vmi-virtual-memorial/vmi-wd-backend / 812ace5

+from django.utils.html import format_html

+from django.urls import reverse

+from django.utils.safestring import mark_safe

+from .models import Conflict, Person, Contribution

+    list_display = ['display_name', 'class_year', 'conflict', 'rank', 'get_death_date_display', 'has_pdf', 'has_description', 'contribution_count']

+    has_description.short_description = 'Has Description'

+    

+    def contribution_count(self, obj):

+        """Show number of contributions"""

+        total = obj.contributions.count()

+        approved = obj.contributions.filter(status='approved').count()

+        pending = obj.contributions.filter(status='pending').count()

+        

+        if pending > 0:

+            return format_html(

+                '<span style="color: green;">{}</span> / '

+                '<span style="color: orange;">{}</span> / '

+                '<span>{}</span>',

+                approved, pending, total

+            )

+        return f"{approved} / {total}"

+    contribution_count.short_description = 'Contributions (A/P/T)'

+

+

+@admin.register(Contribution)

+class ContributionAdmin(admin.ModelAdmin):

+    list_display = [

+        'id', 'person_link', 'contributor_email', 'content_type', 

+        'status_badge', 'submitted_at', 'reviewed_by'

+    ]

+    list_filter = ['status', 'content_type', 'submitted_at', 'reviewed_at']

+    search_fields = [

+        'person__first_name', 'person__last_name', 

+        'contributor_email', 'content_text'

+    ]

+    readonly_fields = [

+        'person', 'contributor_email', 'content_type', 'content_text',

+        'image_preview', 'submitted_at', 'reviewed_at', 'reviewed_by'

+    ]

+    

+    fieldsets = (

+        ('Contribution Info', {

+            'fields': ('person', 'contributor_email', 'submitted_at')

+        }),

+        ('Content', {

+            'fields': ('content_type', 'content_text', 'image_preview')

+        }),

+        ('Review Status', {

+            'fields': ('status', 'reviewed_at', 'reviewed_by', 'rejection_reason')

+        })

+    )

+    

+    actions = ['approve_contributions', 'reject_contributions']

+    

+    def person_link(self, obj):

+        """Link to person in admin"""

+        url = reverse('admin:memorial_person_change', args=[obj.person.id])

+        return format_html('<a href="{}">{}</a>', url, obj.person.full_display_name)

+    person_link.short_description = 'Person'

+    

+    def status_badge(self, obj):

+        """Color-coded status badge"""

+        colors = {

+            'pending': '#FFA500',

+            'approved': '#28a745',

+            'rejected': '#dc3545'

+        }

+        return format_html(

+            '<span style="background-color: {}; color: white; padding: 3px 10px; '

+            'border-radius: 3px; font-weight: bold;">{}</span>',

+            colors.get(obj.status, '#666'),

+            obj.get_status_display()

+        )

+    status_badge.short_description = 'Status'

+    

+    def image_preview(self, obj):

+        """Preview of uploaded image"""

+        if obj.content_image:

+            return mark_safe(

+                f'<img src="{obj.content_image.url}" '

+                f'style="max-width: 300px; max-height: 300px;" />'

+            )

+        return "No image"

+    image_preview.short_description = 'Image Preview'

+    

+    def approve_contributions(self, request, queryset):

+        """Bulk approve action"""

+        count = 0

+        for contribution in queryset.filter(status='pending'):

+            contribution.approve(request.user)

+            count += 1

+        self.message_user(request, f"{count} contributions approved.")

+    approve_contributions.short_description = "Approve selected contributions"

+    

+    def reject_contributions(self, request, queryset):

+        """Bulk reject action"""

+        count = 0

+        for contribution in queryset.filter(status='pending'):

+            contribution.reject(request.user, "Bulk rejection")

+            count += 1

+        self.message_user(request, f"{count} contributions rejected.")

+    reject_contributions.short_description = "Reject selected contributions"

+    

+    def has_add_permission(self, request):

+        """Prevent manual addition through admin"""

+        return False

+# Generated by Django 5.0.6 on 2025-07-18 20:20

+

+import django.db.models.deletion

+from django.conf import settings

+from django.db import migrations, models

+

+

+class Migration(migrations.Migration):

+

+    dependencies = [

+        ("memorial", "0004_person_death_date_precision"),

+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),

+    ]

+

+    operations = [

+        migrations.CreateModel(

+            name="Contribution",

+            fields=[

+                (

+                    "id",

+                    models.BigAutoField(

+                        auto_created=True,

+                        primary_key=True,

+                        serialize=False,

+                        verbose_name="ID",

+                    ),

+                ),

+                (

+                    "contributor_email",

+                    models.EmailField(

+                        help_text="Email of the person submitting this contribution",

+                        max_length=254,

+                    ),

+                ),

+                (

+                    "content_type",

+                    models.CharField(

+                        choices=[

+                            ("text", "Text"),

+                            ("image", "Image"),

+                            ("both", "Both"),

+                        ],

+                        default="text",

+                        max_length=10,

+                    ),

+                ),

+                (

+                    "content_text",

+                    models.TextField(

+                        blank=True, help_text="Text content of the contribution"

+                    ),

+                ),

+                (

+                    "content_image",

+                    models.ImageField(

+                        blank=True,

+                        help_text="Image contribution",

+                        null=True,

+                        upload_to="contributions/",

+                    ),

+                ),

+                (

+                    "status",

+                    models.CharField(

+                        choices=[

+                            ("pending", "Pending"),

+                            ("approved", "Approved"),

+                            ("rejected", "Rejected"),

+                        ],

+                        default="pending",

+                        max_length=10,

+                    ),

+                ),

+                ("submitted_at", models.DateTimeField(auto_now_add=True)),

+                ("reviewed_at", models.DateTimeField(blank=True, null=True)),

+                ("rejection_reason", models.TextField(blank=True)),

+                (

+                    "person",

+                    models.ForeignKey(

+                        on_delete=django.db.models.deletion.CASCADE,

+                        related_name="contributions",

+                        to="memorial.person",

+                    ),

+                ),

+                (

+                    "reviewed_by",

+                    models.ForeignKey(

+                        blank=True,

+                        null=True,

+                        on_delete=django.db.models.deletion.SET_NULL,

+                        related_name="reviewed_contributions",

+                        to=settings.AUTH_USER_MODEL,

+                    ),

+                ),

+            ],

+            options={

+                "ordering": ["-submitted_at"],

+                "indexes": [

+                    models.Index(

+                        fields=["person", "status"],

+                        name="memorial_co_person__8f13d8_idx",

+                    ),

+                    models.Index(

+                        fields=["status", "submitted_at"],

+                        name="memorial_co_status_0bff92_idx",

+                    ),

+                ],

+            },

+        ),

+    ]

+from django.utils import timezone

+        return reverse('person-detail', kwargs={'pk': self.pk})

+

+

+class ContributionStatus(models.TextChoices):

+    PENDING = 'pending', 'Pending'

+    APPROVED = 'approved', 'Approved'

+    REJECTED = 'rejected', 'Rejected'

+

+

+class Contribution(models.Model):

+    """Community contributions for person records"""

+    

+    # Link to person

+    person = models.ForeignKey(

+        'Person', 

+        on_delete=models.CASCADE, 

+        related_name='contributions'

+    )

+    

+    # Contributor info

+    contributor_email = models.EmailField(

+        help_text="Email of the person submitting this contribution"

+    )

+    

+    # Content

+    content_type = models.CharField(

+        max_length=10,

+        choices=[

+            ('text', 'Text'),

+            ('image', 'Image'),

+            ('both', 'Both'),

+        ],

+        default='text'

+    )

+    content_text = models.TextField(

+        blank=True,

+        help_text="Text content of the contribution"

+    )

+    content_image = models.ImageField(

+        upload_to='contributions/',

+        blank=True,

+        null=True,

+        help_text="Image contribution"

+    )

+    

+    # Moderation

+    status = models.CharField(

+        max_length=10,

+        choices=ContributionStatus.choices,

+        default=ContributionStatus.PENDING

+    )

+    

+    # Timestamps

+    submitted_at = models.DateTimeField(auto_now_add=True)

+    reviewed_at = models.DateTimeField(null=True, blank=True)

+    

+    # Review info

+    reviewed_by = models.ForeignKey(

+        'auth.User',

+        on_delete=models.SET_NULL,

+        null=True,

+        blank=True,

+        related_name='reviewed_contributions'

+    )

+    rejection_reason = models.TextField(blank=True)

+    

+    class Meta:

+        ordering = ['-submitted_at']

+        indexes = [

+            models.Index(fields=['person', 'status']),

+            models.Index(fields=['status', 'submitted_at']),

+        ]

+    

+    def __str__(self):

+        return f"Contribution for {self.person} by {self.contributor_email} ({self.status})"

+    

+    def approve(self, user):

+        """Approve this contribution"""

+        self.status = ContributionStatus.APPROVED

+        self.reviewed_by = user

+        self.reviewed_at = timezone.now()

+        self.save()

+    

+    def reject(self, user, reason=''):

+        """Reject this contribution"""

+        self.status = ContributionStatus.REJECTED

+        self.reviewed_by = user

+        self.reviewed_at = timezone.now()

+        self.rejection_reason = reason

+        self.save()

+from .models import Conflict, Person, Contribution

+        ]

+

+

+# Contribution serializers

+class ContributionSerializer(serializers.ModelSerializer):

+    """Base serializer for contributions"""

+    contributor_email = serializers.EmailField(required=True)

+    reviewed_by_username = serializers.CharField(

+        source='reviewed_by.username', 

+        read_only=True

+    )

+    

+    class Meta:

+        model = Contribution

+        fields = [

+            'id', 'person', 'contributor_email', 'content_type',

+            'content_text', 'content_image', 'status', 'submitted_at',

+            'reviewed_at', 'reviewed_by', 'reviewed_by_username',

+            'rejection_reason'

+        ]

+        read_only_fields = [

+            'id', 'status', 'submitted_at', 'reviewed_at', 

+            'reviewed_by', 'rejection_reason'

+        ]

+

+

+class ContributionCreateSerializer(serializers.ModelSerializer):

+    """Serializer for creating contributions"""

+    content_image = serializers.ImageField(required=False, allow_null=True)

+    

+    class Meta:

+        model = Contribution

+        fields = ['contributor_email', 'content_type', 'content_text', 'content_image']

+    

+    def validate(self, data):

+        """Ensure content matches content_type"""

+        content_type = data.get('content_type')

+        

+        if content_type in ['text', 'both'] and not data.get('content_text'):

+            raise serializers.ValidationError(

+                "Text content is required for text contributions"

+            )

+        

+        if content_type in ['image', 'both'] and not data.get('content_image'):

+            raise serializers.ValidationError(

+                "Image is required for image contributions"

+            )

+        

+        return data

+

+

+class ContributionPublicSerializer(serializers.ModelSerializer):

+    """Public view of approved contributions only"""

+    contributor_display = serializers.SerializerMethodField()

+    

+    class Meta:

+        model = Contribution

+        fields = [

+            'id', 'content_type', 'content_text', 'content_image',

+            'submitted_at', 'contributor_display'

+        ]

+    

+    def get_contributor_display(self, obj):

+        """Partially mask email for privacy"""

+        email = obj.contributor_email

+        parts = email.split('@')

+        if len(parts) == 2:

+            name = parts[0]

+            if len(name) > 2:

+                masked = name[0] + '*' * (len(name) - 2) + name[-1]

+            else:

+                masked = name[0] + '*'

+            return f"{masked}@{parts[1]}"

+        return "Anonymous"

+

+

+class ContributionReviewSerializer(serializers.Serializer):

+    """Serializer for approving/rejecting contributions"""

+    action = serializers.ChoiceField(choices=['approve', 'reject'])

+    rejection_reason = serializers.CharField(required=False, allow_blank=True)

+    

+    def validate(self, data):

+        if data['action'] == 'reject' and not data.get('rejection_reason'):

+            raise serializers.ValidationError(

+                "Rejection reason is required when rejecting a contribution"

+            )

+        return data

+

+

+class PersonDetailSerializerWithContributions(PersonDetailSerializer):

+    """Person details including approved contributions"""

+    contributions = ContributionPublicSerializer(many=True, read_only=True)

+    

+    class Meta(PersonDetailSerializer.Meta):

+        fields = PersonDetailSerializer.Meta.fields + ['contributions']

+    

+    def to_representation(self, instance):

+        data = super().to_representation(instance)

+        # Only show approved contributions

+        data['contributions'] = ContributionPublicSerializer(

+            instance.contributions.filter(status='approved'),

+            many=True

+        ).data

+        return data

+# memorial/urls.py

+from rest_framework_nested import routers as nested_routers

+from .views import (

+    ConflictViewSet, PersonViewSet, ContributionViewSet,

+    memorial_index, search_filters, test_s3_connection,

+    pending_contributions, contribution_stats,

+    create_contribution, get_csrf_token

+)

+# Main router

+# Nested router for person contributions (admin only except creation)

+persons_router = nested_routers.NestedDefaultRouter(router, 'persons', lookup='person')

+persons_router.register('contributions', ContributionViewSet, basename='person-contributions')

+

+    # CSRF token endpoint (must be first for frontend)

+    path('csrf/', get_csrf_token, name='csrf-token'),

+    

+    # Public endpoints

+    

+    # Contribution creation (public with throttling and CSRF)

+    path('persons/<int:person_id>/contributions/', create_contribution, name='create-contribution'),

+    

+    # Admin-only endpoints

+    path('contributions/pending/', pending_contributions, name='pending-contributions'),

+    path('contributions/stats/', contribution_stats, name='contribution-stats'),

+    

+    # Include routers

+    path('', include(router.urls)),

+    path('', include(persons_router.urls)),

+from rest_framework import viewsets, status, permissions

+from rest_framework.decorators import action, api_view, permission_classes, authentication_classes, parser_classes

+from rest_framework.parsers import MultiPartParser, FormParser

+from rest_framework.authentication import SessionAuthentication

+from rest_framework.throttling import AnonRateThrottle, UserRateThrottle

+from django.views.decorators.csrf import ensure_csrf_cookie

+from django.middleware.csrf import get_token

+from django.http import HttpResponse, HttpResponseRedirect, JsonResponse

+from django.core.exceptions import ValidationError

+from django.core.files.uploadedfile import UploadedFile

+from PIL import Image

+import io

+

+from .models import Conflict, Person, Contribution

+    PersonSearchSerializer, PersonDetailSerializerWithContributions,

+    ContributionSerializer, ContributionCreateSerializer,

+    ContributionPublicSerializer, ContributionReviewSerializer

+# Constants for contribution validation

+MAX_IMAGE_SIZE = 10 * 1024 * 1024  # 10MB

+ALLOWED_IMAGE_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp']

+MAX_IMAGE_DIMENSIONS = (4000, 4000)  # Max width/height

+

+

+        return PersonDetailSerializerWithContributions

+    

+    @action(detail=True, methods=['get'])

+    def contributions(self, request, pk=None):

+        """Get approved contributions for a person"""

+        person = self.get_object()

+        contributions = person.contributions.filter(status='approved')

+        serializer = ContributionPublicSerializer(contributions, many=True)

+        return Response({

+            'count': contributions.count(),

+            'results': serializer.data

+        })

+

+

+class ContributionViewSet(viewsets.ModelViewSet):

+    """API endpoints for contributions - Admin only except for creation"""

+    queryset = Contribution.objects.all()

+    parser_classes = (MultiPartParser, FormParser)

+    

+    def get_serializer_class(self):

+        if self.action == 'create':

+            return ContributionCreateSerializer

+        elif self.action == 'review':

+            return ContributionReviewSerializer

+        return ContributionSerializer

+    

+    def get_permissions(self):

+        """

+        Anyone can create contributions (with throttling)

+        Only admin can list, update, or delete

+        """

+        if self.action == 'create':

+            return [permissions.AllowAny()]

+        return [permissions.IsAdminUser()]

+    

+    def get_throttles(self):

+        """Apply throttling to creation"""

+        if self.action == 'create':

+            return [AnonRateThrottle()]

+        return []

+    

+    def validate_image(self, image_file):

+        """Validate uploaded image"""

+        if image_file.size > MAX_IMAGE_SIZE:

+            raise ValidationError(f"Image size must be less than {MAX_IMAGE_SIZE // 1024 // 1024}MB")

+        

+        if image_file.content_type not in ALLOWED_IMAGE_TYPES:

+            raise ValidationError(f"Image type must be one of: {', '.join(ALLOWED_IMAGE_TYPES)}")

+        

+        try:

+            img = Image.open(image_file)

+            img.verify()

+            

+            image_file.seek(0)

+            img = Image.open(image_file)

+            

+            if img.width > MAX_IMAGE_DIMENSIONS[0] or img.height > MAX_IMAGE_DIMENSIONS[1]:

+                raise ValidationError(

+                    f"Image dimensions must be less than {MAX_IMAGE_DIMENSIONS[0]}x{MAX_IMAGE_DIMENSIONS[1]}"

+                )

+            

+            image_file.seek(0)

+            

+        except Exception as e:

+            raise ValidationError(f"Invalid image file: {str(e)}")

+    

+    def create(self, request, *args, **kwargs):

+        """Create a new contribution with validation"""

+        person_id = self.kwargs.get('person_pk')

+        

+        if not person_id:

+            return Response(

+                {"error": "Person ID not found in URL"}, 

+                status=status.HTTP_400_BAD_REQUEST

+            )

+        

+        try:

+            person = Person.objects.get(pk=person_id)

+        except Person.DoesNotExist:

+            return Response(

+                {"error": "Person not found"}, 

+                status=status.HTTP_404_NOT_FOUND

+            )

+        

+        serializer = self.get_serializer(data=request.data)

+        serializer.is_valid(raise_exception=True)

+        

+        # Validate image if provided

+        image = request.FILES.get('content_image')

+        if image:

+            try:

+                self.validate_image(image)

+            except ValidationError as e:

+                return Response(

+                    {"error": str(e)}, 

+                    status=status.HTTP_400_BAD_REQUEST

+                )

+        

+        contribution = serializer.save(person=person)

+        

+        return Response(

+            ContributionSerializer(contribution).data,

+            status=status.HTTP_201_CREATED

+        )

+    

+    @action(detail=True, methods=['post'], permission_classes=[permissions.IsAdminUser])

+    def review(self, request, pk=None):

+        """Approve or reject a contribution"""

+        contribution = self.get_object()

+        serializer = self.get_serializer(data=request.data)

+        serializer.is_valid(raise_exception=True)

+        

+        action = serializer.validated_data['action']

+        

+        if action == 'approve':

+            contribution.approve(request.user)

+        else:  # reject

+            rejection_reason = serializer.validated_data.get('rejection_reason', '')

+            contribution.reject(request.user, rejection_reason)

+        

+        return Response(ContributionSerializer(contribution).data)

+    

+    def list(self, request, *args, **kwargs):

+        """List contributions with filtering (admin only)"""

+        queryset = self.get_queryset()

+        

+        status_filter = request.query_params.get('status')

+        if status_filter:

+            queryset = queryset.filter(status=status_filter)

+        

+        person_id = request.query_params.get('person')

+        if person_id:

+            queryset = queryset.filter(person_id=person_id)

+        

+        queryset = queryset.order_by('-submitted_at')

+        

+        serializer = self.get_serializer(queryset, many=True)

+        return Response({

+            'count': queryset.count(),

+            'results': serializer.data

+        })

+

+# Admin-only views for managing contributions

+@api_view(['GET'])

+@permission_classes([permissions.IsAdminUser])

+def pending_contributions(request):

+    """Get all pending contributions for admin review"""

+    contributions = Contribution.objects.filter(status='pending').order_by('-submitted_at')

+    

+    data = []

+    for contrib in contributions:

+        contrib_data = ContributionSerializer(contrib).data

+        contrib_data['person_details'] = PersonListSerializer(contrib.person).data

+        data.append(contrib_data)

+    

+    return Response({

+        'count': contributions.count(),

+        'results': data

+    })

+

+

+@api_view(['GET'])

+@permission_classes([permissions.IsAdminUser])

+def contribution_stats(request):

+    """Get statistics about contributions"""

+    from django.db.models import Count

+    

+    stats = Contribution.objects.aggregate(

+        total=Count('id'),

+        pending=Count('id', filter=Q(status='pending')),

+        approved=Count('id', filter=Q(status='approved')),

+        rejected=Count('id', filter=Q(status='rejected'))

+    )

+    

+    recent = Contribution.objects.order_by('-submitted_at')[:10]

+    

+    return Response({

+        'stats': stats,

+        'recent': ContributionSerializer(recent, many=True).data

+    })

+

+

+@permission_classes([permissions.IsAdminUser])

+    """Test S3 configuration in production - Admin only"""

+        }, status=500)

+

+

+@api_view(['POST'])

+@parser_classes([MultiPartParser, FormParser])

+@permission_classes([permissions.AllowAny])

+def create_contribution(request, person_id):

+    """Simple endpoint to create a contribution with CSRF and throttling"""

+    # Apply throttling

+    throttle = AnonRateThrottle()

+    if not throttle.allow_request(request, None):

+        return Response(

+            {"error": "Rate limit exceeded. Please try again later."}, 

+            status=status.HTTP_429_TOO_MANY_REQUESTS

+        )

+    

+    try:

+        person = Person.objects.get(pk=person_id)

+    except Person.DoesNotExist:

+        return Response(

+            {"error": "Person not found"}, 

+            status=status.HTTP_404_NOT_FOUND

+        )

+    

+    serializer = ContributionCreateSerializer(data=request.data)

+    if not serializer.is_valid():

+        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

+    

+    # Validate image if provided

+    image = request.FILES.get('content_image')

+    if image:

+        if image.size > MAX_IMAGE_SIZE:

+            return Response(

+                {"error": f"Image size must be less than {MAX_IMAGE_SIZE // 1024 // 1024}MB"}, 

+                status=status.HTTP_400_BAD_REQUEST

+            )

+        

+        if image.content_type not in ALLOWED_IMAGE_TYPES:

+            return Response(

+                {"error": f"Image type must be one of: {', '.join(ALLOWED_IMAGE_TYPES)}"}, 

+                status=status.HTTP_400_BAD_REQUEST

+            )

+    

+    contribution = serializer.save(person=person)

+    

+    return Response(

+        ContributionSerializer(contribution).data,

+        status=status.HTTP_201_CREATED

+    )

+

+@api_view(['GET'])

+@ensure_csrf_cookie

+def get_csrf_token(request):

+    """Get CSRF token for frontend"""

+    return JsonResponse({

+        'csrfToken': get_token(request)

+    })

+# Production-ready allowed hosts

+if DEBUG:

+    ALLOWED_HOSTS = ['localhost', '127.0.0.1', '.up.railway.app']

+else:

+    ALLOWED_HOSTS = [

+        '.up.railway.app',

+        'vmimemorial.com',

+        'www.vmimemorial.com',

+        config('ALLOWED_HOST', default=''),  # Allow custom domain via env var

+    ]

+    # Remove empty strings

+    ALLOWED_HOSTS = [host for host in ALLOWED_HOSTS if host]

+

+# CSRF Trusted Origins

+if DEBUG:

+    CSRF_TRUSTED_ORIGINS = [

+        'http://localhost:3000',

+        'http://127.0.0.1:3000',

+        'https://*.up.railway.app',

+    ]

+else:

+    CSRF_TRUSTED_ORIGINS = [

+        'https://vmimemorial.com',

+        'https://www.vmimemorial.com',

+        'https://*.up.railway.app',

+    ]

+    'whitenoise.middleware.WhiteNoiseMiddleware',

+    'corsheaders.middleware.CorsMiddleware',

+TIME_ZONE = 'America/New_York'  # VMI's location

+# Static files

+# CORS settings - Environment-dependent

+if DEBUG:

+    CORS_ALLOW_ALL_ORIGINS = False

+    CORS_ALLOWED_ORIGINS = [

+        "http://localhost:3000",

+        "http://127.0.0.1:3000",

+    ]

+else:

+    CORS_ALLOW_ALL_ORIGINS = False

+    CORS_ALLOWED_ORIGINS = [

+        "https://vmimemorial.com",

+        "https://www.vmimemorial.com",

+    ]

+

+CORS_ALLOW_CREDENTIALS = True

+CORS_ALLOWED_METHODS = [

+    'DELETE',

+    'GET',

+    'OPTIONS',

+    'PATCH',

+    'POST',

+    'PUT',

+]

+CORS_ALLOWED_HEADERS = [

+    'accept',

+    'accept-encoding',

+    'authorization',

+    'content-type',

+    'dnt',

+    'origin',

+    'user-agent',

+    'x-csrftoken',

+    'x-requested-with',

+

+    ],

+    'DEFAULT_AUTHENTICATION_CLASSES': [

+        'rest_framework.authentication.SessionAuthentication',

+    ],

+    'DEFAULT_THROTTLE_CLASSES': [

+        'rest_framework.throttling.AnonRateThrottle',

+        'rest_framework.throttling.UserRateThrottle'

+    ],

+    'DEFAULT_THROTTLE_RATES': {

+        'anon': '60/hour',    # Anonymous users: 60 requests per hour

+        'user': '1000/hour'   # Authenticated users: 1000 per hour

+    }

+# Contribution-specific settings

+CONTRIBUTION_IMAGE_MAX_SIZE = 10 * 1024 * 1024  # 10MB

+CONTRIBUTION_ALLOWED_IMAGE_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp']

+CONTRIBUTION_IMAGE_MAX_DIMENSIONS = (4000, 4000)

+

+# Media files configuration

+    # Security headers and HTTPS

+    SECURE_HSTS_SECONDS = 31536000  # 1 year

+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True

+    SECURE_HSTS_PRELOAD = True

+    

+    # Cookie security

+    CSRF_COOKIE_SECURE = True

+    SESSION_COOKIE_HTTPONLY = True

+    CSRF_COOKIE_HTTPONLY = True

+    

+    # Content security

+    SECURE_CONTENT_TYPE_NOSNIFF = True

+    SECURE_BROWSER_XSS_FILTER = True

+    X_FRAME_OPTIONS = 'DENY'  # Prevent clickjacking (except for PDF viewer)

+    

+    # Additional security

+    SECURE_REFERRER_POLICY = 'strict-origin-when-cross-origin'

+

+# Logging configuration for production

+if not DEBUG:

+    LOGGING = {

+        'version': 1,

+        'disable_existing_loggers': False,

+        'handlers': {

+            'console': {

+                'class': 'logging.StreamHandler',

+            },

+        },

+        'root': {

+            'handlers': ['console'],

+            'level': 'INFO',

+        },

+        'loggers': {

+            'django': {

+                'handlers': ['console'],

+                'level': 'INFO',

+                'propagate': False,

+            },

+            'memorial': {

+                'handlers': ['console'],

+                'level': 'INFO',

+                'propagate': False,

+            },

+        },

+    }

+

+# Email settings (for future contribution notifications)

+EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' if DEBUG else 'django.core.mail.backends.smtp.EmailBackend'

+if not DEBUG:

+    EMAIL_HOST = config('EMAIL_HOST', default='')

+    EMAIL_PORT = config('EMAIL_PORT', default=587, cast=int)

+    EMAIL_USE_TLS = config('EMAIL_USE_TLS', default=True, cast=bool)

+    EMAIL_HOST_USER = config('EMAIL_HOST_USER', default='')

+    EMAIL_HOST_PASSWORD = config('EMAIL_HOST_PASSWORD', default='')

+    DEFAULT_FROM_EMAIL = config('DEFAULT_FROM_EMAIL', default='noreply@vmimemorial.com')

+    ADMIN_EMAIL = config('ADMIN_EMAIL', default='admin@vmimemorial.com')