Michemor/lms-backend

Leave Management System – Backend

Backend REST API for a Leave Management System built with Django 5 and Django REST Framework. It manages employees, authentication (JWT), and leave requests with role-based access control.


Tech Stack

  • Python 3.11+
  • Django 5.x
  • Django REST Framework (DRF)
  • djangorestframework-simplejwt (JWT auth)
  • django-cors-headers
  • drf-spectacular (OpenAPI schema)

Project Structure (backend)

leaves/

  • models.py – Employee (custom user model) and Leave models

  • serializers.py – serializers for leave CRUD, registration, and password update

  • views.py – DRF generic views for authentication and leave management

  • urls.py – app-level routes (mounted under /api/)

leavesystem/

  • settings.py – Django configuration (custom user model, REST_FRAMEWORK, logging)

  • urls.py – project-level URLs (/admin/, /api/...)


Installation & Setup

From the backendproject directory:

  1. Create and activate a virtual environment (Windows PowerShell)

    uv venv .venv
    .\.venv\Scripts\Activate.ps1
  2. Install dependencies (from pyproject.toml):

    uv add django djangorestframework djangorestframework-simplejwt django-cors-headers drf-spectacular django-environ django-extensions 
  3. Apply migrations

    python manage.py makemigrations
    python manage.py migrate
  4. Create a superuser (for Django admin)

    python manage.py createsuperuser
  5. Run the development server

    python manage.py runserver

The API will be available at: http://127.0.0.1:8000/.


Authentication & User Model

Custom user model: leaves.Employee (email used as login identifier).

Fields (simplified):

  • email (unique, used as username)
  • first_name, last_name
  • employee_department
  • employee_position
  • phone_number
  • employee_role – one of STAFF, MANAGER, HR

Roles affect access to leave data:

  • HR / MANAGER – can see all leave requests
  • STAFF – can see only their own leave requests

Default DRF permission (settings.REST_FRAMEWORK) is IsAuthenticated, except where explicitly overridden (e.g. registration).


Base URLs

  • Django admin: GET /admin/
  • API base: all app endpoints are under /api/ (see below).

Authentication Endpoints

All auth endpoints are defined in leaves/urls.py and mounted under /api/ in leavesystem/urls.py.

1. Register

  • URL: POST /api/auth/register/
  • Permissions: Public (AllowAny)
  • Body (JSON):

    {
        "first_name": "Michael",
        "last_name": "Ataro",
        "email": "michael@example.com",
        "password": "SecurePassword123!",
        "employee_department": "Computer Science",
        "employee_position": "Student Developer",
        "phone_number": "0712345678",
        "employee_role": "STAFF"
    }
  • Response: 201 Created with employee details (password excluded).

2. Login (obtain JWT)

  • URL: POST /api/auth/login/

  • Permissions: Public

  • Body (JSON):

    {
        "email": "michael@example.com",
        "password": "SecurePassword123!"
    }
  • Response:

    {
        "refresh": "<refresh_token>",
        "access": "<access_token>"
    }

Use the access token in the Authorization header for protected endpoints:

Authorization: Bearer <access_token>

3. Refresh Token

  • URL: POST /api/auth/token/refresh/
  • Body: { "refresh": "<refresh_token>" }

4. Update Password

  • URL: PUT /api/auth/update-password/

  • Permissions: Authenticated

  • Body (JSON):

    {
        "old_password": "OldPassword123!",
        "new_password": "NewSecurePassword456!"
    }

Leave Endpoints

Defined in leaves/urls.py and protected by IsAuthenticated.

1. List / Create Leaves

  • URL: GET /api/leaves/all/

  • HR / MANAGER: list all leaves

  • STAFF: list only their own leaves

  • URL: POST /api/leaves/all/

  • Create a new leave request for the current user.

  • Body (JSON) example:

    {
        "leave_type": "SICK",
        "start_date": "2026-03-20",
        "end_date": "2026-03-22",
        "reason": "Flu"
    }

2. Retrieve / Update / Delete Single Leave

  • URL: /api/leaves/<id>/ (e.g. /api/leaves/3/)
  • Methods:
    • GET – retrieve a leave
    • PUT / PATCH – update a leave
    • DELETE – delete a leave

Access rules:

  • HR / MANAGER: can access any leave
  • STAFF: can only access their own leaves

Validation in the Leave model & serializer ensures:

  • end_date is not before start_date
  • start_date is not in the past
  • Certain leave types (e.g. SICK, STUDY) require a supporting document
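
The access rules and validation rules above, written as a framework-free Python sketch. This is an added example, not code from this repository: `Leave`, `can_access`, `visible_leaves`, `validate_leave` and the `ANNUAL` leave type are hypothetical names, and the sample records are constructed. It applies one ownership rule to both the list endpoint and the single-leave endpoint, and treats any unrecognised role value as unprivileged.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PRIVILEGED_ROLES = {"HR", "MANAGER"}   # roles the README says can see every leave
DOCUMENT_REQUIRED = {"SICK", "STUDY"}  # leave types that need a supporting document


@dataclass
class Leave:  # hypothetical stand-in for the Leave model
    id: int
    owner_email: str
    leave_type: str
    start_date: date
    end_date: date
    document: Optional[str] = None


def can_access(role: str, email: str, leave: Leave) -> bool:
    """Object-level rule for /api/leaves/<id>/: privileged role or owner only."""
    # Exact match on the role string: anything unexpected falls back to owner-only.
    return role in PRIVILEGED_ROLES or leave.owner_email == email


def visible_leaves(role: str, email: str, leaves: list) -> list:
    """List-level rule for GET /api/leaves/all/, reusing the same check."""
    return [leave for leave in leaves if can_access(role, email, leave)]


def validate_leave(leave: Leave, today: date) -> list:
    """Return every violated rule instead of stopping at the first one."""
    errors = []
    if leave.end_date < leave.start_date:
        errors.append("end_date is before start_date")
    if leave.start_date < today:
        errors.append("start_date is in the past")
    if leave.leave_type in DOCUMENT_REQUIRED and not leave.document:
        errors.append("supporting document required")
    return errors


# Constructed sample data (not taken from the project)
TODAY = date(2026, 3, 1)
LEAVES = [
    Leave(1, "staff@example.com", "SICK", date(2026, 3, 20), date(2026, 3, 22), "note.pdf"),
    Leave(2, "other@example.com", "ANNUAL", date(2026, 4, 1), date(2026, 4, 5)),
]
```

In a DRF view the same rule would normally be applied to the queryset itself, so that a STAFF request for another user's leave id gets the same response as a request for an id that does not exist.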

Logging & Monitoring

  • Logging is configured in leavesystem/settings.py to output to the console.
  • The leaves app logs key user actions (registration, leave creation, listing, and password updates) using Python’s logging module.
  • When running python manage.py runserver, check the terminal to trace user activity and debug issues.

Running Tests

From the backendproject directory:

python manage.py test

This will run tests for the leaves app (and any other apps with tests).
