diff --git a/core/tests/test_files.py b/core/tests/test_files.py
index 70a01c7a..525de3dd 100644
--- a/core/tests/test_files.py
+++ b/core/tests/test_files.py
@@ -66,6 +66,40 @@ class TestImageAccess:
         assert not picture.is_owned_by(user)
 
 
+@pytest.mark.django_db
+class TestUserPicture:
+    def test_anonymous_user_unauthorized(self, client):
+        """An anonymous user shouldn't have access to an user's photo page."""
+        response = client.get(
+            reverse(
+                "core:user_pictures",
+                kwargs={"user_id": User.objects.get(username="sli").pk},
+            )
+        )
+        assert response.status_code == 403
+
+    @pytest.mark.parametrize(
+        ("username", "status"),
+        [
+            ("guy", 403),
+            ("root", 200),
+            ("skia", 200),
+            ("sli", 200),
+        ],
+    )
+    def test_page_is_working(self, client, username, status):
+        """Only user that subscribed (or admins) should be able to see the page."""
+        # Test for simple user
+        client.force_login(User.objects.get(username=username))
+        response = client.get(
+            reverse(
+                "core:user_pictures",
+                kwargs={"user_id": User.objects.get(username="sli").pk},
+            )
+        )
+        assert response.status_code == status
+
+
 # TODO: many tests on the pages:
 #   - renaming a page
 #   - changing a page's parent --> check that page's children's full_name
diff --git a/core/tests/test_user.py b/core/tests/test_user.py
index b15c7bbe..17bcbb3d 100644
--- a/core/tests/test_user.py
+++ b/core/tests/test_user.py
@@ -22,6 +22,7 @@ from core.models import Group, User
 from core.views import UserTabsMixin
 from counter.models import Counter, Refilling, Selling
 from eboutic.models import Invoice, InvoiceItem
+from sas.models import Picture
 
 
 class TestSearchUsers(TestCase):
@@ -29,6 +30,7 @@ class TestSearchUsers(TestCase):
     def setUpTestData(cls):
         # News.author has on_delete=PROTECT, so news must be deleted beforehand
         News.objects.all().delete()
+        Picture.objects.all().delete()  # same for pictures
         User.objects.all().delete()
         user_recipe = Recipe(
             User,
diff --git a/sas/tests/test_api.py b/sas/tests/test_api.py
index 813c02a1..fee2eb06 100644
--- a/sas/tests/test_api.py
+++ b/sas/tests/test_api.py
@@ -61,7 +61,7 @@ class TestPictureSearch(TestSas):
         self.client.force_login(self.user_b)
         res = self.client.get(self.url + f"?album_id={self.album_a.id}")
         assert res.status_code == 200
-        expected = list(self.album_a.children_pictures.values_list("id", flat=True))
+        expected = list(self.album_a.pictures.values_list("id", flat=True))
         assert [i["id"] for i in res.json()["results"]] == expected
 
     def test_filter_by_user(self):
@@ -70,7 +70,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_a.pictures.order_by(
-                "-picture__parent__date", "picture__date"
+                "-picture__parent__event_date", "picture__created_at"
             ).values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
@@ -84,7 +84,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_a.pictures.union(self.user_b.pictures.all())
-            .order_by("-picture__parent__date", "picture__date")
+            .order_by("-picture__parent__event_date", "picture__created_at")
             .values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
@@ -97,7 +97,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_a.pictures.order_by(
-                "-picture__parent__date", "picture__date"
+                "-picture__parent__event_date", "picture__created_at"
             ).values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
@@ -123,7 +123,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_b.pictures.intersection(self.user_a.pictures.all())
-            .order_by("-picture__parent__date", "picture__date")
+            .order_by("-picture__parent__event_date", "picture__created_at")
             .values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
diff --git a/sas/tests/test_views.py b/sas/tests/test_views.py
index f085f202..37c545f3 100644
--- a/sas/tests/test_views.py
+++ b/sas/tests/test_views.py
@@ -136,9 +136,7 @@ class TestAlbumUpload:
 class TestSasModeration(TestCase):
     @classmethod
     def setUpTestData(cls):
-        album = baker.make(
-            Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, is_moderated=True
-        )
+        album = baker.make(Album)
         cls.pictures = picture_recipe.make(
             parent=album, _quantity=10, _bulk_create=True
         )