feat(ig): Add editable IG pages with dynamic fields

[Anandhu0724]

Description

This PR implements editable Interest Group (IG) pages with dynamic field support.

Changes Made

• Added planning document for editable IG pages feature
• Prepared structure for dynamic page content
• Outlined API endpoints for page management

Type of Change

• New feature
• Bug fix
• Documentation update

Implementation Plan

Database Schema

• Add page_content JSONField to InterestGroup model
• Create IGPageSection model for dynamic sections

API Endpoints

• GET /api/dashboard/ig/{id}/page/ - Get page content
• PUT /api/dashboard/ig/{id}/page/ - Update page
• POST /api/dashboard/ig/{id}/sections/ - Add section
• DELETE /api/dashboard/ig/{id}/sections/{id}/ - Remove section

Features

• Text, image, video sections
• Dynamic field validation
• Section reordering

Status

🚧 Work in Progress

Testing

• Tested locally
• All tests pass

Related Issues

None

[Copilot]

Pull request overview

This PR introduces a planning document for implementing editable Interest Group (IG) pages with dynamic field support. The plan outlines database schema changes, new API endpoints for managing page content and sections, and support for various content types including text, images, video embeds, and custom HTML blocks. This feature aims to give IG administrators more flexibility in customizing their Interest Group pages beyond the current static fields.

Key Changes:

• Planning document for dynamic IG page editing feature
• Proposed schema updates: JSONField for page_content and new IGPageSection model
• Four new API endpoints for CRUD operations on IG pages and sections

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The plan doesn't specify authorization requirements for the new endpoints. Based on the existing PATCH endpoint at line 291 in dash_ig_view.py which restricts updates to Admins and IG Leads, clarify who should be able to create, update, and delete page sections - should it be limited to IG Leads and Admins only, or should members have access as well?

Suggested change

	### Authorization Requirements
	- Only IG Leads and Admins are permitted to create, update, or delete page sections via the following endpoints:
	- PUT /api/dashboard/ig/{id}/page/
	- POST /api/dashboard/ig/{id}/sections/
	- DELETE /api/dashboard/ig/{id}/sections/{section_id}/
	- Regular IG members and other users have read-only access (GET endpoint only).

[Copilot]

The database schema updates lack important implementation details. For the JSONField 'page_content', specify the expected schema structure and constraints. For the 'IGPageSection' model, define the fields it should contain (e.g., section_type, content, order, created_by, updated_by, timestamps). Without this information, developers implementing this feature may make inconsistent design decisions.

Suggested change

	- Add `page_content` JSONField to Interest Group model
	- Add `IGPageSection` model for dynamic sections
	- Add `page_content` JSONField to Interest Group model
	- **Expected schema:**
	```json
	{
	"sections": [
	{
	"section_type": "text" | "image" | "video" | "html",
	"content": string | object, // e.g., text, image URL, video embed code, or HTML
	"order": integer,
	"settings": { /* optional, e.g., style, alignment, etc. */ }
	}
	]
	}
	```
	- **Constraints:**
	- `sections` is an array of section objects
	- Each section must have a `section_type`, `content`, and `order`
	- `order` is a unique integer per IG page, used for sorting
	- `section_type` must be one of: `"text"`, `"image"`, `"video"`, `"html"`
	- Add `IGPageSection` model for dynamic sections
	- **Fields:**
	- `id`: AutoField (primary key)
	- `interest_group`: ForeignKey to Interest Group
	- `section_type`: CharField (choices: `"text"`, `"image"`, `"video"`, `"html"`)
	- `content`: JSONField (structure depends on `section_type`)
	- `order`: IntegerField (for ordering sections)
	- `created_by`: ForeignKey to User
	- `updated_by`: ForeignKey to User
	- `created_at`: DateTimeField (auto_now_add=True)
	- `updated_at`: DateTimeField (auto_now=True)
	- **Constraints:**
	- `order` must be unique per Interest Group
	- `section_type` must be one of the allowed choices
	- `content` must match the expected structure for the given `section_type`

[Copilot]

Video embeds should specify which platforms/domains will be allowed (e.g., YouTube, Vimeo) to prevent security risks from arbitrary embed sources. Additionally, the plan should mention using oEmbed or iframe sandboxing for safe embedding, and validating that URLs match expected patterns for approved platforms.

Suggested change

	- Video embeds
	- Video embeds (only from approved platforms: YouTube, Vimeo, etc.; embed URLs will be validated to match expected patterns; oEmbed or iframe sandboxing will be used for safe embedding)

[Copilot]

Custom HTML blocks pose a significant XSS (cross-site scripting) security risk. If user-generated HTML is rendered without proper sanitization, malicious scripts can be injected and executed in other users' browsers. Consider implementing HTML sanitization (e.g., using bleach library in Python or DOMPurify on the frontend) to strip potentially dangerous elements and attributes, or avoid custom HTML altogether in favor of a safer markdown format.

Suggested change

	- Custom HTML blocks
	- Custom HTML blocks (must be sanitized before rendering using a library such as bleach (Python) or DOMPurify (JS), or consider using a safer markdown format instead)

[Copilot]

The API endpoints lack input validation specifications. The plan should include details about validating JSONField content structure, maximum sizes for text/image sections, allowed video embed domains (to prevent embedding from untrusted sources), and restrictions on the number of sections per page to prevent abuse and ensure system stability.