Merge pull request #1413 from ae-utbm/counter-barmen

feat: `request.barmen`

api/permissions.py

@@ -46,7 +46,7 @@ from django.http import HttpRequest
 from ninja_extra import ControllerBase
 from ninja_extra.permissions import BasePermission
 
-from counter.models import Counter
+from counter.utils import is_logged_in_counter
 
 
 class IsInGroup(BasePermission):
@@ -186,12 +186,7 @@ class IsLoggedInCounter(BasePermission):
     """Check that a user is logged in a counter."""
 
     def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
-        if "/counter/" not in request.META.get("HTTP_REFERER", ""):
-            return False
-        token = request.session.get("counter_token")
-        if not token:
-            return False
-        return Counter.objects.filter(token=token).exists()
+        return is_logged_in_counter(request)
 
 
 CanAccessLookup = IsLoggedInCounter | HasPerm("core.access_lookup")

club/migrations/0017_linktype_clublink.py

@@ -25,8 +25,7 @@ class Migration(migrations.Migration):
                     "url_base",
                     models.URLField(
                         help_text=(
-                            "The base url that links with this type "
-                            "must respect (e.g. `https://www.instagram.com`)"
+                            "The base url that links with this type must respect"
                         ),
                         unique=True,
                         verbose_name="url base",

club/models.py

@@ -793,10 +793,7 @@ class LinkType(models.Model):
     url_base = models.URLField(
         "url base",
         unique=True,
-        help_text=_(
-            "The base url that links with this type must respect (e.g. `%(url)s`)"
-        )
-        % {"url": "https://www.instagram.com"},
+        help_text=_("The base url that links with this type must respect"),
     )
     icon = models.CharField(
         _("icon"),

core/management/commands/populate.py

@@ -43,6 +43,7 @@ from core.models import BanGroup, Group, Page, PageRev, SithFile, User
 from core.utils import resize_image
 from counter.models import (
     Counter,
+    CounterSellers,
     Price,
     Product,
     ProductType,
@@ -364,10 +365,10 @@ class Command(BaseCommand):
         Counter.objects.create(name="Carte AE", club=clubs.refound, type="OFFICE")
 
         # Add barman to counter
-        Counter.sellers.through.objects.bulk_create(
+        CounterSellers.objects.bulk_create(
             [
-                Counter.sellers.through(counter_id=1, user=skia),  # MDE
-                Counter.sellers.through(counter_id=2, user=krophil),  # Foyer
+                CounterSellers(counter_id=1, user=skia, is_regular=True),  # MDE
+                CounterSellers(counter_id=2, user=krophil, is_regular=True),  # Foyer
             ]
         )
 

core/templates/core/base/header.jinja

@@ -22,14 +22,9 @@
         </form>
         <ul class="bars">
           {% cache 100 "counters_activity" %}
-                      {# The sith has no periodic tasks manager
-                         and using cron jobs would be way too overkill here.
-                         Thus the barmen timeout is handled in the only place that
-                         is loaded on every page : the header bar.
-                         However, let's be clear : this has nothing to do here.
-                         It's' merely a contrived workaround that should
-                         replaced by a proper task manager as soon as possible. #}
-            {% set _ = Counter.objects.filter(type="BAR").handle_timeout() %}
+            {# It would be cleaner to handle the timeout with django-celery-beat,
+               but doing it here is simpler and less error-prone #}
+            {% do Counter.objects.filter(type="BAR").handle_timeout() %}
           {% endcache %}
           {% for bar in Counter.objects.annotate_has_barman(user).annotate_is_open().filter(type="BAR") %}
             <li>

counter/forms.py

@@ -9,6 +9,7 @@ from django import forms
 from django.core.exceptions import ValidationError
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
+from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import ClockedSchedule
@@ -17,6 +18,7 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
 from core.models import User, UserQuerySet
+from core.views import LoginForm
 from core.views.forms import (
     FutureDateTimeField,
     NFCTextInput,
@@ -91,30 +93,18 @@ class StudentCardForm(forms.ModelForm):
 
 
 class GetUserForm(forms.Form):
-    """The Form class aims at providing a valid user_id field in its cleaned data, in order to pass it to some view,
-    reverse function, or any other use.
-
-    The Form implements a nice JS widget allowing the user to type a customer account id, or search the database with
-    some nickname, first name, or last name (TODO)
-    """
+    """Find a user to show its click page."""
 
     code = forms.CharField(
         label="Code",
         max_length=StudentCard.UID_SIZE,
         required=False,
-        widget=NFCTextInput,
+        widget=NFCTextInput(attrs={"autofocus": True}),
     )
     id = forms.CharField(
-        label=_("Select user"),
-        help_text=None,
-        widget=AutoCompleteSelectUser,
-        required=False,
+        label=_("Select user"), widget=AutoCompleteSelectUser, required=False
     )
 
-    def as_p(self):
-        self.fields["code"].widget.attrs["autofocus"] = True
-        return super().as_p()
-
     def clean(self):
         cleaned_data = super().clean()
         customer = None
@@ -136,11 +126,40 @@ class GetUserForm(forms.Form):
 
         if customer is None or not customer.can_buy:
             raise forms.ValidationError(_("User not found"))
-        cleaned_data["user_id"] = customer.user.id
+        cleaned_data["user_id"] = customer.user_id
         cleaned_data["user"] = customer.user
         return cleaned_data
 
 
+class CounterLoginForm(LoginForm):
+    """LoginForm to log a barman in a counter.
+
+    To be able to log in a counter, a user must :
+
+    - be part of the sellers of the given counter
+    - not being already logged in any counter
+    """
+
+    def __init__(self, *args, request: HttpRequest, counter: Counter, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.counter = counter
+        self.request = request
+
+    def confirm_login_allowed(self, user: User):
+        super().confirm_login_allowed(user)
+        if not self.counter.sellers.contains(user):
+            raise ValidationError(
+                message=_("You are not a barman of this counter."), code="not_barman"
+            )
+        if user in self.request.barmen:
+            message = (
+                _("You are already logged in this counter.")
+                if user in self.counter.barmen_list
+                else _("You are already logged in another counter.")
+            )
+            raise ValidationError(message=message, code="already_logged_in")
+
+
 class RefillForm(forms.ModelForm):
     allowed_refilling_methods = [
         Refilling.PaymentMethod.CASH,

counter/middleware.py

@@ -0,0 +1,64 @@
+from typing import TYPE_CHECKING, Callable
+
+from django.db.models import Exists, OuterRef
+from django.http import HttpRequest, HttpResponse
+from django.utils.functional import SimpleLazyObject, empty
+
+from core.models import User
+from counter.models import Permanency
+
+if TYPE_CHECKING:
+    from django.contrib.sessions.backends.base import SessionBase
+
+
+SESSION_BARMEN_KEY = "barmen_ids"
+
+
+def get_cached_barmen(request: HttpRequest) -> set[User]:
+    if not hasattr(request, "_cached_barmen"):
+        session: SessionBase = request.session
+        barmen_ids = session.get(SESSION_BARMEN_KEY, [])
+        if barmen_ids:
+            request._cached_barmen = set(
+                User.objects.filter(
+                    Exists(Permanency.objects.filter(user=OuterRef("pk"), end=None)),
+                    id__in=barmen_ids,
+                )
+            )
+        else:
+            request._cached_barmen = set()
+
+    return request._cached_barmen
+
+
+class BarmenMiddleware:
+    """Inject barmen logged in the current session.
+
+    In a similar fashion as `request.user`, `request.barmen` contains
+    users that are barmen in the current session, and ONLY them ;
+    if a user is logged as a barman on another session,
+    it will not be in `request.barmen`.
+
+    Notes:
+        In case of ended permanence, users will be automatically
+        removed from `request.barmen`.
+        However, in case of newly started permanence, this middleware
+        cannot add new barmen in the session data, so that operation
+        must be explicitly done in the barman login view.
+    """
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        request.barmen = SimpleLazyObject(lambda: get_cached_barmen(request))
+
+        response = self.get_response(request)
+
+        if request.barmen._wrapped is not empty and {
+            b.id for b in request.barmen
+        } != set(request.session.get(SESSION_BARMEN_KEY, [])):
+            # update the session data only if `session.barmen`
+            # has been accessed and modified.
+            request.session[SESSION_BARMEN_KEY] = [b.id for b in request.barmen]
+        return response

counter/migrations/0040_product_clic_limit.py

@@ -21,4 +21,5 @@ class Migration(migrations.Migration):
                 verbose_name="clic limit",
             ),
         ),
+        migrations.RemoveField(model_name="counter", name="token"),
     ]

counter/models.py

@@ -619,7 +619,6 @@ class Counter(models.Model):
     view_groups = models.ManyToManyField(
         Group, related_name="viewable_counters", blank=True
     )
-    token = models.CharField(_("token"), max_length=30, null=True, blank=True)
 
     objects = CounterQuerySet.as_manager()
 

counter/signals.py

@@ -20,41 +20,34 @@
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
+import random
 
 from django.db.models.signals import pre_delete
 from django.dispatch import receiver
 
 from core.middleware import get_signal_request
 from core.models import OperationLog
-from counter.models import Counter, Refilling, Selling
+from counter.models import Refilling, Selling
 
 
-def write_log(instance, operation_type):
+def write_log(instance: Selling | Refilling, operation_type):
     def get_user():
         request = get_signal_request()
 
         if not request:
             return None
 
-        # Get a random barmen if deletion is from a counter
-        session = getattr(request, "session", {})
-        session_token = session.get("counter_token", None)
-        if session_token:
-            counter = Counter.objects.filter(token=session_token).first()
-            if counter and len(counter.barmen_list) > 0:
-                return counter.get_random_barman()
+        if request.barmen:
+            return random.choice(list(request.barmen))
 
         # Get the current logged user if not from a counter
-        if request.user and not request.user.is_anonymous:
+        if request.user.is_authenticated:
             return request.user
 
-        # Return None by default
         return None
 
     OperationLog(
-        label=str(instance),
-        operator=get_user(),
-        operation_type=operation_type,
+        label=str(instance), operator=get_user(), operation_type=operation_type
     ).save()
 
 

counter/templates/counter/counter_main.jinja

@@ -32,12 +32,11 @@
       </ul>
       <p><strong>{% trans %}Total: {% endtrans %}{{ last_total }} €</strong></p>
     {% endif %}
-    {% if barmen %}
+    {% if can_click %}
       <p>{% trans %}Enter client code:{% endtrans %}</p>
-      <form method="post" action="">
+      <form method="post" action="" id="select-user-form">
         {% csrf_token %}
-        <input type="hidden" name="counter_token" value="{{ counter.token }}" />
-        {{ form.as_p() }}
+        {{ form }}
         <p><input type="submit" value="{% trans %}validate{% endtrans %}" /></p>
       </form>
     {% else %}
@@ -45,17 +44,36 @@
     {% endif %}
   </div>
   {% if counter.type == 'BAR' %}
+    <h3>{% trans %}Barmen:{% endtrans %}</h3>
+
+    {% if barmen_here %}
+      <div class="row gap-2x">
         <div>
-      <h3>{% trans %}Barman: {% endtrans %}</h3>
+          <h4>{% trans %}On this device{% endtrans %}</h4>
+          {% for b in barmen_here %}
+            <p>{{ barman_logout_link(b) }}</p>
+          {% endfor %}
+        </div>
+        <div>
+          <h4>{% trans %}Elsewhere{% endtrans %}</h4>
+          {% if barmen_here|length == barmen|length %}
+            {# all logged barmen are logged in this session #}
+            <p><em>{% trans %}No barman logged elsewhere{% endtrans %}</em></p>
+          {% else %}
+            {% for b in barmen %}
+              {%- if b not in barmen_here -%}
+                <p>{{ barman_logout_link(b) }}</p>
+              {%- endif -%}
+            {% endfor %}
+          {% endif %}
+        </div>
+      </div>
+    {% else %}
       {% for b in barmen %}
         <p>{{ barman_logout_link(b) }}</p>
       {% endfor %}
-      <form method="post" action="{{ url('counter:login', counter_id=counter.id) }}">
-        {% csrf_token %}
-        {{ login_form.as_p() }}
-        <p><input type="submit" value="{% trans %}login{% endtrans %}" /></p>
-      </form>
-    </div>
+    {% endif %}
+    {{ login_fragment }}
   {% endif %}
 {% endblock %}
 
@@ -63,10 +81,10 @@
   {{ super() }}
   <script type="text/javascript">
     window.addEventListener("DOMContentLoaded", () => {
-      // The login form annoyingly takes priority over the code form 
-      // This is due to the loading time of the web component
-      // We can't rely on DOMContentLoaded to know if the component is there so we
-      // periodically run a script until the field is there
+      {# The login form annoyingly takes priority over the code form
+         This is due to the loading time of the web component
+         We can't rely on DOMContentLoaded to know if the component is there so we
+         periodically run a script until the field is there #}
       const autofocus = () => {
         const field = document.querySelector("input[id='id_code']");
         if (field === null){

counter/templates/counter/fragments/login.jinja

@@ -0,0 +1,5 @@
+<form hx-post="{{ action }}" hx-swap="outerHTML">
+  {% csrf_token %}
+  {{ form }}
+  <input type="submit" value="{% trans %}Confirm{% endtrans %}"/>
+</form>

counter/tests/test_counter.py

@@ -17,9 +17,11 @@ from datetime import timedelta
 from decimal import Decimal
 
 import pytest
+from bs4 import BeautifulSoup
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
 from django.contrib.auth.models import Permission, make_password
+from django.contrib.messages import DEFAULT_LEVELS, get_messages
 from django.http import HttpResponse
 from django.shortcuts import resolve_url
 from django.test import Client, TestCase
@@ -37,6 +39,7 @@ from core.models import BanGroup, Group, User
 from counter.baker_recipes import price_recipe, product_recipe, sale_recipe
 from counter.models import (
     Counter,
+    CounterSellers,
     Customer,
     Permanency,
     ProductType,
@@ -66,10 +69,14 @@ class TestFullClickBase(TestCase):
         cls.subscriber = subscriber_user.make()
 
         cls.counter = baker.make(Counter, type="BAR")
-        cls.counter.sellers.add(cls.barmen, cls.board_admin)
-
         cls.other_counter = baker.make(Counter, type="BAR")
-        cls.other_counter.sellers.add(cls.barmen)
+        CounterSellers.objects.bulk_create(
+            [
+                CounterSellers(counter=cls.counter, user=cls.barmen),
+                CounterSellers(counter=cls.counter, user=cls.board_admin),
+                CounterSellers(counter=cls.other_counter, user=cls.barmen),
+            ]
+        )
 
         cls.yet_another_counter = baker.make(Counter, type="BAR")
 
@@ -114,7 +121,10 @@ class TestRefilling(TestFullClickBase):
     ) -> HttpResponse:
         used_client = client if client is not None else self.client
         return used_client.post(
-            reverse("counter:refilling_create", kwargs={"customer_id": user.pk}),
+            reverse(
+                "counter:refilling_create",
+                kwargs={"customer_id": user.pk, "counter_id": self.counter.pk},
+            ),
             {"amount": str(amount), "payment_method": Refilling.PaymentMethod.CASH},
             HTTP_REFERER=reverse(
                 "counter:click", kwargs={"counter_id": counter.id, "user_id": user.pk}
@@ -138,7 +148,10 @@ class TestRefilling(TestFullClickBase):
             return self.client.post(
                 reverse(
                     "counter:refilling_create",
-                    kwargs={"customer_id": self.customer.pk},
+                    kwargs={
+                        "customer_id": self.customer.pk,
+                        "counter_id": self.counter.pk,
+                    },
                 ),
                 {"amount": "10", "payment_method": "CASH"},
             )
@@ -442,9 +455,19 @@ class TestCounterClick(TestFullClickBase):
 
     def test_click_not_connected(self):
         force_refill_user(self.customer, 10)
+
+        # trying to click on a bar without being logged should result
+        # in a redirect to the counter page with an error message
         res = self.submit_basket(self.customer, [BasketItem(self.snack.id, 2)])
         assertRedirects(res, self.counter.get_absolute_url())
+        messages = list(get_messages(res.wsgi_request))
+        assert len(messages) == 1
+        assert messages[0].level == DEFAULT_LEVELS["ERROR"]
+        assert (
+            messages[0].message == "Vous ne pouvez pas cliquer des gens sur ce comptoir"
+        )
 
+        # trying to click on an office counter without permission should 403
         res = self.submit_basket(
             self.customer, [BasketItem(self.snack.id, 2)], counter=self.club_counter
         )
@@ -718,59 +741,97 @@ class TestCounterStats(TestCase):
 class TestBarmanConnection(TestCase):
     @classmethod
     def setUpTestData(cls):
-        cls.krophil = User.objects.get(username="krophil")
-        cls.skia = User.objects.get(username="skia")
-        cls.skia.customer.account = 800
-        cls.krophil.customer.save()
-        cls.skia.customer.save()
-
-        cls.counter = Counter.objects.get(id=2)
+        cls.barman = subscriber_user.make()
+        cls.barman.set_password("plop")
+        cls.barman.save()
+        cls.counter = baker.make(Counter, type="BAR", sellers=[cls.barman])
+        cls.login_url = reverse("counter:login", kwargs={"counter_id": cls.counter.id})
+        cls.detail_url = reverse(
+            "counter:details", kwargs={"counter_id": cls.counter.id}
+        )
 
     def test_barman_granted(self):
+        response = self.client.post(
+            self.login_url, {"username": self.barman.username, "password": "plop"}
+        )
+        assert response.status_code == 200
+        assert response.headers["HX-Redirect"] == self.detail_url
+        last_perm = Permanency.objects.last()
+        assert last_perm.counter == self.counter
+        assert last_perm.user == self.barman
+        assert last_perm.end is None
+        assert self.barman in response.wsgi_request.barmen
+        response = self.client.get(
+            self.detail_url, {"username": self.barman.username, "password": "plop"}
+        )
+        assert response.context_data.get("barmen") == [self.barman]
+        soup = BeautifulSoup(response.text, "lxml")
+        assert soup.find("form", id="select-user-form") is not None
+
+    def assert_counter_login_fails(self, user: User):
+        initial_perms = set(self.counter.permanencies.filter(user=user, end=None))
+        response = self.client.post(
+            self.login_url, {"username": user.username, "password": "plop"}
+        )
+        assert "HX-Redirect" not in response.headers
+        assert (
+            set(self.counter.permanencies.filter(user=user, end=None)) == initial_perms
+        )
+        if initial_perms:
+            # the user was already logged in, and we already tested
+            # that it didn't re-login, so we can skip the next assertions.
+            return
+
+        self.counter.refresh_from_db()
+        assert response.wsgi_request.barmen.isdisjoint(set(self.counter.barmen_list))
+
+        response = self.client.get(self.detail_url)
+        assert response.context_data.get("barmen") == []
+        soup = BeautifulSoup(response.text, "lxml")
+        assert soup.find("form", id="select-user-form") is None
+
+    def test_barman_not_seller(self):
+        """Test when the barman is not a seller of the counter"""
+        not_barman = subscriber_user.make()
+        not_barman.set_password("plop")
+        not_barman.save()
+        self.assert_counter_login_fails(not_barman)
+
+    def test_barman_already_logged(self):
+        """Test when the barman is already logged in the current counter."""
         self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
+            self.login_url, {"username": self.barman.username, "password": "plop"}
         )
-        response = self.client.get(reverse("counter:details", args=[self.counter.id]))
+        self.assert_counter_login_fails(self.barman)
 
-        assert "<p>Entrez un code client : </p>" in str(response.content)
-
-    def test_counters_list_barmen(self):
+    def test_barman_already_logged_elsewhere(self):
+        """Test when the barman is already logged in another counter."""
+        other_counter = baker.make(Counter, type="BAR")
+        CounterSellers.objects.create(counter=other_counter, user=self.barman)
         self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
+            reverse("counter:login", kwargs={"counter_id": other_counter.id}),
+            {"username": self.barman.username, "password": "plop"},
         )
-        response = self.client.get(reverse("counter:activity", args=[self.counter.id]))
+        self.assert_counter_login_fails(self.barman)
 
-        assert '<li><a href="/user/10/">Kro Phil&#39;</a></li>' in str(response.content)
-
-    def test_barman_denied(self):
-        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "skia", "password": "plop"},
+    def test_login_on_non_bar_counter(self):
+        counter = baker.make(Counter, type="OFFICE")
+        CounterSellers.objects.create(counter=counter, user=self.barman)
+        url = reverse("counter:login", kwargs={"counter_id": counter.id})
+        response = self.client.get(url)
+        assert response.status_code == 403
+        response = self.client.post(
+            url, {"username": self.barman.username, "password": "plop"}
         )
-        response_get = self.client.get(
-            reverse("counter:details", args=[self.counter.id])
-        )
-
-        assert "<p>Merci de vous identifier</p>" in str(response_get.content)
-
-    def test_counters_list_no_barmen(self):
-        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
-        )
-        response = self.client.get(reverse("counter:activity", args=[self.counter.id]))
-
-        assert '<li><a href="/user/1/">S&#39; Kia</a></li>' not in str(response.content)
+        assert response.status_code == 403
 
 
 @pytest.mark.django_db
-def test_barman_timeout():
+def test_barman_timeout(client: Client):
     """Test that barmen timeout is well managed."""
     bar = baker.make(Counter, type="BAR")
     user = baker.make(User)
-    bar.sellers.add(user)
+    CounterSellers.objects.create(counter=bar, user=user)
     baker.make(Permanency, counter=bar, user=user, start=now())
 
     qs = Counter.objects.annotate_is_open().filter(pk=bar.pk)
@@ -786,6 +847,8 @@ def test_barman_timeout():
         bar = qs[0]
         assert not bar.is_open
         assert bar.barmen_list == []
+    res = client.get("")
+    assert res.wsgi_request.barmen == set()
 
 
 class TestClubCounterClickAccess(TestCase):
@@ -835,14 +898,14 @@ class TestClubCounterClickAccess(TestCase):
 
     def test_barman(self):
         """Sellers should be able to click on office counters"""
-        self.counter.sellers.add(self.user)
+        CounterSellers.objects.create(counter=self.counter, user=self.user)
         self.client.force_login(self.user)
         res = self.client.get(self.click_url)
         assert res.status_code == 200
 
     def test_both_barman_and_board_member(self):
         """If the user is barman and board member, he should be authorized as well."""
-        self.counter.sellers.add(self.user)
+        CounterSellers.objects.create(counter=self.counter, user=self.user)
         baker.make(
             Membership, club=self.counter.club, user=self.user, role=self.board_role
         )
@@ -868,14 +931,15 @@ class TestCounterLogout:
             )
         assertRedirects(
             res,
-                reverse(
-                    "counter:details", kwargs={"counter_id": permanence.counter_id}
-                ),
+            reverse("counter:details", kwargs={"counter_id": permanence.counter_id}),
         )
         permanence.refresh_from_db()
-            assert permanence.end == now()
+        assert permanence.end == permanence.activity
+        assert permanence.user not in res.wsgi_request.barmen
 
     def test_logout_doesnt_change_old_permanences(self, client: Client):
+        # regression test for #1141
+        # https://github.com/ae-utbm/sith/pull/1141
         perm_counter = baker.make(Counter, type="BAR")
         permanence = baker.make(
             Permanency,
@@ -896,6 +960,6 @@ class TestCounterLogout:
                 data={"user_id": permanence.user_id},
             )
             permanence.refresh_from_db()
-            assert permanence.end == now()
+            assert permanence.end == permanence.activity
             old_permanence.refresh_from_db()
             assert old_permanence.end == old_end

counter/urls.py

@@ -41,7 +41,6 @@ from counter.views.admin import (
     ReturnableProductUpdateView,
     SellingDeleteView,
 )
-from counter.views.auth import counter_login, counter_logout
 from counter.views.cash import (
     CashSummaryEditView,
     CashSummaryListView,
@@ -57,7 +56,9 @@ from counter.views.eticket import (
 from counter.views.home import (
     CounterActivityView,
     CounterLastOperationsView,
+    CounterLoginFragment,
     CounterMain,
+    counter_logout,
 )
 from counter.views.invoice import InvoiceCallView
 from counter.views.student_card import StudentCardDeleteView, StudentCardFormFragment
@@ -66,7 +67,7 @@ urlpatterns = [
     path("<int:counter_id>/", CounterMain.as_view(), name="details"),
     path("<int:counter_id>/click/<int:user_id>/", CounterClick.as_view(), name="click"),
     path(
-        "refill/<int:customer_id>/",
+        "<int:counter_id>/refill/<int:customer_id>/",
         RefillingCreateView.as_view(),
         name="refilling_create",
     ),
@@ -82,7 +83,7 @@ urlpatterns = [
     ),
     path("<int:counter_id>/activity/", CounterActivityView.as_view(), name="activity"),
     path("<int:counter_id>/stats/", CounterStatView.as_view(), name="stats"),
-    path("<int:counter_id>/login/", counter_login, name="login"),
+    path("<int:counter_id>/login/", CounterLoginFragment.as_view(), name="login"),
     path("<int:counter_id>/logout/", counter_logout, name="logout"),
     path("eticket/<int:selling_id>/pdf/", EticketPDFView.as_view(), name="eticket_pdf"),
     path(

counter/utils.py

@@ -3,8 +3,6 @@ from urllib.parse import urlparse
 from django.http import HttpRequest
 from django.urls import resolve
 
-from counter.models import Counter
-
 
 def is_logged_in_counter(request: HttpRequest) -> bool:
     """Check if the request is sent from a device logged to a counter.
@@ -20,24 +18,13 @@ def is_logged_in_counter(request: HttpRequest) -> bool:
       or the request path belongs to the counter app
       (eg. the barman went back to the main by missclick and go back
       to the counter)
-    - The current session has a counter token associated with it.
-    - A counter with this token exists.
-    - The counter is open
+    - There are barmen logged in the current session
     """
     referer_ok = (
         "HTTP_REFERER" in request.META
         and resolve(urlparse(request.META["HTTP_REFERER"]).path).app_name == "counter"
     )
-    has_token = (
-        (referer_ok or request.resolver_match.app_name == "counter")
-        and "counter_token" in request.session
-        and request.session["counter_token"]
-    )
-    if not has_token:
+    if not referer_ok and request.resolver_match.app_name != "counter":
         return False
 
-    return (
-        Counter.objects.annotate_is_open()
-        .filter(token=request.session["counter_token"], is_open=True)
-        .exists()
-    )
+    return bool(request.barmen)

counter/views/auth.py

@@ -1,53 +0,0 @@
-#
-# Copyright 2023 © AE UTBM
-# ae@utbm.fr / ae.info@utbm.fr
-#
-# This file is part of the website of the UTBM Student Association (AE UTBM),
-# https://ae.utbm.fr.
-#
-# You can find the source code of the website at https://github.com/ae-utbm/sith
-#
-# LICENSED UNDER THE GNU GENERAL PUBLIC LICENSE VERSION 3 (GPLv3)
-# SEE : https://raw.githubusercontent.com/ae-utbm/sith/master/LICENSE
-# OR WITHIN THE LOCAL FILE "LICENSE"
-#
-#
-
-from django.http import HttpRequest, HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect
-from django.utils import timezone
-from django.utils.timezone import now
-from django.views.decorators.http import require_POST
-
-from core.views.forms import LoginForm
-from counter.models import Counter, Permanency
-
-
-@require_POST
-def counter_login(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
-    """Log a user in a counter.
-
-    A successful login will result in the beginning of a counter duty
-    for the user.
-    """
-    counter = get_object_or_404(Counter, pk=counter_id)
-    form = LoginForm(request, data=request.POST)
-    if not form.is_valid():
-        return redirect(counter.get_absolute_url() + "?credentials")
-    user = form.get_user()
-    if not counter.sellers.contains(user) or user in counter.barmen_list:
-        return redirect(counter.get_absolute_url() + "?sellers")
-    if len(counter.barmen_list) == 0:
-        counter.gen_token()
-    request.session["counter_token"] = counter.token
-    counter.permanencies.create(user=user, start=timezone.now())
-    return redirect(counter)
-
-
-@require_POST
-def counter_logout(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
-    """End the permanency of a user in this counter."""
-    Permanency.objects.filter(
-        counter=counter_id, user=request.POST["user_id"], end=None
-    ).update(end=now())
-    return redirect("counter:details", counter_id=counter_id)

counter/views/click.py

@@ -12,8 +12,10 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+import random
 from collections import defaultdict
 
+from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Q
@@ -21,6 +23,7 @@ from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect, resolve_url
 from django.urls import reverse
 from django.utils.safestring import SafeString
+from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from django.views.generic.detail import SingleObjectMixin
 from ninja.main import HttpRequest
@@ -29,13 +32,7 @@ from core.auth.mixins import CanViewMixin
 from core.models import User
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BasketForm, RefillForm
-from counter.models import (
-    Counter,
-    Customer,
-    ProductFormula,
-    ReturnableProduct,
-    Selling,
-)
+from counter.models import Counter, Customer, ProductFormula, ReturnableProduct, Selling
 from counter.utils import is_logged_in_counter
 from counter.views.mixins import CounterTabsMixin
 from counter.views.student_card import StudentCardFormFragment
@@ -46,7 +43,7 @@ def get_operator(request: HttpRequest, counter: Counter, customer: Customer) ->
         return request.user
     if counter.customer_is_barman(customer):
         return customer.user
-    return counter.get_random_barman()
+    return random.choice(list(request.barmen))
 
 
 class CounterClick(
@@ -78,7 +75,7 @@ class CounterClick(
         return kwargs
 
     def dispatch(self, request, *args, **kwargs):
-        self.customer = get_object_or_404(Customer, user__id=self.kwargs["user_id"])
+        self.customer = get_object_or_404(Customer, user_id=self.kwargs["user_id"])
         obj: Counter = self.get_object()
 
         if not self.customer.can_buy or self.customer.user.is_banned_counter:
@@ -96,11 +93,10 @@ class CounterClick(
             # or a seller of this counter.
             raise PermissionDenied
 
-        if obj.type == "BAR" and (
-            not obj.is_open
-            or "counter_token" not in request.session
-            or request.session["counter_token"] != obj.token
+        if obj.type == "BAR" and not (
+            request.barmen and request.barmen.issubset(set(obj.barmen_list))
         ):
+            messages.error(request, _("You cannot click users on this counter"))
             return redirect(obj)  # Redirect to counter
 
         self.prices = list(obj.get_prices_for(self.customer))
@@ -199,7 +195,7 @@ class CounterClick(
             )
         if self.object.can_refill():
             res["refilling_fragment"] = RefillingCreateView.as_fragment()(
-                self.request, customer=self.customer
+                self.request, customer=self.customer, counter=self.object
             )
         return res
 
@@ -237,11 +233,13 @@ class RefillingCreateView(FragmentMixin, FormView):
         if not is_logged_in_counter(request):
             raise PermissionDenied
 
-        self.counter: Counter = get_object_or_404(
-            Counter, token=request.session["counter_token"]
-        )
+        self.counter: Counter = get_object_or_404(Counter, id=self.kwargs["counter_id"])
 
-        if not self.counter.can_refill():
+        if not (
+            request.barmen
+            and request.barmen.issubset(self.counter.barmen_list)
+            and self.counter.can_refill()
+        ):
             raise PermissionDenied
 
         self.operator = get_operator(request, self.counter, self.customer)
@@ -250,6 +248,7 @@ class RefillingCreateView(FragmentMixin, FormView):
 
     def render_fragment(self, request, **kwargs) -> SafeString:
         self.customer = kwargs.pop("customer")
+        self.counter = kwargs.pop("counter")
         return super().render_fragment(request, **kwargs)
 
     def form_valid(self, form):
@@ -264,7 +263,8 @@ class RefillingCreateView(FragmentMixin, FormView):
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         kwargs["action"] = reverse(
-            "counter:refilling_create", kwargs={"customer_id": self.customer.pk}
+            "counter:refilling_create",
+            kwargs={"customer_id": self.customer.pk, "counter_id": self.counter.pk},
         )
         return kwargs
 

counter/views/home.py

@@ -15,78 +15,120 @@
 from datetime import timedelta
 
 from django.conf import settings
-from django.http import HttpResponseRedirect
-from django.urls import reverse, reverse_lazy
+from django.core.exceptions import PermissionDenied
+from django.db.models import F
+from django.http import HttpRequest, HttpResponseRedirect
+from django.shortcuts import redirect
+from django.urls import reverse
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
+from django.utils.safestring import SafeString
+from django.views.decorators.http import require_POST
 from django.views.generic import DetailView
-from django.views.generic.edit import FormMixin, ProcessFormView
+from django.views.generic.detail import SingleObjectMixin
+from django.views.generic.edit import FormView
 
 from core.auth.mixins import CanViewMixin
-from core.views.forms import LoginForm
-from counter.forms import GetUserForm
-from counter.models import Counter
+from core.views import FragmentMixin, UseFragmentsMixin
+from counter.forms import CounterLoginForm, GetUserForm
+from counter.models import Counter, Permanency
 from counter.utils import is_logged_in_counter
 from counter.views.mixins import CounterTabsMixin
 
 
+class CounterLoginFragment(FragmentMixin, SingleObjectMixin, FormView):
+    model = Counter
+    form_class = CounterLoginForm
+    reload_on_redirect = True
+    pk_url_kwarg = "counter_id"
+    template_name = "counter/fragments/login.jinja"
+
+    def dispatch(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if self.object.type != "BAR":
+            # barmen have to log in only if it is a bar,
+            # so calling this view on a non-bar counter makes no sense
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {
+            "request": self.request,
+            "counter": self.object,
+        }
+
+    def form_valid(self, form: CounterLoginForm):
+        user = form.get_user()
+        self.object.permanencies.create(user=user, start=timezone.now())
+        self.request.barmen.add(user)
+        self.success_url = reverse(
+            "counter:details", kwargs={"counter_id": self.object.id}
+        )
+        return super().form_valid(form)
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.object = kwargs.pop("counter")
+        return super().render_fragment(request, **kwargs)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "action": reverse("counter:login", kwargs={"counter_id": self.object.id})
+        }
+
+
+@require_POST
+def counter_logout(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
+    """End the permanency of a user in this counter."""
+    Permanency.objects.filter(
+        counter=counter_id, user=request.POST["user_id"], end=None
+    ).update(end=F("activity"))
+    return redirect("counter:details", counter_id=counter_id)
+
+
 class CounterMain(
-    CounterTabsMixin, CanViewMixin, DetailView, ProcessFormView, FormMixin
+    CounterTabsMixin, UseFragmentsMixin, CanViewMixin, SingleObjectMixin, FormView
 ):
     """The public (barman) view."""
 
     model = Counter
+    queryset = Counter.objects.exclude(type="EBOUTIC")
     template_name = "counter/counter_main.jinja"
     pk_url_kwarg = "counter_id"
-    form_class = (
-        GetUserForm  # Form to enter a client code and get the corresponding user id
-    )
+    form_class = GetUserForm
     current_tab = "counter"
 
-    def get_queryset(self):
-        return super().get_queryset().exclude(type="EBOUTIC")
+    def dispatch(self, request, *args, **kwargs):
+        self.object: Counter = self.get_object()
+        if self.object.type == "BAR":
+            self.object.update_activity()
+        return super().dispatch(request, *args, **kwargs)
 
-    def post(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        if self.object.type == "BAR" and not (
-            "counter_token" in self.request.session
-            and self.request.session["counter_token"] == self.object.token
-        ):  # Check the token to avoid the bar to be stolen
-            return HttpResponseRedirect(
-                reverse_lazy(
-                    "counter:details",
-                    args=self.args,
-                    kwargs={"counter_id": self.object.id},
+    def get_fragment_context_data(self) -> dict[str, SafeString]:
+        login_fragment = (
+            CounterLoginFragment.as_fragment()(self.request, counter=self.object)
+            if self.object.type == "BAR"
+            else ""
         )
-                + "?bad_location"
-            )
-        return super().post(request, *args, **kwargs)
+        return super().get_fragment_context_data() | {"login_fragment": login_fragment}
 
     def get_context_data(self, **kwargs):
         """We handle here the login form for the barman."""
-        if self.request.method == "POST":
-            self.object = self.get_object()
-        self.object.update_activity()
         kwargs = super().get_context_data(**kwargs)
-        kwargs["login_form"] = LoginForm()
-        kwargs["login_form"].fields["username"].widget.attrs["autofocus"] = True
-        kwargs[
-            "login_form"
-        ].cleaned_data = {}  # add_error fails if there are no cleaned_data
-        if "credentials" in self.request.GET:
-            kwargs["login_form"].add_error(None, _("Bad credentials"))
-        if "sellers" in self.request.GET:
-            kwargs["login_form"].add_error(None, _("User is not barman"))
-        kwargs["form"] = self.get_form()
-        kwargs["form"].cleaned_data = {}  # same as above
-        if "bad_location" in self.request.GET:
-            kwargs["form"].add_error(
-                None, _("Bad location, someone is already logged in somewhere else")
-            )
         if self.object.type == "BAR":
             kwargs["barmen"] = self.object.barmen_list
-        elif self.request.user.is_authenticated:
-            kwargs["barmen"] = [self.request.user]
+            kwargs["barmen_here"] = list(
+                self.request.barmen.intersection(self.object.barmen_list)
+            )
+        kwargs["can_click"] = (
+            self.object.type == "BAR"
+            and self.request.barmen
+            and self.request.barmen.issubset(set(self.object.barmen_list))
+        ) or (
+            self.object.type == "OFFICE"
+            and (
+                self.object.sellers.contains(self.request.user)
+                or self.object.club.has_rights_in_club(self.request.user)
+            )
+        )
         if "last_basket" in self.request.session:
             kwargs["last_basket"] = self.request.session.pop("last_basket")
             kwargs["last_customer"] = self.request.session.pop("last_customer")
@@ -96,14 +138,17 @@ class CounterMain(
             )
         return kwargs
 
-    def form_valid(self, form):
+    def form_valid(self, form: GetUserForm):
         """We handle here the redirection, passing the user id of the asked customer."""
-        self.kwargs["user_id"] = form.cleaned_data["user_id"]
+        self.success_url = reverse(
+            "counter:click",
+            kwargs={
+                "counter_id": self.kwargs["counter_id"],
+                "user_id": form.cleaned_data["user_id"],
+            },
+        )
         return super().form_valid(form)
 
-    def get_success_url(self):
-        return reverse_lazy("counter:click", args=self.args, kwargs=self.kwargs)
-
 
 class CounterLastOperationsView(CounterTabsMixin, CanViewMixin, DetailView):
     """Provide the last operations to allow barmen to delete them."""

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-23 12:15+0200\n"
+"POT-Creation-Date: 2026-06-02 10:53+0200\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -363,11 +363,8 @@ msgid "Unregistered user"
 msgstr "Utilisateur non enregistré"
 
 #: club/models.py
-#, python-format
-msgid "The base url that links with this type must respect (e.g. `%(url)s`)"
-msgstr ""
-"L'url de base que tous les liens de ce type doivent respecter (par exemple "
-"`%(url)s`)"
+msgid "The base url that links with this type must respect"
+msgstr "L'url de base que tous les liens de ce type doivent respecter"
 
 #: club/models.py counter/models.py
 msgid "icon"
@@ -2203,6 +2200,7 @@ msgstr "Êtes-vous sûr de vouloir supprimer \"%(name)s\" ?"
 #: core/templates/core/delete_confirm.jinja
 #: core/templates/core/file_delete_confirm.jinja
 #: counter/templates/counter/fragments/delete_student_card.jinja
+#: counter/templates/counter/fragments/login.jinja
 msgid "Confirm"
 msgstr "Confirmation"
 
@@ -3206,6 +3204,18 @@ msgstr "Cet UID est invalide"
 msgid "User not found"
 msgstr "Utilisateur non trouvé"
 
+#: counter/forms.py
+msgid "You are not a barman of this counter."
+msgstr "Vous n'êtes pas barman sur ce comptoir."
+
+#: counter/forms.py
+msgid "You are already logged in this counter."
+msgstr "Vous êtes déjà connecté à ce comptoir."
+
+#: counter/forms.py
+msgid "You are already logged in another counter."
+msgstr "Vous êtes déjà connecté à un autre comptoir."
+
 #: counter/forms.py
 msgid "Regular barmen"
 msgstr "Barmen réguliers"
@@ -3484,10 +3494,6 @@ msgstr "Bureau"
 msgid "sellers"
 msgstr "vendeurs"
 
-#: counter/models.py
-msgid "token"
-msgstr "jeton"
-
 #: counter/models.py
 msgid "regular barman"
 msgstr "barman régulier"
@@ -3812,7 +3818,7 @@ msgstr ""
 
 #: counter/templates/counter/counter_click.jinja
 msgid "No products available on this counter for this user"
-msgstr "Pas de produits disponnibles dans ce comptoir pour cet utilisateur"
+msgstr "Pas de produits disponibles dans ce comptoir pour cet utilisateur"
 
 #: counter/templates/counter/counter_list.jinja
 msgid "Counter admin list"
@@ -3873,12 +3879,20 @@ msgid "Please, login"
 msgstr "Merci de vous identifier"
 
 #: counter/templates/counter/counter_main.jinja
-msgid "Barman: "
-msgstr "Barman : "
+msgid "Barmen:"
+msgstr "Barmen :"
 
 #: counter/templates/counter/counter_main.jinja
-msgid "login"
-msgstr "login"
+msgid "On this device"
+msgstr "Sur cet appareil"
+
+#: counter/templates/counter/counter_main.jinja
+msgid "Elsewhere"
+msgstr "Ailleurs"
+
+#: counter/templates/counter/counter_main.jinja
+msgid "No barman logged elsewhere"
+msgstr "Pas de barman connecté ailleurs"
 
 #: counter/templates/counter/eticket_list.jinja
 msgid "Eticket list"
@@ -4283,22 +4297,14 @@ msgstr "Montant du chèque"
 msgid "Check quantity"
 msgstr "Nombre de chèque"
 
+#: counter/views/click.py
+msgid "You cannot click users on this counter"
+msgstr "Vous ne pouvez pas cliquer des gens sur ce comptoir"
+
 #: counter/views/eticket.py
 msgid "people(s)"
 msgstr "personne(s)"
 
-#: counter/views/home.py
-msgid "Bad credentials"
-msgstr "Mauvais identifiants"
-
-#: counter/views/home.py
-msgid "User is not barman"
-msgstr "L'utilisateur n'est pas barman."
-
-#: counter/views/home.py
-msgid "Bad location, someone is already logged in somewhere else"
-msgstr "Mauvais comptoir, quelqu'un est déjà connecté ailleurs"
-
 #: counter/views/invoice.py
 msgid "Invoice calls status has been updated."
 msgstr "Le statut des appels à facture a été mis à jour."

sith/settings.py

@@ -34,6 +34,7 @@ https://docs.djangoproject.com/en/1.8/ref/settings/
 """
 
 import binascii
+import contextlib
 import os
 import sys
 from datetime import timedelta
@@ -41,6 +42,7 @@ from pathlib import Path
 
 import sentry_sdk
 from dateutil.relativedelta import relativedelta
+from django.utils.deprecation import RemovedInDjango60Warning
 from django.utils.translation import gettext_lazy as _
 from environs import Env
 from sentry_sdk.integrations.django import DjangoIntegration
@@ -91,7 +93,8 @@ ALLOWED_HOSTS = ["*"]
 # RemovedInDjango60Warning: It's a transitional setting helpful in early
 # adoption of "https" as the new default value of forms.URLField.assume_scheme.
 # Remove this after upgrading to Django 6.x
-FORMS_URLFIELD_ASSUME_HTTPS = True
+with contextlib.suppress(RemovedInDjango60Warning):
+    FORMS_URLFIELD_ASSUME_HTTPS = True
 
 # Application definition
 
@@ -138,13 +141,13 @@ MIDDLEWARE = (
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "core.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.locale.LocaleMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "django.middleware.security.SecurityMiddleware",
-    "core.middleware.AuthenticationMiddleware",
     "core.middleware.SignalRequestMiddleware",
+    "counter.middleware.BarmenMiddleware",
 )
 
 ROOT_URLCONF = "sith.urls"