(user_id)):
+        return jsonify({'message': 'Developers can only create tasks assigned to themselves'}), 403
     
     # Create new task
     new_task = Task()
@@ -167,6 +190,15 @@ def create_new_task():
     
     db.session.add(new_task)
     db.session.commit()
+
+    _run_notification(
+        NotificationService.task_created_notification,
+        new_task.id,
+        new_task.title,
+        new_task.project_id,
+        user_id,
+        new_task.assigned_to
+    )
     
     return jsonify({
         'message': 'Task created successfully',
@@ -185,6 +217,7 @@ def update_task_by_id(task_id):
     user_role = claims.get('role')
     
     task = Task.query.get_or_404(task_id)
+    old_assignee_id = task.assigned_to
     
     # Check if user has permission to update this task
     # Admins and Team Leads can update any task (can_update_any_task)
@@ -209,11 +242,21 @@ def update_task_by_id(task_id):
     if 'assigned_to' in data:
         # Only TL or Admins can change the assignee
         if can_assign_task:
-            task.assigned_to = data['assigned_to']
-        elif data['assigned_to'] != task.assigned_to:
+            task.assigned_to = _coerce_int(data['assigned_to'])
+        elif _coerce_int(data['assigned_to']) != task.assigned_to:
             return jsonify({'message': 'You do not have permission to reassign tasks'}), 403
     
     db.session.commit()
+
+    _run_notification(
+        NotificationService.task_updated_notification,
+        task.id,
+        task.title,
+        task.project_id,
+        user_id,
+        old_assignee_id,
+        task.assigned_to
+    )
     
     return jsonify({
         'message': 'Task updated successfully',
@@ -228,7 +271,15 @@ def update_task_by_id(task_id):
 
 def delete_task_by_id(task_id):
     """Controller function to delete a task"""
+    user_id = get_jwt_identity()['user_id']
+    claims = get_jwt()
+    user_role = claims.get('role')
+
     task = Task.query.get_or_404(task_id)
+
+    can_delete_task = user_role in TASK_MANAGER_ROLES or task.assigned_to == user_id or task.created_by == user_id
+    if not can_delete_task:
+        return jsonify({'message': 'You can only delete tasks assigned to you'}), 403
     
     db.session.delete(task)
     db.session.commit()
diff --git a/backend/src/api/routes/tasks_routes.py b/backend/src/api/routes/tasks_routes.py
index 8efc275..4c6ae05 100644
--- a/backend/src/api/routes/tasks_routes.py
+++ b/backend/src/api/routes/tasks_routes.py
@@ -27,7 +27,7 @@ def tasks_list():
     
     @bp.route('/tasks', methods=['POST'])
     @jwt_required()
-    @role_required([Role.TEAM_LEAD, Role.ADMIN])
+    @role_required([Role.DEVELOPER, Role.TEAM_LEAD, Role.ADMIN])
     @validate_json()
     def create_task():
         """Route to create a new task"""
@@ -50,7 +50,7 @@ def update_task(task_id):
     
     @bp.route('/tasks/<int:task_id>', methods=['DELETE'])
     @jwt_required()
-    @role_required([Role.ADMIN])
+    @role_required([Role.DEVELOPER, Role.TEAM_LEAD, Role.ADMIN])
     def delete_task(task_id):
         """Route to delete a task"""
         return delete_task_by_id(task_id)
diff --git a/backend/src/services/notification_service.py b/backend/src/services/notification_service.py
index 9536df9..3e643e8 100644
--- a/backend/src/services/notification_service.py
+++ b/backend/src/services/notification_service.py
@@ -63,7 +63,7 @@ def _project_member_ids(project_id):
         user_ids = set()
 
         try:
-            project = Project.query.get(project_id)
+            project = db.session.get(Project, project_id)
             if project:
                 if getattr(project, 'created_by', None) is not None:
                     user_ids.add(project.created_by)
diff --git a/backend/tests/integration/test_role_access_integration.py b/backend/tests/integration/test_role_access_integration.py
index d3ab64a..79dea10 100644
--- a/backend/tests/integration/test_role_access_integration.py
+++ b/backend/tests/integration/test_role_access_integration.py
@@ -124,7 +124,7 @@ def test_member_dashboard_route_requires_member_role(client, app, monkeypatch):
     handler.assert_called_once_with()
 
 
-def test_task_create_route_requires_team_lead_or_admin_role(client, app, monkeypatch):
+def test_task_create_route_allows_developer_role(client, app, monkeypatch):
     handler = MagicMock(return_value=({'message': 'Task created'}, 201))
     monkeypatch.setattr(tasks_routes, 'create_new_task', handler)
 
@@ -132,14 +132,14 @@ def test_task_create_route_requires_team_lead_or_admin_role(client, app, monkeyp
     assert unauthorized_response.status_code == 401
     assert handler.call_count == 0
 
-    forbidden_response = client.post(
+    allowed_response = client.post(
         '/api/v1/tasks',
         headers=auth_headers(app, 'developer'),
         json={'title': 'New'},
     )
-    assert forbidden_response.status_code == 403
-    assert forbidden_response.get_json()['message'] == 'Insufficient permissions'
-    assert handler.call_count == 0
+    assert allowed_response.status_code == 201
+    assert allowed_response.get_json()['message'] == 'Task created'
+    handler.assert_called_once_with()
 
     allowed_response = client.post(
         '/api/v1/tasks',
@@ -148,10 +148,10 @@ def test_task_create_route_requires_team_lead_or_admin_role(client, app, monkeyp
     )
     assert allowed_response.status_code == 201
     assert allowed_response.get_json()['message'] == 'Task created'
-    handler.assert_called_once_with()
+    assert handler.call_count == 2
 
 
-def test_task_delete_route_requires_admin_role(client, app, monkeypatch):
+def test_task_delete_route_allows_developer_role(client, app, monkeypatch):
     handler = MagicMock(return_value=('', 204))
     monkeypatch.setattr(tasks_routes, 'delete_task_by_id', handler)
 
@@ -159,14 +159,13 @@ def test_task_delete_route_requires_admin_role(client, app, monkeypatch):
     assert unauthorized_response.status_code == 401
     assert handler.call_count == 0
 
-    forbidden_response = client.delete('/api/v1/tasks/1', headers=auth_headers(app, 'developer'))
-    assert forbidden_response.status_code == 403
-    assert forbidden_response.get_json()['message'] == 'Insufficient permissions'
-    assert handler.call_count == 0
+    allowed_response = client.delete('/api/v1/tasks/1', headers=auth_headers(app, 'developer'))
+    assert allowed_response.status_code == 204
+    handler.assert_called_once_with(1)
 
     allowed_response = client.delete('/api/v1/tasks/1', headers=auth_headers(app, 'admin'))
     assert allowed_response.status_code == 204
-    handler.assert_called_once_with(1)
+    assert handler.call_count == 2
 
 
 def test_project_create_route_requires_admin_role(client, app, monkeypatch):
diff --git a/backend/tests/integration/test_tasks_routes.py b/backend/tests/integration/test_tasks_routes.py
index 6eda786..7bdcbfc 100644
--- a/backend/tests/integration/test_tasks_routes.py
+++ b/backend/tests/integration/test_tasks_routes.py
@@ -87,6 +87,33 @@ def test_developer_can_update_own_assigned_task(client, app, monkeypatch):
     handler.assert_called_once_with(1)
 
 
+def test_developer_can_create_task(client, app, monkeypatch):
+    handler = MagicMock(return_value=({'message': 'Task created'}, 201))
+    monkeypatch.setattr(tasks_routes, 'create_new_task', handler)
+
+    resp = client.post(
+        '/api/v1/tasks',
+        headers=auth_headers(app, 'developer'),
+        json={'title': 'New Task', 'description': 'Desc', 'status': 'todo'}
+    )
+
+    assert resp.status_code == 201
+    handler.assert_called_once_with()
+
+
+def test_developer_can_delete_task_route(client, app, monkeypatch):
+    handler = MagicMock(return_value=({'message': 'Task deleted'}, 200))
+    monkeypatch.setattr(tasks_routes, 'delete_task_by_id', handler)
+
+    resp = client.delete(
+        '/api/v1/tasks/1',
+        headers=auth_headers(app, 'developer')
+    )
+
+    assert resp.status_code == 200
+    handler.assert_called_once_with(1)
+
+
 def test_unauthenticated_cannot_update_task(client):
     """Unauthenticated requests must be rejected."""
     resp = client.put('/api/v1/tasks/1', json={'title': 'hack'})
diff --git a/backend/tests/unit/controllers/test_tasks_controller.py b/backend/tests/unit/controllers/test_tasks_controller.py
index e8f3dcf..54b5980 100644
--- a/backend/tests/unit/controllers/test_tasks_controller.py
+++ b/backend/tests/unit/controllers/test_tasks_controller.py
@@ -149,7 +149,7 @@ def test_get_task_by_id(app, mock_jwt_identity, mock_jwt, mock_task):
             assert data['task']['creator_name'] == "Creator User"
             assert data['task']['assignee_name'] == "Assignee User"
 
-def test_create_new_task(app, client, mock_jwt_identity, mock_db):
+def test_create_new_task(app, client, mock_jwt_identity, mock_jwt, mock_db):
     # Test data for task creation
     test_data = {
         'title': 'New Task',
@@ -186,6 +186,41 @@ def test_create_new_task(app, client, mock_jwt_identity, mock_db):
             mock_db.session.add.assert_called_once()
             mock_db.session.commit.assert_called_once()
 
+
+def test_create_new_task_developer_forces_self_assignment(app, mock_jwt_identity, mock_db, mock_jwt):
+    mock_jwt.return_value = {'role': 'developer'}
+
+    test_data = {
+        'title': 'New Task',
+        'description': 'Task Description',
+        'status': 'todo',
+        'progress': 0,
+        'assigned_to': 1,
+    }
+
+    with app.test_request_context(json=test_data):
+        with patch('backend.src.api.controllers.tasks_controller.Task') as mock_task_class, \
+             patch('backend.src.api.controllers.tasks_controller.validate_task_data') as mock_validate:
+
+            mock_validate.return_value = None
+
+            new_task = MagicMock()
+            new_task.id = 1
+            new_task.title = 'New Task'
+            new_task.status = 'todo'
+
+            mock_task_class.return_value = new_task
+
+            from backend.src.api.controllers.tasks_controller import create_new_task
+
+            response, status_code = create_new_task()
+
+            assert status_code == 201
+            assert response.get_json()['task']['title'] == 'New Task'
+            assert new_task.assigned_to == 1
+            mock_db.session.add.assert_called_once()
+            mock_db.session.commit.assert_called_once()
+
 def test_update_task_by_id(app, mock_jwt_identity, mock_jwt, mock_db, mock_task):
     # Test data for task update
     test_data = {'title': 'Updated Task', 'progress': 75}
@@ -254,8 +289,11 @@ def test_team_lead_can_assign_unassigned_task(app, mock_jwt_identity, mock_jwt,
             mock_db.session.commit.assert_called_once()
 
 def test_delete_task_by_id(app, mock_jwt_identity, mock_db):
+    
     with app.test_request_context():
-        with patch('backend.src.api.controllers.tasks_controller.Task.query') as mock_query:
+        with patch('backend.src.api.controllers.tasks_controller.Task.query') as mock_query, \
+             patch('backend.src.api.controllers.tasks_controller.get_jwt') as mock_get_jwt:
+            mock_get_jwt.return_value = {'role': 'admin'}
             
             mock_task = MagicMock()
             mock_query.get_or_404.return_value = mock_task
@@ -270,3 +308,21 @@ def test_delete_task_by_id(app, mock_jwt_identity, mock_db):
             assert 'Task deleted successfully' in response.get_json()['message']
             mock_db.session.delete.assert_called_once_with(mock_task)
             mock_db.session.commit.assert_called_once()
+
+
+def test_delete_task_permission_denied_for_non_owner(app, mock_jwt_identity, mock_db, mock_jwt):
+    mock_jwt.return_value = {'role': 'developer'}
+
+    with app.test_request_context():
+        with patch('backend.src.api.controllers.tasks_controller.Task.query') as mock_query:
+            mock_task = MagicMock()
+            mock_task.assigned_to = 999
+            mock_task.created_by = 998
+            mock_query.get_or_404.return_value = mock_task
+
+            from backend.src.api.controllers.tasks_controller import delete_task_by_id
+
+            response, status_code = delete_task_by_id(1)
+
+            assert status_code == 403
+            assert 'You can only delete tasks assigned to you' in response.get_json()['message']
diff --git a/docs/backend/rbac.md b/docs/backend/rbac.md
index 0b8c120..7fc1222 100644
--- a/docs/backend/rbac.md
+++ b/docs/backend/rbac.md
@@ -27,7 +27,7 @@ The `role_at_least(min_role)` decorator uses this hierarchy to enforce minimum-l
 ### Developer Permissions
 
 - View all tasks
-- Update tasks assigned to them
+- Create and update tasks assigned to them
 - Add comments to all tasks (`can_comment_on_tasks`)
 - View and manage personal notifications (`can_manage_personal_notifications`)
 - Link personal GitHub account (`can_link_github_account`)
diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index 03925a1..f7bf61c 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -33,7 +33,7 @@ const ROLES = {
 
 const MEMBER_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD];
 const AUTHENTICATED_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD, ROLES.ADMIN];
-const TASK_CREATOR_ROLES = [ROLES.TEAM_LEAD, ROLES.ADMIN];
+const TASK_CREATOR_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD, ROLES.ADMIN];
 const TEAM_LEAD_OR_ADMIN = [ROLES.TEAM_LEAD, ROLES.ADMIN];
 
 const getDashboardPath = (role) => (role === ROLES.ADMIN || role === ROLES.TEAM_LEAD ? '/admin' : '/BasicDashboard');
diff --git a/frontend/src/components/Navbar.jsx b/frontend/src/components/Navbar.jsx
index b8dbfa5..a6f7b49 100644
--- a/frontend/src/components/Navbar.jsx
+++ b/frontend/src/components/Navbar.jsx
@@ -50,7 +50,7 @@ const Navbar = () => {
   const canCreateTasks = isAdmin || isTeamLead;
 
   return (
-    <header className="bg-slate-950/80 backdrop-blur-md border-b border-slate-800/50 sticky top-0 z-50 font-['Space_Grotesk']">
+    <header className="bg-slate-950/80 backdrop-blur-md sticky top-0 z-50 font-['Space_Grotesk']">
       <div className="mx-auto flex w-full max-w-6xl items-center justify-between px-6 py-4 md:px-10">
         <Link to="/" className="flex-shrink-0 mr-8 text-lg font-semibold tracking-wide text-white hover:text-slate-300 transition">
           DevSync
diff --git a/frontend/src/components/TaskColumns.jsx b/frontend/src/components/TaskColumns.jsx
index f98f5dc..58ca270 100644
--- a/frontend/src/components/TaskColumns.jsx
+++ b/frontend/src/components/TaskColumns.jsx
@@ -71,9 +71,9 @@ function TaskColumns({ tasks = [] }) {
             </div>
           ) : (
             <span className="px-2 py-1 rounded-full bg-slate-700/70 text-slate-300 text-xs">
-              {taskPriority === 'high' ? '❗ High' : 
-               taskPriority === 'medium' ? '⚠️ Medium' : '🔽 Low'}
-            </span>
+                {taskPriority === 'high' ? 'High' : 
+                 taskPriority === 'medium' ? 'Medium' : 'Low'}
+              </span>
           )}
         </div>
       </Link>
diff --git a/frontend/src/components/TaskForm.jsx b/frontend/src/components/TaskForm.jsx
index 938c151..d1bec29 100644
--- a/frontend/src/components/TaskForm.jsx
+++ b/frontend/src/components/TaskForm.jsx
@@ -1,6 +1,6 @@
-import { useState } from "react";
+import { useEffect, useState } from "react";
 
-const TaskForm = ({ onSubmit, initialData = {}, users = [], projects = [] }) => {
+const TaskForm = ({ onSubmit, initialData = {}, users = [], projects = [], assigneeLocked = false }) => {
   const [task, setTask] = useState({
     title: initialData.title || "",
     description: initialData.description || "",
@@ -11,6 +11,15 @@ const TaskForm = ({ onSubmit, initialData = {}, users = [], projects = [] }) =>
     priority: initialData.priority || "medium"
   });
 
+  useEffect(() => {
+    if (assigneeLocked && task.assignee === "" && users.length > 0) {
+      setTask((currentTask) => ({
+        ...currentTask,
+        assignee: initialData.assigned_to || users[0].id,
+      }));
+    }
+  }, [assigneeLocked, initialData.assigned_to, task.assignee, users]);
+
   const statusOptions = [
     { value: "todo", label: "To Do" },
     { value: "in_progress", label: "In Progress" },
@@ -64,6 +73,7 @@ const TaskForm = ({ onSubmit, initialData = {}, users = [], projects = [] }) =>
             id="assignee"
             value={task.assignee}
             onChange={(e) => setTask({ ...task, assignee: e.target.value })}
+            disabled={assigneeLocked}
             className="w-full p-2 border border-slate-700/60 rounded bg-slate-950/60 text-slate-100 focus:ring-rose-400/60 focus:border-rose-400/60"
           >
             <option value="">Select Assignee</option>
@@ -73,6 +83,9 @@ const TaskForm = ({ onSubmit, initialData = {}, users = [], projects = [] }) =>
               </option>
             ))}
           </select>
+          {assigneeLocked && (
+            <p className="mt-1 text-xs text-slate-500">Developers can only create tasks for themselves.</p>
+          )}
         </div>
         
         <div>
diff --git a/frontend/src/pages/BasicDashboard.jsx b/frontend/src/pages/BasicDashboard.jsx
index 8260458..b0f2d54 100644
--- a/frontend/src/pages/BasicDashboard.jsx
+++ b/frontend/src/pages/BasicDashboard.jsx
@@ -1,7 +1,6 @@
 import React, { useState, useEffect, useCallback } from 'react';
 import { Link } from 'react-router-dom';
 import { dashboardService } from '../services/utils/api';
-import TaskCard from '../components/TaskCard';
 import LoadingSpinner from '../components/LoadingSpinner';
 import { useAuth } from '../context/AuthContext';
 
@@ -9,12 +8,64 @@ const panelClass = "bg-slate-900/70 border border-slate-800/70 rounded-2xl overf
 const panelHeaderClass = "px-6 py-5 border-b border-slate-800/70 flex justify-between items-center";
 const sectionTitleClass = "text-lg font-semibold text-slate-100";
 
+const getCount = (counts, keys, fallback = 0) => {
+  for (const key of keys) {
+    if (counts?.[key] !== undefined && counts?.[key] !== null) {
+      return counts[key];
+    }
+  }
+
+  return fallback;
+};
+
+const formatTaskDate = (dateValue) => {
+  if (!dateValue) return 'No deadline';
+
+  const date = new Date(dateValue);
+  if (Number.isNaN(date.getTime())) return 'No deadline';
+
+  return date.toLocaleDateString('en-US', {
+    month: 'short',
+    day: 'numeric',
+  });
+};
+
+const getTaskDeadline = (task) => task?.deadline || task?.due_date || null;
+
+const getTaskStatusClass = (status) => {
+  const styles = {
+    todo: 'bg-slate-800/80 text-slate-300 border border-slate-700',
+    backlog: 'bg-slate-800/80 text-slate-300 border border-slate-700',
+    in_progress: 'bg-amber-500/15 text-amber-300 border border-amber-400/20',
+    review: 'bg-sky-500/15 text-sky-300 border border-sky-400/20',
+    done: 'bg-emerald-500/15 text-emerald-300 border border-emerald-400/20',
+    completed: 'bg-emerald-500/15 text-emerald-300 border border-emerald-400/20',
+  };
+
+  return styles[status] || 'bg-slate-800/80 text-slate-300 border border-slate-700';
+};
+
+const getPriorityClass = (priority) => {
+  const styles = {
+    high: 'bg-rose-500/15 text-rose-300 border border-rose-400/20',
+    medium: 'bg-amber-500/15 text-amber-300 border border-amber-400/20',
+    low: 'bg-emerald-500/15 text-emerald-300 border border-emerald-400/20',
+  };
+
+  return styles[priority] || 'bg-slate-800/80 text-slate-300 border border-slate-700';
+};
+
+const getStatusLabel = (status) => {
+  const normalized = (status || 'unknown').replace(/[_-]/g, ' ');
+  return normalized.replace(/\b\w/g, (char) => char.toUpperCase());
+};
+
 const BasicDashboard = () => {
   const [dashboardData, setDashboardData] = useState(null);
   const [teamUsers, setTeamUsers] = useState([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState(null);
-  const { currentUser, is } = useAuth();
+  const { is } = useAuth();
 
   const fetchDashboardData = useCallback(async () => {
     try {
@@ -50,6 +101,16 @@ const BasicDashboard = () => {
     fetchDashboardData();
   };
 
+  // Use full tasks list if provided by API, otherwise fall back to recentTasks
+  // Limit to last 10 most recent tasks, sorted by most recent first
+  const tasksToShow = ((dashboardData?.tasks && dashboardData.tasks.length) ? dashboardData.tasks : (dashboardData?.recentTasks || []))
+    .sort((a, b) => {
+      const dateA = new Date(a.updated_at || a.created_at || 0).getTime();
+      const dateB = new Date(b.updated_at || b.created_at || 0).getTime();
+      return dateB - dateA;
+    })
+    .slice(0, 10);
+
   return (
     <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
       <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
@@ -61,15 +122,20 @@ const BasicDashboard = () => {
             </p>
           </div>
 
-          <button
-            onClick={handleRefresh}
-            className="mt-4 md:mt-0 inline-flex items-center px-4 py-2 rounded-full text-sm font-medium text-white bg-rose-500/90 hover:bg-rose-400 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
-          >
-            <svg xmlns="http://www.w3.org/2000/svg" className="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
-            </svg>
-            Refresh
-          </button>
+          <div className="mt-4 md:mt-0 flex items-center gap-3">
+            <Link to="/admin/create-task" className="inline-flex items-center px-4 py-2 rounded-full text-sm font-medium text-white bg-slate-800/60 hover:bg-slate-800/40 focus:outline-none">
+              Create Task
+            </Link>
+            <button
+              onClick={handleRefresh}
+              className="inline-flex items-center px-4 py-2 rounded-full text-sm font-medium text-white bg-rose-500/90 hover:bg-rose-400 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+            >
+              <svg xmlns="http://www.w3.org/2000/svg" className="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
+              </svg>
+              Refresh
+            </button>
+          </div>
         </div>
 
         {loading ? (
@@ -97,7 +163,7 @@ const BasicDashboard = () => {
             <div className="grid grid-cols-1 md:grid-cols-3 lg:grid-cols-4 gap-4">
               <StatCard
                 title="Assigned Tasks"
-                value={dashboardData?.taskCounts?.assigned || 0}
+                value={getCount(dashboardData?.taskCounts || dashboardData?.tasks, ['assigned', 'assigned_count', 'total'])}
                 icon={
                   <svg xmlns="http://www.w3.org/2000/svg" className="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                     <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
@@ -108,7 +174,7 @@ const BasicDashboard = () => {
 
               <StatCard
                 title="In Progress"
-                value={dashboardData?.taskCounts?.inProgress || 0}
+                value={getCount(dashboardData?.taskCounts || dashboardData?.tasks, ['inProgress', 'in_progress'])}
                 icon={
                   <svg xmlns="http://www.w3.org/2000/svg" className="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                     <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
@@ -119,7 +185,7 @@ const BasicDashboard = () => {
 
               <StatCard
                 title="Completed"
-                value={dashboardData?.taskCounts?.completed || 0}
+                value={getCount(dashboardData?.taskCounts || dashboardData?.tasks, ['completed', 'done'])}
                 icon={
                   <svg xmlns="http://www.w3.org/2000/svg" className="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                     <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
@@ -130,7 +196,7 @@ const BasicDashboard = () => {
 
               <StatCard
                 title="Tasks Due Soon"
-                value={dashboardData?.taskCounts?.dueSoon || 0}
+                value={getCount(dashboardData?.taskCounts || dashboardData?.tasks, ['dueSoon', 'due_soon'])}
                 icon={
                   <svg xmlns="http://www.w3.org/2000/svg" className="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                     <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
@@ -141,142 +207,78 @@ const BasicDashboard = () => {
             </div>
 
             {/* Main Content Grid */}
-            <div className="grid grid-cols-1 lg:grid-cols-3 gap-6">
-              {/* My Tasks Section */}
-              <div className="lg:col-span-2">
-                <div className={`${panelClass} h-full`}>
+            <div className="grid grid-cols-1 lg:grid-cols-3 gap-6 items-stretch min-h-[720px]">
+              <div className="lg:col-span-2 flex flex-col gap-6 h-full">
+                <div className={`${panelClass} flex-1 min-h-[520px] max-h-[70vh]`}>
                   <div className={panelHeaderClass}>
-                    <h3 className={sectionTitleClass}>My Tasks</h3>
+                    <div>
+                      <h3 className={sectionTitleClass}>My Tasks</h3>
+                      <p className="mt-1 text-xs text-slate-500">Your latest assigned work, with the same fields you see on the tasks page.</p>
+                    </div>
                     <Link to="/tasks" className="text-sm text-rose-300 hover:text-rose-200 font-medium">
                       View all tasks
                     </Link>
                   </div>
-                  <div className="overflow-hidden">
-                    <div className="px-4 py-3 border-b border-slate-800 flex flex-wrap gap-2">
-                      <span className="bg-amber-500/15 text-amber-300 border border-amber-400/20 text-xs font-medium px-2.5 py-1 rounded-full">In Progress</span>
-                      <span className="bg-rose-500/15 text-rose-300 border border-rose-400/20 text-xs font-medium px-2.5 py-1 rounded-full">High Priority</span>
-                      <span className="bg-sky-500/15 text-sky-300 border border-sky-400/20 text-xs font-medium px-2.5 py-1 rounded-full">Due Soon</span>
-                    </div>
-
-                    {/* Task Cards */}
-                    <div className="divide-y divide-slate-800">
-                      {dashboardData?.recentTasks?.length > 0 ? (
-                        dashboardData.recentTasks.map((task) => (
-                          <TaskCard
-                            key={task.id}
-                            task={task}
-                            showProject={true}
-                            compact={true}
-                          />
-                        ))
-                      ) : (
-                        <div className="p-6 text-center text-slate-400">
-                          <svg className="mx-auto h-12 w-12 text-slate-600" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
-                          </svg>
-                          <h3 className="mt-2 text-sm font-medium text-slate-200">No tasks found</h3>
-                          <p className="mt-1 text-sm text-slate-400">You don't have any tasks assigned yet.</p>
-                        </div>
-                      )}
-                    </div>
-                  </div>
-                </div>
-              </div>
-
-              {/* Right Side Column */}
-              <div className="space-y-6">
-                {/* GitHub Section */}
-                <div className={panelClass}>
-                  <div className="px-4 py-5 sm:px-6 border-b border-slate-800">
-                    <h3 className={sectionTitleClass}>GitHub Activity</h3>
-                  </div>
-
-                  {!currentUser.github_connected ? (
-                    <div className="p-6 flex flex-col items-center text-center">
-                      <svg className="h-12 w-12 text-slate-500" fill="currentColor" viewBox="0 0 24 24">
-                        <path fillRule="evenodd" d="M12 2C6.477 2 2 6.484 2 12.017c0 4.425 2.865 8.18 6.839 9.504.5.092.682-.217.682-.483 0-.237-.008-.868-.013-1.703-2.782.605-3.369-1.343-3.369-1.343-.454-1.158-1.11-1.466-1.11-1.466-.908-.62.069-.608.069-.608 1.003.07 1.531 1.032 1.531 1.032.892 1.53 2.341 1.088 2.91.832.092-.647.35-1.088.636-1.338-2.22-.253-4.555-1.113-4.555-4.951 0-1.093.39-1.988 1.029-2.688-.103-.253-.446-1.272.098-2.65 0 0 .84-.27 2.75 1.026A9.564 9.564 0 0112 6.844c.85.004 1.705.115 2.504.337 1.909-1.296 2.747-1.027 2.747-1.027.546 1.379.202 2.398.1 2.651.64.7 1.028 1.595 1.028 2.688 0 3.848-2.339 4.695-4.566 4.943.359.309.678.92.678 1.855 0 1.338-.012 2.419-.012 2.747 0 .268.18.58.688.482A10.019 10.019 0 0022 12.017C22 6.484 17.522 2 12 2z" clipRule="evenodd" />
-                      </svg>
-                      <h3 className="mt-2 text-sm font-medium text-slate-200">Connect GitHub</h3>
-                      <p className="mt-1 text-sm text-slate-400">
-                        Link your GitHub account to track contributions and sync tasks with issues.
-                      </p>
-                      <div className="mt-4">
-                        <Link
-                          to="/github"
-                          className="inline-flex items-center px-4 py-2 rounded-full text-sm font-medium text-white bg-rose-500/90 hover:bg-rose-400 focus:outline-none focus:ring-2 focus:ring-rose-400/60"
-                        >
-                          Connect Now
-                        </Link>
-                      </div>
-                    </div>
-                  ) : (
-                    <div>
-                      <div className="p-4 border-b border-slate-800 flex items-center">
-                        <img
-                          src={`https://github.com/${currentUser.github_username}.png`}
-                          alt={currentUser.github_username}
-                          className="h-8 w-8 rounded-full"
-                          onError={(e) => {
-                            e.target.onerror = null;
-                            e.target.src = "https://avatars.githubusercontent.com/u/0";
-                          }}
-                        />
-                        <div className="ml-3">
-                          <p className="text-sm font-medium text-slate-100">
-                            @{currentUser.github_username}
-                          </p>
-                        </div>
-                      </div>
 
-                      {dashboardData?.githubActivity?.length > 0 ? (
-                        <ul className="divide-y divide-slate-800">
-                          {dashboardData.githubActivity.map((activity, index) => (
-                            <li key={index} className="px-4 py-3 hover:bg-slate-800/60 transition-colors">
-                              <div className="flex items-start">
-                                <div className="min-w-0 flex-1">
-                                  <p className="text-sm text-slate-200">
-                                    {activity.type === 'issue' ? (
-                                      <span className="mr-1">🔍</span>
-                                    ) : activity.type === 'pull_request' ? (
-                                      <span className="mr-1">🔀</span>
-                                    ) : (
-                                      <span className="mr-1">📝</span>
-                                    )}
-                                    <a href={activity.url} target="_blank" rel="noopener noreferrer" className="font-medium text-rose-300 hover:text-rose-200">
-                                      {activity.title}
-                                    </a>
-                                  </p>
-                                  <p className="text-xs text-slate-400">
-                                    {activity.repo} • {new Date(activity.date).toLocaleDateString()}
-                                  </p>
+                  {tasksToShow.length > 0 ? (
+                    <ul className={`divide-y divide-slate-800 overflow-y-auto`} style={{ maxHeight: 'calc(100% - 96px)' }}>
+                      {tasksToShow.map((task) => (
+                        <li key={task.id} className="px-5 py-4 hover:bg-slate-800/60 transition-colors">
+                          <Link to={`/tasks/${task.id}`} className="block">
+                            <div className="flex items-start justify-between gap-4">
+                              <div className="min-w-0 flex-1">
+                                <div className="flex flex-wrap items-center gap-2">
+                                  <p className="text-sm font-semibold text-slate-100 truncate">{task.title}</p>
+                                  <span className={`px-2 py-0.5 rounded-full text-[11px] font-semibold ${getTaskStatusClass(task.status)}`}>
+                                    {getStatusLabel(task.status)}
+                                  </span>
+                                  <span className={`px-2 py-0.5 rounded-full text-[11px] font-semibold ${getPriorityClass(task.priority)}`}>
+                                    {getStatusLabel(task.priority)} Priority
+                                  </span>
+                                </div>
+                                <p className="mt-1 text-sm text-slate-400 line-clamp-2">
+                                  {task.description || 'No description provided'}
+                                </p>
+                                <div className="mt-3 flex flex-wrap items-center gap-3 text-xs text-slate-500">
+                                  <span>{task.project_name || 'No project'}</span>
+                                  <span>•</span>
+                                  <span>Due {formatTaskDate(getTaskDeadline(task))}</span>
+                                  <span>•</span>
+                                  <span>{task.progress || 0}% complete</span>
+                                </div>
+                                <div className="mt-3 w-full bg-slate-800 rounded-full h-1.5">
+                                  <div
+                                    className="bg-rose-400 h-1.5 rounded-full"
+                                    style={{ width: `${task.progress || 0}%` }}
+                                  />
                                 </div>
                               </div>
-                            </li>
-                          ))}
-                        </ul>
-                      ) : (
-                        <div className="p-4 text-center text-slate-400">
-                          <p>No recent GitHub activity</p>
-                        </div>
-                      )}
-
-                      <div className="px-4 py-3 bg-slate-900/80 border-t border-slate-800 text-right">
-                        <Link to="/github" className="text-sm font-medium text-rose-300 hover:text-rose-200">
-                          View all activity
-                        </Link>
-                      </div>
+                              <span className="shrink-0 text-xs text-rose-300 font-medium pt-1">View</span>
+                            </div>
+                          </Link>
+                        </li>
+                      ))}
+                    </ul>
+                  ) : (
+                    <div className="p-6 text-center text-slate-400">
+                      <svg className="mx-auto h-12 w-12 text-slate-600" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
+                      </svg>
+                      <h3 className="mt-2 text-sm font-medium text-slate-200">No tasks found</h3>
+                      <p className="mt-1 text-sm text-slate-400">You don't have any tasks assigned yet.</p>
                     </div>
                   )}
                 </div>
+              </div>
 
-                {/* Projects Section */}
-                <div className={panelClass}>
+              <div className="flex flex-col gap-6 h-full">
+                <div className={`${panelClass} flex-1 min-h-[220px] max-h-[70vh]`}>
                   <div className="px-4 py-5 sm:px-6 border-b border-slate-800">
                     <h3 className={sectionTitleClass}>My Projects</h3>
                   </div>
 
-                  {dashboardData?.projects?.length > 0 ? (
-                    <ul className="divide-y divide-slate-800">
+                    {dashboardData?.projects?.length > 0 ? (
+                    <ul className={`divide-y divide-slate-800 overflow-y-auto`} style={{ maxHeight: 'calc(100% - 96px)' }}>
                       {dashboardData.projects.map((project) => (
                         <li key={project.id} className="px-4 py-4 hover:bg-slate-800/60 transition-colors">
                           <Link to={`/projects/${project.id}`}>
@@ -285,14 +287,14 @@ const BasicDashboard = () => {
                               <ProjectStatusBadge status={project.status} />
                             </div>
                             <div className="mt-1 flex items-center text-xs text-slate-400">
-                              <span>{project.task_count} tasks</span>
+                              <span>{project.task_count ?? 0} tasks</span>
                               <span className="mx-1">•</span>
-                              <span>{project.completion_percentage}% complete</span>
+                              <span>{project.completion_percentage ?? 0}% complete</span>
                             </div>
                             <div className="mt-3 w-full bg-slate-800 rounded-full h-1.5">
                               <div
                                 className="bg-rose-400 h-1.5 rounded-full"
-                                style={{ width: `${project.completion_percentage}%` }}
+                                style={{ width: `${project.completion_percentage ?? 0}%` }}
                               />
                             </div>
                           </Link>
@@ -306,26 +308,24 @@ const BasicDashboard = () => {
                   )}
                 </div>
 
-                {/* Upcoming Deadlines */}
-                <div className={panelClass}>
-                  <div className={panelHeaderClass}>
+                <div className={`${panelClass} flex-1 min-h-[220px] max-h-[70vh]`}>
+                  <div className="px-4 py-5 sm:px-6 border-b border-slate-800">
                     <h3 className={sectionTitleClass}>Upcoming Deadlines</h3>
                   </div>
-
                   {dashboardData?.upcomingDeadlines?.length > 0 ? (
-                    <ul className="divide-y divide-slate-800">
+                    <ul className={`divide-y divide-slate-800 overflow-y-auto`} style={{ maxHeight: 'calc(100% - 96px)' }}>
                       {dashboardData.upcomingDeadlines.map((task) => (
                         <li key={task.id} className="px-4 py-3 hover:bg-slate-800/60 transition-colors">
-                          <Link to={`/tasks/${task.id}`}>
-                            <div className="flex justify-between gap-2">
-                              <p className="text-sm font-medium text-slate-100 truncate">{task.title}</p>
+                          <Link to={`/tasks/${task.id}`} className="block">
+                            <div className="flex items-start justify-between gap-3">
+                              <div className="min-w-0 flex-1">
+                                <p className="text-sm font-medium text-slate-100 truncate">{task.title}</p>
+                                <p className="mt-1 text-xs text-slate-500">
+                                  Due {formatTaskDate(getTaskDeadline(task))} {task.project_name ? `• ${task.project_name}` : ''}
+                                </p>
+                              </div>
                               <TaskPriorityBadge priority={task.priority} />
                             </div>
-                            <div className="mt-1 flex items-center text-xs">
-                              <span className={isOverdue(task.due_date) ? 'text-rose-300 font-medium' : 'text-slate-400'}>
-                                Due {formatDueDate(task.due_date)}
-                              </span>
-                            </div>
                           </Link>
                         </li>
                       ))}
@@ -337,9 +337,8 @@ const BasicDashboard = () => {
                   )}
                 </div>
 
-                {/* Team Overview - Visible to Team Leads and Admins */}
                 {(is('team_lead') || is('admin')) && (
-                  <div className={panelClass}>
+                  <div className={`${panelClass} flex-1 min-h-[220px] max-h-[70vh]`}>
                     <div className={panelHeaderClass}>
                       <h3 className={sectionTitleClass}>Team Overview</h3>
                       <Link to="/admin/developer-progress" className="text-xs text-rose-300 hover:text-rose-200">
@@ -347,7 +346,7 @@ const BasicDashboard = () => {
                       </Link>
                     </div>
                     {teamUsers.length > 0 ? (
-                      <ul className="divide-y divide-slate-800">
+                      <ul className="divide-y divide-slate-800 overflow-y-auto" style={{ maxHeight: 'calc(100% - 96px)' }}>
                         {teamUsers.slice(0, 5).map((user) => (
                           <li key={user.id} className="px-4 py-3 flex items-center justify-between">
                             <div className="flex items-center">
@@ -447,24 +446,4 @@ const TaskPriorityBadge = ({ priority = 'medium' }) => {
   );
 };
 
-// Helper functions
-const isOverdue = (dueDate) => {
-  return new Date(dueDate) < new Date();
-};
-
-const formatDueDate = (dueDate) => {
-  const date = new Date(dueDate);
-  const today = new Date();
-  const tomorrow = new Date();
-  tomorrow.setDate(today.getDate() + 1);
-
-  if (date.toDateString() === today.toDateString()) {
-    return 'Today';
-  } else if (date.toDateString() === tomorrow.toDateString()) {
-    return 'Tomorrow';
-  } else {
-    return date.toLocaleDateString();
-  }
-};
-
 export default BasicDashboard;
\ No newline at end of file
diff --git a/frontend/src/pages/TaskCreation.jsx b/frontend/src/pages/TaskCreation.jsx
index ba4a2df..bdbddf6 100644
--- a/frontend/src/pages/TaskCreation.jsx
+++ b/frontend/src/pages/TaskCreation.jsx
@@ -3,6 +3,7 @@ import { useNavigate } from "react-router-dom";
 import TaskForm from "../components/TaskForm";
 import { taskService } from "../services/utils/api";
 import LoadingSpinner from "../components/LoadingSpinner";
+import { useAuth } from '../context/AuthContext';
 
 const TaskCreation = () => {
   const navigate = useNavigate();
@@ -10,13 +11,20 @@ const TaskCreation = () => {
   const [users, setUsers] = useState([]);
   const [error, setError] = useState(null);
   const [projects, setProjects] = useState([]);
+  const { currentUser } = useAuth();
+
+  const canAssignTasks = currentUser?.role === 'team_lead' || currentUser?.role === 'admin';
 
   useEffect(() => {
     // Fetch users and projects for the task assignment
     const fetchData = async () => {
       try {
-        const usersData = await taskService.getUsers();
-        setUsers(usersData || []);
+        if (canAssignTasks) {
+          const usersData = await taskService.getUsers();
+          setUsers(usersData || []);
+        } else if (currentUser) {
+          setUsers([currentUser]);
+        }
         
         const projectsData = await taskService.getProjects();
         setProjects(projectsData || []);
@@ -27,7 +35,7 @@ const TaskCreation = () => {
     };
 
     fetchData();
-  }, []);
+  }, [canAssignTasks, currentUser]);
 
   const handleSubmit = async (task) => {
     try {
@@ -40,7 +48,7 @@ const TaskCreation = () => {
         description: task.description,
         status: task.status || "todo",
         priority: task.priority || "medium",
-        assigned_to: task.assignee,
+        assigned_to: canAssignTasks ? task.assignee : currentUser?.id,
         project_id: task.project,
         deadline: task.deadline ? new Date(task.deadline).toISOString() : null
       };
@@ -81,6 +89,8 @@ const TaskCreation = () => {
               onSubmit={handleSubmit} 
               users={users}
               projects={projects}
+              assigneeLocked={!canAssignTasks}
+              initialData={!canAssignTasks && currentUser ? { assigned_to: currentUser.id } : {}}
             />
           </div>
         )}
diff --git a/frontend/src/pages/TaskDetailsUser.jsx b/frontend/src/pages/TaskDetailsUser.jsx
index fb83150..5414427 100644
--- a/frontend/src/pages/TaskDetailsUser.jsx
+++ b/frontend/src/pages/TaskDetailsUser.jsx
@@ -40,6 +40,7 @@ function TaskDetailsUser() {
   const isManager = currentUser?.role === 'admin' || currentUser?.role === 'team_lead';
   const isAssigned = task?.assigned_to === currentUser?.id;
   const canEditTask = isManager || isAssigned;
+  const canDeleteTask = isManager || isAssigned;
 
   useEffect(() => {
     const fetchTaskDetails = async () => {
@@ -162,6 +163,24 @@ function TaskDetailsUser() {
     setEditError(null);
   };
 
+  const handleDeleteTask = async () => {
+    const confirmDelete = window.confirm('Delete this task? This action cannot be undone.');
+    if (!confirmDelete) {
+      return;
+    }
+
+    try {
+      setUpdateLoading(true);
+      await taskService.deleteTask(id);
+      navigate('/tasks');
+    } catch (err) {
+      console.error('Failed to delete task:', err);
+      alert('Failed to delete task. Please try again.');
+    } finally {
+      setUpdateLoading(false);
+    }
+  };
+
   const handleTaskEditSubmit = async (editedTask) => {
     try {
       setSavingTaskEdit(true);
@@ -335,19 +354,31 @@ function TaskDetailsUser() {
                 )}
               </div>
             </div>
-            <span 
-              className={`px-3 py-1 rounded-full text-sm font-semibold ${
-                (task.status === 'completed' || task.status === 'done') ? 'bg-emerald-500/15 text-emerald-200' : 
-                task.status === 'in_progress' ? 'bg-amber-500/15 text-amber-200' : 
-                'bg-slate-800/70 text-slate-300'
-              }`}
-            >
-              {task.status === 'in_progress' ? 'In Progress' : 
-               (task.status === 'completed' || task.status === 'done') ? 'Completed' : 
-               task.status === 'todo' ? 'To Do' : 
-               task.status === 'backlog' ? 'Backlog' : 
-               task.status}
-            </span>
+            <div className="flex flex-col items-end gap-3">
+              <span 
+                className={`px-3 py-1 rounded-full text-sm font-semibold ${
+                  (task.status === 'completed' || task.status === 'done') ? 'bg-emerald-500/15 text-emerald-200' : 
+                  task.status === 'in_progress' ? 'bg-amber-500/15 text-amber-200' : 
+                  'bg-slate-800/70 text-slate-300'
+                }`}
+              >
+                {task.status === 'in_progress' ? 'In Progress' : 
+                 (task.status === 'completed' || task.status === 'done') ? 'Completed' : 
+                 task.status === 'todo' ? 'To Do' : 
+                 task.status === 'backlog' ? 'Backlog' : 
+                 task.status}
+              </span>
+              {canDeleteTask && (
+                <button
+                  type="button"
+                  onClick={handleDeleteTask}
+                  disabled={updateLoading}
+                  className="px-4 py-2 rounded-full border border-rose-400/30 text-rose-200 hover:bg-rose-500/10 disabled:opacity-60"
+                >
+                  Delete Task
+                </button>
+              )}
+            </div>
           </div>
         </div>
         
diff --git a/frontend/src/pages/TaskList.jsx b/frontend/src/pages/TaskList.jsx
index 429dbec..e22a4ba 100644
--- a/frontend/src/pages/TaskList.jsx
+++ b/frontend/src/pages/TaskList.jsx
@@ -18,7 +18,7 @@ const TaskList = () => {
     scope: 'all'
   });
   
-  const canCreateTasks = currentUser?.role === 'admin' || currentUser?.role === 'team_lead';
+  const canCreateTasks = Boolean(currentUser);
 
   // Fetch tasks when component mounts
   useEffect(() => {
@@ -100,9 +100,9 @@ const TaskList = () => {
   // Get priority badge
   const getPriorityBadge = (priority) => {
     const priorityMap = {
-      'high': { class: 'bg-rose-500/15 text-rose-200', text: 'High', icon: '❗' },
-      'medium': { class: 'bg-amber-500/15 text-amber-200', text: 'Medium', icon: '⚠️' },
-      'low': { class: 'bg-sky-500/15 text-sky-200', text: 'Low', icon: '🔽' }
+      'high': { class: 'bg-rose-500/15 text-rose-200', text: 'High'},
+      'medium': { class: 'bg-amber-500/15 text-amber-200', text: 'Medium' },
+      'low': { class: 'bg-sky-500/15 text-sky-200', text: 'Low' }
     };
     
     return priorityMap[priority] || { class: 'bg-gray-100 text-gray-800', text: priority };
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index fb6dfd3..de6783d 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -172,7 +172,7 @@ const fetchWithAuth = async (endpoint, options = {}) => {
       // For non-critical endpoints, return gracefully instead of throwing
       if (isNonCriticalEndpoint) {
         console.error(`Returning empty data for non-critical endpoint due to error`);
-        return { error: error.message };
+        return { error: error.message, status: error.status };
       }
       
       throw error;
@@ -506,9 +506,12 @@ const dashboardService = {
       console.error("Dashboard fetch error:", error);
       // Return fallback data structure
       return {
-        tasks: { active: 0, completed: 0 },
-        repositories: [],
-        recentActivity: []
+        taskCounts: { assigned: 0, inProgress: 0, completed: 0, dueSoon: 0 },
+        tasks: { assigned: 0, inProgress: 0, completed: 0, dueSoon: 0 },
+        recentTasks: [],
+        githubActivity: [],
+        projects: [],
+        upcomingDeadlines: []
       };
     }
   },
@@ -834,14 +837,30 @@ const notificationService = {
       const response = await fetchWithAuth('notifications');
       
       // Handle potential auth errors
-      if (response.error) {
+      if (response?.isConnectionError) {
+        return response;
+      }
+
+      if (response?.isAuthError || (response?.error && !response?.status)) {
         return [];
       }
+
+      if (response?.error) {
+        const error = new Error(response.error);
+        error.status = response.status;
+        throw error;
+      }
       
       return response?.notifications || response || [];
     } catch (error) {
       console.error("Failed to fetch notifications:", error);
-      return [];
+      if (error?.isConnectionError) {
+        return {
+          error: error.message,
+          isConnectionError: true
+        };
+      }
+      throw error;
     }
   },
   
diff --git a/frontend/src/tests/components/TaskColumns.test.jsx b/frontend/src/tests/components/TaskColumns.test.jsx
index e185f6f..1866ac1 100644
--- a/frontend/src/tests/components/TaskColumns.test.jsx
+++ b/frontend/src/tests/components/TaskColumns.test.jsx
@@ -82,7 +82,7 @@ describe('TaskColumns component', () => {
 
     expect(screen.getByText('Untitled Task')).toBeInTheDocument();
     expect(screen.getByText(/Due: No date set/i)).toBeInTheDocument();
-    expect(screen.getByText(/⚠️ Medium/i)).toBeInTheDocument();
+    expect(screen.getByText(/Medium/i)).toBeInTheDocument();
   });
 
   test('flags overdue tasks that are not completed', () => {
@@ -97,6 +97,6 @@ describe('TaskColumns component', () => {
     ]);
 
     expect(screen.getByText(/Due:/i)).toBeInTheDocument();
-    expect(screen.getByText(/❗ High/i)).toBeInTheDocument();
+    expect(screen.getByText(/High/i)).toBeInTheDocument();
   });
 });
diff --git a/frontend/src/tests/pages/BasicDashboard.test.jsx b/frontend/src/tests/pages/BasicDashboard.test.jsx
index b637ffa..10c8e9f 100644
--- a/frontend/src/tests/pages/BasicDashboard.test.jsx
+++ b/frontend/src/tests/pages/BasicDashboard.test.jsx
@@ -19,8 +19,6 @@ jest.mock('../../context/AuthContext', () => ({
   useAuth: jest.fn(),
 }));
 
-jest.mock('../../components/TaskCard', () => ({ task }) => <div>Task: {task.title}</div>);
-
 jest.mock('../../components/LoadingSpinner', () => () => <div>Loading spinner</div>);
 
 const renderDashboard = () => {
@@ -98,21 +96,17 @@ describe('BasicDashboard page', () => {
     renderDashboard();
 
     expect(await screen.findByText('My Dashboard')).toBeInTheDocument();
-    expect(await screen.findByText('Task: Implement webhook retry')).toBeInTheDocument();
-    expect(screen.getByText('Task: Refine dashboard metrics')).toBeInTheDocument();
+    expect(await screen.findByText('Implement webhook retry')).toBeInTheDocument();
+    expect(screen.getByText('Refine dashboard metrics')).toBeInTheDocument();
+    expect(screen.getByRole('link', { name: /Create Task/i })).toBeInTheDocument();
 
     expect(screen.getByText('Assigned Tasks')).toBeInTheDocument();
     expect(screen.getAllByText('In Progress').length).toBeGreaterThan(0);
     expect(screen.getByText('Completed')).toBeInTheDocument();
     expect(screen.getByText('Tasks Due Soon')).toBeInTheDocument();
 
-    expect(screen.getByText('Fix callback race condition')).toBeInTheDocument();
     expect(screen.getByText('DevSync Platform')).toBeInTheDocument();
     expect(screen.getByText('Finalize integration report')).toBeInTheDocument();
-
-    const avatar = screen.getByAltText('octocat');
-    fireEvent.error(avatar);
-    expect(avatar.src).toContain('avatars.githubusercontent.com/u/0');
   });
 
   test('renders disconnected and empty states when no dashboard records are available', async () => {
@@ -142,8 +136,7 @@ describe('BasicDashboard page', () => {
 
     renderDashboard();
 
-    expect(await screen.findByText(/Connect GitHub/i)).toBeInTheDocument();
-    expect(screen.getByText(/No tasks found/i)).toBeInTheDocument();
+    expect(await screen.findByText(/No tasks found/i)).toBeInTheDocument();
     expect(screen.getByText(/You are not assigned to any projects yet/i)).toBeInTheDocument();
     expect(screen.getByText(/No upcoming deadlines/i)).toBeInTheDocument();
   });
@@ -174,7 +167,7 @@ describe('BasicDashboard page', () => {
       expect(dashboardService.getBasicDashboardStats).toHaveBeenCalledTimes(2);
     });
 
-    expect(await screen.findByText('Task: Retry fetched task')).toBeInTheDocument();
+    expect(await screen.findByText('Retry fetched task')).toBeInTheDocument();
   });
 
   test('refresh button triggers a re-fetch when dashboard is already loaded', async () => {
diff --git a/frontend/src/tests/pages/TaskCreation.test.jsx b/frontend/src/tests/pages/TaskCreation.test.jsx
index 2930527..17361e2 100644
--- a/frontend/src/tests/pages/TaskCreation.test.jsx
+++ b/frontend/src/tests/pages/TaskCreation.test.jsx
@@ -3,6 +3,7 @@ import { fireEvent, render, screen, waitFor } from '@testing-library/react';
 
 import TaskCreation from '../../pages/TaskCreation';
 import { taskService } from '../../services/utils/api';
+import { useAuth } from '../../context/AuthContext';
 
 const mockNavigate = jest.fn();
 
@@ -19,12 +20,17 @@ jest.mock('../../services/utils/api', () => ({
   },
 }));
 
+jest.mock('../../context/AuthContext', () => ({
+  useAuth: jest.fn(),
+}));
+
 jest.mock('../../components/LoadingSpinner', () => () => <div>Loading spinner</div>);
 
-jest.mock('../../components/TaskForm', () => ({ onSubmit, users, projects }) => (
+jest.mock('../../components/TaskForm', () => ({ onSubmit, users, projects, assigneeLocked }) => (
   <div>
     <div>users loaded: {users.length}</div>
     <div>projects loaded: {projects.length}</div>
+    <div>assignee locked: {String(assigneeLocked)}</div>
     <button
       onClick={() =>
         onSubmit({
@@ -48,13 +54,13 @@ describe('TaskCreation page', () => {
     jest.spyOn(console, 'error').mockImplementation(() => {});
 
     mockNavigate.mockReset();
+    useAuth.mockReturnValue({
+      currentUser: { id: 11, name: 'Developer One', role: 'developer' },
+    });
     taskService.getUsers.mockReset();
     taskService.getProjects.mockReset();
     taskService.createTask.mockReset();
 
-    taskService.getUsers.mockResolvedValue([
-      { id: 4, name: 'Developer One' },
-    ]);
     taskService.getProjects.mockResolvedValue([
       { id: 7, name: 'Core Platform' },
     ]);
@@ -72,7 +78,8 @@ describe('TaskCreation page', () => {
 
     expect(await screen.findByText('Create New Task')).toBeInTheDocument();
     expect(await screen.findByText('users loaded: 1')).toBeInTheDocument();
-    expect(screen.getByText('projects loaded: 1')).toBeInTheDocument();
+    expect(await screen.findByText('projects loaded: 1')).toBeInTheDocument();
+    expect(screen.getByText('assignee locked: true')).toBeInTheDocument();
   });
 
   test('submits formatted task payload and navigates to task details on success', async () => {
@@ -88,7 +95,7 @@ describe('TaskCreation page', () => {
         description: 'Task details',
         status: 'in_progress',
         priority: 'high',
-        assigned_to: '4',
+        assigned_to: 11,
         project_id: '7',
         deadline: '2099-03-10T00:00:00.000Z',
       });
@@ -102,7 +109,7 @@ describe('TaskCreation page', () => {
   });
 
   test('shows preload error when users/projects fetch fails', async () => {
-    taskService.getUsers.mockRejectedValueOnce(new Error('users failed'));
+    taskService.getProjects.mockRejectedValueOnce(new Error('projects failed'));
 
     render(<TaskCreation />);
 
diff --git a/frontend/src/tests/pages/TaskList.test.jsx b/frontend/src/tests/pages/TaskList.test.jsx
index 08a184d..cab9761 100644
--- a/frontend/src/tests/pages/TaskList.test.jsx
+++ b/frontend/src/tests/pages/TaskList.test.jsx
@@ -102,14 +102,15 @@ describe('TaskList page', () => {
     expect(await screen.findByText(/Failed to load tasks/i)).toBeInTheDocument();
   });
 
-  test('does NOT show New Task button for developers', async () => {
+  test('shows New Task button for developers', async () => {
     useAuth.mockReturnValue({ currentUser: { id: 5, role: 'developer' } });
     taskService.getAllTasks.mockResolvedValue([]);
 
     render(<TaskList />);
     await screen.findByText(/No tasks found/i);
 
-    expect(screen.queryByRole('button', { name: /new task/i })).not.toBeInTheDocument();
+    fireEvent.click(screen.getByRole('button', { name: /new task/i }));
+    expect(mockNavigate).toHaveBeenCalledWith('/admin/create-task');
   });
 
   test('shows New Task button for team leads', async () => {
diff --git a/frontend/src/tests/services/api.test.js b/frontend/src/tests/services/api.test.js
index d002022..e40b29f 100644
--- a/frontend/src/tests/services/api.test.js
+++ b/frontend/src/tests/services/api.test.js
@@ -506,8 +506,9 @@ describe('api utilities', () => {
     global.fetch.mockRejectedValue(new Error('client down'));
 
     const stats = await dashboardService.getBasicDashboardStats();
-    expect(stats.tasks.active).toBe(0);
-    expect(stats.repositories).toEqual([]);
+    expect(stats.taskCounts.assigned).toBe(0);
+    expect(stats.recentTasks).toEqual([]);
+    expect(stats.githubActivity).toEqual([]);
   });
 
   test('dashboardService.getDeveloperProgressStats returns empty array on error', async () => {

From a84579ad42668c0d7655f0d2b1eb721ebb8ef664 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Thu, 7 May 2026 19:49:05 +0100
Subject: [PATCH 27/37] refactor: rename open_prs to total_prs across GitHub
 integration and related components

---
 .../src/api/controllers/github_controller.py  |  10 +-
 backend/src/services/github_client.py         | 119 ++++++--
 .../controllers/test_github_controller.py     |   8 +-
 .../tests/unit/services/test_github_client.py |  21 +-
 frontend/src/components/Navbar.jsx            |  14 +-
 frontend/src/components/ReportTable.jsx       |   2 +-
 frontend/src/context/AuthContext.jsx          |  47 ++++
 frontend/src/pages/Reports.jsx                |  79 ++++--
 frontend/src/services/utils/api.js            | 254 +++++++++++++-----
 .../src/tests/components/ReportTable.test.jsx |   2 +-
 .../src/tests/context/AuthContext.test.jsx    |  15 +-
 frontend/src/tests/pages/Reports.test.jsx     |  33 ++-
 frontend/src/tests/services/api.test.js       |  94 ++++++-
 13 files changed, 547 insertions(+), 151 deletions(-)

diff --git a/backend/src/api/controllers/github_controller.py b/backend/src/api/controllers/github_controller.py
index 4c0e2bb..1552191 100644
--- a/backend/src/api/controllers/github_controller.py
+++ b/backend/src/api/controllers/github_controller.py
@@ -189,7 +189,7 @@ def get_github_repositories():
     per_page = request.args.get('per_page', 30, type=int)
     all_pages_arg = request.args.get('all_pages')
     fetch_all_pages = all_pages_arg is not None and all_pages_arg.lower() == 'true'
-    activity_window_days = max(request.args.get('activity_window_days', 7, type=int) or 7, 1)
+    activity_window_days = max(request.args.get('activity_window_days', 365, type=int) or 365, 1)
     include_activity_arg = request.args.get('include_activity')
     # Default to lightweight repository data unless activity is explicitly requested.
     include_activity = include_activity_arg is not None and include_activity_arg.lower() == 'true'
@@ -300,7 +300,7 @@ def get_github_repositories():
                     repo_info = next((r for r in repos_needing_activity if f"{r['owner']}/{r['repo_name']}" == key), {})
                     activity_results[key] = {
                         'open_issues': repo_info.get('fallback_open_issues', 0),
-                        'open_prs': 0,
+                        'total_prs': 0,
                         'recent_commits': 0,
                     }
         
@@ -319,14 +319,14 @@ def get_github_repositories():
         if include_activity:
             activity_metrics = activity_results.get(key, {
                 'open_issues': repo.get('open_issues_count', 0),
-                'open_prs': 0,
+                'total_prs': 0,
                 'recent_commits': 0,
             })
         else:
             # Return lightweight metrics without making additional GitHub API calls
             activity_metrics = {
                 'open_issues': repo.get('open_issues_count', 0),
-                'open_prs': 0,
+                'total_prs': 0,
                 'recent_commits': 0,
             }
         
@@ -372,7 +372,7 @@ def get_github_repositories():
             'default_branch': repo['default_branch'],
             'open_issues_count': repo['open_issues_count'],
             'open_issues': activity_metrics['open_issues'],
-            'open_prs': activity_metrics['open_prs'],
+            'total_prs': activity_metrics['total_prs'],
             'recent_commits': activity_metrics['recent_commits'],
             'last_updated': repo.get('pushed_at') or repo.get('updated_at'),
             'stargazers_count': repo.get('stargazers_count', 0),
diff --git a/backend/src/services/github_client.py b/backend/src/services/github_client.py
index 7da1d6c..f68d4d4 100644
--- a/backend/src/services/github_client.py
+++ b/backend/src/services/github_client.py
@@ -10,6 +10,7 @@
 import uuid
 from datetime import datetime, timedelta, timezone
 from flask import current_app, g, request, redirect
+from urllib.parse import parse_qs, urlparse
 
 # Configure logging
 logging.basicConfig(level=logging.INFO)
@@ -401,24 +402,104 @@ def get_open_issues_count(self, owner, repo):
             item_filter=lambda item: 'pull_request' not in item,
         )
 
-    def get_open_pulls_count(self, owner, repo):
-        """Get count of open pull requests for a repository."""
+    @staticmethod
+    def _extract_last_page_from_link_header(link_header):
+        """Return the last page number from GitHub's Link header."""
+        if not link_header:
+            return None
+
+        for link_part in link_header.split(','):
+            if 'rel="last"' not in link_part:
+                continue
+
+            url_start = link_part.find('<')
+            url_end = link_part.find('>')
+            if url_start == -1 or url_end == -1 or url_end <= url_start:
+                return None
+
+            query = parse_qs(urlparse(link_part[url_start + 1:url_end]).query)
+            page_values = query.get('page')
+            if not page_values:
+                return None
+
+            try:
+                return int(page_values[0])
+            except (TypeError, ValueError):
+                return None
+
+        return None
+
+    def get_total_pulls_count(self, owner, repo, since_days=None):
+        """Get count of pull requests for a repository.
+
+        By default this uses a single-request optimization (per_page=1) and
+        extracts the total from GitHub's Link header. If `since_days` is
+        provided we fall back to iterating the paginated pulls endpoint and
+        filtering by `created_at` to count PRs within the requested window.
+        """
         try:
-            pulls = self._make_request(
-                'GET',
-                f"{self.BASE_API_URL}/repos/{owner}/{repo}/pulls",
-                params={
-                    'state': 'open',
+            # Fast path: no time window requested, use Link header optimization
+            if not since_days:
+                url = f"{self.BASE_API_URL}/repos/{owner}/{repo}/pulls"
+                params = {
+                    'state': 'all',
+                    'page': 1,
                     'per_page': 1,
-                },
-                use_cache=True,
-                cache_ttl=300,
-            )
+                }
+                cache_key = f"COUNT:GET:{url}:{json.dumps(params, sort_keys=True)}"
 
-            if pulls is None or not isinstance(pulls, list):
-                return None
+                if cache_key in self._cache and datetime.now() < self._cache_expiry.get(cache_key, datetime.min):
+                    return self._cache[cache_key]
+
+                response = requests.get(
+                    url,
+                    params=params,
+                    headers=self.get_headers(),
+                )
+
+                if self._handle_rate_limit(response):
+                    response = requests.get(
+                        url,
+                        params=params,
+                        headers=self.get_headers(),
+                    )
+
+                if not 200 <= response.status_code < 300:
+                    logger.error(f"GitHub API error: {response.status_code} - {response.text}")
+                    return None
+
+                pulls = response.json()
+
+                if pulls is None or not isinstance(pulls, list):
+                    return None
+
+                # With per_page=1, the rel="last" page number is the total item count.
+                pull_count = self._extract_last_page_from_link_header(response.headers.get('Link'))
+                if pull_count is None:
+                    pull_count = len(pulls)
+
+                self._cache[cache_key] = pull_count
+                self._cache_expiry[cache_key] = datetime.now() + timedelta(seconds=300)
+                return pull_count
+
+            # Windowed path: count PRs created within the window by filtering pages
+            url = f"{self.BASE_API_URL}/repos/{owner}/{repo}/pulls"
+            params = {'state': 'all'}
+
+            window_days = max(int(since_days or 0), 1)
+            since_dt = datetime.now(timezone.utc) - timedelta(days=window_days)
+
+            def item_filter(item):
+                created_at = item.get('created_at')
+                if not created_at:
+                    return False
+                try:
+                    created_dt = datetime.fromisoformat(created_at.replace('Z', '+00:00'))
+                except Exception:
+                    return False
+                return created_dt >= since_dt
 
-            return len(pulls)
+            return self._count_paginated_results(url, params=params, item_filter=item_filter)
         except Exception:
             return None
     
@@ -473,14 +554,14 @@ def get_repository_activity_summary(self, owner, repo, fallback_open_issues=0, s
         # The repository list payload already includes open_issues_count.
         # Reusing it prevents an extra API call per repo and reduces rate-limit pressure.
         open_issues = fallback_open_issues or 0
-        open_prs = 0
+        total_prs = 0
         recent_commits = 0
 
-        pull_count = self.get_open_pulls_count(owner, repo)
+        pull_count = self.get_total_pulls_count(owner, repo, since_days=since_days)
         if pull_count is None:
-            logger.warning(f"Failed to fetch open PRs for {owner}/{repo}; defaulting to 0")
+            logger.warning(f"Failed to fetch total PRs for {owner}/{repo}; defaulting to 0")
         else:
-            open_prs = pull_count
+            total_prs = pull_count
 
         commit_count = self.get_recent_commits(owner, repo, since_days=since_days)
         if commit_count is None:
@@ -490,6 +571,6 @@ def get_repository_activity_summary(self, owner, repo, fallback_open_issues=0, s
 
         return {
             'open_issues': open_issues,
-            'open_prs': open_prs,
+            'total_prs': total_prs,
             'recent_commits': recent_commits,
         }
diff --git a/backend/tests/unit/controllers/test_github_controller.py b/backend/tests/unit/controllers/test_github_controller.py
index 5ecad1b..cf8fbc9 100644
--- a/backend/tests/unit/controllers/test_github_controller.py
+++ b/backend/tests/unit/controllers/test_github_controller.py
@@ -136,7 +136,7 @@ def test_get_github_repositories(self, mock_github_client, mock_token_class, moc
         mock_github_client.return_value = mock_client_instance
         mock_client_instance.get_repository_activity_summary.return_value = {
             'open_issues': 4,
-            'open_prs': 2,
+            'total_prs': 2,
             'recent_commits': 7,
         }
         
@@ -180,14 +180,14 @@ def get(self, key, default=None, type=None):
         self.assertEqual(result['repositories'][0]['id'], 101)
         self.assertEqual(result['repositories'][0]['name'], 'repo1')
         self.assertEqual(result['repositories'][0]['open_issues'], 4)
-        self.assertEqual(result['repositories'][0]['open_prs'], 2)
+        self.assertEqual(result['repositories'][0]['total_prs'], 2)
         self.assertEqual(result['repositories'][0]['recent_commits'], 7)
         mock_client_instance.get_user_repositories.assert_called_with(page=1, per_page=10)
         mock_client_instance.get_repository_activity_summary.assert_called_with(
             'user',
             'repo1',
             fallback_open_issues=5,
-            since_days=7,
+            since_days=365,
         )
         mock_db.session.add.assert_called_once()
         mock_db.session.commit.assert_called_once()
@@ -247,7 +247,7 @@ def get(self, key, default=None, type=None):
 
         self.assertEqual(len(result['repositories']), 1)
         self.assertEqual(result['repositories'][0]['open_issues'], 5)
-        self.assertEqual(result['repositories'][0]['open_prs'], 0)
+        self.assertEqual(result['repositories'][0]['total_prs'], 0)
         self.assertEqual(result['repositories'][0]['recent_commits'], 0)
         mock_client_instance.get_repository_activity_summary.assert_not_called()
 
diff --git a/backend/tests/unit/services/test_github_client.py b/backend/tests/unit/services/test_github_client.py
index 89af0ec..8ce506a 100644
--- a/backend/tests/unit/services/test_github_client.py
+++ b/backend/tests/unit/services/test_github_client.py
@@ -203,21 +203,26 @@ def test_get_recent_commits_uses_commits_endpoint(self, mock_get):
         self.assertEqual(called_kwargs['headers'], self.client.get_headers())
 
     @patch('backend.src.services.github_client.requests.get')
-    def test_get_open_pulls_count_uses_repository_pulls_endpoint(self, mock_get):
+    def test_get_total_pulls_count_uses_repository_pulls_endpoint(self, mock_get):
         mock_response = MagicMock()
         mock_response.status_code = 200
         mock_response.json.return_value = [{'number': 1}]
-        mock_response.headers = {}
+        mock_response.headers = {
+            'Link': (
+                '<https://api.github.com/repos/owner/repo1/pulls?state=all&page=2&per_page=1>; rel="next", '
+                '<https://api.github.com/repos/owner/repo1/pulls?state=all&page=42&per_page=1>; rel="last"'
+            )
+        }
         mock_get.return_value = mock_response
 
-        pull_count = self.client.get_open_pulls_count('owner', 'repo1')
+        pull_count = self.client.get_total_pulls_count('owner', 'repo1')
 
-        # New optimized behavior: returns count from first page only (not paginated)
-        self.assertEqual(pull_count, 1)
+        self.assertEqual(pull_count, 42)
         called_url = mock_get.call_args.args[0]
         called_kwargs = mock_get.call_args.kwargs
         self.assertEqual(called_url, 'https://api.github.com/repos/owner/repo1/pulls')
-        self.assertEqual(called_kwargs['params']['state'], 'open')
+        self.assertEqual(called_kwargs['params']['state'], 'all')
+        self.assertEqual(called_kwargs['params']['page'], 1)
         self.assertEqual(called_kwargs['params']['per_page'], 1)
 
     @patch('backend.src.services.github_client.requests.get')
@@ -240,7 +245,7 @@ def test_get_open_issues_count_filters_out_pull_requests(self, mock_get):
         self.assertEqual(called_kwargs['params']['state'], 'open')
 
     @patch.object(GitHubClient, 'get_recent_commits', return_value=None)
-    @patch.object(GitHubClient, 'get_open_pulls_count', return_value=3)
+    @patch.object(GitHubClient, 'get_total_pulls_count', return_value=3)
     @patch.object(GitHubClient, 'get_open_issues_count', return_value=None)
     def test_get_repository_activity_summary_keeps_fallback_issue_count(
         self,
@@ -256,7 +261,7 @@ def test_get_repository_activity_summary_keeps_fallback_issue_count(
         )
 
         self.assertEqual(summary['open_issues'], 9)
-        self.assertEqual(summary['open_prs'], 3)
+        self.assertEqual(summary['total_prs'], 3)
         self.assertEqual(summary['recent_commits'], 0)
 
     def test_parse_state_param_invalid(self):
diff --git a/frontend/src/components/Navbar.jsx b/frontend/src/components/Navbar.jsx
index a6f7b49..3ffbdea 100644
--- a/frontend/src/components/Navbar.jsx
+++ b/frontend/src/components/Navbar.jsx
@@ -127,12 +127,14 @@ const Navbar = () => {
                     Mark all as read
                   </button>
                 </div>
-                <Notifications 
-                  notifications={notifications} 
-                  onClose={() => setShowNotifications(false)}
-                  onMarkRead={markAsRead}
-                  onMarkAllRead={markAllAsRead}
-                />
+                <div className="max-h-64 overflow-y-auto">
+                  <Notifications 
+                    notifications={notifications} 
+                    onClose={() => setShowNotifications(false)}
+                    onMarkRead={markAsRead}
+                    onMarkAllRead={markAllAsRead}
+                  />
+                </div>
               </div>
             )}
           </div>
diff --git a/frontend/src/components/ReportTable.jsx b/frontend/src/components/ReportTable.jsx
index a1da999..647bc7f 100644
--- a/frontend/src/components/ReportTable.jsx
+++ b/frontend/src/components/ReportTable.jsx
@@ -91,7 +91,7 @@ const ReportTable = ({ data = [], type }) => {
         case 'Issues':
           return item.open_issues ?? item.open_issues_count ?? 0;
         case 'PRs':
-          return item.open_prs || 0;
+          return item.total_prs || 0;
         case 'Commits':
           return item.recent_commits || 0;
         case 'Last Updated':
diff --git a/frontend/src/context/AuthContext.jsx b/frontend/src/context/AuthContext.jsx
index d4a5b89..1d5c5a3 100644
--- a/frontend/src/context/AuthContext.jsx
+++ b/frontend/src/context/AuthContext.jsx
@@ -1,6 +1,7 @@
 import { createContext, useState, useContext, useEffect, useRef } from 'react';
 import { authApi } from '../services/utils/auth';
 import { githubService } from '../services/github';
+import { dashboardService } from '../services/utils/api';
 import { useNavigate, useLocation } from 'react-router-dom';
 import { hasRole, hasPermission } from '../utils/rbac';
 
@@ -10,6 +11,7 @@ export const useAuth = () => useContext(AuthContext);
 
 const VALID_ROLES = new Set(["developer", "team_lead", "admin"]);
 const DEFAULT_ROLE = "developer";
+const REPORT_WARMUP_ROLES = new Set(["team_lead", "admin"]);
 
 const hasValidRole = (user) => user?.role && VALID_ROLES.has(user.role);
 
@@ -43,6 +45,7 @@ export const AuthProvider = ({ children }) => {
 
   // Keep a ref to track initialization
   const isInitialized = useRef(false);
+  const reportWarmupKeyRef = useRef(null);
   const navigate = useNavigate();
   const location = useLocation();
 
@@ -257,6 +260,7 @@ export const AuthProvider = ({ children }) => {
     } catch (err) {
       console.error("Logout error:", err);
     } finally {
+      dashboardService.clearReportDataCache();
       localStorage.removeItem("user");
       setCurrentUser(null);
       setPermissions([]);
@@ -297,6 +301,7 @@ export const AuthProvider = ({ children }) => {
     
     // Update GitHub connection status if that information is included
     if (userData && "github_connected" in userData) {
+      dashboardService.clearReportDataCache();
       setGithubConnected(userData.github_connected);
       if (userData.github_connected) {
         // If GitHub is now connected, make sure to hide the prompt
@@ -426,6 +431,48 @@ export const AuthProvider = ({ children }) => {
     verify();
   }, [currentUserId, currentGithubConnected]);
 
+  useEffect(() => {
+    const canAccessReports = currentUser?.role && REPORT_WARMUP_ROLES.has(currentUser.role);
+    const isGithubReady = Boolean(currentUser?.github_connected || githubConnected);
+
+    if (!currentUserId || !canAccessReports || !isGithubReady) {
+      return undefined;
+    }
+
+    const warmupKey = `${currentUserId}:github:week`;
+    if (reportWarmupKeyRef.current === warmupKey) {
+      return undefined;
+    }
+
+    let cancelled = false;
+    const runWarmup = () => {
+      if (cancelled) {
+        return;
+      }
+
+      reportWarmupKeyRef.current = warmupKey;
+      dashboardService.prefetchReportData('github', 'week').catch((error) => {
+        console.error('Error warming GitHub report data', error);
+      });
+    };
+
+    if (typeof window !== 'undefined' && typeof window.requestIdleCallback === 'function') {
+      const idleId = window.requestIdleCallback(runWarmup, { timeout: 5000 });
+      return () => {
+        cancelled = true;
+        if (typeof window.cancelIdleCallback === 'function') {
+          window.cancelIdleCallback(idleId);
+        }
+      };
+    }
+
+    const timeoutId = window.setTimeout(runWarmup, 1000);
+    return () => {
+      cancelled = true;
+      window.clearTimeout(timeoutId);
+    };
+  }, [currentUserId, currentUser?.role, currentUser?.github_connected, githubConnected]);
+
   // RBAC Helpers
   const can = (permission) => hasPermission(permissions, permission);
   const is = (role) => hasRole(currentUser?.role, role);
diff --git a/frontend/src/pages/Reports.jsx b/frontend/src/pages/Reports.jsx
index 590b59f..2c59422 100644
--- a/frontend/src/pages/Reports.jsx
+++ b/frontend/src/pages/Reports.jsx
@@ -35,6 +35,7 @@ const Reports = () => {
   const [reportType, setReportType] = useState('tasks');
   const [dateRange, setDateRange] = useState('week');
   const [generatedReports, setGeneratedReports] = useState([]);
+  const [refreshing, setRefreshing] = useState(false);
   const reportCacheRef = useRef({});
   const latestRequestRef = useRef(0);
 
@@ -106,7 +107,7 @@ const Reports = () => {
       });
     } else if (report.type === 'github') {
       details.slice(0, 8).forEach((repo) => {
-        lines.push(`- ${repo.name || 'Repo'} (${repo.owner || 'owner'}) issues: ${repo.open_issues || 0} prs: ${repo.open_prs || 0}`);
+        lines.push(`- ${repo.name || 'Repo'} (${repo.owner || 'owner'}) issues: ${repo.open_issues || 0} prs: ${repo.total_prs || 0}`);
       });
     } else {
       details.slice(0, 8).forEach((item) => {
@@ -153,13 +154,13 @@ const Reports = () => {
     return new Blob([pdf], { type: 'application/pdf' });
   };
 
-  const loadReportData = useCallback(async () => {
+  const loadReportData = useCallback(async ({ forceRefresh = false } = {}) => {
     const cacheKey = `${reportType}:${dateRange}`;
     const cachedReport = reportCacheRef.current[cacheKey];
     const requestId = latestRequestRef.current + 1;
     latestRequestRef.current = requestId;
 
-    if (cachedReport) {
+    if (cachedReport && reportType !== 'github' && !forceRefresh) {
       setReportData(cachedReport);
       setLoading(false);
       setError(null);
@@ -167,9 +168,13 @@ const Reports = () => {
     }
 
     try {
-      setLoading(true);
+      if (forceRefresh) {
+        setRefreshing(true);
+      } else {
+        setLoading(true);
+      }
       setError(null);
-      const data = await dashboardService.getReportData(reportType, dateRange);
+      const data = await dashboardService.getReportData(reportType, dateRange, { forceRefresh });
       // Ignore stale responses from previous report/date selections.
       if (requestId !== latestRequestRef.current) {
         return null;
@@ -187,6 +192,7 @@ const Reports = () => {
     } finally {
       if (requestId === latestRequestRef.current) {
         setLoading(false);
+        setRefreshing(false);
       }
     }
   }, [reportType, dateRange]);
@@ -262,6 +268,10 @@ const Reports = () => {
     setGeneratedReports((prev) => [reportEntry, ...prev]);
   };
 
+  const handleRefreshReport = async () => {
+    await loadReportData({ forceRefresh: true });
+  };
+
   const handleDownloadPdf = (report) => {
     const lines = buildPdfLines(report);
     const blob = createPdfBlob(lines);
@@ -348,12 +358,12 @@ const Reports = () => {
     if (type === 'github') {
       const repos = Array.isArray(details) ? details : [];
       const openIssues = repos.reduce((sum, repo) => sum + getGithubRepoMetrics(repo).openIssues, 0);
-      const openPrs = repos.reduce((sum, repo) => sum + getGithubRepoMetrics(repo).openPrs, 0);
+      const totalPrs = repos.reduce((sum, repo) => sum + getGithubRepoMetrics(repo).totalPrs, 0);
       const recentCommits = repos.reduce((sum, repo) => sum + getGithubRepoMetrics(repo).recentCommits, 0);
       return {
         repos: summary?.repos ?? repos.length,
         open_issues: summary?.open_issues ?? openIssues,
-        open_prs: summary?.open_prs ?? openPrs,
+        total_prs: summary?.total_prs ?? totalPrs,
         recent_commits: summary?.recent_commits ?? recentCommits
       };
     }
@@ -376,12 +386,21 @@ const Reports = () => {
   };
 
   const hasNonZero = (values = []) => values.some((v) => Number(v) > 0);
+  const getGithubUpdatedLabel = () => {
+    if (reportType !== 'github') {
+      return null;
+    }
+
+    const fetchedAt = reportData?.meta?.fetched_at;
+    return fetchedAt ? `GitHub stats updated ${formatGeneratedAt(fetchedAt)}` : 'GitHub stats ready for live refresh';
+  };
+
   const getRepoLabel = (repo) => repo?.name || repo?.full_name || 'Repo';
   const getGithubRepoMetrics = (repo) => {
     const openIssues = Number(repo?.open_issues ?? repo?.open_issues_count ?? 0) || 0;
-    const openPrs = Number(repo?.open_prs ?? 0) || 0;
+    const totalPrs = Number(repo?.total_prs ?? 0) || 0;
     const recentCommits = Number(repo?.recent_commits ?? 0) || 0;
-    return { openIssues, openPrs, recentCommits, total: openIssues + openPrs + recentCommits };
+    return { openIssues, totalPrs, recentCommits, total: openIssues + totalPrs + recentCommits };
   };
 
   // ─── Chart theme tokens ───────────────────────────────────────────────────
@@ -532,7 +551,7 @@ const Reports = () => {
               <SummaryCard title="Open Issues" value={summarySnapshot.open_issues || 0} color="blue"
                 icon={<svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M21 13.255A23.931 23.931 0 0112 15c-3.183 0-6.22-.62-9-1.745M16 6V4a2 2 0 00-2-2h-4a2 2 0 00-2 2v2m4 6h.01M5 20h14a2 2 0 002-2V8a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" /></svg>}
               />
-              <SummaryCard title="Open PRs" value={summarySnapshot.open_prs || 0} color="green"
+              <SummaryCard title="Total PRs" value={summarySnapshot.total_prs || 0} color="green"
                 icon={<svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M7 16V4m0 0L3 8m4-4l4 4m6 0v12m0 0l4-4m-4 4l-4-4" /></svg>}
               />
               <SummaryCard title="Recent Commits" value={summarySnapshot.recent_commits || 0} color="yellow"
@@ -619,17 +638,17 @@ const Reports = () => {
               labels: topRepos.map((r) => r.label),
               datasets: [
                 { label: 'Open Issues',     data: topRepos.map((r) => r.openIssues),    backgroundColor: chartPalette.blue   },
-                { label: 'Open PRs',        data: topRepos.map((r) => r.openPrs),       backgroundColor: chartPalette.green  },
+                { label: 'Total PRs',        data: topRepos.map((r) => r.totalPrs),       backgroundColor: chartPalette.green  },
                 { label: 'Recent Commits',  data: topRepos.map((r) => r.recentCommits), backgroundColor: chartPalette.yellow }
               ]
             };
 
             const issuesTotal  = repos.reduce((s, r) => s + getGithubRepoMetrics(r).openIssues, 0);
-            const prsTotal     = repos.reduce((s, r) => s + getGithubRepoMetrics(r).openPrs, 0);
+            const prsTotal     = repos.reduce((s, r) => s + getGithubRepoMetrics(r).totalPrs, 0);
             const commitsTotal = repos.reduce((s, r) => s + getGithubRepoMetrics(r).recentCommits, 0);
             const githubMixValues = [issuesTotal, prsTotal, commitsTotal];
             const githubMixData = {
-              labels: ['Open Issues', 'Open PRs', 'Recent Commits'],
+              labels: ['Open Issues', 'Total PRs', 'Recent Commits'],
               datasets: [{
                 data: githubMixValues,
                 backgroundColor: [chartPalette.blue, chartPalette.green, chartPalette.yellow],
@@ -819,13 +838,31 @@ const Reports = () => {
           </div>
         </div>
 
-        <div className="mt-4 flex justify-end">
-          <button
-            onClick={handleGenerateReport}
-            className="px-5 py-2 bg-rose-500/90 text-white text-sm font-medium rounded-full hover:bg-rose-400 transition-colors focus:outline-none focus:ring-2 focus:ring-rose-400/60"
-          >
-            Generate Report
-          </button>
+        <div className="mt-4 flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
+          <div className="min-h-[1.25rem] text-xs text-slate-500">
+            {reportType === 'github' && (
+              <span>{refreshing ? 'Refreshing GitHub stats...' : getGithubUpdatedLabel()}</span>
+            )}
+          </div>
+
+          <div className="flex flex-col gap-2 sm:flex-row sm:justify-end">
+            {reportType === 'github' && (
+              <button
+                type="button"
+                onClick={handleRefreshReport}
+                disabled={refreshing}
+                className="px-4 py-2 border border-slate-700/70 text-slate-200 text-sm font-medium rounded-full hover:border-slate-500 hover:text-white disabled:cursor-not-allowed disabled:opacity-60 transition-colors focus:outline-none focus:ring-2 focus:ring-slate-500/50"
+              >
+                Refresh GitHub Stats
+              </button>
+            )}
+            <button
+              onClick={handleGenerateReport}
+              className="px-5 py-2 bg-rose-500/90 text-white text-sm font-medium rounded-full hover:bg-rose-400 transition-colors focus:outline-none focus:ring-2 focus:ring-rose-400/60"
+            >
+              Generate Report
+            </button>
+          </div>
         </div>
       </div>
 
@@ -835,4 +872,4 @@ const Reports = () => {
   );
 };
 
-export default Reports;
\ No newline at end of file
+export default Reports;
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index de6783d..158fcad 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -390,14 +390,14 @@ const normalizeGithubRepository = (repository = {}) => {
     repository.open_issues ?? repository.open_issues_count,
     0
   );
-  const openPrs = toSafeMetricValue(repository.open_prs, 0);
+  const totalPrs = toSafeMetricValue(repository.total_prs, 0);
   const recentCommits = toSafeMetricValue(repository.recent_commits, 0);
 
   return {
     ...repository,
     open_issues: openIssues,
     open_issues_count: toSafeMetricValue(repository.open_issues_count, openIssues),
-    open_prs: openPrs,
+    total_prs: totalPrs,
     recent_commits: recentCommits,
     last_updated: repository.last_updated || repository.pushed_at || repository.updated_at || null,
   };
@@ -477,6 +477,117 @@ const buildDeveloperProgress = (users, tasks) => {
     });
 };
 
+const GITHUB_REPORT_CACHE_TTL_MS = 2 * 60 * 1000;
+const reportDataCache = new Map();
+
+const getReportCacheScope = () => {
+  try {
+    const user = JSON.parse(localStorage.getItem('user') || 'null');
+    return user?.id ? `user:${user.id}` : 'anonymous';
+  } catch {
+    return 'anonymous';
+  }
+};
+
+const getReportCacheKey = (reportType, dateRange) => `${getReportCacheScope()}:${reportType}:${dateRange}`;
+
+const addReportMeta = (reportData, meta = {}) => ({
+  ...reportData,
+  meta: {
+    ...(reportData?.meta || {}),
+    ...meta,
+  },
+});
+
+const getFreshCachedReport = (cacheKey) => {
+  const cached = reportDataCache.get(cacheKey);
+  if (!cached?.data || !cached.fetchedAt) {
+    return null;
+  }
+
+  if (Date.now() - cached.fetchedAt > GITHUB_REPORT_CACHE_TTL_MS) {
+    return null;
+  }
+
+  return addReportMeta(cached.data, { cache_hit: true });
+};
+
+const getReportDataFromNetwork = async (reportType = 'tasks', dateRange = 'week') => {
+  if (reportType === 'github') {
+    const githubStatus = await fetchWithAuth('github/status').catch(() => ({ connected: false }));
+    const connected = Boolean(githubStatus?.connected);
+    const activityWindowDays = getActivityWindowDays(dateRange);
+    const repositories = connected
+      ? await githubService.getUserRepos({
+        perPage: 100,
+        fetchAll: true,
+        activityWindowDays
+      })
+      : [];
+
+    const openIssuesTotal = repositories.reduce((sum, repo) => sum + (repo.open_issues || 0), 0);
+    const totalPrsTotal = repositories.reduce((sum, repo) => sum + (repo.total_prs || 0), 0);
+    const recentCommitsTotal = repositories.reduce((sum, repo) => sum + (repo.recent_commits || 0), 0);
+
+    return {
+      summary: {
+        repos: repositories.length,
+        open_issues: openIssuesTotal,
+        total_prs: totalPrsTotal,
+        recent_commits: recentCommitsTotal
+      },
+      details: repositories
+    };
+  }
+
+  const rangeStart = getDateRangeStart(dateRange);
+  const [tasks, usersResponse] = await Promise.all([
+    taskService.getAllTasks(),
+    fetchWithAuth('users').catch(() => ({ users: [] }))
+  ]);
+
+  const users = Array.isArray(usersResponse?.users) ? usersResponse.users : [];
+  const scopedTasks = tasks.filter((task) => isWithinDateRange(task.created_at, rangeStart));
+
+  if (reportType === 'developers') {
+    const developers = buildDeveloperProgress(users, tasks);
+    const totalTasks = developers.reduce((sum, developer) => sum + (developer.total_tasks || 0), 0);
+    const completedTasks = developers.reduce((sum, developer) => sum + (developer.completed_tasks || 0), 0);
+    const avgCompletion = totalTasks > 0 ? Math.round((completedTasks / totalTasks) * 100) : 0;
+
+    return {
+      summary: {
+        developers: developers.length,
+        avg_tasks: developers.length > 0 ? Math.round(totalTasks / developers.length) : 0,
+        avg_completion: avgCompletion,
+        active_devs: developers.filter((developer) => developer.active_tasks > 0).length
+      },
+      details: developers
+    };
+  }
+
+  const completed = scopedTasks.filter((task) => normalizeTaskStatus(task.status) === 'done').length;
+  const inProgress = scopedTasks.filter((task) => normalizeTaskStatus(task.status) === 'in_progress').length;
+  const overdue = scopedTasks.filter((task) => {
+    if (!task.deadline) {
+      return false;
+    }
+
+    return new Date(task.deadline) < new Date() && normalizeTaskStatus(task.status) !== 'done';
+  }).length;
+
+  return {
+    summary: {
+      total: scopedTasks.length,
+      completed,
+      in_progress: inProgress,
+      overdue,
+      team_members: users.length
+    },
+    details: scopedTasks
+  };
+};
+
 // Dashboard service for admin and member dashboards
 const dashboardService = {
   getAdminDashboardStats: async (timeRange = 'week') => {
@@ -533,90 +644,89 @@ const dashboardService = {
     }
   },
 
-  getReportData: async (reportType = 'tasks', dateRange = 'week') => {
-    try {
-      const rangeStart = getDateRangeStart(dateRange);
-      const [tasks, usersResponse] = await Promise.all([
-        taskService.getAllTasks(),
-        fetchWithAuth('users').catch(() => ({ users: [] }))
-      ]);
-
-      const users = Array.isArray(usersResponse?.users) ? usersResponse.users : [];
-      const scopedTasks = tasks.filter((task) => isWithinDateRange(task.created_at, rangeStart));
+  getReportData: async (reportType = 'tasks', dateRange = 'week', options = {}) => {
+    const cacheKey = getReportCacheKey(reportType, dateRange);
+    const isGithubReport = reportType === 'github';
+    const forceRefresh = Boolean(options?.forceRefresh);
 
-      if (reportType === 'developers') {
-        const developers = buildDeveloperProgress(users, tasks);
-        const totalTasks = developers.reduce((sum, developer) => sum + (developer.total_tasks || 0), 0);
-        const completedTasks = developers.reduce((sum, developer) => sum + (developer.completed_tasks || 0), 0);
-        const avgCompletion = totalTasks > 0 ? Math.round((completedTasks / totalTasks) * 100) : 0;
+    if (isGithubReport && !forceRefresh) {
+      const cachedReport = getFreshCachedReport(cacheKey);
+      if (cachedReport) {
+        return cachedReport;
+      }
 
-        return {
-          summary: {
-            developers: developers.length,
-            avg_tasks: developers.length > 0 ? Math.round(totalTasks / developers.length) : 0,
-            avg_completion: avgCompletion,
-            active_devs: developers.filter((developer) => developer.active_tasks > 0).length
-          },
-          details: developers
-        };
+      const pendingReport = reportDataCache.get(cacheKey)?.promise;
+      if (pendingReport) {
+        return pendingReport;
       }
+    }
 
-      if (reportType === 'github') {
-        const githubStatus = await fetchWithAuth('github/status').catch(() => ({ connected: false }));
-        const connected = Boolean(githubStatus?.connected);
-        const activityWindowDays = getActivityWindowDays(dateRange);
-        const repositories = connected
-          ? await githubService.getUserRepos({
-            perPage: 100,
-            fetchAll: true,
-            activityWindowDays
-          })
-          : [];
-
-        // Calculate totals from enriched repo data
-        const openIssuesTotal = repositories.reduce((sum, repo) => sum + (repo.open_issues || 0), 0);
-        const openPrsTotal = repositories.reduce((sum, repo) => sum + (repo.open_prs || 0), 0);
-        const recentCommitsTotal = repositories.reduce((sum, repo) => sum + (repo.recent_commits || 0), 0);
+    const reportPromise = (async () => {
+      try {
+        const data = await getReportDataFromNetwork(reportType, dateRange);
+        const fetchedAt = Date.now();
+        const report = addReportMeta(data, {
+          cache_hit: false,
+          fetched_at: new Date(fetchedAt).toISOString(),
+          live: true,
+        });
+
+        if (isGithubReport) {
+          reportDataCache.set(cacheKey, {
+            data: report,
+            fetchedAt,
+          });
+        }
+
+        return report;
+      } catch (error) {
+        console.error('Failed to fetch report data:', error);
+        if (isGithubReport) {
+          reportDataCache.delete(cacheKey);
+        }
 
         return {
-          summary: {
-            repos: repositories.length,
-            open_issues: openIssuesTotal,
-            open_prs: openPrsTotal,
-            recent_commits: recentCommitsTotal
+          summary: {},
+          details: [],
+          meta: {
+            cache_hit: false,
+            fetched_at: new Date().toISOString(),
+            live: false,
           },
-          details: repositories
         };
       }
+    })();
 
-      const completed = scopedTasks.filter((task) => normalizeTaskStatus(task.status) === 'done').length;
-      const inProgress = scopedTasks.filter((task) => normalizeTaskStatus(task.status) === 'in_progress').length;
-      const overdue = scopedTasks.filter((task) => {
-        if (!task.deadline) {
-          return false;
-        }
+    if (isGithubReport) {
+      reportDataCache.set(cacheKey, {
+        promise: reportPromise,
+        fetchedAt: 0,
+      });
+    }
 
-        return new Date(task.deadline) < new Date() && normalizeTaskStatus(task.status) !== 'done';
-      }).length;
+    return reportPromise;
+  },
 
-      return {
-        summary: {
-          total: scopedTasks.length,
-          completed,
-          in_progress: inProgress,
-          overdue,
-          team_members: users.length
-        },
-        details: scopedTasks
-      };
+  prefetchReportData: async (reportType = 'github', dateRange = 'year') => {
+    try {
+      return await dashboardService.getReportData(reportType, dateRange);
     } catch (error) {
-      console.error('Failed to fetch report data:', error);
-      return {
-        summary: {},
-        details: []
-      };
+      console.error('Failed to prefetch report data:', error);
+      return null;
     }
-  }
+  },
+
+  invalidateReportData: (reportType = 'github', dateRange = 'year') => {
+    reportDataCache.delete(getReportCacheKey(reportType, dateRange));
+  },
+
+  clearReportDataCache: () => {
+    reportDataCache.clear();
+  },
+
+  refreshReportData: async (reportType = 'github', dateRange = 'year') => (
+    dashboardService.getReportData(reportType, dateRange, { forceRefresh: true })
+  )
 };
 
 // Enhanced GitHub service with better error handling
diff --git a/frontend/src/tests/components/ReportTable.test.jsx b/frontend/src/tests/components/ReportTable.test.jsx
index 0000c30..019cd57 100644
--- a/frontend/src/tests/components/ReportTable.test.jsx
+++ b/frontend/src/tests/components/ReportTable.test.jsx
@@ -55,7 +55,7 @@ describe('ReportTable', () => {
         name: 'devsync',
         owner: 'ahmedikram',
         open_issues_count: 3,
-        open_prs: 2,
+        total_prs: 2,
         recent_commits: 6,
         updated_at: '2099-03-01T00:00:00.000Z',
         html_url: 'https://github.com/AhmedIkram05/devsync',
diff --git a/frontend/src/tests/context/AuthContext.test.jsx b/frontend/src/tests/context/AuthContext.test.jsx
index 1c98e2c..0d087b7 100644
--- a/frontend/src/tests/context/AuthContext.test.jsx
+++ b/frontend/src/tests/context/AuthContext.test.jsx
@@ -4,6 +4,7 @@ import { MemoryRouter } from 'react-router-dom';
 
 import { AuthProvider, useAuth } from '../../context/AuthContext';
 import { authApi } from '../../services/utils/auth';
+import { dashboardService } from '../../services/utils/api';
 import { githubService } from '../../services/github';
 
 jest.mock('../../services/utils/auth', () => ({
@@ -15,6 +16,13 @@ jest.mock('../../services/utils/auth', () => ({
   },
 }));
 
+jest.mock('../../services/utils/api', () => ({
+  dashboardService: {
+    prefetchReportData: jest.fn(),
+    clearReportDataCache: jest.fn(),
+  },
+}));
+
 jest.mock('../../services/github', () => ({
   githubService: {
     initiateOAuthFlow: jest.fn(),
@@ -105,6 +113,9 @@ describe('AuthContext', () => {
     authApi.login.mockReset();
     authApi.register.mockReset();
     authApi.logout.mockReset();
+    dashboardService.prefetchReportData.mockReset();
+    dashboardService.prefetchReportData.mockResolvedValue(null);
+    dashboardService.clearReportDataCache.mockReset();
     githubService.initiateOAuthFlow.mockReset();
     githubService.completeOAuthFlow.mockReset();
     githubService.checkConnection.mockResolvedValue({ connected: false });
@@ -344,7 +355,9 @@ describe('AuthContext', () => {
     renderWithProvider();
 
     fireEvent.click(screen.getByRole('button', { name: 'Login' }));
-    await waitFor(() => screen.getByTestId('show-prompt').textContent === 'true');
+    await waitFor(() => {
+      expect(screen.getByTestId('show-prompt')).toHaveTextContent('true');
+    });
 
     // Clicking prompt with connect=true should call connectGitHub
     const acceptBtn = screen.queryByRole('button', { name: /Skip Prompt/i });
diff --git a/frontend/src/tests/pages/Reports.test.jsx b/frontend/src/tests/pages/Reports.test.jsx
index 23fb00b..e066341 100644
--- a/frontend/src/tests/pages/Reports.test.jsx
+++ b/frontend/src/tests/pages/Reports.test.jsx
@@ -39,7 +39,7 @@ describe('Reports page', () => {
     summary: {
       repos: 4,
       open_issues: 12,
-      open_prs: 3,
+      total_prs: 3,
       recent_commits: 18,
     },
     details: [
@@ -48,7 +48,7 @@ describe('Reports page', () => {
         name: 'devsync',
         owner: 'ahmedikram',
         open_issues_count: 12,
-        open_prs: 3,
+        total_prs: 3,
         recent_commits: 18,
       },
     ],
@@ -101,7 +101,7 @@ describe('Reports page', () => {
     render(<Reports />);
 
     await waitFor(() => {
-      expect(dashboardService.getReportData).toHaveBeenCalledWith('tasks', 'week');
+      expect(dashboardService.getReportData).toHaveBeenCalledWith('tasks', 'week', { forceRefresh: false });
     });
 
     expect(await screen.findByText('Reports & Analytics')).toBeInTheDocument();
@@ -122,7 +122,7 @@ describe('Reports page', () => {
     });
 
     await waitFor(() => {
-      expect(dashboardService.getReportData).toHaveBeenCalledWith('github', 'week');
+      expect(dashboardService.getReportData).toHaveBeenCalledWith('github', 'week', { forceRefresh: false });
     });
 
     expect(await screen.findByText('Connected Repos')).toBeInTheDocument();
@@ -134,7 +134,7 @@ describe('Reports page', () => {
     });
 
     await waitFor(() => {
-      expect(dashboardService.getReportData).toHaveBeenCalledWith('github', 'month');
+      expect(dashboardService.getReportData).toHaveBeenCalledWith('github', 'month', { forceRefresh: false });
     });
 
     fireEvent.change(await screen.findByDisplayValue('GitHub Activity'), {
@@ -142,7 +142,7 @@ describe('Reports page', () => {
     });
 
     await waitFor(() => {
-      expect(dashboardService.getReportData).toHaveBeenCalledWith('developers', 'month');
+      expect(dashboardService.getReportData).toHaveBeenCalledWith('developers', 'month', { forceRefresh: false });
     });
 
     expect(await screen.findByText('Team Members')).toBeInTheDocument();
@@ -198,4 +198,25 @@ describe('Reports page', () => {
     createElementSpy.mockRestore();
     clickSpy.mockRestore();
   });
+
+  test('github report displays total_prs summary card', async () => {
+    render(<Reports />);
+
+    expect(await screen.findByText('Reports & Analytics')).toBeInTheDocument();
+
+    // Switch to GitHub report using the report type select
+    const reportSelects = screen.getAllByRole('combobox');
+    fireEvent.change(reportSelects[0], { target: { value: 'github' } });
+
+    // Verify GitHub report is displayed with correct summary cards
+    await waitFor(() => {
+      expect(dashboardService.getReportData).toHaveBeenCalledWith('github', 'week', { forceRefresh: false });
+    });
+
+    // Verify all GitHub summary cards are rendered including Total PRs
+    expect(await screen.findByText('Total PRs')).toBeInTheDocument();
+    expect(screen.getByText('Connected Repos')).toBeInTheDocument();
+    expect(screen.getByText('Open Issues')).toBeInTheDocument();
+    expect(screen.getByText('Recent Commits')).toBeInTheDocument();
+  });
 });
diff --git a/frontend/src/tests/services/api.test.js b/frontend/src/tests/services/api.test.js
index e40b29f..1783973 100644
--- a/frontend/src/tests/services/api.test.js
+++ b/frontend/src/tests/services/api.test.js
@@ -29,6 +29,7 @@ describe('api utilities', () => {
 
     localStorage.clear();
     global.fetch = jest.fn();
+    dashboardService.clearReportDataCache();
   });
 
   afterEach(() => {
@@ -341,8 +342,6 @@ describe('api utilities', () => {
 
   test('getReportData github branch when connected returns normalized repos', async () => {
     global.fetch
-      .mockResolvedValueOnce(buildResponse({ tasks: [] }))
-      .mockResolvedValueOnce(buildResponse({ users: [] }))
       .mockResolvedValueOnce(buildResponse({ connected: true }))
       .mockResolvedValueOnce(
         buildResponse({
@@ -351,7 +350,7 @@ describe('api utilities', () => {
               id: 1,
               full_name: 'org/r',
               open_issues_count: 5,
-              open_prs: 2,
+              total_prs: 2,
               recent_commits: 4,
               updated_at: '2099-01-01T00:00:00.000Z',
             },
@@ -362,11 +361,13 @@ describe('api utilities', () => {
     const report = await dashboardService.getReportData('github', 'month');
     expect(report.summary.repos).toBe(1);
     expect(report.summary.open_issues).toBe(5);
+    expect(report.summary.total_prs).toBe(2);
     expect(report.details[0].open_issues).toBe(5);
+    expect(report.details[0].total_prs).toBe(2);
     expect(report.details[0].last_updated).toBe('2099-01-01T00:00:00.000Z');
-    expect(global.fetch.mock.calls[3][0]).toContain('include_activity=true');
-    expect(global.fetch.mock.calls[3][0]).toContain('all_pages=true');
-    expect(global.fetch.mock.calls[3][0]).toContain('per_page=100');
+    expect(global.fetch.mock.calls[1][0]).toContain('include_activity=true');
+    expect(global.fetch.mock.calls[1][0]).toContain('all_pages=true');
+    expect(global.fetch.mock.calls[1][0]).toContain('per_page=100');
   });
 
   test('buildDeveloperProgress: task with no assigned_to is skipped', async () => {
@@ -387,6 +388,85 @@ describe('api utilities', () => {
     expect(dev.total_tasks).toBe(1);
   });
 
+  test('getReportData github: aggregates total_prs across multiple repositories', async () => {
+    global.fetch
+      .mockResolvedValueOnce(buildResponse({ connected: true }))
+      .mockResolvedValueOnce(
+        buildResponse({
+          repositories: [
+            {
+              id: 1,
+              name: 'repo1',
+              owner: 'org',
+              full_name: 'org/repo1',
+              open_issues_count: 5,
+              total_prs: 3,
+              recent_commits: 10,
+              updated_at: '2099-01-01T00:00:00.000Z',
+            },
+            {
+              id: 2,
+              name: 'repo2',
+              owner: 'org',
+              full_name: 'org/repo2',
+              open_issues_count: 2,
+              total_prs: 8,
+              recent_commits: 5,
+              updated_at: '2099-01-02T00:00:00.000Z',
+            },
+            {
+              id: 3,
+              name: 'repo3',
+              owner: 'user',
+              full_name: 'user/repo3',
+              open_issues_count: 10,
+              total_prs: 0,
+              recent_commits: 2,
+              updated_at: '2099-01-03T00:00:00.000Z',
+            },
+          ],
+        })
+      );
+
+    const report = await dashboardService.getReportData('github', 'month');
+    
+    expect(report.summary.repos).toBe(3);
+    expect(report.summary.open_issues).toBe(17); // 5 + 2 + 10
+    expect(report.summary.total_prs).toBe(11); // 3 + 8 + 0
+    expect(report.summary.recent_commits).toBe(17); // 10 + 5 + 2
+    expect(report.details).toHaveLength(3);
+    expect(report.details[0].total_prs).toBe(3);
+    expect(report.details[1].total_prs).toBe(8);
+    expect(report.details[2].total_prs).toBe(0);
+  });
+
+  test('prefetchReportData warms the GitHub report cache', async () => {
+    localStorage.setItem('user', JSON.stringify({ id: 77, token: 'token-77' }));
+    global.fetch
+      .mockResolvedValueOnce(buildResponse({ connected: true }))
+      .mockResolvedValueOnce(
+        buildResponse({
+          repositories: [
+            {
+              id: 1,
+              name: 'repo1',
+              open_issues_count: 1,
+              total_prs: 6,
+              recent_commits: 2,
+            },
+          ],
+        })
+      );
+
+    const warmedReport = await dashboardService.prefetchReportData('github', 'week');
+    const cachedReport = await dashboardService.getReportData('github', 'week');
+
+    expect(global.fetch).toHaveBeenCalledTimes(2);
+    expect(warmedReport.summary.total_prs).toBe(6);
+    expect(cachedReport.summary.total_prs).toBe(6);
+    expect(cachedReport.meta.cache_hit).toBe(true);
+  });
+
   test('buildDeveloperProgress: admin role is excluded, team_lead included', async () => {
     global.fetch.mockResolvedValueOnce(
       buildResponse({ users: [
@@ -575,7 +655,7 @@ describe('api utilities', () => {
         id: 5,
         open_issues_count: 4,
         open_issues: 4,
-        open_prs: 0,
+        total_prs: 0,
         recent_commits: 0,
         pushed_at: '2099-02-01T00:00:00.000Z',
         last_updated: '2099-02-01T00:00:00.000Z',

From ef9dee4b3ee8cac9311d73ebafb59cf8e4655b48 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:10:35 +0100
Subject: [PATCH 28/37] feat: update BasicDashboard to enhance role-based views
 and remove team overview card

---
 .../api/controllers/dashboard_controller.py   |  71 +++++++-----
 frontend/src/pages/BasicDashboard.jsx         | 102 ++++++++----------
 .../src/tests/pages/BasicDashboard.test.jsx   |  15 +--
 3 files changed, 96 insertions(+), 92 deletions(-)

diff --git a/backend/src/api/controllers/dashboard_controller.py b/backend/src/api/controllers/dashboard_controller.py
index 1de08ec..cb3ce98 100644
--- a/backend/src/api/controllers/dashboard_controller.py
+++ b/backend/src/api/controllers/dashboard_controller.py
@@ -80,15 +80,21 @@ def get_user_tasks(user_id):
         logger.error(f"Error fetching user tasks: {str(e)}")
         return []
 
-def get_tasks_due_soon(user_id):
-    """Helper function to get tasks due soon for a user"""
+def get_tasks_due_soon(user_id=None, project_ids=None):
+    """Helper function to get tasks due soon for a user or a set of projects"""
     try:
         today = datetime.now().date()
         week_later = today + timedelta(days=7)
-        return Task.query.filter_by(assigned_to=user_id)\
-            .filter(Task.deadline.isnot(None))\
+        query = Task.query.filter(Task.deadline.isnot(None))\
             .filter(Task.deadline.between(today, week_later))\
-            .filter(~Task.status.in_(COMPLETED_TASK_STATUSES)).all()
+            .filter(~Task.status.in_(COMPLETED_TASK_STATUSES))
+
+        if project_ids:
+            query = query.filter(Task.project_id.in_(project_ids))
+        elif user_id is not None:
+            query = query.filter(Task.assigned_to == user_id)
+
+        return query.all()
     except Exception as e:
         logger.error(f"Error fetching tasks due soon: {str(e)}")
         return []
@@ -245,41 +251,58 @@ def get_client_dashboard():
         if not user:
             logger.error(f"User not found: {user_id}")
             return jsonify({'message': 'User not found'}), 404
-        
-        # Get tasks assigned to this user
-        assigned_tasks = get_user_tasks(user_id)
-        # Get tasks due soon
-        tasks_due_soon = get_tasks_due_soon(user_id)
+
+        user_projects = list(user.projects.all())
+        if user_role == Role.TEAM_LEAD.value:
+            seen_project_ids = {project.id for project in user_projects}
+            for project in Project.query.filter_by(created_by=user_id).all():
+                if project.id not in seen_project_ids:
+                    user_projects.append(project)
+                    seen_project_ids.add(project.id)
+
+        project_ids = [project.id for project in user_projects]
+        is_team_lead = user_role == Role.TEAM_LEAD.value
+
+        # Get tasks in the correct scope for the current role
+        if is_team_lead:
+            scoped_tasks = Task.query.filter(Task.project_id.in_(project_ids)).all() if project_ids else []
+            tasks_due_soon = get_tasks_due_soon(project_ids=project_ids)
+        else:
+            scoped_tasks = get_user_tasks(user_id)
+            tasks_due_soon = get_tasks_due_soon(user_id=user_id)
 
         recent_tasks = sorted(
-            assigned_tasks,
+            scoped_tasks,
             key=lambda task: getattr(task, 'updated_at', None) or getattr(task, 'created_at', None) or datetime.min,
             reverse=True,
-        )[:5]
+        )
+        if not is_team_lead:
+            recent_tasks = recent_tasks[:10]
 
         task_stats = {
-            'total': len(assigned_tasks),
-            'assigned': len(assigned_tasks),
-            'todo': _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'todo'),
-            'in_progress': _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'in_progress'),
-            'review': _count(assigned_tasks, lambda task: getattr(task, 'status', None) == 'review'),
-            'done': _count(assigned_tasks, lambda task: getattr(task, 'status', None) in {'done', 'completed'}),
+            'total': len(scoped_tasks),
+            'assigned': len(scoped_tasks),
+            'todo': _count(scoped_tasks, lambda task: getattr(task, 'status', None) == 'todo'),
+            'in_progress': _count(scoped_tasks, lambda task: getattr(task, 'status', None) == 'in_progress'),
+            'review': _count(scoped_tasks, lambda task: getattr(task, 'status', None) == 'review'),
+            'done': _count(scoped_tasks, lambda task: getattr(task, 'status', None) in {'done', 'completed'}),
             'due_soon': len(tasks_due_soon),
         }
 
         github_activity = []
         try:
-            recent_links = TaskGitHubLink.query.join(Task).outerjoin(GitHubRepository).filter(
-                Task.assigned_to == user_id
-            ).order_by(TaskGitHubLink.created_at.desc()).limit(5).all()
+            recent_links_query = TaskGitHubLink.query.join(Task).outerjoin(GitHubRepository)
+            if is_team_lead and project_ids:
+                recent_links_query = recent_links_query.filter(Task.project_id.in_(project_ids))
+            else:
+                recent_links_query = recent_links_query.filter(Task.assigned_to == user_id)
+
+            recent_links = recent_links_query.order_by(TaskGitHubLink.created_at.desc()).limit(5).all()
             github_activity = [_github_activity_to_item(link) for link in recent_links]
         except Exception as e:
             logger.error(f"Error fetching GitHub activity for client dashboard: {str(e)}")
             github_activity = []
         
-        # Get projects user is part of
-        user_projects = user.projects.all()
-        
         # Format response data
         dashboard_data = {
             'taskCounts': task_stats,
diff --git a/frontend/src/pages/BasicDashboard.jsx b/frontend/src/pages/BasicDashboard.jsx
index b0f2d54..f2e0ea2 100644
--- a/frontend/src/pages/BasicDashboard.jsx
+++ b/frontend/src/pages/BasicDashboard.jsx
@@ -62,10 +62,15 @@ const getStatusLabel = (status) => {
 
 const BasicDashboard = () => {
   const [dashboardData, setDashboardData] = useState(null);
-  const [teamUsers, setTeamUsers] = useState([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState(null);
-  const { is } = useAuth();
+  const { is, currentUser } = useAuth();
+  const isTeamLead = is('team_lead');
+  const isAdmin = is('admin');
+  const dashboardTitle = isTeamLead ? 'Team Lead Workspace' : 'My Dashboard';
+  const dashboardSubtitle = isTeamLead
+    ? 'Track your own work and keep an eye on the team without switching into the admin console.'
+    : 'View your tasks, projects, and GitHub activity';
 
   const fetchDashboardData = useCallback(async () => {
     try {
@@ -73,17 +78,6 @@ const BasicDashboard = () => {
       const data = await dashboardService.getBasicDashboardStats();
       setDashboardData(data);
       
-      // Fetch team data if Team Lead or Admin
-      if (is('team_lead') || is('admin')) {
-        try {
-          const { userService } = await import('../services/utils/api');
-          const users = await userService.getAllUsers();
-          setTeamUsers(users);
-        } catch (err) {
-          console.error("Failed to fetch team users:", err);
-        }
-      }
-      
       setError(null);
     } catch (err) {
       console.error("Dashboard fetch error:", err);
@@ -91,7 +85,7 @@ const BasicDashboard = () => {
     } finally {
       setLoading(false);
     }
-  }, [is]);
+  }, []);
 
   useEffect(() => {
     fetchDashboardData();
@@ -103,23 +97,21 @@ const BasicDashboard = () => {
 
   // Use full tasks list if provided by API, otherwise fall back to recentTasks
   // Limit to last 10 most recent tasks, sorted by most recent first
-  const tasksToShow = ((dashboardData?.tasks && dashboardData.tasks.length) ? dashboardData.tasks : (dashboardData?.recentTasks || []))
+  const orderedTasksToShow = ((dashboardData?.tasks && dashboardData.tasks.length) ? dashboardData.tasks : (dashboardData?.recentTasks || []))
     .sort((a, b) => {
       const dateA = new Date(a.updated_at || a.created_at || 0).getTime();
       const dateB = new Date(b.updated_at || b.created_at || 0).getTime();
       return dateB - dateA;
-    })
-    .slice(0, 10);
+    });
+  const tasksToShow = isTeamLead ? orderedTasksToShow : orderedTasksToShow.slice(0, 10);
 
   return (
     <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
       <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
         <div className="flex flex-col md:flex-row md:items-center md:justify-between mb-6">
           <div>
-            <h1 className="text-2xl font-bold text-slate-100">My Dashboard</h1>
-            <p className="mt-1 text-sm text-slate-400">
-              View your tasks, projects, and GitHub activity
-            </p>
+            <h1 className="text-2xl font-bold text-slate-100">{dashboardTitle}</h1>
+            <p className="mt-1 text-sm text-slate-400">{dashboardSubtitle}</p>
           </div>
 
           <div className="mt-4 md:mt-0 flex items-center gap-3">
@@ -159,6 +151,36 @@ const BasicDashboard = () => {
           </div>
         ) : (
           <div className="space-y-6">
+            {(isTeamLead || isAdmin) && (
+              <div className="rounded-2xl border border-slate-800/70 bg-slate-900/70 p-5 shadow-md backdrop-blur-sm">
+                <div className="flex flex-col gap-4 md:flex-row md:items-center md:justify-between">
+                  <div>
+                    <p className="text-xs font-semibold uppercase tracking-[0.2em] text-rose-300">Management Snapshot</p>
+                    <h2 className="mt-1 text-lg font-semibold text-slate-100">Keep the team moving without leaving this dashboard</h2>
+                    <p className="mt-1 text-sm text-slate-400">
+                      {isAdmin
+                        ? 'Admin users can manage users, reports, and progress from the admin console.'
+                        : 'Team Leads can review progress, spot blockers, and create tasks from the same workspace.'}
+                    </p>
+                  </div>
+
+                  <div className="flex flex-wrap gap-3">
+                    <Link to="/admin/developer-progress" className="inline-flex items-center rounded-full border border-slate-700 bg-slate-950/40 px-4 py-2 text-sm font-medium text-slate-100 hover:border-slate-600 hover:bg-slate-800/60">
+                      Developer progress
+                    </Link>
+                    <Link to="/admin/reports" className="inline-flex items-center rounded-full border border-slate-700 bg-slate-950/40 px-4 py-2 text-sm font-medium text-slate-100 hover:border-slate-600 hover:bg-slate-800/60">
+                      Reports
+                    </Link>
+                    {currentUser?.role === 'admin' && (
+                      <Link to="/admin/users" className="inline-flex items-center rounded-full border border-slate-700 bg-slate-950/40 px-4 py-2 text-sm font-medium text-slate-100 hover:border-slate-600 hover:bg-slate-800/60">
+                        Manage users
+                      </Link>
+                    )}
+                  </div>
+                </div>
+              </div>
+            )}
+
             {/* Stats Summary */}
             <div className="grid grid-cols-1 md:grid-cols-3 lg:grid-cols-4 gap-4">
               <StatCard
@@ -272,7 +294,7 @@ const BasicDashboard = () => {
               </div>
 
               <div className="flex flex-col gap-6 h-full">
-                <div className={`${panelClass} flex-1 min-h-[220px] max-h-[70vh]`}>
+                <div className={`${panelClass} flex-1 min-h-[220px] max-h-[68vh]`}>
                   <div className="px-4 py-5 sm:px-6 border-b border-slate-800">
                     <h3 className={sectionTitleClass}>My Projects</h3>
                   </div>
@@ -308,7 +330,7 @@ const BasicDashboard = () => {
                   )}
                 </div>
 
-                <div className={`${panelClass} flex-1 min-h-[220px] max-h-[70vh]`}>
+                <div className={`${panelClass} flex-1 min-h-[200px] max-h-[68vh]`}>
                   <div className="px-4 py-5 sm:px-6 border-b border-slate-800">
                     <h3 className={sectionTitleClass}>Upcoming Deadlines</h3>
                   </div>
@@ -337,40 +359,6 @@ const BasicDashboard = () => {
                   )}
                 </div>
 
-                {(is('team_lead') || is('admin')) && (
-                  <div className={`${panelClass} flex-1 min-h-[220px] max-h-[70vh]`}>
-                    <div className={panelHeaderClass}>
-                      <h3 className={sectionTitleClass}>Team Overview</h3>
-                      <Link to="/admin/developer-progress" className="text-xs text-rose-300 hover:text-rose-200">
-                        View Progress
-                      </Link>
-                    </div>
-                    {teamUsers.length > 0 ? (
-                      <ul className="divide-y divide-slate-800 overflow-y-auto" style={{ maxHeight: 'calc(100% - 96px)' }}>
-                        {teamUsers.slice(0, 5).map((user) => (
-                          <li key={user.id} className="px-4 py-3 flex items-center justify-between">
-                            <div className="flex items-center">
-                              <div className="h-8 w-8 rounded-full bg-slate-800 flex items-center justify-center text-xs font-bold text-slate-400 border border-slate-700">
-                                {user.name?.charAt(0) || 'U'}
-                              </div>
-                              <div className="ml-3">
-                                <p className="text-sm font-medium text-slate-200">{user.name}</p>
-                                <p className="text-xs text-slate-500 capitalize">{user.role}</p>
-                              </div>
-                            </div>
-                            <div className="text-right">
-                              <span className="text-xs text-slate-400">Active</span>
-                            </div>
-                          </li>
-                        ))}
-                      </ul>
-                    ) : (
-                      <div className="p-6 text-center text-slate-400">
-                        <p>No team members found</p>
-                      </div>
-                    )}
-                  </div>
-                )}
               </div>
             </div>
           </div>
diff --git a/frontend/src/tests/pages/BasicDashboard.test.jsx b/frontend/src/tests/pages/BasicDashboard.test.jsx
index 10c8e9f..0a64c9c 100644
--- a/frontend/src/tests/pages/BasicDashboard.test.jsx
+++ b/frontend/src/tests/pages/BasicDashboard.test.jsx
@@ -195,13 +195,7 @@ describe('BasicDashboard page', () => {
     });
   });
 
-  test('renders Team Overview for users with team_lead role', async () => {
-    const { userService } = require('../../services/utils/api');
-    userService.getAllUsers.mockResolvedValue([
-      { id: 1, name: 'Alice Developer', role: 'developer' },
-      { id: 2, name: 'Bob Developer', role: 'developer' },
-    ]);
-
+  test('shows the TL management snapshot without the old team overview card', async () => {
     useAuth.mockReturnValue({
       currentUser: { id: 10, name: 'Lead User', role: 'team_lead' },
       is: (role) => role === 'team_lead',
@@ -218,9 +212,8 @@ describe('BasicDashboard page', () => {
 
     renderDashboard();
 
-    expect(await screen.findByText('Team Overview')).toBeInTheDocument();
-    expect(await screen.findByText('Alice Developer')).toBeInTheDocument();
-    expect(screen.getByText('Bob Developer')).toBeInTheDocument();
-    expect(screen.getByText('View Progress')).toBeInTheDocument();
+    expect(await screen.findByText('Management Snapshot')).toBeInTheDocument();
+    expect(screen.queryByText('Team Overview')).not.toBeInTheDocument();
+    expect(screen.getByText('Developer progress')).toBeInTheDocument();
   });
 });

From a9a2e0672ddd7f7c53f2fbe944c8c7cacda7ac30 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:10:59 +0100
Subject: [PATCH 29/37] feat: enhance project and task serialization with
 additional fields; update DeveloperProgress for role-based data fetching

---
 .../api/controllers/projects_controller.py    |  5 ++++
 .../src/api/controllers/tasks_controller.py   |  1 +
 .../controllers/test_dashboard_controller.py  | 30 ++++++++-----------
 frontend/src/pages/AdminDashboard.jsx         | 12 +++++---
 frontend/src/pages/DeveloperProgress.jsx      | 14 +++++++--
 .../tests/pages/DeveloperProgress.test.jsx    | 21 +++++++++++++
 6 files changed, 58 insertions(+), 25 deletions(-)

diff --git a/backend/src/api/controllers/projects_controller.py b/backend/src/api/controllers/projects_controller.py
index 9501ac0..b510acc 100644
--- a/backend/src/api/controllers/projects_controller.py
+++ b/backend/src/api/controllers/projects_controller.py
@@ -59,6 +59,11 @@ def get_all_projects():
         'status': project.status,
         'github_repo': project.github_repo,
         'created_by': project.created_by,
+        'team_members': [{
+            'id': member.id,
+            'name': member.name,
+            'role': member.role,
+        } for member in _relationship_items(project.team_members)],
         'created_at': project.created_at.isoformat() if project.created_at else None,
         'updated_at': project.updated_at.isoformat() if project.updated_at else None
     } for project in projects]
diff --git a/backend/src/api/controllers/tasks_controller.py b/backend/src/api/controllers/tasks_controller.py
index 802a307..f02cb65 100644
--- a/backend/src/api/controllers/tasks_controller.py
+++ b/backend/src/api/controllers/tasks_controller.py
@@ -69,6 +69,7 @@ def _serialize_task(task):
         'status': _task_value(task, 'status'),
         'priority': _task_value(task, 'priority', 'medium'),
         'progress': _task_value(task, 'progress', 0),
+        'project_id': _task_value(task, 'project_id'),
         'assigned_to': _task_value(task, 'assigned_to'),
         'created_by': _task_value(task, 'created_by'),
         'deadline': _task_datetime(task, 'deadline'),
diff --git a/backend/tests/unit/controllers/test_dashboard_controller.py b/backend/tests/unit/controllers/test_dashboard_controller.py
index f92d048..a03f9f0 100644
--- a/backend/tests/unit/controllers/test_dashboard_controller.py
+++ b/backend/tests/unit/controllers/test_dashboard_controller.py
@@ -248,18 +248,18 @@ def test_get_tasks_due_soon_success(self, mock_logger, mock_datetime, mock_task)
         mock_now.date.return_value = today_date
         mock_datetime.now.return_value = mock_now
         
-        # Create the filter chain properly (deep mocking)
-        mock_filter_by = MagicMock()
+        # Create the filter chain properly (deep mocking) for 4 filters + all()
         mock_filter1 = MagicMock()
         mock_filter2 = MagicMock()
         mock_filter3 = MagicMock()
+        mock_filter4 = MagicMock()
         
-        # Link the mocks in the chain
-        mock_task.query.filter_by.return_value = mock_filter_by
-        mock_filter_by.filter.return_value = mock_filter1
+        # Link the mocks in the chain: query.filter().filter().filter().filter().all()
+        mock_task.query.filter.return_value = mock_filter1
         mock_filter1.filter.return_value = mock_filter2
         mock_filter2.filter.return_value = mock_filter3
-        mock_filter3.all.return_value = expected_tasks
+        mock_filter3.filter.return_value = mock_filter4
+        mock_filter4.all.return_value = expected_tasks
         
         # Call the function
         result = get_tasks_due_soon(user_id=1)
@@ -269,9 +269,6 @@ def test_get_tasks_due_soon_success(self, mock_logger, mock_datetime, mock_task)
         self.assertEqual(result, expected_tasks)
         self.assertEqual(result[0].id, 1)
         self.assertEqual(result[1].id, 2)
-        
-        # Verify the Task query was called correctly
-        mock_task.query.filter_by.assert_called_once_with(assigned_to=1)
 
     @patch('backend.src.api.controllers.dashboard_controller.Task')
     @patch('backend.src.api.controllers.dashboard_controller.datetime')
@@ -287,18 +284,18 @@ def test_get_tasks_due_soon_no_tasks(self, mock_logger, mock_datetime, mock_task
         mock_now.date.return_value = today_date
         mock_datetime.now.return_value = mock_now
         
-        # Create the filter chain properly (deep mocking) that returns empty list
-        mock_filter_by = MagicMock()
+        # Create the filter chain properly (deep mocking) for 4 filters + all()
         mock_filter1 = MagicMock()
         mock_filter2 = MagicMock()
         mock_filter3 = MagicMock()
+        mock_filter4 = MagicMock()
         
-        # Link the mocks in the chain
-        mock_task.query.filter_by.return_value = mock_filter_by
-        mock_filter_by.filter.return_value = mock_filter1
+        # Link the mocks in the chain: query.filter().filter().filter().filter().all()
+        mock_task.query.filter.return_value = mock_filter1
         mock_filter1.filter.return_value = mock_filter2
         mock_filter2.filter.return_value = mock_filter3
-        mock_filter3.all.return_value = []
+        mock_filter3.filter.return_value = mock_filter4
+        mock_filter4.all.return_value = []
         
         # Call the function
         result = get_tasks_due_soon(user_id=1)
@@ -306,9 +303,6 @@ def test_get_tasks_due_soon_no_tasks(self, mock_logger, mock_datetime, mock_task
         # Assertions
         self.assertEqual(len(result), 0)
         self.assertEqual(result, [])
-        
-        # Verify the Task query was called correctly
-        mock_task.query.filter_by.assert_called_once_with(assigned_to=1)
 
     @patch('backend.src.api.controllers.dashboard_controller.Task')
     @patch('backend.src.api.controllers.dashboard_controller.datetime')
diff --git a/frontend/src/pages/AdminDashboard.jsx b/frontend/src/pages/AdminDashboard.jsx
index 6b6fd4e..ff7ae15 100644
--- a/frontend/src/pages/AdminDashboard.jsx
+++ b/frontend/src/pages/AdminDashboard.jsx
@@ -115,10 +115,14 @@ const AdminDashboard = () => {
         console.error('Failed to fetch team users:', userErr);
       }
       
-      // Fetch recent audit logs
+      // Fetch recent audit logs (admin-only)
       try {
-        const auditResponse = await auditLogService.getLogs({ per_page: 3, page: 1 });
-        setRecentAuditLogs(auditResponse?.logs || []);
+        if (currentUser?.role === 'admin') {
+          const auditResponse = await auditLogService.getLogs({ per_page: 3, page: 1 });
+          setRecentAuditLogs(auditResponse?.logs || []);
+        } else {
+          setRecentAuditLogs([]);
+        }
       } catch (auditErr) {
         console.error('Failed to fetch audit logs:', auditErr);
       }
@@ -130,7 +134,7 @@ const AdminDashboard = () => {
     } finally {
       setLoading(false);
     }
-  }, [timeRange]);
+  }, [currentUser?.role, timeRange]);
 
   useEffect(() => { fetchDashboardData(); }, [fetchDashboardData]);
 
diff --git a/frontend/src/pages/DeveloperProgress.jsx b/frontend/src/pages/DeveloperProgress.jsx
index ca57f06..56fa509 100644
--- a/frontend/src/pages/DeveloperProgress.jsx
+++ b/frontend/src/pages/DeveloperProgress.jsx
@@ -2,12 +2,15 @@ import React, { useState, useEffect } from 'react';
 import { Link } from 'react-router-dom';
 import { dashboardService } from '../services/utils/api';
 import LoadingSpinner from '../components/LoadingSpinner';
+import { useAuth } from '../context/AuthContext';
 
 const DeveloperProgress = () => {
   const [developers, setDevelopers] = useState([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState(null);
   const [filter, setFilter] = useState('all'); // all, active, completed
+  const { currentUser, is } = useAuth();
+  const isTeamLead = is('team_lead');
 
   useEffect(() => {
     const fetchDevelopersProgress = async () => {
@@ -15,7 +18,7 @@ const DeveloperProgress = () => {
         setLoading(true);
         
         // Fetch developers with their tasks and progress stats
-        const developersData = await dashboardService.getDeveloperProgressStats();
+        const developersData = await dashboardService.getDeveloperProgressStats({ currentUser });
         setDevelopers(developersData || []);
         
       } catch (err) {
@@ -27,7 +30,7 @@ const DeveloperProgress = () => {
     };
     
     fetchDevelopersProgress();
-  }, []);
+  }, [currentUser]);
 
   // Filter developers based on selected filter
   const filteredDevelopers = developers.filter(developer => {
@@ -62,7 +65,12 @@ const DeveloperProgress = () => {
   return (
     <div className="min-h-screen bg-slate-950 text-slate-100 font-['Space_Grotesk']">
       <div className="max-w-6xl mx-auto px-6 py-10 md:px-10">
-        <h1 className="text-2xl font-bold mb-10 text-slate-100">Developer Progress</h1>
+        <div className="mb-10">
+          <h1 className="text-2xl font-bold text-slate-100">Developer Progress</h1>
+          <p className="mt-2 text-sm text-slate-400">
+            {isTeamLead ? 'Showing developers on your shared project teams.' : 'Showing all developers.'}
+          </p>
+        </div>
         
         {/* Filter Controls */}
         <div className="mb-10 flex flex-wrap gap-2">
diff --git a/frontend/src/tests/pages/DeveloperProgress.test.jsx b/frontend/src/tests/pages/DeveloperProgress.test.jsx
index 3444d0b..517c592 100644
--- a/frontend/src/tests/pages/DeveloperProgress.test.jsx
+++ b/frontend/src/tests/pages/DeveloperProgress.test.jsx
@@ -4,6 +4,7 @@ import { MemoryRouter } from 'react-router-dom';
 
 import DeveloperProgress from '../../pages/DeveloperProgress';
 import { dashboardService } from '../../services/utils/api';
+import { useAuth } from '../../context/AuthContext';
 
 jest.mock('../../services/utils/api', () => ({
   dashboardService: {
@@ -11,6 +12,10 @@ jest.mock('../../services/utils/api', () => ({
   },
 }));
 
+jest.mock('../../context/AuthContext', () => ({
+  useAuth: jest.fn(),
+}));
+
 jest.mock('../../components/LoadingSpinner', () => () => <div>Loading spinner</div>);
 
 const renderDeveloperProgress = () => {
@@ -25,6 +30,11 @@ describe('DeveloperProgress page', () => {
   beforeEach(() => {
     jest.spyOn(console, 'error').mockImplementation(() => {});
 
+    useAuth.mockReturnValue({
+      currentUser: { id: 1, role: 'admin' },
+      is: jest.fn().mockReturnValue(false),
+    });
+
     dashboardService.getDeveloperProgressStats.mockReset();
     dashboardService.getDeveloperProgressStats.mockResolvedValue([
       {
@@ -125,4 +135,15 @@ describe('DeveloperProgress page', () => {
 
     expect(await screen.findByText(/Failed to load developer progress data. Please try again./i)).toBeInTheDocument();
   });
+
+  test('shows team lead scope message when the user is a team lead', async () => {
+    useAuth.mockReturnValue({
+      currentUser: { id: 2, role: 'team_lead' },
+      is: (role) => role === 'team_lead',
+    });
+
+    renderDeveloperProgress();
+
+    expect(await screen.findByText(/Showing developers on your shared project teams/i)).toBeInTheDocument();
+  });
 });

From 7e1e5d44de6cf641a7a35fc8dbbc6cbabcabeff8 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:11:11 +0100
Subject: [PATCH 30/37] feat: enhance dashboard functionality for team leads;
 update routing and task visibility

---
 .../test_auth_socket_dashboard_integration.py |  71 +++++++++
 frontend/src/App.jsx                          |   3 +-
 frontend/src/components/Navbar.jsx            |  12 +-
 frontend/src/services/utils/api.js            | 146 ++++++++++++++++--
 frontend/src/tests/components/Navbar.test.jsx |   5 +-
 frontend/src/tests/services/api.test.js       |   7 +-
 6 files changed, 213 insertions(+), 31 deletions(-)

diff --git a/backend/tests/integration/test_auth_socket_dashboard_integration.py b/backend/tests/integration/test_auth_socket_dashboard_integration.py
index 9adbf02..99a1e1b 100644
--- a/backend/tests/integration/test_auth_socket_dashboard_integration.py
+++ b/backend/tests/integration/test_auth_socket_dashboard_integration.py
@@ -312,6 +312,77 @@ class StubUser:
     assert payload['projects'][0]['name'] == 'Project A'
 
 
+def test_dashboard_client_route_scopes_team_leads_to_their_projects(client, app, monkeypatch):
+    shared_project = SimpleNamespace(id=5, name='Shared Project', status='active', created_by=21)
+    created_project = SimpleNamespace(id=8, name='Created Project', status='active', created_by=21)
+    user = SimpleNamespace(
+        id=21,
+        name='Team Lead',
+        role='team_lead',
+        projects=SimpleNamespace(all=lambda: [shared_project]),
+    )
+
+    scoped_tasks = [
+        SimpleNamespace(id=1, title='One', status='todo', project_id=5, updated_at=datetime(2099, 1, 3), created_at=datetime(2099, 1, 2), deadline=datetime(2099, 1, 6), assigned_to=None),
+        SimpleNamespace(id=2, title='Two', status='done', project_id=8, updated_at=datetime(2099, 1, 4), created_at=datetime(2099, 1, 1), deadline=datetime(2099, 1, 7), assigned_to=None),
+        SimpleNamespace(id=3, title='Three', status='in_progress', project_id=8, updated_at=datetime(2099, 1, 5), created_at=datetime(2099, 1, 5), deadline=datetime(2099, 1, 8), assigned_to=None),
+    ]
+    due_tasks = [SimpleNamespace(id=2, title='Two', deadline=datetime(2099, 1, 7), status='done', project_id=8)]
+    github_link = SimpleNamespace(id=1, task=SimpleNamespace(title='Two'), repository=SimpleNamespace(repo_name='Repo', repo_url='https://github.com/org/repo'), pull_request_number=None, issue_number=7, created_at=datetime(2099, 1, 6))
+
+    class StubUser:
+        query = MagicMock()
+
+    class StubProject:
+        query = MagicMock()
+
+    class StubTask:
+        query = MagicMock()
+        project_id = MagicMock()
+        assigned_to = MagicMock()
+
+    class StubLink:
+        query = MagicMock()
+
+    class StubRepo:
+        pass
+
+    StubUser.query.get.return_value = user
+    StubProject.query.filter_by.return_value.all.return_value = [created_project]
+
+    task_query = MagicMock()
+    task_query.filter.return_value = task_query
+    task_query.all.return_value = scoped_tasks
+    StubTask.query = task_query
+    StubTask.project_id.in_.return_value = MagicMock()
+
+    link_query = MagicMock()
+    link_query.join.return_value = link_query
+    link_query.outerjoin.return_value = link_query
+    link_query.filter.return_value = link_query
+    link_query.order_by.return_value = link_query
+    link_query.limit.return_value = link_query
+    link_query.all.return_value = [github_link]
+    StubLink.query = link_query
+
+    monkeypatch.setattr(dashboard_controller, 'User', StubUser)
+    monkeypatch.setattr(dashboard_controller, 'Project', StubProject)
+    monkeypatch.setattr(dashboard_controller, 'Task', StubTask)
+    monkeypatch.setattr(dashboard_controller, 'TaskGitHubLink', StubLink)
+    monkeypatch.setattr(dashboard_controller, 'GitHubRepository', StubRepo)
+    monkeypatch.setattr(dashboard_controller, 'get_tasks_due_soon', MagicMock(return_value=due_tasks))
+
+    response = client.get('/api/v1/dashboard/client', headers=auth_headers(app, role='team_lead', user_id=21))
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload['tasks']['total'] == 3
+    assert payload['tasks']['done'] == 1
+    assert [project['name'] for project in payload['projects']] == ['Shared Project', 'Created Project']
+    assert len(payload['recentTasks']) == 3
+    assert payload['tasks_due_soon'][0]['id'] == 2
+
+
 def test_dashboard_admin_route_returns_user_and_task_totals(client, app, monkeypatch):
     admin_user = SimpleNamespace(id=1, name='Admin User', role='admin')
     users = [
diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index f7bf61c..1566284 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -36,7 +36,8 @@ const AUTHENTICATED_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD, ROLES.ADMIN];
 const TASK_CREATOR_ROLES = [ROLES.DEVELOPER, ROLES.TEAM_LEAD, ROLES.ADMIN];
 const TEAM_LEAD_OR_ADMIN = [ROLES.TEAM_LEAD, ROLES.ADMIN];
 
-const getDashboardPath = (role) => (role === ROLES.ADMIN || role === ROLES.TEAM_LEAD ? '/admin' : '/BasicDashboard');
+// Team Leads should see the basic developer dashboard by default.
+const getDashboardPath = (role) => (role === ROLES.ADMIN ? '/admin' : '/BasicDashboard');
 
 const ProtectedRoute = ({ children, allowedRoles = [], requiredPermission = null }) => {
   const { currentUser, loading, can } = useAuth();
diff --git a/frontend/src/components/Navbar.jsx b/frontend/src/components/Navbar.jsx
index 3ffbdea..6265fe8 100644
--- a/frontend/src/components/Navbar.jsx
+++ b/frontend/src/components/Navbar.jsx
@@ -47,7 +47,7 @@ const Navbar = () => {
   
   const isAdmin = is('admin');
   const isTeamLead = is('team_lead');
-  const canCreateTasks = isAdmin || isTeamLead;
+  const dashboardPath = isAdmin ? '/admin' : '/BasicDashboard';
 
   return (
     <header className="bg-slate-950/80 backdrop-blur-md sticky top-0 z-50 font-['Space_Grotesk']">
@@ -63,7 +63,6 @@ const Navbar = () => {
               <Link to="/admin" className="transition hover:text-white">Dashboard</Link>
               <Link to="/tasks" className="transition hover:text-white">Tasks</Link>
               <Link to="/admin/projects" className="transition hover:text-white">Projects</Link>
-              <Link to="/admin/create-task" className="transition hover:text-white">Create Task</Link>
               <Link to="/admin/developer-progress" className="transition hover:text-white text-nowrap">Developer Progress</Link>
               <Link to="/admin/reports" className="transition hover:text-white">Reports</Link>
               <div className="relative group/dropdown">
@@ -81,10 +80,9 @@ const Navbar = () => {
             </>
           ) : isTeamLead ? (
             <>
-              <Link to="/admin" className="transition hover:text-white">Dashboard</Link>
+              <Link to={dashboardPath} className="transition hover:text-white">Dashboard</Link>
               <Link to="/tasks" className="transition hover:text-white">Tasks</Link>
               <Link to="/admin/projects" className="transition hover:text-white">Projects</Link>
-              <Link to="/admin/create-task" className="transition hover:text-white text-nowrap">Create Task</Link>
               <Link to="/admin/developer-progress" className="transition hover:text-white text-nowrap">Developer Progress</Link>
               <Link to="/admin/reports" className="transition hover:text-white">Reports</Link>
               <Link to="/github" className="transition hover:text-white">GitHub</Link>
@@ -177,7 +175,6 @@ const Navbar = () => {
             {isAdmin ? (
               <>
                 <Link to="/admin" className="text-slate-300 py-2 hover:text-white transition">Dashboard</Link>
-                <Link to="/admin/create-task" className="text-slate-300 py-2 hover:text-white transition">Create Task</Link>
                 <Link to="/admin/developer-progress" className="text-slate-300 py-2 hover:text-white transition">Developer Progress</Link>
                 <Link to="/admin/reports" className="text-slate-300 py-2 hover:text-white transition">Reports</Link>
                 <Link to="/admin/users" className="text-slate-300 py-2 hover:text-white transition">Users</Link>
@@ -187,11 +184,8 @@ const Navbar = () => {
               </>
             ) : isTeamLead ? (
               <>
-                <Link to="/admin" className="text-slate-300 py-2 hover:text-white transition">Dashboard</Link>
+                <Link to={dashboardPath} className="text-slate-300 py-2 hover:text-white transition">Dashboard</Link>
                 <Link to="/tasks" className="text-slate-300 py-2 hover:text-white transition">Tasks</Link>
-                {canCreateTasks && (
-                  <Link to="/admin/create-task" className="text-slate-300 py-2 hover:text-white transition">Create Task</Link>
-                )}
                 <Link to="/admin/reports" className="text-slate-300 py-2 hover:text-white transition">Reports</Link>
                 <Link to="/github" className="text-slate-300 py-2 hover:text-white transition">GitHub</Link>
               </>
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index 158fcad..7405c98 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -200,8 +200,23 @@ const fetchWithAuth = async (endpoint, options = {}) => {
 // Task related API calls
 const taskService = {
   getAllTasks: async () => {
+    getAllTasks: async (params) => {
     try {
-      const response = await fetchWithAuth('tasks');
+      let endpoint = 'tasks';
+      if (params) {
+        if (typeof params === 'string') {
+          endpoint = `tasks${params.startsWith('?') ? params : `?${params}`}`;
+        } else if (typeof params === 'object') {
+          const ps = new URLSearchParams();
+          Object.keys(params).forEach((k) => {
+            if (params[k] !== undefined && params[k] !== null) ps.set(k, String(params[k]));
+          });
+          const qs = ps.toString();
+          if (qs) endpoint = `tasks?${qs}`;
+        }
+      }
+
+      const response = await fetchWithAuth(endpoint);
       const tasks = response?.tasks ?? response;
       return Array.isArray(tasks) ? tasks : [];
     } catch (error) {
@@ -433,26 +448,34 @@ const normalizeAdminDashboardTasks = (tasks = {}) => {
 };
 
 const buildDeveloperProgress = (users, tasks) => {
-  const progressTrackingRoles = new Set(['developer', 'team_lead']);
+  const progressTrackingRoles = new Set(['admin', 'developer', 'team_lead']);
   const tasksByAssignee = new Map();
 
-  tasks.forEach((task) => {
-    if (task?.assigned_to === null || task?.assigned_to === undefined) {
-      return;
-    }
-
-    const assigneeKey = String(task.assigned_to);
-    if (!tasksByAssignee.has(assigneeKey)) {
-      tasksByAssignee.set(assigneeKey, []);
-    }
+  const getAssigneeId = (task) => {
+    if (!task) return null;
+    if (task.assigned_to !== undefined && task.assigned_to !== null) return task.assigned_to;
+    if (task.assignedTo !== undefined && task.assignedTo !== null) return task.assignedTo;
+    if (task.assignee !== undefined && task.assignee !== null) return task.assignee;
+    return null;
+  };
 
+  tasks.forEach((task) => {
+    const assignee = getAssigneeId(task);
+    if (assignee === null || assignee === undefined) return;
+    const assigneeKey = String(assignee);
+    if (!tasksByAssignee.has(assigneeKey)) tasksByAssignee.set(assigneeKey, []);
     tasksByAssignee.get(assigneeKey).push(task);
   });
 
+  console.log('[buildDeveloperProgress] Tasks by assignee:', tasksByAssignee);
+  console.log('[buildDeveloperProgress] Total tasks with assignees:', Array.from(tasksByAssignee.values()).flat().length);
+
   return users
     .filter((user) => progressTrackingRoles.has(user.role))
     .map((user) => {
       const userTasks = tasksByAssignee.get(String(user.id)) || [];
+      console.log(`[buildDeveloperProgress] User ${user.id} (${user.name}): ${userTasks.length} tasks`);
+      
       let completedCount = 0;
 
       userTasks.forEach((task) => {
@@ -627,17 +650,110 @@ const dashboardService = {
     }
   },
 
-  getDeveloperProgressStats: async () => {
+  getDeveloperProgressStats: async (options = {}) => {
     try {
-      const [usersResponse, tasks] = await Promise.all([
+      const [usersResponse, tasks, projects] = await Promise.all([
         fetchWithAuth('users'),
-        taskService.getAllTasks()
+        taskService.getAllTasks(),
+        projectService.getAllProjects()
       ]);
 
       const users = Array.isArray(usersResponse?.users) ? usersResponse.users : [];
       const allTasks = Array.isArray(tasks) ? tasks : [];
+      const allProjects = Array.isArray(projects) ? projects : [];
+      const currentUser = options.currentUser || null;
+
+      console.log('[getDeveloperProgressStats] Users:', users.length);
+      console.log('[getDeveloperProgressStats] Tasks:', allTasks.length, allTasks.slice(0, 3));
+      console.log('[getDeveloperProgressStats] Projects:', allProjects.length);
+      console.log('[getDeveloperProgressStats] currentUser:', currentUser);
+
+      const scopedProjectIds = new Set();
+      if (currentUser?.role === 'team_lead' && currentUser?.id) {
+        allProjects.forEach((project) => {
+          const teamMembers = Array.isArray(project?.team_members) ? project.team_members : [];
+          const teamMemberIds = teamMembers.map((member) => Number(member?.id)).filter(Number.isFinite);
+          const isProjectCreator = Number(project?.created_by) === Number(currentUser.id);
+          const isOnProjectTeam = teamMemberIds.includes(Number(currentUser.id));
+
+          if (isProjectCreator || isOnProjectTeam) {
+            scopedProjectIds.add(Number(project.id));
+          }
+        });
+      }
+
+      const isTeamLead = currentUser?.role === 'team_lead';
+      // Debug: show sample task/project fields to help diagnose scoping issues
+      try {
+        console.log('[getDeveloperProgressStats] Sample tasks:', allTasks.slice(0, 5).map(t => ({ id: t.id, project_id: t.project_id, assigned_to: t.assigned_to })));
+        console.log('[getDeveloperProgressStats] Sample projects:', allProjects.map(p => ({ id: p.id, created_by: p.created_by, team_members: (p.team_members || []).map(m => ({ id: m.id, role: m.role })) })).slice(0,5));
+      } catch (e) {
+        console.warn('[getDeveloperProgressStats] Debug logging failed', e);
+      }
+
+      if (isTeamLead && scopedProjectIds.size === 0) {
+        console.log('[getDeveloperProgressStats] TL with no scoped projects, returning []');
+        return [];
+      }
+
+      const scopedUsers = isTeamLead && scopedProjectIds.size > 0
+        ? users.filter((user) => {
+          if (!['admin', 'developer', 'team_lead'].includes(user.role)) {
+            return false;
+          }
+
+          return allProjects.some((project) => {
+            if (!scopedProjectIds.has(Number(project.id))) {
+              return false;
+            }
+
+            return Array.isArray(project?.team_members)
+              ? project.team_members.some((member) => Number(member?.id) === Number(user.id) && ['admin', 'developer', 'team_lead'].includes(member?.role))
+              : false;
+          });
+        })
+        : users;
+
+      const getTaskProjectId = (task) => {
+        if (!task) return null;
+        if (task.project_id !== undefined && task.project_id !== null) return task.project_id;
+        if (task.projectId !== undefined && task.projectId !== null) return task.projectId;
+        if (task.project && task.project.id !== undefined && task.project.id !== null) return task.project.id;
+        return null;
+      };
+
+      const scopedUserIds = new Set((isTeamLead ? scopedUsers.map(u => Number(u.id)).filter(Number.isFinite) : []));
+
+      const getTaskAssigneeId = (task) => {
+        if (!task) return null;
+        if (task.assigned_to !== undefined && task.assigned_to !== null) return task.assigned_to;
+        if (task.assignedTo !== undefined && task.assignedTo !== null) return task.assignedTo;
+        if (task.assignee !== undefined && task.assignee !== null) return task.assignee;
+        return null;
+      };
+
+      const scopedTasks = isTeamLead && scopedProjectIds.size > 0
+        ? allTasks.filter((task) => {
+          const pid = getTaskProjectId(task);
+          const aid = getTaskAssigneeId(task);
+          const inProject = pid !== null && scopedProjectIds.has(Number(pid));
+          const assignedToTeam = aid !== null && scopedUserIds.has(Number(aid));
+          return inProject || assignedToTeam;
+        })
+        : allTasks;
+      if (isTeamLead && scopedProjectIds.size > 0 && scopedTasks.length === 0) {
+        console.warn('[getDeveloperProgressStats] No scoped tasks found for TL - inspecting all tasks vs scopedProjectIds', Array.from(scopedProjectIds));
+        allTasks.forEach((task) => {
+          console.log('[getDeveloperProgressStats] task:', task.id, 'project_id:', task.project_id, 'Number(project_id):', Number(task.project_id));
+        });
+      }
+
+      console.log('[getDeveloperProgressStats] Scoped users:', scopedUsers.length);
+      console.log('[getDeveloperProgressStats] Scoped tasks:', scopedTasks.length, scopedTasks.slice(0, 3));
 
-      return buildDeveloperProgress(users, allTasks);
+      const result = buildDeveloperProgress(scopedUsers, scopedTasks);
+      console.log('[getDeveloperProgressStats] Result:', result);
+      return result;
     } catch (error) {
       console.error('Failed to fetch developer progress stats:', error);
       return [];
diff --git a/frontend/src/tests/components/Navbar.test.jsx b/frontend/src/tests/components/Navbar.test.jsx
index ae65398..57e867c 100644
--- a/frontend/src/tests/components/Navbar.test.jsx
+++ b/frontend/src/tests/components/Navbar.test.jsx
@@ -91,7 +91,6 @@ describe('Navbar component', () => {
     renderNavbar();
 
     expect(screen.getAllByText('Dashboard').length).toBeGreaterThan(0);
-    expect(screen.getAllByText('Create Task').length).toBeGreaterThan(0);
     expect(screen.getAllByText('Developer Progress').length).toBeGreaterThan(0);
     expect(screen.getAllByText('Reports').length).toBeGreaterThan(0);
     expect(screen.getAllByText('GitHub').length).toBeGreaterThan(0);
@@ -145,7 +144,7 @@ describe('Navbar component', () => {
     expect(screen.queryByText('Create Task')).not.toBeInTheDocument();
   });
 
-  test('shows task creation link for team leads', () => {
+  test('does not show task creation link for team leads', () => {
     useAuth.mockReturnValue({
       currentUser: {
         id: 3,
@@ -160,7 +159,7 @@ describe('Navbar component', () => {
 
     renderNavbar();
 
-    expect(screen.getAllByText('Create Task').length).toBeGreaterThan(0);
+    expect(screen.queryByText('Create Task')).not.toBeInTheDocument();
   });
 
   test('shows logging out state while logout is in progress', async () => {
diff --git a/frontend/src/tests/services/api.test.js b/frontend/src/tests/services/api.test.js
index 1783973..32baffb 100644
--- a/frontend/src/tests/services/api.test.js
+++ b/frontend/src/tests/services/api.test.js
@@ -234,8 +234,9 @@ describe('api utilities', () => {
 
     const progress = await dashboardService.getDeveloperProgressStats();
 
-    expect(progress).toHaveLength(2);
+    expect(progress).toHaveLength(3);
     expect(progress.find((item) => item.id === 1).completed_tasks).toBe(1);
+    expect(progress.find((item) => item.id === 2)).toBeDefined();
     expect(progress.find((item) => item.id === 3).completed_tasks).toBe(1);
   });
 
@@ -467,7 +468,7 @@ describe('api utilities', () => {
     expect(cachedReport.meta.cache_hit).toBe(true);
   });
 
-  test('buildDeveloperProgress: admin role is excluded, team_lead included', async () => {
+  test('buildDeveloperProgress: admin role is included along with team_lead', async () => {
     global.fetch.mockResolvedValueOnce(
       buildResponse({ users: [
         { id: 1, name: 'Admin', role: 'admin' },
@@ -477,7 +478,7 @@ describe('api utilities', () => {
     global.fetch.mockResolvedValueOnce(buildResponse({ tasks: [] }));
 
     const progress = await dashboardService.getDeveloperProgressStats();
-    expect(progress.find((p) => p.id === 1)).toBeUndefined();
+    expect(progress.find((p) => p.id === 1)).toBeDefined();
     expect(progress.find((p) => p.id === 2)).toBeDefined();
   });
 

From d934d3cd7e0693e75f83b75b6015b5428d3271f9 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:11:17 +0100
Subject: [PATCH 31/37] refactor: clean up task status styling in TaskList
 component

---
 docs/backend/rbac.md            |  1 -
 frontend/src/pages/TaskList.jsx | 10 +++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/docs/backend/rbac.md b/docs/backend/rbac.md
index 7fc1222..5f8006f 100644
--- a/docs/backend/rbac.md
+++ b/docs/backend/rbac.md
@@ -39,7 +39,6 @@ All Developer permissions, plus:
 - Create new tasks / assign tasks (`can_assign_tasks`)
 - Update any task (`can_update_any_task`)
 - View all users (`can_view_all_users`)
-- View system statistics (`can_view_system_stats`)
 - Manage projects (`can_manage_projects`)
 - Generate and view reports
 - View developer progress
diff --git a/frontend/src/pages/TaskList.jsx b/frontend/src/pages/TaskList.jsx
index e22a4ba..0693e38 100644
--- a/frontend/src/pages/TaskList.jsx
+++ b/frontend/src/pages/TaskList.jsx
@@ -87,11 +87,11 @@ const TaskList = () => {
   // Get status badge color and format status text
   const getStatusInfo = (status) => {
     const statusMap = {
-      'todo': { class: 'bg-slate-800/70 text-slate-300', text: 'To Do' },
-      'backlog': { class: 'bg-slate-800/70 text-slate-300', text: 'Backlog' },
-      'in_progress': { class: 'bg-amber-500/15 text-amber-200', text: 'In Progress' },
-      'review': { class: 'bg-sky-500/15 text-sky-200', text: 'Review' },
-      'completed': { class: 'bg-emerald-500/15 text-emerald-200', text: 'Completed' }
+      'todo': { class: 'text-slate-300', text: 'To Do' },
+      'backlog': { class: 'text-slate-300', text: 'Backlog' },
+      'in_progress': { class: 'text-amber-200', text: 'In Progress' },
+      'review': { class: 'text-sky-200', text: 'Review' },
+      'completed': { class: 'text-emerald-200', text: 'Completed' }
     };
     
     return statusMap[status] || { class: 'bg-gray-100 text-gray-800', text: status };

From 49a2d89c65df144a233f7326195670fd2e9c666a Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:17:38 +0100
Subject: [PATCH 32/37] feat: enhance task fetching with support for query
 parameters and deep-linking

---
 frontend/src/pages/TaskList.jsx    | 31 ++++++++++++++++++++++++------
 frontend/src/services/utils/api.js | 18 ++++++++++-------
 2 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/frontend/src/pages/TaskList.jsx b/frontend/src/pages/TaskList.jsx
index 0693e38..cbdd899 100644
--- a/frontend/src/pages/TaskList.jsx
+++ b/frontend/src/pages/TaskList.jsx
@@ -20,15 +20,27 @@ const TaskList = () => {
   
   const canCreateTasks = Boolean(currentUser);
 
-  // Fetch tasks when component mounts
+  const urlParams = new URLSearchParams(window.location.search);
+  const requestedAssignee = urlParams.get('assigned_to') || urlParams.get('assignee');
+
+  // Fetch tasks once; honor deep-link assignee query if provided
   useEffect(() => {
+    const initialUrlParams = new URLSearchParams(window.location.search);
+    const initialAssignee = initialUrlParams.get('assigned_to') || initialUrlParams.get('assignee');
+
+    if (initialAssignee) {
+      setFilters((prev) => ({ ...prev, scope: 'my' }));
+      fetchTasks({ assigned_to: initialAssignee });
+      return;
+    }
+
     fetchTasks();
   }, []);
 
-  const fetchTasks = async () => {
+  const fetchTasks = async (params = null) => {
     try {
       setLoading(true);
-      const tasksData = await taskService.getAllTasks();
+      const tasksData = await taskService.getAllTasks(params);
       setTasks(Array.isArray(tasksData) ? tasksData : []);
       setError(null);
     } catch (err) {
@@ -126,8 +138,15 @@ const TaskList = () => {
     }
     
     // Filter by scope (My Tasks vs All Tasks)
-    if (filters.scope === 'my' && task.assigned_to !== currentUser?.id) {
-      return false;
+    if (filters.scope === 'my') {
+      const targetAssigneeId = requestedAssignee ?? currentUser?.id;
+      if (targetAssigneeId === undefined || targetAssigneeId === null) {
+        return false;
+      }
+
+      if (Number(task.assigned_to) !== Number(targetAssigneeId)) {
+        return false;
+      }
     }
     
     return true;
@@ -277,7 +296,7 @@ const TaskList = () => {
               <p className="mt-2 text-lg">No tasks found matching your filters</p>
               {filters.status !== 'all' || filters.priority !== 'all' || filters.search ? (
                 <button
-                  onClick={() => setFilters({ status: 'all', priority: 'all', search: '' })}
+                  onClick={() => setFilters({ status: 'all', priority: 'all', search: '', scope: requestedAssignee ? 'my' : 'all' })}
                   className="mt-3 text-rose-300 hover:text-rose-200"
                 >
                   Clear filters
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index 7405c98..e140d7b 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -199,20 +199,24 @@ const fetchWithAuth = async (endpoint, options = {}) => {
 
 // Task related API calls
 const taskService = {
-  getAllTasks: async () => {
-    getAllTasks: async (params) => {
+  getAllTasks: async (params = null) => {
     try {
       let endpoint = 'tasks';
+
       if (params) {
         if (typeof params === 'string') {
           endpoint = `tasks${params.startsWith('?') ? params : `?${params}`}`;
         } else if (typeof params === 'object') {
-          const ps = new URLSearchParams();
-          Object.keys(params).forEach((k) => {
-            if (params[k] !== undefined && params[k] !== null) ps.set(k, String(params[k]));
+          const queryParams = new URLSearchParams();
+          Object.entries(params).forEach(([key, value]) => {
+            if (value !== undefined && value !== null && value !== '') {
+              queryParams.set(key, String(value));
+            }
           });
-          const qs = ps.toString();
-          if (qs) endpoint = `tasks?${qs}`;
+          const queryString = queryParams.toString();
+          if (queryString) {
+            endpoint = `tasks?${queryString}`;
+          }
         }
       }
 

From b600eafa3c4c27dd616105f6dc43430c99c751ae Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:21:35 +0100
Subject: [PATCH 33/37] feat: integrate authentication context and update
 dashboard navigation in AdminProjects

---
 frontend/src/pages/AdminProjects.jsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/src/pages/AdminProjects.jsx b/frontend/src/pages/AdminProjects.jsx
index 0301acb..96bb46e 100644
--- a/frontend/src/pages/AdminProjects.jsx
+++ b/frontend/src/pages/AdminProjects.jsx
@@ -1,6 +1,7 @@
 import React, { useEffect, useMemo, useState } from 'react';
 import { Link } from 'react-router-dom';
 import LoadingSpinner from '../components/LoadingSpinner';
+import { useAuth } from '../context/AuthContext';
 import { projectService } from '../services/utils/api';
 
 const statusClasses = {
@@ -35,10 +36,12 @@ const formatDate = (value) => {
 };
 
 const AdminProjects = () => {
+  const { currentUser } = useAuth();
   const [projects, setProjects] = useState([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState(null);
   const [search, setSearch] = useState('');
+  const dashboardPath = currentUser?.role === 'admin' ? '/admin' : '/BasicDashboard';
 
   const loadProjects = async () => {
     try {
@@ -103,7 +106,7 @@ const AdminProjects = () => {
                 Create Project
               </Link>
               <Link
-                to="/admin"
+                to={dashboardPath}
                 className="inline-flex items-center px-4 py-2 rounded-full border border-slate-700/70 text-slate-300 hover:text-slate-100 hover:border-slate-500"
               >
                 Back to Dashboard

From 0a9c95d19d980acb78d3acd8928f64fd71d3bd7d Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:30:32 +0100
Subject: [PATCH 34/37] feat: add delete notification functionality and enhance
 Notifications component

---
 frontend/src/components/Notifications.jsx    | 49 ++++++++++++++++++--
 frontend/src/context/NotificationContext.jsx | 18 +++++++
 frontend/src/services/utils/api.js           | 34 +++++++++++++-
 3 files changed, 96 insertions(+), 5 deletions(-)

diff --git a/frontend/src/components/Notifications.jsx b/frontend/src/components/Notifications.jsx
index 511caf7..6f2e480 100644
--- a/frontend/src/components/Notifications.jsx
+++ b/frontend/src/components/Notifications.jsx
@@ -1,9 +1,17 @@
-import React from 'react';
+import React, { useState } from 'react';
 import { notificationService } from '../services/utils/api';
 import { useNotifications } from '../context/NotificationContext';
 
-function Notifications({ notifications = [], onNotificationUpdate, onMarkRead }) {
-  const { isLoading, error, rateLimited, refreshNotifications, markAsRead: markContextAsRead } = useNotifications();
+function Notifications({ notifications = [], onNotificationUpdate, onMarkRead, onDelete }) {
+  const [deletingId, setDeletingId] = useState(null);
+  const {
+    isLoading,
+    error,
+    rateLimited,
+    refreshNotifications,
+    markAsRead: markContextAsRead,
+    deleteNotification: deleteContextNotification
+  } = useNotifications();
 
   const handleNotificationClick = async (notificationId) => {
     if (!notificationId) return;
@@ -26,6 +34,31 @@ function Notifications({ notifications = [], onNotificationUpdate, onMarkRead })
     }
   };
 
+  const handleDeleteNotification = async (event, notificationId) => {
+    event.stopPropagation();
+    if (!notificationId || deletingId === notificationId) return;
+
+    try {
+      setDeletingId(notificationId);
+
+      if (typeof onDelete === 'function') {
+        await onDelete(notificationId);
+      } else if (typeof deleteContextNotification === 'function') {
+        await deleteContextNotification(notificationId);
+      } else {
+        await notificationService.deleteNotification(notificationId);
+      }
+
+      if (typeof onNotificationUpdate === 'function') {
+        onNotificationUpdate();
+      }
+    } catch (error) {
+      console.error('Failed to delete notification:', error);
+    } finally {
+      setDeletingId(null);
+    }
+  };
+
   // Handle rate limited state
   if (rateLimited) {
     return (
@@ -117,6 +150,16 @@ function Notifications({ notifications = [], onNotificationUpdate, onMarkRead })
                   {createdAt}
                 </div>
               </div>
+              <div className="mt-3 flex justify-end">
+                <button
+                  type="button"
+                  onClick={(event) => handleDeleteNotification(event, notificationId)}
+                  disabled={deletingId === notificationId}
+                  className="rounded-md border border-rose-400/30 px-2 py-1 text-[11px] font-medium text-rose-300 transition hover:border-rose-300 hover:text-rose-200 disabled:cursor-not-allowed disabled:opacity-60"
+                >
+                  {deletingId === notificationId ? 'Deleting...' : 'Delete'}
+                </button>
+              </div>
             </div>
           );
         })}
diff --git a/frontend/src/context/NotificationContext.jsx b/frontend/src/context/NotificationContext.jsx
index c815c2a..fd35f99 100644
--- a/frontend/src/context/NotificationContext.jsx
+++ b/frontend/src/context/NotificationContext.jsx
@@ -358,6 +358,23 @@ export const NotificationProvider = ({ children }) => {
       refreshNotifications(true);
     }
   };
+
+  const deleteNotification = async (notificationId) => {
+    if (serverDown) {
+      console.log('Server appears to be down, cannot delete notification');
+      return;
+    }
+
+    const previousNotifications = notifications;
+
+    try {
+      setNotifications((prev) => prev.filter((notification) => notification.id !== notificationId));
+      await notificationService.deleteNotification(notificationId);
+    } catch (error) {
+      console.error('Failed to delete notification:', error);
+      setNotifications(previousNotifications);
+    }
+  };
   
   // Mark all notifications as read
   const markAllAsRead = async () => {
@@ -391,6 +408,7 @@ export const NotificationProvider = ({ children }) => {
     notifications,
     unreadCount,
     markAsRead,
+    deleteNotification,
     markAllAsRead,
     refreshNotifications,
     isConnected,
diff --git a/frontend/src/services/utils/api.js b/frontend/src/services/utils/api.js
index e140d7b..e2ebbdb 100644
--- a/frontend/src/services/utils/api.js
+++ b/frontend/src/services/utils/api.js
@@ -518,6 +518,29 @@ const getReportCacheScope = () => {
 
 const getReportCacheKey = (reportType, dateRange) => `${getReportCacheScope()}:${reportType}:${dateRange}`;
 
+const normalizeTaskReportDetails = (tasks = [], users = []) => {
+  const usersById = new Map(
+    (Array.isArray(users) ? users : []).map((user) => [Number(user?.id), user?.name])
+  );
+
+  return (Array.isArray(tasks) ? tasks : []).map((task) => {
+    const assigneeId = task?.assigned_to ?? task?.assignedTo ?? null;
+    const explicitAssigneeName = typeof task?.assignee === 'object'
+      ? task?.assignee?.name
+      : null;
+
+    return {
+      ...task,
+      assignee_name:
+        task?.assignee_name
+        || task?.assigneeName
+        || explicitAssigneeName
+        || usersById.get(Number(assigneeId))
+        || null,
+    };
+  });
+};
+
 const addReportMeta = (reportData, meta = {}) => ({
   ...reportData,
   meta: {
@@ -611,7 +634,7 @@ const getReportDataFromNetwork = async (reportType = 'tasks', dateRange = 'week'
       overdue,
       team_members: users.length
     },
-    details: scopedTasks
+    details: normalizeTaskReportDetails(scopedTasks, users)
   };
 };
 
@@ -1104,6 +1127,12 @@ const notificationService = {
     return await fetchWithAuth('notifications/read-all', {
       method: 'PUT'
     });
+  },
+
+  deleteNotification: async (notificationId) => {
+    return await fetchWithAuth(`notifications/${notificationId}`, {
+      method: 'DELETE'
+    });
   }
 };
 
@@ -1279,5 +1308,6 @@ export {
   reportService,
   adminUserService,
   settingsService,
-  auditLogService
+  auditLogService,
+  normalizeTaskReportDetails
 };

From 64151537c27bcd5e2a61029187e46cc49267f380 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:37:41 +0100
Subject: [PATCH 35/37] feat: enhance audit log functionality with actor name
 resolution and add tests for AdminAuditLogs

---
 .../src/api/controllers/audit_controller.py   |  60 +++++----
 .../unit/controllers/test_audit_controller.py | 123 ++++++++++++++++++
 frontend/src/components/ReportTable.jsx       |   6 +-
 frontend/src/pages/AdminAuditLogs.jsx         |   4 +-
 frontend/src/pages/Reports.jsx                |  12 +-
 .../src/tests/components/ReportTable.test.jsx |   1 +
 .../src/tests/pages/AdminAuditLogs.test.jsx   |  68 ++++++++++
 .../src/tests/pages/AdminProjects.test.jsx    |   9 ++
 .../src/tests/services/utils/api.test.jsx     |  24 ++++
 9 files changed, 274 insertions(+), 33 deletions(-)
 create mode 100644 backend/tests/unit/controllers/test_audit_controller.py
 create mode 100644 frontend/src/tests/pages/AdminAuditLogs.test.jsx
 create mode 100644 frontend/src/tests/services/utils/api.test.jsx

diff --git a/backend/src/api/controllers/audit_controller.py b/backend/src/api/controllers/audit_controller.py
index 8c996ea..3a98064 100644
--- a/backend/src/api/controllers/audit_controller.py
+++ b/backend/src/api/controllers/audit_controller.py
@@ -1,7 +1,35 @@
 """Audit Log Controller"""
 
 from flask import request, jsonify
-from ...db.models import AuditLog
+from ...db.models import AuditLog, User
+
+
+def _build_actor_name_map(logs):
+    actor_ids = {log.actor_user_id for log in logs if getattr(log, 'actor_user_id', None) is not None}
+    if not actor_ids:
+        return {}
+
+    users = User.query.filter(User.id.in_(actor_ids)).all()
+    return {user.id: user.name for user in users}
+
+
+def _serialize_audit_log(log, actor_name_map=None):
+    actor_name_map = actor_name_map or {}
+    actor_user_id = log.actor_user_id
+
+    return {
+        'id': log.id,
+        'actor_user_id': actor_user_id,
+        'actor_name': actor_name_map.get(actor_user_id),
+        'actor_role': log.actor_role,
+        'action': log.action,
+        'resource_type': log.resource_type,
+        'resource_id': log.resource_id,
+        'ip': log.ip,
+        'user_agent': log.user_agent,
+        'metadata': log.metadata_info,
+        'created_at': log.created_at.isoformat() if log.created_at else None
+    }
 
 def get_audit_logs():
     """Get paginated and filtered audit logs"""
@@ -28,18 +56,8 @@ def get_audit_logs():
         page=page, per_page=per_page, error_out=False
     )
     
-    logs_data = [{
-        'id': log.id,
-        'actor_user_id': log.actor_user_id,
-        'actor_role': log.actor_role,
-        'action': log.action,
-        'resource_type': log.resource_type,
-        'resource_id': log.resource_id,
-        'ip': log.ip,
-        'user_agent': log.user_agent,
-        'metadata': log.metadata_info,
-        'created_at': log.created_at.isoformat() if log.created_at else None
-    } for log in pagination.items]
+    actor_name_map = _build_actor_name_map(pagination.items)
+    logs_data = [_serialize_audit_log(log, actor_name_map) for log in pagination.items]
     
     return jsonify({
         'logs': logs_data,
@@ -51,18 +69,14 @@ def get_audit_logs():
 def get_audit_log_by_id(log_id):
     """Get a specific audit log"""
     log = AuditLog.query.get_or_404(log_id)
+    actor_name = None
+
+    if log.actor_user_id is not None:
+        actor = User.query.get(log.actor_user_id)
+        actor_name = actor.name if actor else None
     
     return jsonify({
         'log': {
-            'id': log.id,
-            'actor_user_id': log.actor_user_id,
-            'actor_role': log.actor_role,
-            'action': log.action,
-            'resource_type': log.resource_type,
-            'resource_id': log.resource_id,
-            'ip': log.ip,
-            'user_agent': log.user_agent,
-            'metadata': log.metadata_info,
-            'created_at': log.created_at.isoformat() if log.created_at else None
+            **_serialize_audit_log(log, {log.actor_user_id: actor_name} if actor_name else {}),
         }
     })
diff --git a/backend/tests/unit/controllers/test_audit_controller.py b/backend/tests/unit/controllers/test_audit_controller.py
new file mode 100644
index 0000000..b8e3a80
--- /dev/null
+++ b/backend/tests/unit/controllers/test_audit_controller.py
@@ -0,0 +1,123 @@
+"""Tests for audit controller name resolution."""
+from types import SimpleNamespace
+
+import pytest
+
+from src.api.controllers import audit_controller
+
+
+class FakePagination:
+    def __init__(self, items):
+        self.items = items
+        self.total = len(items)
+        self.pages = 1
+
+
+class FakeQuery:
+    def __init__(self, items):
+        self.items = items
+
+    def filter(self, *args, **kwargs):
+        return self
+
+    def filter_by(self, *args, **kwargs):
+        return self
+
+    def order_by(self, *args, **kwargs):
+        return self
+
+    def paginate(self, *args, **kwargs):
+        return FakePagination(self.items)
+
+    def get_or_404(self, log_id):
+        for item in self.items:
+            if item.id == log_id:
+                return item
+        raise LookupError(log_id)
+
+
+class FakeUserColumn:
+    def in_(self, values):
+        return values
+
+
+class FakeAuditColumn:
+    def desc(self):
+        return self
+
+    def ilike(self, value):
+        return value
+
+
+class FakeUserQuery:
+    def __init__(self, users):
+        self.users = users
+
+    def filter(self, *args, **kwargs):
+        return self
+
+    def all(self):
+        return self.users
+
+    def get(self, user_id):
+        for user in self.users:
+            if user.id == user_id:
+                return user
+        return None
+
+
+@pytest.fixture
+def audit_logs():
+    return [
+        SimpleNamespace(
+            id=1,
+            actor_user_id=7,
+            actor_role='admin',
+            action='user_created',
+            resource_type='user',
+            resource_id='42',
+            ip='127.0.0.1',
+            user_agent='pytest',
+            metadata_info=None,
+            created_at=None,
+        )
+    ]
+
+
+@pytest.fixture
+def users():
+    return [SimpleNamespace(id=7, name='Admin User')]
+
+
+@pytest.fixture
+def fake_models(monkeypatch, audit_logs, users):
+    monkeypatch.setattr(
+        audit_controller,
+        'AuditLog',
+        SimpleNamespace(query=FakeQuery(audit_logs), created_at=FakeAuditColumn(), action=FakeAuditColumn()),
+    )
+    monkeypatch.setattr(
+        audit_controller,
+        'User',
+        SimpleNamespace(query=FakeUserQuery(users), id=FakeUserColumn()),
+    )
+
+
+def test_get_audit_logs_includes_actor_name(app, client, monkeypatch, fake_models):
+    with app.test_request_context('/api/v1/admin/audit-logs'):
+        response = audit_controller.get_audit_logs()
+
+    assert response.status_code == 200
+    data = response.get_json()
+    assert data['logs'][0]['actor_name'] == 'Admin User'
+    assert data['logs'][0]['actor_user_id'] == 7
+
+
+def test_get_audit_log_by_id_includes_actor_name(app, client, monkeypatch, fake_models):
+    with app.test_request_context('/api/v1/admin/audit-logs/1'):
+        response = audit_controller.get_audit_log_by_id(1)
+
+    assert response.status_code == 200
+    data = response.get_json()
+    assert data['log']['actor_name'] == 'Admin User'
+    assert data['log']['actor_user_id'] == 7
diff --git a/frontend/src/components/ReportTable.jsx b/frontend/src/components/ReportTable.jsx
index 647bc7f..df9951c 100644
--- a/frontend/src/components/ReportTable.jsx
+++ b/frontend/src/components/ReportTable.jsx
@@ -173,15 +173,15 @@ const ReportTable = ({ data = [], type }) => {
   
   if (!data || data.length === 0) {
     return (
-      <div className="text-center py-6 text-slate-400">
+      <div className="flex h-full items-center justify-center text-center py-6 text-slate-400">
         No data available for this report
       </div>
     );
   }
   
   return (
-    <div>
-      <div className="overflow-x-auto">
+    <div className="flex h-full flex-col">
+      <div className="flex-1 min-h-0 overflow-auto">
         <table className="min-w-full divide-y divide-slate-700/70">
           <thead className="bg-slate-800/60">
             <tr>
diff --git a/frontend/src/pages/AdminAuditLogs.jsx b/frontend/src/pages/AdminAuditLogs.jsx
index f91810c..1e9fb4d 100644
--- a/frontend/src/pages/AdminAuditLogs.jsx
+++ b/frontend/src/pages/AdminAuditLogs.jsx
@@ -88,7 +88,7 @@ const AdminAuditLogs = () => {
                         </span>
                       </td>
                       <td className="px-4 py-3 text-sm">
-                        {log.actor_user_id ? `User ${log.actor_user_id}` : 'System'}
+                        {log.actor_name || (log.actor_user_id ? `User ${log.actor_user_id}` : 'System')}
                         {log.actor_role && <span className="ml-1 text-xs text-slate-500">({log.actor_role})</span>}
                       </td>
                       <td className="px-4 py-3 text-sm text-slate-300">
@@ -129,7 +129,7 @@ const AdminAuditLogs = () => {
             <div className="bg-slate-900 border border-slate-700 rounded-xl p-6 w-full max-w-lg max-h-[80vh] overflow-y-auto">
               <h2 className="text-lg font-semibold mb-4">Audit Log Detail</h2>
               <dl className="space-y-3 text-sm">
-                {[['ID', selectedLog.id], ['Action', selectedLog.action], ['Actor', selectedLog.actor_user_id],
+                {[['ID', selectedLog.id], ['Action', selectedLog.action], ['Actor', selectedLog.actor_name || selectedLog.actor_user_id],
                   ['Role', selectedLog.actor_role], ['Resource', `${selectedLog.resource_type || ''} ${selectedLog.resource_id || ''}`],
                   ['IP', selectedLog.ip], ['User Agent', selectedLog.user_agent],
                   ['Timestamp', selectedLog.created_at ? new Date(selectedLog.created_at).toLocaleString() : '—']
diff --git a/frontend/src/pages/Reports.jsx b/frontend/src/pages/Reports.jsx
index 2c59422..a8df2e6 100644
--- a/frontend/src/pages/Reports.jsx
+++ b/frontend/src/pages/Reports.jsx
@@ -706,20 +706,22 @@ const Reports = () => {
         </div>
 
         {/* Report Details + Generated Reports */}
-        <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
-          <div className="bg-slate-900/70 rounded-2xl shadow-md overflow-hidden border border-slate-800/70">
+        <div className="grid grid-cols-1 lg:grid-cols-2 gap-6 lg:items-stretch">
+          <div className="bg-slate-900/70 rounded-2xl shadow-md overflow-hidden border border-slate-800/70 flex h-full flex-col lg:h-[36rem]">
             <div className="px-6 py-4 border-b border-slate-800">
               <h2 className="text-lg font-semibold text-slate-100">Report Details</h2>
             </div>
-            <ReportTable data={details || []} type={reportType} />
+            <div className="flex-1 min-h-0">
+              <ReportTable data={details || []} type={reportType} />
+            </div>
           </div>
 
-          <div className="bg-slate-900/70 rounded-2xl shadow-md border border-slate-800/70">
+          <div className="bg-slate-900/70 rounded-2xl shadow-md border border-slate-800/70 flex h-full flex-col lg:h-[36rem]">
             <div className="px-6 py-4 border-b border-slate-800 flex items-center justify-between">
               <h2 className="text-lg font-semibold text-slate-100">Generated Reports</h2>
               <span className="text-xs text-slate-500 uppercase tracking-wide">PDF downloads</span>
             </div>
-            <div className="p-6">
+            <div className="flex-1 min-h-0 overflow-y-auto p-6 pr-4">
               {generatedReports.length === 0 ? (
                 <p className="text-sm text-slate-500">
                   No generated reports yet. Use Generate Report to create one.
diff --git a/frontend/src/tests/components/ReportTable.test.jsx b/frontend/src/tests/components/ReportTable.test.jsx
index 019cd57..420a5a3 100644
--- a/frontend/src/tests/components/ReportTable.test.jsx
+++ b/frontend/src/tests/components/ReportTable.test.jsx
@@ -45,6 +45,7 @@ describe('ReportTable', () => {
     expect(screen.getByText('Review')).toBeInTheDocument();
     expect(screen.getByText('Backlog')).toBeInTheDocument();
     expect(screen.getByText('Completed')).toBeInTheDocument();
+    expect(screen.getByText('Assignee 2')).toBeInTheDocument();
     expect(screen.getAllByText('View').length).toBe(5);
     expect(screen.getAllByText('Unassigned').length).toBeGreaterThan(0);
   });
diff --git a/frontend/src/tests/pages/AdminAuditLogs.test.jsx b/frontend/src/tests/pages/AdminAuditLogs.test.jsx
new file mode 100644
index 0000000..5372d17
--- /dev/null
+++ b/frontend/src/tests/pages/AdminAuditLogs.test.jsx
@@ -0,0 +1,68 @@
+import React from 'react';
+import { fireEvent, render, screen, waitFor } from '@testing-library/react';
+
+import AdminAuditLogs from '../../pages/AdminAuditLogs';
+import { auditLogService } from '../../services/utils/api';
+
+jest.mock('../../services/utils/api', () => ({
+  auditLogService: {
+    getLogs: jest.fn(),
+    getLogById: jest.fn(),
+  },
+}));
+
+describe('AdminAuditLogs', () => {
+  beforeEach(() => {
+    auditLogService.getLogs.mockResolvedValue({
+      logs: [
+        {
+          id: 1,
+          actor_user_id: 7,
+          actor_name: 'Admin User',
+          actor_role: 'admin',
+          action: 'user_created',
+          resource_type: 'user',
+          resource_id: '42',
+          created_at: '2026-05-08T10:00:00.000Z',
+        },
+      ],
+      total: 1,
+      pages: 1,
+      current_page: 1,
+    });
+
+    auditLogService.getLogById.mockResolvedValue({
+      id: 1,
+      actor_user_id: 7,
+      actor_name: 'Admin User',
+      actor_role: 'admin',
+      action: 'user_created',
+      resource_type: 'user',
+      resource_id: '42',
+      ip: '127.0.0.1',
+      user_agent: 'pytest',
+      metadata: null,
+      created_at: '2026-05-08T10:00:00.000Z',
+    });
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  test('renders actor names instead of raw ids when available', async () => {
+    render(<AdminAuditLogs />);
+
+    expect(await screen.findByText('Admin User')).toBeInTheDocument();
+    expect(screen.queryByText('User 7')).not.toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /view/i }));
+
+    await waitFor(() => {
+      expect(auditLogService.getLogById).toHaveBeenCalledWith(1);
+    });
+
+    expect(await screen.findByText(/Audit Log Detail/i)).toBeInTheDocument();
+    expect(screen.getAllByText('Admin User').length).toBeGreaterThan(0);
+  });
+});
diff --git a/frontend/src/tests/pages/AdminProjects.test.jsx b/frontend/src/tests/pages/AdminProjects.test.jsx
index b858cf6..3403688 100644
--- a/frontend/src/tests/pages/AdminProjects.test.jsx
+++ b/frontend/src/tests/pages/AdminProjects.test.jsx
@@ -3,6 +3,7 @@ import { fireEvent, render, screen, waitFor } from '@testing-library/react';
 import { MemoryRouter } from 'react-router-dom';
 
 import AdminProjects from '../../pages/AdminProjects';
+import { useAuth } from '../../context/AuthContext';
 import { projectService } from '../../services/utils/api';
 
 jest.mock('../../services/utils/api', () => ({
@@ -13,6 +14,10 @@ jest.mock('../../services/utils/api', () => ({
 
 jest.mock('../../components/LoadingSpinner', () => () => <div>Loading spinner</div>);
 
+jest.mock('../../context/AuthContext', () => ({
+  useAuth: jest.fn(),
+}));
+
 const renderAdminProjects = () => {
   return render(
     <MemoryRouter future={{ v7_startTransition: true, v7_relativeSplatPath: true }}>
@@ -25,6 +30,10 @@ describe('AdminProjects page', () => {
   beforeEach(() => {
     jest.spyOn(console, 'error').mockImplementation(() => {});
 
+    useAuth.mockReturnValue({
+      currentUser: { id: 1, role: 'admin' },
+    });
+
     projectService.getAllProjects.mockReset();
     projectService.getAllProjects.mockResolvedValue([
       {
diff --git a/frontend/src/tests/services/utils/api.test.jsx b/frontend/src/tests/services/utils/api.test.jsx
new file mode 100644
index 0000000..0832c3e
--- /dev/null
+++ b/frontend/src/tests/services/utils/api.test.jsx
@@ -0,0 +1,24 @@
+import { normalizeTaskReportDetails } from '../../../services/utils/api';
+
+describe('normalizeTaskReportDetails', () => {
+  test('hydrates assignee_name from the user list when task rows only expose assigned_to ids', () => {
+    const tasks = [
+      { id: 1, title: 'Task A', assigned_to: 9 },
+      { id: 2, title: 'Task B', assigned_to: 10 },
+      { id: 3, title: 'Task C', assigned_to: null },
+    ];
+
+    const users = [
+      { id: 9, name: 'Developer One' },
+      { id: 10, name: 'Developer Two' },
+    ];
+
+    const normalized = normalizeTaskReportDetails(tasks, users);
+
+    expect(normalized).toEqual([
+      { id: 1, title: 'Task A', assigned_to: 9, assignee_name: 'Developer One' },
+      { id: 2, title: 'Task B', assigned_to: 10, assignee_name: 'Developer Two' },
+      { id: 3, title: 'Task C', assigned_to: null, assignee_name: null },
+    ]);
+  });
+});

From 99b11a22f7408ae2720ce4634a62800ad5e2d13c Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:43:17 +0100
Subject: [PATCH 36/37] fix: increase maximum height of task panel in
 BasicDashboard

---
 frontend/src/pages/BasicDashboard.jsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/pages/BasicDashboard.jsx b/frontend/src/pages/BasicDashboard.jsx
index f2e0ea2..e57ff7c 100644
--- a/frontend/src/pages/BasicDashboard.jsx
+++ b/frontend/src/pages/BasicDashboard.jsx
@@ -231,7 +231,7 @@ const BasicDashboard = () => {
             {/* Main Content Grid */}
             <div className="grid grid-cols-1 lg:grid-cols-3 gap-6 items-stretch min-h-[720px]">
               <div className="lg:col-span-2 flex flex-col gap-6 h-full">
-                <div className={`${panelClass} flex-1 min-h-[520px] max-h-[70vh]`}>
+                <div className={`${panelClass} flex-1 min-h-[520px] max-h-[85vh]`}>
                   <div className={panelHeaderClass}>
                     <div>
                       <h3 className={sectionTitleClass}>My Tasks</h3>

From d99e09619224a21057ee6432ddc915491fe84120 Mon Sep 17 00:00:00 2001
From: Ahmed Ikram <2571642@dundee.ac.uk>
Date: Fri, 8 May 2026 00:49:23 +0100
Subject: [PATCH 37/37] refactor: consolidate imports from githubService and
 taskService in GitHubIntegrationDetail

---
 frontend/src/pages/GithubIntegrationDetail.jsx            | 3 +--
 frontend/src/tests/pages/GithubIntegrationDetail.test.jsx | 8 ++------
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/frontend/src/pages/GithubIntegrationDetail.jsx b/frontend/src/pages/GithubIntegrationDetail.jsx
index 6bcefe4..e1142a4 100644
--- a/frontend/src/pages/GithubIntegrationDetail.jsx
+++ b/frontend/src/pages/GithubIntegrationDetail.jsx
@@ -1,7 +1,6 @@
 import React, { useState, useEffect } from 'react';
 import { useParams, useNavigate, Link } from 'react-router-dom';
-import { githubService } from '../services/github';
-import { taskService } from '../services/utils/api';
+import { githubService, taskService } from '../services/utils/api';
 import LoadingSpinner from '../components/LoadingSpinner';
 
 const panelClass = "bg-slate-900/70 border border-slate-800/70 rounded-2xl p-6 shadow-[0_10px_30px_rgba(0,0,0,0.25)]";
diff --git a/frontend/src/tests/pages/GithubIntegrationDetail.test.jsx b/frontend/src/tests/pages/GithubIntegrationDetail.test.jsx
index 5b8ec04..11790bf 100644
--- a/frontend/src/tests/pages/GithubIntegrationDetail.test.jsx
+++ b/frontend/src/tests/pages/GithubIntegrationDetail.test.jsx
@@ -2,8 +2,7 @@ import React from 'react';
 import { fireEvent, render, screen, waitFor } from '@testing-library/react';
 
 import GitHubIntegrationDetail from '../../pages/GithubIntegrationDetail';
-import { githubService } from '../../services/github';
-import { taskService } from '../../services/utils/api';
+import { githubService, taskService } from '../../services/utils/api';
 
 const mockNavigate = jest.fn();
 const mockUseParams = jest.fn();
@@ -19,16 +18,13 @@ jest.mock('react-router-dom', () => ({
   useParams: () => mockUseParams(),
 }));
 
-jest.mock('../../services/github', () => ({
+jest.mock('../../services/utils/api', () => ({
   githubService: {
     getUserRepos: jest.fn(),
     getIssues: jest.fn(),
     getPullRequests: jest.fn(),
     linkTaskToGithub: jest.fn(),
   },
-}));
-
-jest.mock('../../services/utils/api', () => ({
   taskService: {
     getAllTasks: jest.fn(),
   },