doc: third-party auth

C'est pas la branche la plus appropriée, mais ça gène mon debug de devoir scroller plus longtemps dans l'html des réponses à cause de la place que prennent les notifs.

api/admin.py

@@ -17,6 +17,15 @@ class ApiClientAdmin(admin.ModelAdmin):
         "owner__nick_name",
     )
     autocomplete_fields = ("owner", "groups", "client_permissions")
+    readonly_fields = ("hmac_key",)
+    actions = ("reset_hmac_key",)
+
+    @admin.action(permissions=["change"], description=_("Reset HMAC key"))
+    def reset_hmac_key(self, _request: HttpRequest, queryset: QuerySet[ApiClient]):
+        objs = list(queryset)
+        for obj in objs:
+            obj.reset_hmac(commit=False)
+        ApiClient.objects.bulk_update(objs, fields=["hmac_key"])
 
 
 @admin.register(ApiKey)

api/api.py

@@ -0,0 +1,16 @@
+from ninja_extra import ControllerBase, api_controller, route
+
+from api.auth import ApiKeyAuth
+from api.schemas import ApiClientSchema
+
+
+@api_controller("/client")
+class ApiClientController(ControllerBase):
+    @route.get(
+        "/me",
+        auth=[ApiKeyAuth()],
+        response=ApiClientSchema,
+        url_name="api-client-infos",
+    )
+    def get_client_info(self):
+        return self.context.request.auth

api/forms.py

@@ -0,0 +1,35 @@
+from django import forms
+from django.forms import HiddenInput
+from django.utils.translation import gettext_lazy as _
+
+
+class ThirdPartyAuthForm(forms.Form):
+    """Form to complete to authenticate on the sith from a third-party app.
+
+    For the form to be valid, the user approve the EULA (french: CGU)
+    and give its username from the third-party app.
+    """
+
+    cgu_accepted = forms.BooleanField(
+        required=True,
+        label=_("I have read and I accept the terms and conditions of use"),
+        error_messages={
+            "required": _("You must approve the terms and conditions of use.")
+        },
+    )
+    is_username_valid = forms.BooleanField(
+        required=True,
+        error_messages={"required": _("You must confirm that this is your username.")},
+    )
+    client_id = forms.IntegerField(widget=HiddenInput())
+    third_party_app = forms.CharField(widget=HiddenInput())
+    privacy_link = forms.URLField(widget=HiddenInput())
+    username = forms.CharField(widget=HiddenInput())
+    callback_url = forms.URLField(widget=HiddenInput())
+    signature = forms.CharField(widget=HiddenInput())
+
+    def __init__(self, *args, label_suffix: str = "", initial, **kwargs):
+        super().__init__(*args, label_suffix=label_suffix, initial=initial, **kwargs)
+        self.fields["is_username_valid"].label = _(
+            "I confirm that %(username)s is my username on %(app)s"
+        ) % {"username": initial.get("username"), "app": initial.get("third_party_app")}

api/migrations/0002_apiclient_hmac_key.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.3 on 2025-10-26 10:15
+
+from django.db import migrations, models
+
+import api.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("api", "0001_initial")]
+
+    operations = [
+        migrations.AddField(
+            model_name="apiclient",
+            name="hmac_key",
+            field=models.CharField(
+                default=api.models.get_hmac_key, max_length=128, verbose_name="HMAC Key"
+            ),
+        ),
+    ]

api/models.py

@@ -1,13 +1,20 @@
+import secrets
 from typing import Iterable
 
 from django.contrib.auth.models import Permission
 from django.db import models
+from django.db.models import Q
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import pgettext_lazy
 
 from core.models import Group, User
 
 
+def get_hmac_key():
+    return secrets.token_hex(64)
+
+
 class ApiClient(models.Model):
     name = models.CharField(_("name"), max_length=64)
     owner = models.ForeignKey(
@@ -26,11 +33,10 @@ class ApiClient(models.Model):
         help_text=_("Specific permissions for this api client."),
         related_name="clients",
     )
+    hmac_key = models.CharField(_("HMAC Key"), max_length=128, default=get_hmac_key)
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
-    _perm_cache: set[str] | None = None
-
     class Meta:
         verbose_name = _("api client")
         verbose_name_plural = _("api clients")
@@ -38,33 +44,38 @@ class ApiClient(models.Model):
     def __str__(self):
         return self.name
 
+    @cached_property
+    def all_permissions(self) -> set[str]:
+        permissions = (
+            Permission.objects.filter(
+                Q(group__group__in=self.groups.all()) | Q(clients=self)
+            )
+            .values_list("content_type__app_label", "codename")
+            .order_by()
+        )
+        return {f"{content_type}.{name}" for content_type, name in permissions}
+
     def has_perm(self, perm: str):
         """Return True if the client has the specified permission."""
+        return perm in self.all_permissions
 
-        if self._perm_cache is None:
+    def has_perms(self, perm_list: Iterable[str]) -> bool:
-            group_permissions = (
+        """Return True if the client has each of the specified permissions."""
-                Permission.objects.filter(group__group__in=self.groups.all())
-                .values_list("content_type__app_label", "codename")
-                .order_by()
-            )
-            client_permissions = self.client_permissions.values_list(
-                "content_type__app_label", "codename"
-            ).order_by()
-            self._perm_cache = {
-                f"{content_type}.{name}"
-                for content_type, name in (*group_permissions, *client_permissions)
-            }
-        return perm in self._perm_cache
-
-    def has_perms(self, perm_list):
-        """
-        Return True if the client has each of the specified permissions. If
-        object is passed, check if the client has all required perms for it.
-        """
         if not isinstance(perm_list, Iterable) or isinstance(perm_list, str):
             raise ValueError("perm_list must be an iterable of permissions.")
         return all(self.has_perm(perm) for perm in perm_list)
 
+    def reset_hmac(self, *, commit: bool = True) -> str:
+        """Reset and return the HMAC key for this client.
+
+        Args:
+            commit: if True (the default), persist the new hmac in db.
+        """
+        self.hmac_key = get_hmac_key()
+        if commit:
+            self.save()
+        return self.hmac_key
+
 
 class ApiKey(models.Model):
     PREFIX_LENGTH = 5

api/schemas.py

@@ -0,0 +1,23 @@
+from ninja import ModelSchema, Schema
+from pydantic import Field, HttpUrl
+
+from api.models import ApiClient
+from core.schemas import SimpleUserSchema
+
+
+class ApiClientSchema(ModelSchema):
+    class Meta:
+        model = ApiClient
+        fields = ["id", "name"]
+
+    owner: SimpleUserSchema
+    permissions: list[str] = Field(alias="all_permissions")
+
+
+class ThirdPartyAuthParamsSchema(Schema):
+    client_id: int
+    third_party_app: str
+    privacy_link: HttpUrl
+    username: str
+    callback_url: HttpUrl
+    signature: str

api/templates/api/third_party/auth.jinja

@@ -0,0 +1,32 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  <form method="post">
+    {% csrf_token %}
+    <h3>{% trans %}Confidentiality{% endtrans %}</h3>
+    <p>
+      {% trans trimmed app=third_party_app %}
+        By ticking this box and clicking on the send button, you
+        acknowledge and agree to provide {{ app }} with your
+        first name, last name, nickname and any other information
+        that was the third party app was explicitly authorized to fetch
+        and that it must have acknowledged to you, in a complete and accurate manner.
+      {% endtrans %}
+    </p>
+    <p class="margin-bottom">
+      {% trans trimmed app=third_party_app, privacy_link=third_party_cgu, sith_cgu_link=sith_cgu %}
+        The privacy policies of <a href="{{ privacy_link }}">{{ app }}</a>
+        and of <a href="{{ sith_cgu_link }}">the Students' Association</a>
+        applies as soon as the form is submitted.
+      {% endtrans %}
+    </p>
+    <div class="row">{{ form.cgu_accepted }} {{ form.cgu_accepted.label_tag() }}</div>
+    <br>
+    <h3 class="margin-bottom">{% trans %}Confirmation of identity{% endtrans %}</h3>
+    <div class="row margin-bottom">
+      {{ form.is_username_valid }} {{ form.is_username_valid.label_tag() }}
+    </div>
+    {% for field in form.hidden_fields() %}{{ field }}{% endfor %}
+    <input type="submit" class="btn btn-blue">
+  </form>
+{% endblock %}

api/tests/test_admin.py

@@ -0,0 +1,24 @@
+import pytest
+from django.contrib.admin import AdminSite
+from django.http import HttpRequest
+from model_bakery import baker
+from pytest_django.asserts import assertNumQueries
+
+from api.admin import ApiClientAdmin
+from api.models import ApiClient
+
+
+@pytest.mark.django_db
+def test_reset_hmac_action():
+    client_admin = ApiClientAdmin(ApiClient, AdminSite())
+    api_clients = baker.make(ApiClient, _quantity=4, _bulk_create=True)
+    old_hmac_keys = [c.hmac_key for c in api_clients]
+    with assertNumQueries(2):
+        qs = ApiClient.objects.filter(id__in=[c.id for c in api_clients[2:4]])
+        client_admin.reset_hmac_key(HttpRequest(), qs)
+    for c in api_clients:
+        c.refresh_from_db()
+    assert api_clients[0].hmac_key == old_hmac_keys[0]
+    assert api_clients[1].hmac_key == old_hmac_keys[1]
+    assert api_clients[2].hmac_key != old_hmac_keys[2]
+    assert api_clients[3].hmac_key != old_hmac_keys[3]

api/tests/test_api_client_controller.py

@@ -0,0 +1,18 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from api.hashers import generate_key
+from api.models import ApiClient, ApiKey
+from api.schemas import ApiClientSchema
+
+
+@pytest.mark.django_db
+def test_api_client_controller(client: Client):
+    key, hashed = generate_key()
+    api_client = baker.make(ApiClient)
+    baker.make(ApiKey, client=api_client, hashed_key=hashed)
+    res = client.get(reverse("api:api-client-infos"), headers={"X-APIKey": key})
+    assert res.status_code == 200
+    assert res.json() == ApiClientSchema.from_orm(api_client).model_dump()

api/tests/test_client.py

@@ -0,0 +1,59 @@
+import pytest
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from api.models import ApiClient
+from core.models import Group
+
+
+class TestClientPermissions(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.api_client = baker.make(ApiClient)
+        cls.perms = baker.make(Permission, _quantity=10, _bulk_create=True)
+        cls.api_client.groups.set(
+            [
+                baker.make(Group, permissions=cls.perms[0:3]),
+                baker.make(Group, permissions=cls.perms[3:5]),
+            ]
+        )
+        cls.api_client.client_permissions.set(
+            [cls.perms[3], cls.perms[5], cls.perms[6], cls.perms[7]]
+        )
+
+    def test_all_permissions(self):
+        assert self.api_client.all_permissions == {
+            f"{p.content_type.app_label}.{p.codename}" for p in self.perms[0:8]
+        }
+
+    def test_has_perm(self):
+        assert self.api_client.has_perm(
+            f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}"
+        )
+        assert not self.api_client.has_perm(
+            f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}"
+        )
+
+    def test_has_perms(self):
+        assert self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[2].content_type.app_label}.{self.perms[2].codename}",
+            ]
+        )
+        assert not self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}",
+            ],
+        )
+
+
+@pytest.mark.django_db
+def test_reset_hmac_key():
+    client = baker.make(ApiClient)
+    original_key = client.hmac_key
+    client.reset_hmac(commit=True)
+    assert len(client.hmac_key) == len(original_key)
+    assert client.hmac_key != original_key

api/tests/test_third_party_auth.py

@@ -0,0 +1,114 @@
+from unittest import mock
+from unittest.mock import Mock
+
+from django.db.models import Max
+from django.test import TestCase
+from django.urls import reverse
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from api.models import ApiClient, get_hmac_key
+from core.baker_recipes import subscriber_user
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+def mocked_post(*, ok: bool):
+    class MockedResponse(Mock):
+        @property
+        def ok(self):
+            return ok
+
+    def mocked():
+        return MockedResponse()
+
+    return mocked
+
+
+class TestThirdPartyAuth(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        cls.api_client = baker.make(ApiClient)
+
+    def setUp(self):
+        self.query = {
+            "client_id": self.api_client.id,
+            "third_party_app": "app",
+            "privacy_link": "https://foobar.fr/",
+            "username": "bibou",
+            "callback_url": "https://callback.fr/",
+        }
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        self.callback_data = {
+            "user": UserProfileSchema.from_orm(self.user).model_dump()
+        }
+        self.callback_data["signature"] = hmac_hexdigest(
+            self.api_client.hmac_key, self.callback_data["user"]
+        )
+
+    def test_auth_ok(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        with mock.patch("requests.post", new_callable=mocked_post(ok=True)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "success"}),
+        )
+
+    def test_callback_error(self):
+        """Test that the user see the failure page if the callback request failed."""
+        self.client.force_login(self.user)
+        with mock.patch("requests.post", new_callable=mocked_post(ok=False)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "failure"}),
+        )
+
+    def test_wrong_signature(self):
+        """Test that a 403 is raised if the signature of the query is wrong."""
+        self.client.force_login(subscriber_user.make())
+        new_key = get_hmac_key()
+        del self.query["signature"]
+        self.query["signature"] = hmac_hexdigest(new_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_cgu_not_accepted(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        res = self.client.post(reverse("api-link:third-party-auth"), data=self.query)
+        assert res.status_code == 200  # no redirect means invalid form
+        res = self.client.post(
+            reverse("api-link:third-party-auth"),
+            data={"cgu_accepted": False, "is_username_valid": False, **self.query},
+        )
+        assert res.status_code == 200
+
+    def test_invalid_client(self):
+        self.query["client_id"] = ApiClient.objects.aggregate(res=Max("id"))["res"] + 1
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_missing_parameter(self):
+        """Test that a 403 is raised if there is a missing parameter."""
+        del self.query["username"]
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403

api/urls.py

@@ -1,6 +1,10 @@
+from django.urls import path, register_converter
 from ninja.security import SessionAuth
 from ninja_extra import NinjaExtraAPI
 
+from api.views import ThirdPartyAuthResultView, ThirdPartyAuthView
+from core.converters import ResultConverter
+
 api = NinjaExtraAPI(
     title="PICON",
     description="Portail Interactif de Communication avec les Outils Numériques",
@@ -9,3 +13,14 @@ api = NinjaExtraAPI(
     auth=[SessionAuth()],
 )
 api.auto_discover_controllers()
+
+register_converter(ResultConverter, "res")
+
+urlpatterns = [
+    path("auth/", ThirdPartyAuthView.as_view(), name="third-party-auth"),
+    path(
+        "auth/<res:result>/",
+        ThirdPartyAuthResultView.as_view(),
+        name="third-party-auth-result",
+    ),
+]

api/views.py

@@ -0,0 +1,119 @@
+import hmac
+from urllib.parse import unquote
+
+import pydantic
+import requests
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView, TemplateView
+from ninja_extra.shortcuts import get_object_or_none
+
+from api.forms import ThirdPartyAuthForm
+from api.models import ApiClient
+from api.schemas import ThirdPartyAuthParamsSchema
+from core.models import SithFile
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+class ThirdPartyAuthView(LoginRequiredMixin, FormView):
+    form_class = ThirdPartyAuthForm
+    template_name = "api/third_party/auth.jinja"
+    success_url = reverse_lazy("core:index")
+
+    def parse_params(self) -> ThirdPartyAuthParamsSchema:
+        """Parse and check the authentication parameters.
+
+        Raises:
+            PermissionDenied: if the verification failed.
+        """
+        # This is here rather than in ThirdPartyAuthForm because
+        # the given parameters and their signature are checked during both
+        # POST (for obvious reasons) and GET (in order not to make
+        # the user fill a form just to get an error he won't understand)
+        params = self.request.GET or self.request.POST
+        params = {key: unquote(val) for key, val in params.items()}
+        try:
+            params = ThirdPartyAuthParamsSchema(**params)
+        except pydantic.ValidationError as e:
+            raise PermissionDenied("Wrong data format") from e
+        client: ApiClient = get_object_or_none(ApiClient, id=params.client_id)
+        if not client:
+            raise PermissionDenied
+        if not hmac.compare_digest(
+            hmac_hexdigest(client.hmac_key, params.model_dump(exclude={"signature"})),
+            params.signature,
+        ):
+            raise PermissionDenied("Bad signature")
+        return params
+
+    def dispatch(self, request, *args, **kwargs):
+        self.params = self.parse_params()
+        return super().dispatch(request, *args, **kwargs)
+
+    def get(self, *args, **kwargs):
+        messages.warning(
+            self.request,
+            _(
+                "You are going to link your AE account and your %(app)s account. "
+                "Continue only if this page was opened from %(app)s."
+            )
+            % {"app": self.params.third_party_app},
+        )
+        return super().get(*args, **kwargs)
+
+    def get_initial(self):
+        return self.params.model_dump()
+
+    def form_valid(self, form):
+        client = ApiClient.objects.get(id=form.cleaned_data["client_id"])
+        user = UserProfileSchema.from_orm(self.request.user).model_dump()
+        data = {"user": user, "signature": hmac_hexdigest(client.hmac_key, user)}
+        response = requests.post(form.cleaned_data["callback_url"], json=data)
+        self.success_url = reverse(
+            "api-link:third-party-auth-result",
+            kwargs={"result": "success" if response.ok else "failure"},
+        )
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "third_party_app": self.params.third_party_app,
+            "third_party_cgu": self.params.privacy_link,
+            "sith_cgu": SithFile.objects.get(id=settings.SITH_CGU_FILE_ID),
+        }
+
+
+class ThirdPartyAuthResultView(LoginRequiredMixin, TemplateView):
+    """View that the user will see if its authentication on sith was successful.
+
+    This can show either a success or a failure message :
+    - success : everything is good, the user is successfully authenticated
+      and can close the page
+    - failure : the authentication has been processed on the sith side,
+      but the request to the callback url received an error.
+      In such a case, there is nothing much we can do but to advice
+      the user to contact the developers of the third-party app.
+    """
+
+    template_name = "core/base.jinja"
+    success_message = _(
+        "You have been successfully authenticated. You can now close this page."
+    )
+    error_message = _(
+        "Your authentication on the AE website was successful, "
+        "but an error happened during the interaction "
+        "with the third-party application. "
+        "Please contact the managers of the latter."
+    )
+
+    def get(self, request, *args, **kwargs):
+        if self.kwargs.get("result") == "success":
+            messages.success(request, self.success_message)
+        else:
+            messages.error(request, self.error_message)
+        return super().get(request, *args, **kwargs)

club/api.py

@@ -6,9 +6,15 @@ from ninja_extra.pagination import PageNumberPaginationExtra
 from ninja_extra.schemas import PaginatedResponseSchema
 
 from api.auth import ApiKeyAuth
-from api.permissions import CanAccessLookup, HasPerm
+from api.permissions import CanAccessLookup, CanView, HasPerm
 from club.models import Club, Membership
-from club.schemas import ClubSchema, ClubSearchFilterSchema, SimpleClubSchema
+from club.schemas import (
+    ClubSchema,
+    ClubSearchFilterSchema,
+    SimpleClubSchema,
+    UserMembershipSchema,
+)
+from core.models import User
 
 
 @api_controller("/club")
@@ -38,3 +44,22 @@ class ClubController(ControllerBase):
         return self.get_object_or_exception(
             Club.objects.prefetch_related(prefetch), id=club_id
         )
+
+
+@api_controller("/user/{int:user_id}/club")
+class UserClubController(ControllerBase):
+    @route.get(
+        "",
+        response=list[UserMembershipSchema],
+        auth=[ApiKeyAuth(), SessionAuth()],
+        permissions=[CanView],
+        url_name="fetch_user_clubs",
+    )
+    def fetch_user_clubs(self, user_id: int):
+        """Get all the active memberships of the given user."""
+        user = self.get_object_or_exception(User, id=user_id)
+        return (
+            Membership.objects.ongoing()
+            .filter(user=user)
+            .select_related("club", "user")
+        )

club/schemas.py

@@ -40,6 +40,8 @@ class ClubProfileSchema(ModelSchema):
 
 
 class ClubMemberSchema(ModelSchema):
+    """A schema to represent all memberships in a club."""
+
     class Meta:
         model = Membership
         fields = ["start_date", "end_date", "role", "description"]
@@ -53,3 +55,13 @@ class ClubSchema(ModelSchema):
         fields = ["id", "name", "logo", "is_active", "short_description", "address"]
 
     members: list[ClubMemberSchema]
+
+
+class UserMembershipSchema(ModelSchema):
+    """A schema to represent the active club memberships of a user."""
+
+    class Meta:
+        model = Membership
+        fields = ["id", "start_date", "role", "description"]
+
+    club: SimpleClubSchema

club/tests/test_user_club_controller.py

@@ -0,0 +1,50 @@
+from datetime import timedelta
+
+from django.test import TestCase
+from django.urls import reverse
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from club.schemas import UserMembershipSchema
+from core.baker_recipes import subscriber_user
+from core.models import Page
+
+
+class TestFetchClub(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        pages = baker.make(Page, _quantity=3, _bulk_create=True)
+        clubs = baker.make(Club, page=iter(pages), _quantity=3, _bulk_create=True)
+        recipe = Recipe(
+            Membership, user=cls.user, start_date=localdate() - timedelta(days=2)
+        )
+        cls.members = Membership.objects.bulk_create(
+            [
+                recipe.prepare(club=clubs[0]),
+                recipe.prepare(club=clubs[1], end_date=localdate() - timedelta(days=1)),
+                recipe.prepare(club=clubs[1]),
+            ]
+        )
+
+    def test_fetch_memberships(self):
+        self.client.force_login(subscriber_user.make())
+        res = self.client.get(
+            reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+        )
+        assert res.status_code == 200
+        assert [UserMembershipSchema.model_validate(m) for m in res.json()] == [
+            UserMembershipSchema.from_orm(m) for m in (self.members[0], self.members[2])
+        ]
+
+    def test_fetch_club_nb_queries(self):
+        self.client.force_login(subscriber_user.make())
+        with self.assertNumQueries(6):
+            # - 5 queries for authentication
+            # - 1 query for the actual data
+            res = self.client.get(
+                reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+            )
+            assert res.status_code == 200

core/auth/mixins.py

@@ -307,6 +307,7 @@ class PermissionOrClubBoardRequiredMixin(PermissionRequiredMixin):
             return False
         if super().has_permission():
             return True
-        return self.club is not None and any(
+        return (
-            g.id == self.club.board_group_id for g in self.request.user.cached_groups
+            self.club is not None
+            and self.club.board_group_id in self.request.user.all_groups
         )

core/converters.py

@@ -1,19 +1,16 @@
-class FourDigitYearConverter:
+from django.urls.converters import IntConverter, StringConverter
-    regex = "[0-9]{4}"
 
-    def to_python(self, value):
+
-        return int(value)
+class FourDigitYearConverter(IntConverter):
+    regex = "[0-9]{4}"
 
     def to_url(self, value):
         return str(value).zfill(4)
 
 
-class TwoDigitMonthConverter:
+class TwoDigitMonthConverter(IntConverter):
     regex = "[0-9]{2}"
 
-    def to_python(self, value):
-        return int(value)
-
     def to_url(self, value):
         return str(value).zfill(2)
 
@@ -28,3 +25,9 @@ class BooleanStringConverter:
 
     def to_url(self, value):
         return str(value)
+
+
+class ResultConverter(StringConverter):
+    """Converter whose regex match either "success" or "failure"."""
+
+    regex = "(success|failure)"

core/management/commands/populate.py

@@ -28,6 +28,7 @@ from typing import ClassVar, NamedTuple
 from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.contrib.sites.models import Site
+from django.core.files.base import ContentFile
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
 from django.db import connection
@@ -104,13 +105,21 @@ class Command(BaseCommand):
         )
         self.profiles_root = SithFile.objects.create(name="profiles", owner=root)
         home_root = SithFile.objects.create(name="users", owner=root)
+        club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root)
+        SithFile.objects.create(
+            name="CGU",
+            is_folder=False,
+            file=ContentFile(
+                content="Conditions générales d'utilisation", name="cgu.txt"
+            ),
+            owner=root,
+        )
 
         # Page needed for club creation
         p = Page(name=settings.SITH_CLUB_ROOT_PAGE)
         p.save(force_lock=True)
 
-        club_root = SithFile.objects.create(name="clubs", owner=root)
-        sas = SithFile.objects.create(name="SAS", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )

core/management/commands/populate_more.py

@@ -1,3 +1,4 @@
+import math
 import random
 from datetime import date, timedelta
 from datetime import timezone as tz
@@ -34,12 +35,17 @@ class Command(BaseCommand):
         super().__init__(*args, **kwargs)
         self.faker = Faker("fr_FR")
 
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-n", "--nb-users", help="Number of users to create", type=int, default=600
+        )
+
     def handle(self, *args, **options):
         if not settings.DEBUG:
             raise Exception("Never call this command in prod. Never.")
 
         self.stdout.write("Creating users...")
-        users = self.create_users()
+        users = self.create_users(options["nb_users"])
         self.create_bans(random.sample(users, k=len(users) // 200))  # 0.5% of users
         subscribers = random.sample(users, k=int(0.8 * len(users)))
         self.stdout.write("Creating subscriptions...")
@@ -79,7 +85,7 @@ class Command(BaseCommand):
         self.stdout.write("Creating products...")
         self.create_products()
         self.stdout.write("Creating sales and refills...")
-        sellers = random.sample(list(User.objects.all()), 100)
+        sellers = random.sample(users, len(users) // 10)
         self.create_sales(sellers)
         self.stdout.write("Creating permanences...")
         self.create_permanences(sellers)
@@ -88,7 +94,7 @@ class Command(BaseCommand):
 
         self.stdout.write("Done")
 
-    def create_users(self) -> list[User]:
+    def create_users(self, nb_users: int = 600) -> list[User]:
         # Create a single password hash for all users to make it faster.
         # It's insecure as hell, but it's ok since it's only for dev purposes.
         password = make_password("plop")
@@ -107,7 +113,7 @@ class Command(BaseCommand):
                 address=self.faker.address(),
                 password=password,
             )
-            for _ in range(600)
+            for _ in range(nb_users)
         ]
         # there may a duplicate or two
         # Not a problem, we will just have 599 users instead of 600
@@ -410,8 +416,9 @@ class Command(BaseCommand):
         Permanency.objects.bulk_create(perms)
 
     def create_forums(self):
-        forumers = random.sample(list(User.objects.all()), 100)
+        users = list(User.objects.all())
-        most_actives = random.sample(forumers, 10)
+        forumers = random.sample(users, math.ceil(len(users) / 10))
+        most_actives = random.sample(forumers, math.ceil(len(forumers) / 6))
         categories = list(Forum.objects.filter(is_category=True))
         new_forums = [
             Forum(name=self.faker.text(20), parent=random.choice(categories))

core/models.py

@@ -356,23 +356,27 @@ class User(AbstractUser):
         )
         if group_id is None:
             return False
-        if group_id == settings.SITH_GROUP_SUBSCRIBERS_ID:
+        return group_id in self.all_groups
-            return self.is_subscribed
-        if group_id == settings.SITH_GROUP_ROOT_ID:
-            return self.is_root
-        return any(g.id == group_id for g in self.cached_groups)
 
     @cached_property
-    def cached_groups(self) -> list[Group]:
+    def all_groups(self) -> dict[int, Group]:
         """Get the list of groups this user is in."""
-        return list(self.groups.all())
+        additional_groups = []
+        if self.is_subscribed:
+            additional_groups.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
+        if self.is_superuser:
+            additional_groups.append(settings.SITH_GROUP_ROOT_ID)
+        qs = self.groups.all()
+        if additional_groups:
+            # This is somewhat counter-intuitive, but this query runs way faster with
+            # a UNION rather than a OR (in average, 0.25ms vs 14ms).
+            # For the why, cf. https://dba.stackexchange.com/questions/293836/why-is-an-or-statement-slower-than-union
+            qs = qs.union(Group.objects.filter(id__in=additional_groups))
+        return {g.id: g for g in qs}
 
     @cached_property
     def is_root(self) -> bool:
-        if self.is_superuser:
+        return self.is_superuser or settings.SITH_GROUP_ROOT_ID in self.all_groups
-            return True
-        root_id = settings.SITH_GROUP_ROOT_ID
-        return any(g.id == root_id for g in self.cached_groups)
 
     @cached_property
     def is_board_member(self) -> bool:
@@ -1099,10 +1103,7 @@ class PageQuerySet(models.QuerySet):
             return self.filter(view_groups=settings.SITH_GROUP_PUBLIC_ID)
         if user.has_perm("core.view_page"):
             return self.all()
-        groups_ids = [g.id for g in user.cached_groups]
+        return self.filter(view_groups__in=user.all_groups)
-        if user.is_subscribed:
-            groups_ids.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
-        return self.filter(view_groups__in=groups_ids)
 
 
 # This function prevents generating migration upon settings change
@@ -1376,7 +1377,7 @@ class PageRev(models.Model):
         return self.page.can_be_edited_by(user)
 
     def is_owned_by(self, user: User) -> bool:
-        return any(g.id == self.page.owner_group_id for g in user.cached_groups)
+        return self.page.owner_group_id in user.all_groups
 
     def similarity_ratio(self, text: str) -> float:
         """Similarity ratio between this revision's content and the given text.

core/static/bundled/core/dynamic-formset-index.ts

@@ -0,0 +1,77 @@
+interface Config {
+  /**
+   * The prefix of the formset, in case it has been changed.
+   * See https://docs.djangoproject.com/fr/stable/topics/forms/formsets/#customizing-a-formset-s-prefix
+   */
+  prefix?: string;
+}
+
+// biome-ignore lint/style/useNamingConvention: It's the DOM API naming
+type HTMLFormInputElement = HTMLInputElement | HTMLSelectElement | HTMLTextAreaElement;
+
+document.addEventListener("alpine:init", () => {
+  /**
+   * Alpine data element to allow the dynamic addition of forms to a formset.
+   *
+   * To use this, you need :
+   * - an HTML element containing the existing forms, noted by `x-ref="formContainer"`
+   * - a template containing the empty form
+   *   (that you can obtain jinja-side with `{{ formset.empty_form }}`),
+   *   noted by `x-ref="formTemplate"`
+   * - a button with `@click="addForm"`
+   * - you may also have one or more buttons with `@click="removeForm(element)"`,
+   *   where `element` is the HTML element containing the form.
+   *
+   * For an example of how this is used, you can have a look to
+   * `counter/templates/counter/product_form.jinja`
+   */
+  Alpine.data("dynamicFormSet", (config?: Config) => ({
+    init() {
+      this.formContainer = this.$refs.formContainer as HTMLElement;
+      this.nbForms = this.formContainer.children.length as number;
+      this.template = this.$refs.formTemplate as HTMLTemplateElement;
+      const prefix = config?.prefix ?? "form";
+      this.$root
+        .querySelector(`#id_${prefix}-TOTAL_FORMS`)
+        .setAttribute(":value", "nbForms");
+    },
+
+    addForm() {
+      this.formContainer.appendChild(document.importNode(this.template.content, true));
+      const newForm = this.formContainer.lastElementChild;
+      const inputs: NodeListOf<HTMLFormInputElement> = newForm.querySelectorAll(
+        "input, select, textarea",
+      );
+      for (const el of inputs) {
+        el.name = el.name.replace("__prefix__", this.nbForms.toString());
+        el.id = el.id.replace("__prefix__", this.nbForms.toString());
+      }
+      const labels: NodeListOf<HTMLLabelElement> = newForm.querySelectorAll("label");
+      for (const el of labels) {
+        el.htmlFor = el.htmlFor.replace("__prefix__", this.nbForms.toString());
+      }
+      inputs[0].focus();
+      this.nbForms += 1;
+    },
+
+    removeForm(container: HTMLDivElement) {
+      container.remove();
+      this.nbForms -= 1;
+      // adjust the id of remaining forms
+      for (let i = 0; i < this.nbForms; i++) {
+        const form: HTMLDivElement = this.formContainer.children[i];
+        const inputs: NodeListOf<HTMLFormInputElement> = form.querySelectorAll(
+          "input, select, textarea",
+        );
+        for (const el of inputs) {
+          el.name = el.name.replace(/\d+/, i.toString());
+          el.id = el.id.replace(/\d+/, i.toString());
+        }
+        const labels: NodeListOf<HTMLLabelElement> = form.querySelectorAll("label");
+        for (const el of labels) {
+          el.htmlFor = el.htmlFor.replace(/\d+/, i.toString());
+        }
+      }
+    },
+  }));
+});

core/static/core/forms.scss

@@ -141,7 +141,6 @@ form {
   display: block;
   margin: calc(var(--nf-input-size) * 1.5) auto 10px;
   line-height: 1;
-  white-space: nowrap;
 
   .fields-centered {
     padding: 10px 10px 0;

core/templates/core/base.jinja

@@ -35,8 +35,8 @@
       <noscript><link rel="stylesheet" href="{{ static('bundled/fontawesome-index.css') }}"></noscript>
 
       <script src="{{ url('javascript-catalog') }}"></script>
-      <script type="module" src={{ static("bundled/core/navbar-index.ts") }}></script>
+      <script type="module" src="{{ static("bundled/core/navbar-index.ts") }}"></script>
-      <script type="module" src={{ static("bundled/core/components/include-index.ts") }}></script>
+      <script type="module" src="{{ static("bundled/core/components/include-index.ts") }}"></script>
       <script type="module" src="{{ static('bundled/alpine-index.js') }}"></script>
       <script type="module" src="{{ static('bundled/htmx-index.js') }}"></script>
       <script type="module" src="{{ static('bundled/country-flags-index.ts') }}"></script>

core/templates/core/base/notifications.jinja

@@ -1,14 +1,11 @@
 <div id="quick-notifications"
      x-data="{
              messages: [
-             {% if messages %}
+             {%- if messages -%}
-               {% for message in messages %}
+               {%- for message in messages -%}
-                 {
+                 { tag: '{{ message.tags }}', text: '{{ message }}' },
-                 tag: '{{ message.tags }}',
+               {%- endfor -%}
-                 text: '{{ message }}',
+             {%- endif -%}
-                 },
-               {% endfor %}
-             {% endif %}
              ]
              }"
      @quick-notification-add="(e) => messages.push(e?.detail)"

core/templates/core/delete_confirm.jinja

@@ -21,6 +21,8 @@
   <h2>{% trans %}Delete confirmation{% endtrans %}</h2>
   <form action="" method="post">{% csrf_token %}
     <p>{% trans name=object_name %}Are you sure you want to delete "{{ name }}"?{% endtrans %}</p>
+    {% if help_text %}<p><em>{{ help_text }}</em></p>{% endif %}
+    <br/>
     <input type="submit" value="{% trans %}Confirm{% endtrans %}" />
   </form>
   <form method="GET" action="javascript:history.back();">

core/tests/test_commands.py

@@ -0,0 +1,13 @@
+import contextlib
+import os
+
+import pytest
+from django.core.management import call_command
+
+
+@pytest.mark.django_db
+def test_populate_more(settings):
+    """Just check that populate more doesn't crash"""
+    settings.DEBUG = True
+    with open(os.devnull, "w") as devnull, contextlib.redirect_stdout(devnull):
+        call_command("populate_more", "--nb-users", "50")

core/tests/test_core.py

@@ -418,16 +418,16 @@ class TestUserIsInGroup(TestCase):
         group_in = baker.make(Group)
         self.public_user.groups.add(group_in)
 
-        # clear the cached property `User.cached_groups`
+        # clear the cached property `User.all_groups`
-        self.public_user.__dict__.pop("cached_groups", None)
+        self.public_user.__dict__.pop("all_groups", None)
         # Test when the user is in the group
-        with self.assertNumQueries(1):
+        with self.assertNumQueries(2):
             self.public_user.is_in_group(pk=group_in.id)
         with self.assertNumQueries(0):
             self.public_user.is_in_group(pk=group_in.id)
 
         group_not_in = baker.make(Group)
-        self.public_user.__dict__.pop("cached_groups", None)
+        self.public_user.__dict__.pop("all_groups", None)
         # Test when the user is not in the group
         with self.assertNumQueries(1):
             self.public_user.is_in_group(pk=group_not_in.id)

core/utils.py

@@ -12,22 +12,32 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from __future__ import annotations
 
+import hmac
 from datetime import date, timedelta
 
 # Image utils
 from io import BytesIO
-from typing import Final
+from typing import TYPE_CHECKING
+from urllib.parse import urlencode
 
 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
-from django.core.files.uploadedfile import UploadedFile
-from django.http import HttpRequest
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
 
+if TYPE_CHECKING:
+    from _hashlib import HASH
+    from collections.abc import Buffer, Mapping, Sequence
+    from typing import Any, Callable, Final
+
+    from django.core.files.uploadedfile import UploadedFile
+    from django.http import HttpRequest
+
+
 RED_PIXEL_PNG: Final[bytes] = (
     b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52"
     b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53"
@@ -205,3 +215,30 @@ def get_client_ip(request: HttpRequest) -> str | None:
             return ip
 
     return None
+
+
+def hmac_hexdigest(
+    key: str | bytes,
+    data: Mapping[str, Any] | Sequence[tuple[str, Any]],
+    digest: str | Callable[[Buffer], HASH] = "sha512",
+) -> str:
+    """Return the hexdigest of the signature of the given data.
+
+    Args:
+        key: the HMAC key used for the signature
+        data: the data to sign
+        digest: a PEP247 hashing algorithm (by default, sha512)
+
+    Examples:
+        ```python
+        data = {
+            "foo": 5,
+            "bar": "somevalue",
+        }
+        hmac_key = secrets.token_hex(64)
+        signature = hmac_hexdigest(hmac_key, data, "sha256")
+        ```
+    """
+    if isinstance(key, str):
+        key = key.encode()
+    return hmac.digest(key, urlencode(data).encode(), digest).hex()

counter/forms.py

@@ -5,6 +5,7 @@ from datetime import date, datetime, timezone
 
 from dateutil.relativedelta import relativedelta
 from django import forms
+from django.core.validators import MaxValueValidator
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
 from django.utils.timezone import now
@@ -23,6 +24,7 @@ from core.views.forms import (
 )
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
+    AutoCompleteSelectMultiple,
     AutoCompleteSelectMultipleGroup,
     AutoCompleteSelectMultipleUser,
     AutoCompleteSelectUser,
@@ -34,6 +36,7 @@ from counter.models import (
     Eticket,
     InvoiceCall,
     Product,
+    ProductFormula,
     Refilling,
     ReturnableProduct,
     ScheduledProductAction,
@@ -168,11 +171,21 @@ class CounterEditForm(forms.ModelForm):
     class Meta:
         model = Counter
         fields = ["sellers", "products"]
+        widgets = {"sellers": AutoCompleteSelectMultipleUser}
 
-        widgets = {
+    def __init__(self, *args, user: User, instance: Counter, **kwargs):
-            "sellers": AutoCompleteSelectMultipleUser,
+        super().__init__(*args, instance=instance, **kwargs)
-            "products": AutoCompleteSelectMultipleProduct,
+        if user.has_perm("counter.change_counter"):
-        }
+            self.fields["products"].widget = AutoCompleteSelectMultipleProduct()
+        else:
+            self.fields["products"].widget = AutoCompleteSelectMultiple()
+            self.fields["products"].queryset = Product.objects.filter(
+                Q(club_id=instance.club_id) | Q(counters=instance), archived=False
+            ).distinct()
+            self.fields["products"].help_text = _(
+                "If you want to add a product that is not owned by "
+                "your club to this counter, you should ask an admin."
+            )
 
 
 class ScheduledProductActionForm(forms.ModelForm):
@@ -278,7 +291,8 @@ ScheduledProductActionFormSet = forms.modelformset_factory(
     absolute_max=None,
     can_delete=True,
     can_delete_extra=False,
-    extra=2,
+    extra=0,
+    min_num=1,
 )
 
 
@@ -316,7 +330,6 @@ class ProductForm(forms.ModelForm):
         }
 
     counters = forms.ModelMultipleChoiceField(
-        help_text=None,
         label=_("Counters"),
         required=False,
         widget=AutoCompleteSelectMultipleCounter,
@@ -327,10 +340,31 @@ class ProductForm(forms.ModelForm):
         super().__init__(*args, instance=instance, **kwargs)
         if self.instance.id:
             self.fields["counters"].initial = self.instance.counters.all()
+            if hasattr(self.instance, "formula"):
+                self.formula_init(self.instance.formula)
         self.action_formset = ScheduledProductActionFormSet(
             *args, product=self.instance, **kwargs
         )
 
+    def formula_init(self, formula: ProductFormula):
+        """Part of the form initialisation specific to formula products."""
+        self.fields["selling_price"].help_text = _(
+            "This product is a formula. "
+            "Its price cannot be greater than the price "
+            "of the products constituting it, which is %(price)s €"
+        ) % {"price": formula.max_selling_price}
+        self.fields["special_selling_price"].help_text = _(
+            "This product is a formula. "
+            "Its special price cannot be greater than the price "
+            "of the products constituting it, which is %(price)s €"
+        ) % {"price": formula.max_special_selling_price}
+        for key, price in (
+            ("selling_price", formula.max_selling_price),
+            ("special_selling_price", formula.max_special_selling_price),
+        ):
+            self.fields[key].widget.attrs["max"] = price
+            self.fields[key].validators.append(MaxValueValidator(price))
+
     def is_valid(self):
         return super().is_valid() and self.action_formset.is_valid()
 
@@ -349,13 +383,47 @@ class ProductForm(forms.ModelForm):
         return product
 
 
+class ProductFormulaForm(forms.ModelForm):
+    class Meta:
+        model = ProductFormula
+        fields = ["products", "result"]
+        widgets = {
+            "products": AutoCompleteSelectMultipleProduct,
+            "result": AutoCompleteSelectProduct,
+        }
+
+    def clean(self):
+        cleaned_data = super().clean()
+        if cleaned_data["result"] in cleaned_data["products"]:
+            self.add_error(
+                None,
+                _(
+                    "The same product cannot be at the same time "
+                    "the result and a part of the formula."
+                ),
+            )
+        prices = [p.selling_price for p in cleaned_data["products"]]
+        special_prices = [p.special_selling_price for p in cleaned_data["products"]]
+        selling_price = cleaned_data["result"].selling_price
+        special_selling_price = cleaned_data["result"].special_selling_price
+        if selling_price > sum(prices) or special_selling_price > sum(special_prices):
+            self.add_error(
+                "result",
+                _(
+                    "The result cannot be more expensive "
+                    "than the total of the other products."
+                ),
+            )
+        return cleaned_data
+
+
 class ReturnableProductForm(forms.ModelForm):
     class Meta:
         model = ReturnableProduct
         fields = ["product", "returned_product", "max_return"]
         widgets = {
-            "product": AutoCompleteSelectProduct(),
+            "product": AutoCompleteSelectProduct,
-            "returned_product": AutoCompleteSelectProduct(),
+            "returned_product": AutoCompleteSelectProduct,
         }
 
     def save(self, commit: bool = True) -> ReturnableProduct:  # noqa FBT

counter/migrations/0037_productformula.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.2.8 on 2025-11-26 11:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("counter", "0036_product_created_at_product_updated_at")]
+
+    operations = [
+        migrations.CreateModel(
+            name="ProductFormula",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "products",
+                    models.ManyToManyField(
+                        help_text="The products that constitute this formula.",
+                        related_name="formulas",
+                        to="counter.product",
+                        verbose_name="products",
+                    ),
+                ),
+                (
+                    "result",
+                    models.OneToOneField(
+                        help_text="The formula product.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="counter.product",
+                        verbose_name="result product",
+                    ),
+                ),
+            ],
+        ),
+    ]

counter/models.py

@@ -456,6 +456,37 @@ class Product(models.Model):
         return self.selling_price - self.purchase_price
 
 
+class ProductFormula(models.Model):
+    products = models.ManyToManyField(
+        Product,
+        related_name="formulas",
+        verbose_name=_("products"),
+        help_text=_("The products that constitute this formula."),
+    )
+    result = models.OneToOneField(
+        Product,
+        related_name="formula",
+        on_delete=models.CASCADE,
+        verbose_name=_("result product"),
+        help_text=_("The product got with the formula."),
+    )
+
+    def __str__(self):
+        return self.result.name
+
+    @cached_property
+    def max_selling_price(self) -> float:
+        # iterating over all products is less efficient than doing
+        # a simple aggregation, but this method is likely to be used in
+        # coordination with `max_special_selling_price`,
+        # and Django caches the result of the `all` queryset.
+        return sum(p.selling_price for p in self.products.all())
+
+    @cached_property
+    def max_special_selling_price(self) -> float:
+        return sum(p.special_selling_price for p in self.products.all())
+
+
 class CounterQuerySet(models.QuerySet):
     def annotate_has_barman(self, user: User) -> Self:
         """Annotate the queryset with the `user_is_barman` field.

counter/static/bundled/counter/components/ajax-select-index.ts

@@ -18,7 +18,10 @@ export class ProductAjaxSelect extends AjaxSelect {
   protected searchField = ["code", "name"];
 
   protected async search(query: string): Promise<TomOption[]> {
-    const resp = await productSearchProducts({ query: { search: query } });
+    const resp = await productSearchProducts({
+      // biome-ignore lint/style/useNamingConvention: API is snake_case
+      query: { search: query, is_archived: false },
+    });
     if (resp.data) {
       return resp.data.results;
     }

counter/static/bundled/counter/counter-click-index.ts

@@ -1,6 +1,10 @@
 import { AlertMessage } from "#core:utils/alert-message.ts";
 import { BasketItem } from "#counter:counter/basket.ts";
-import type { CounterConfig, ErrorMessage } from "#counter:counter/types.ts";
+import type {
+  CounterConfig,
+  ErrorMessage,
+  ProductFormula,
+} from "#counter:counter/types.ts";
 import type { CounterProductSelect } from "./components/counter-product-select-index.ts";
 
 document.addEventListener("alpine:init", () => {
@@ -47,15 +51,43 @@ document.addEventListener("alpine:init", () => {
 
       this.basket[id] = item;
 
+      this.checkFormulas();
+
       if (this.sumBasket() > this.customerBalance) {
         item.quantity = oldQty;
         if (item.quantity === 0) {
           delete this.basket[id];
         }
-        return gettext("Not enough money");
+        this.alertMessage.display(gettext("Not enough money"), { success: false });
       }
+    },
 
-      return "";
+    checkFormulas() {
+      const products = new Set(
+        Object.keys(this.basket).map((i: string) => Number.parseInt(i)),
+      );
+      const formula: ProductFormula = config.formulas.find((f: ProductFormula) => {
+        return f.products.every((p: number) => products.has(p));
+      });
+      if (formula === undefined) {
+        return;
+      }
+      for (const product of formula.products) {
+        const key = product.toString();
+        this.basket[key].quantity -= 1;
+        if (this.basket[key].quantity <= 0) {
+          this.removeFromBasket(key);
+        }
+      }
+      this.alertMessage.display(
+        interpolate(
+          gettext("Formula %(formula)s applied"),
+          { formula: config.products[formula.result.toString()].name },
+          true,
+        ),
+        { success: true },
+      );
+      this.addToBasket(formula.result.toString(), 1);
     },
 
     getBasketSize() {
@@ -70,14 +102,7 @@ document.addEventListener("alpine:init", () => {
         (acc: number, cur: BasketItem) => acc + cur.sum(),
         0,
       ) as number;
-      return total;
+      return Math.round(total * 100) / 100;
-    },
-
-    addToBasketWithMessage(id: string, quantity: number) {
-      const message = this.addToBasket(id, quantity);
-      if (message.length > 0) {
-        this.alertMessage.display(message, { success: false });
-      }
     },
 
     onRefillingSuccess(event: CustomEvent) {
@@ -116,7 +141,7 @@ document.addEventListener("alpine:init", () => {
           this.finish();
         }
       } else {
-        this.addToBasketWithMessage(code, quantity);
+        this.addToBasket(code, quantity);
       }
       this.codeField.widget.clear();
       this.codeField.widget.focus();

counter/static/bundled/counter/types.d.ts

@@ -7,10 +7,16 @@ export interface InitialFormData {
   errors?: string[];
 }
 
+export interface ProductFormula {
+  result: number;
+  products: number[];
+}
+
 export interface CounterConfig {
   customerBalance: number;
   customerId: number;
   products: Record<string, Product>;
+  formulas: ProductFormula[];
   formInitial: InitialFormData[];
   cancelUrl: string;
 }

counter/static/counter/css/counter-click.scss

@@ -10,12 +10,12 @@
   float: right;
 }
 
-.basket-error-container {
+.basket-message-container {
   position: relative;
   display: block
 }
 
-.basket-error {
+.basket-message {
   z-index: 10; // to get on top of tomselect
   text-align: center;
   position: absolute;

counter/templates/counter/counter_click.jinja

@@ -32,13 +32,11 @@
   <div id="bar-ui" x-data="counter({
                            customerBalance: {{ customer.amount }},
                            products: products,
+                           formulas: formulas,
                            customerId: {{ customer.pk }},
                            formInitial: formInitial,
                            cancelUrl: '{{ cancel_url }}',
                            })">
-    <noscript>
-      <p class="important">Javascript is required for the counter UI.</p>
-    </noscript>
 
     <div id="user_info">
       <h5>{% trans %}Customer{% endtrans %}</h5>
@@ -88,11 +86,12 @@
 
           <form x-cloak method="post" action="" x-ref="basketForm">
 
-            <div class="basket-error-container">
+            <div class="basket-message-container">
               <div
                 x-cloak
-                class="alert alert-red basket-error"
+                class="alert basket-message"
-                x-show="alertMessage.show"
+                :class="alertMessage.success ? 'alert-green' : 'alert-red'"
+                x-show="alertMessage.open"
                 x-transition.duration.500ms
                 x-text="alertMessage.content"
               ></div>
@@ -111,9 +110,9 @@
                     </div>
                   </template>
 
-                  <button @click.prevent="addToBasketWithMessage(item.product.id, -1)">-</button>
+                  <button @click.prevent="addToBasket(item.product.id, -1)">-</button>
                   <span class="quantity" x-text="item.quantity"></span>
-                  <button @click.prevent="addToBasketWithMessage(item.product.id, 1)">+</button>
+                  <button @click.prevent="addToBasket(item.product.id, 1)">+</button>
 
                   <span x-text="item.product.name"></span> :
                   <span x-text="item.sum().toLocaleString(undefined, { minimumFractionDigits: 2 })">€</span>
@@ -213,7 +212,7 @@
                 <h5 class="margin-bottom">{{ category }}</h5>
                 <div class="row gap-2x">
                   {% for product in categories[category] -%}
-                    <button class="card shadow" @click="addToBasketWithMessage('{{ product.id }}', 1)">
+                    <button class="card shadow" @click="addToBasket('{{ product.id }}', 1)">
                       <img
                         class="card-image"
                         alt="image de {{ product.name }}"
@@ -252,6 +251,18 @@
         },
       {%- endfor -%}
     };
+    const formulas = [
+      {%- for formula in formulas -%}
+        {
+          result: {{ formula.result_id }},
+          products: [
+            {%- for product in formula.products.all() -%}
+              {{ product.id }},
+            {%- endfor -%}
+          ]
+        },
+      {%- endfor -%}
+    ];
     const formInitial = [
       {%- for f in form -%}
         {%- if f.cleaned_data -%}

counter/templates/counter/formula_list.jinja

@@ -0,0 +1,78 @@
+{% extends "core/base.jinja" %}
+
+{% block title %}
+  {% trans %}Product formulas{% endtrans %}
+{% endblock %}
+
+{% block additional_css %}
+  <link rel="stylesheet" href="{{ static("core/components/card.scss") }}">
+  <link rel="stylesheet" href="{{ static("counter/css/admin.scss") }}">
+{% endblock %}
+
+{% block content %}
+  <main>
+    <h3 class="margin-bottom">{% trans %}Product formulas{% endtrans %}</h3>
+    <p>
+      {%- trans trimmed -%}
+        Formulas allow you to associate a group of products
+        with a result product (the formula itself).
+      {%- endtrans -%}
+    </p>
+    <p>
+      {%- trans trimmed -%}
+        If the product of a formula is available on a counter,
+        it will be automatically applied if all the products that
+        make it up are added to the basket.
+      {%- endtrans -%}
+    </p>
+    <p>
+      {%- trans trimmed -%}
+        For example, if there is a formula that combines a "Sandwich Formula" product
+        with the "Sandwich" and "Soft Drink" products,
+        then, if a person orders a sandwich and a soft drink,
+        the formula will be applied and the basket will then contain a sandwich formula instead.
+      {%- endtrans -%}
+    </p>
+    <p class="margin-bottom">
+      <a href="{{ url('counter:product_formula_create') }}" class="btn btn-blue">
+        {% trans %}New formula{% endtrans %}
+        <i class="fa fa-plus"></i>
+      </a>
+    </p>
+    <div class="product-group">
+      {%- for formula in object_list -%}
+        <a
+          class="card card-row shadow clickable"
+          href="{{ url('counter:product_formula_edit', formula_id=formula.id) }}"
+        >
+          <div class="card-content">
+            <strong class="card-title">{{ formula.result.name }}</strong>
+            <p>
+              {% for p in formula.products.all() %}
+                <i>{{ p.code }} ({{ p.selling_price }} €)</i>
+                {% if not loop.last %}+{% endif %}
+              {% endfor %}
+            </p>
+            <p>
+              {{ formula.result.selling_price }} €
+              ({% trans %}instead of{% endtrans %} {{ formula.max_selling_price}} €)
+            </p>
+          </div>
+          {% if user.has_perm("counter.delete_productformula") %}
+            <button
+              x-data
+              class="btn btn-red btn-no-text card-top-left"
+              @click.prevent="document.location.href = '{{ url('counter:product_formula_delete', formula_id=formula.id) }}'"
+            >
+            {# The delete link is a button with a JS event listener
+               instead of a proper <a> element,
+               because the enclosing card is already a <a>,
+               and HTML forbids nested <a> #}
+              <i class="fa fa-trash"></i>
+            </button>
+          {% endif %}
+        </a>
+      {%- endfor -%}
+    </div>
+  </main>
+{% endblock %}

counter/templates/counter/product_form.jinja

@@ -1,5 +1,44 @@
 {% extends "core/base.jinja" %}
 
+{% block additional_js %}
+  <script type="module" src="{{ static("bundled/core/dynamic-formset-index.ts") }}"></script>
+{% endblock %}
+
+
+{% macro action_form(form) %}
+  <fieldset x-data="{action: '{{ form.task.initial }}'}">
+    {{ form.non_field_errors() }}
+    <div class="row gap-2x margin-bottom">
+      <div>
+        {{ form.task.errors }}
+        {{ form.task.label_tag() }}
+        {{ form.task|add_attr("x-model=action") }}
+      </div>
+      <div>{{ form.trigger_at.as_field_group() }}</div>
+    </div>
+    <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
+      {{ form.counters.as_field_group() }}
+    </div>
+    {%- if form.DELETE -%}
+      <div class="row gap">
+        {{ form.DELETE.as_field_group() }}
+      </div>
+    {%- else -%}
+      <button
+        class="btn btn-grey"
+        @click.prevent="removeForm($event.target.closest('fieldset'))"
+      >
+        <i class="fa fa-minus"></i>{% trans %}Remove this action{% endtrans %}
+      </button>
+    {%- endif -%}
+    {%- for field in form.hidden_fields() -%}
+      {{ field }}
+    {%- endfor -%}
+    <hr />
+  </fieldset>
+{% endmacro %}
+
+
 {% block content %}
   {% if object %}
     <h2>{% trans name=object %}Edit product {{ name }}{% endtrans %}</h2>
@@ -25,34 +64,20 @@
       </em>
     </p>
 
-    {{ form.action_formset.management_form }}
+    <div x-data="dynamicFormSet" class="margin-bottom">
-    {%- for action_form in form.action_formset.forms -%}
+      {{ form.action_formset.management_form }}
-      <fieldset x-data="{action: '{{ action_form.task.initial }}'}">
+      <div x-ref="formContainer">
-        {{ action_form.non_field_errors() }}
+        {%- for f in form.action_formset.forms -%}
-        <div class="row gap-2x margin-bottom">
+          {{ action_form(f) }}
-          <div>
-            {{ action_form.task.errors }}
-            {{ action_form.task.label_tag() }}
-            {{ action_form.task|add_attr("x-model=action") }}
-          </div>
-          <div>{{ action_form.trigger_at.as_field_group() }}</div>
-        </div>
-        <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
-          {{ action_form.counters.as_field_group() }}
-        </div>
-        {%- if action_form.DELETE -%}
-          <div class="row gap">
-            {{ action_form.DELETE.as_field_group() }}
-          </div>
-        {%- endif -%}
-        {%- for field in action_form.hidden_fields() -%}
-          {{ field }}
         {%- endfor -%}
-      </fieldset>
+      </div>
-      {%- if not loop.last -%}
+      <template x-ref="formTemplate">
-        <hr class="margin-bottom">
+        {{ action_form(form.action_formset.empty_form) }}
-      {%- endif -%}
+      </template>
-    {%- endfor -%}
+      <button @click.prevent="addForm()" class="btn btn-grey">
-    <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
+        <i class="fa fa-plus"></i>{% trans %}Add action{% endtrans %}
+      </button>
+    </div>
+    <p><input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" /></p>
   </form>
 {% endblock %}

counter/tests/test_counter_admin.py

@@ -0,0 +1,62 @@
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from club.models import Membership
+from core.baker_recipes import subscriber_user
+from core.models import User
+from counter.baker_recipes import product_recipe
+from counter.forms import CounterEditForm
+from counter.models import Counter
+
+
+class TestEditCounterProducts(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.counter = baker.make(Counter)
+        cls.products = product_recipe.make(_quantity=5, _bulk_create=True)
+        cls.counter.products.add(*cls.products)
+
+    def test_admin(self):
+        """Test that an admin can add and remove products"""
+        user = baker.make(
+            User, user_permissions=[Permission.objects.get(codename="change_counter")]
+        )
+        new_product = product_recipe.make()
+        form = CounterEditForm(
+            data={"sellers": [], "products": [*self.products[1:], new_product]},
+            user=user,
+            instance=self.counter,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.products.all()) == {*self.products[1:], new_product}
+
+    def test_club_board_id(self):
+        """Test that people from counter club board can only add their own products."""
+        club = self.counter.club
+        user = subscriber_user.make()
+        baker.make(Membership, user=user, club=club, end_date=None)
+        new_product = product_recipe.make(club=club)
+        form = CounterEditForm(
+            data={"sellers": [], "products": [*self.products[1:], new_product]},
+            user=user,
+            instance=self.counter,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.products.all()) == {*self.products[1:], new_product}
+
+        new_product = product_recipe.make()  # product not owned by the club
+        form = CounterEditForm(
+            data={"sellers": [], "products": [*self.products[1:], new_product]},
+            user=user,
+            instance=self.counter,
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "products": [
+                "Sélectionnez un choix valide. "
+                f"{new_product.id} n\u2019en fait pas partie."
+            ],
+        }

counter/tests/test_formula.py

@@ -0,0 +1,59 @@
+from django.test import TestCase
+
+from counter.baker_recipes import product_recipe
+from counter.forms import ProductFormulaForm
+
+
+class TestFormulaForm(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.products = product_recipe.make(
+            selling_price=iter([1.5, 1, 1]),
+            special_selling_price=iter([1.4, 0.9, 0.9]),
+            _quantity=3,
+            _bulk_create=True,
+        )
+
+    def test_ok(self):
+        form = ProductFormulaForm(
+            data={
+                "result": self.products[0].id,
+                "products": [self.products[1].id, self.products[2].id],
+            }
+        )
+        assert form.is_valid()
+        formula = form.save()
+        assert formula.result == self.products[0]
+        assert set(formula.products.all()) == set(self.products[1:])
+
+    def test_price_invalid(self):
+        self.products[0].selling_price = 2.1
+        self.products[0].save()
+        form = ProductFormulaForm(
+            data={
+                "result": self.products[0].id,
+                "products": [self.products[1].id, self.products[2].id],
+            }
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "result": [
+                "Le résultat ne peut pas être plus cher "
+                "que le total des autres produits."
+            ]
+        }
+
+    def test_product_both_in_result_and_products(self):
+        form = ProductFormulaForm(
+            data={
+                "result": self.products[0].id,
+                "products": [self.products[0].id, self.products[1].id],
+            }
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "__all__": [
+                "Un même produit ne peut pas être à la fois "
+                "le résultat et un élément de la formule."
+            ]
+        }

counter/tests/test_product.py

@@ -15,8 +15,9 @@ from pytest_django.asserts import assertNumQueries, assertRedirects
 from club.models import Club
 from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
+from counter.baker_recipes import product_recipe
 from counter.forms import ProductForm
-from counter.models import Product, ProductType
+from counter.models import Product, ProductFormula, ProductType
 
 
 @pytest.mark.django_db
@@ -93,6 +94,9 @@ class TestCreateProduct(TestCase):
     def setUpTestData(cls):
         cls.product_type = baker.make(ProductType)
         cls.club = baker.make(Club)
+        cls.counter_admin = baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)]
+        )
         cls.data = {
             "name": "foo",
             "description": "bar",
@@ -116,13 +120,36 @@ class TestCreateProduct(TestCase):
         assert instance.name == "foo"
         assert instance.selling_price == 1.0
 
-    def test_view(self):
+    def test_form_with_product_from_formula(self):
-        self.client.force_login(
+        """Test when the edited product is a result of a formula."""
-            baker.make(
+        self.client.force_login(self.counter_admin)
-                User,
+        products = product_recipe.make(
-                groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)],
+            selling_price=iter([1.5, 1, 1]),
-            )
+            special_selling_price=iter([1.4, 0.9, 0.9]),
+            _quantity=3,
+            _bulk_create=True,
         )
+        baker.make(ProductFormula, result=products[0], products=products[1:])
+
+        data = self.data | {"selling_price": 1.7, "special_selling_price": 1.5}
+        form = ProductForm(data=data, instance=products[0])
+        assert form.is_valid()
+
+        # it shouldn't be possible to give a price higher than the formula's products
+        data = self.data | {"selling_price": 2.1, "special_selling_price": 1.9}
+        form = ProductForm(data=data, instance=products[0])
+        assert not form.is_valid()
+        assert form.errors == {
+            "selling_price": [
+                "Assurez-vous que cette valeur est inférieure ou égale à 2.00."
+            ],
+            "special_selling_price": [
+                "Assurez-vous que cette valeur est inférieure ou égale à 1.80."
+            ],
+        }
+
+    def test_view(self):
+        self.client.force_login(self.counter_admin)
         url = reverse("counter:new_product")
         response = self.client.get(url)
         assert response.status_code == 200

counter/urls.py

@@ -25,6 +25,10 @@ from counter.views.admin import (
     CounterStatView,
     ProductCreateView,
     ProductEditView,
+    ProductFormulaCreateView,
+    ProductFormulaDeleteView,
+    ProductFormulaEditView,
+    ProductFormulaListView,
     ProductListView,
     ProductTypeCreateView,
     ProductTypeEditView,
@@ -116,6 +120,24 @@ urlpatterns = [
         ProductEditView.as_view(),
         name="product_edit",
     ),
+    path(
+        "admin/formula/", ProductFormulaListView.as_view(), name="product_formula_list"
+    ),
+    path(
+        "admin/formula/new/",
+        ProductFormulaCreateView.as_view(),
+        name="product_formula_create",
+    ),
+    path(
+        "admin/formula/<int:formula_id>/edit",
+        ProductFormulaEditView.as_view(),
+        name="product_formula_edit",
+    ),
+    path(
+        "admin/formula/<int:formula_id>/delete",
+        ProductFormulaDeleteView.as_view(),
+        name="product_formula_delete",
+    ),
     path(
         "admin/product-type/list/",
         ProductTypeListView.as_view(),

counter/views/admin.py

@@ -34,11 +34,13 @@ from counter.forms import (
     CloseCustomerAccountForm,
     CounterEditForm,
     ProductForm,
+    ProductFormulaForm,
     ReturnableProductForm,
 )
 from counter.models import (
     Counter,
     Product,
+    ProductFormula,
     ProductType,
     Refilling,
     ReturnableProduct,
@@ -56,7 +58,7 @@ class CounterListView(CounterAdminTabsMixin, CanViewMixin, ListView):
     current_tab = "counters"
 
 
-class CounterEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
+class CounterEditView(CounterAdminTabsMixin, UserPassesTestMixin, UpdateView):
     """Edit a counter's main informations (for the counter's manager)."""
 
     model = Counter
@@ -65,10 +67,14 @@ class CounterEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
     template_name = "core/edit.jinja"
     current_tab = "counters"
 
-    def dispatch(self, request, *args, **kwargs):
+    def test_func(self):
-        obj = self.get_object()
+        if self.request.user.has_perm("counter.change_counter"):
-        self.edit_club.append(obj.club)
+            return True
-        return super().dispatch(request, *args, **kwargs)
+        obj = self.get_object(queryset=self.get_queryset().select_related("club"))
+        return obj.club.has_rights_in_club(self.request.user)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {"user": self.request.user}
 
     def get_success_url(self):
         return reverse_lazy("counter:admin", kwargs={"counter_id": self.object.id})
@@ -162,6 +168,62 @@ class ProductEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
     current_tab = "products"
 
 
+class ProductFormulaListView(CounterAdminTabsMixin, PermissionRequiredMixin, ListView):
+    model = ProductFormula
+    queryset = ProductFormula.objects.select_related("result").prefetch_related(
+        "products"
+    )
+    template_name = "counter/formula_list.jinja"
+    current_tab = "formulas"
+    permission_required = "counter.view_productformula"
+
+
+class ProductFormulaCreateView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, CreateView
+):
+    model = ProductFormula
+    form_class = ProductFormulaForm
+    pk_url_kwarg = "formula_id"
+    template_name = "core/create.jinja"
+    current_tab = "formulas"
+    success_url = reverse_lazy("counter:product_formula_list")
+    permission_required = "counter.add_productformula"
+
+
+class ProductFormulaEditView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, UpdateView
+):
+    model = ProductFormula
+    form_class = ProductFormulaForm
+    pk_url_kwarg = "formula_id"
+    template_name = "core/edit.jinja"
+    current_tab = "formulas"
+    success_url = reverse_lazy("counter:product_formula_list")
+    permission_required = "counter.change_productformula"
+
+
+class ProductFormulaDeleteView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, DeleteView
+):
+    model = ProductFormula
+    pk_url_kwarg = "formula_id"
+    template_name = "core/delete_confirm.jinja"
+    current_tab = "formulas"
+    success_url = reverse_lazy("counter:product_formula_list")
+    permission_required = "counter.delete_productformula"
+
+    def get_context_data(self, **kwargs):
+        obj_name = self.object.result.name
+        return super().get_context_data(**kwargs) | {
+            "object_name": _("%(formula)s (formula)") % {"formula": obj_name},
+            "help_text": _(
+                "This action will only delete the formula, "
+                "but not the %(product)s product itself."
+            )
+            % {"product": obj_name},
+        }
+
+
 class ReturnableProductListView(
     CounterAdminTabsMixin, PermissionRequiredMixin, ListView
 ):

counter/views/click.py

@@ -12,6 +12,7 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from collections import defaultdict
 
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
@@ -31,6 +32,7 @@ from counter.forms import BasketForm, RefillForm
 from counter.models import (
     Counter,
     Customer,
+    ProductFormula,
     ReturnableProduct,
     Selling,
 )
@@ -206,12 +208,13 @@ class CounterClick(
         """Add customer to the context."""
         kwargs = super().get_context_data(**kwargs)
         kwargs["products"] = self.products
-        kwargs["categories"] = {}
+        kwargs["formulas"] = ProductFormula.objects.filter(
+            result__in=self.products
+        ).prefetch_related("products")
+        kwargs["categories"] = defaultdict(list)
         for product in kwargs["products"]:
             if product.product_type:
-                kwargs["categories"].setdefault(product.product_type, []).append(
+                kwargs["categories"][product.product_type].append(product)
-                    product
-                )
         kwargs["customer"] = self.customer
         kwargs["cancel_url"] = self.get_success_url()
 

counter/views/mixins.py

@@ -100,6 +100,11 @@ class CounterAdminTabsMixin(TabedViewMixin):
             "slug": "products",
             "name": _("Products"),
         },
+        {
+            "url": reverse_lazy("counter:product_formula_list"),
+            "slug": "formulas",
+            "name": _("Formulas"),
+        },
         {
             "url": reverse_lazy("counter:product_type_list"),
             "slug": "product_types",

docs/reference/api/schemas.md

@@ -0,0 +1 @@
+::: api.schemas

docs/reference/api/views.md

@@ -0,0 +1 @@
+::: api.views

docs/tutorial/api/account-link.md

@@ -0,0 +1,353 @@
+Le site AE offre des mécanismes permettant aux applications tierces
+de récupérer les informations sur un utilisateur du site AE.
+De cette manière, il devient possible de synchroniser les informations
+qu possède l'application tierce sur l'utilisateur, directement depuis
+le site AE.
+
+## Fonctionnement général
+
+Pour authentifier vos utilisateurs, vous aurez besoin d'un serveur web
+et d'un client d'API (celui auquel est liée votre
+[clef d'API](./connect.md#obtenir-une-clef-dapi)).
+Deux informations vous sont nécessaires, en plus de votre clef d'API :
+
+- l'id du client : vous pouvez l'obtenir soit en le demandant à l'équipe info,
+  soit en appelant la route `GET /client/me` avec votre clef d'API
+  renseignée dans le header [X-APIKey](./connect.md#x-apikey)
+- la clef HMAC du client : vous devez la demander à l'équipe info.
+
+Grâce à ces informations, vous allez pouvoir fournir le contexte nécessaire
+au site AE pour qu'il authentifie vos utilisateurs.
+
+En effet, la démarche d'authentification s'effectue presque entièrement
+sur le site : le travail de l'application tierce consiste uniquement
+à fournir à l'utilisateur une url avec les bons paramètres, puis
+à recevoir la réponse du serveur si tout s'est bien passé.
+
+Comme un dessin vaut parfois mieux que mille mots,
+voici les diagrammes décrivant le processus.
+L'un montre l'entièreté de la démarche ;
+l'autre dans un souci de simplicité, ne montre que ce qui est visible
+directement par l'application tierce.
+
+=== "Intégralité du processus"
+
+    ```mermaid
+    sequenceDiagram
+        actor User
+        participant App
+        User->>+App: Authentifie-moi, stp
+        App-->>-User: url de connexion<br/>avec signature
+        User->>+Sith: GET url
+        opt Utilisateur non-connecté
+            Sith->>+User: Formulaire de connexion
+            User-->>-Sith: Connexion
+        end
+        Sith->>Sith: vérification de la signature
+        Sith->>+User: Formulaire<br/>des conditions<br/>d'utilisation
+        User-->>-Sith: Validation
+        Sith->>+App: URL de retour<br/>avec données utilisateur
+        App->>App: Traitement des <br/>données utilisateur
+        App-->>-Sith: 204 OK, No content
+        Sith-->>-User: Message de succès
+        App--)User: Message de succès
+    ```
+
+=== "Point de vue de l'application tierce"
+
+    ```mermaid
+    sequenceDiagram
+        actor User
+        participant App
+        User->>+App: Authentifie-moi, stp
+        App-->>-User: url de connexion<br/>avec signature
+        opt
+            Sith->>+App: URL de retour<br/>avec données utilisateur
+            App->>App: Traitement des <br/>données utilisateur
+            App-->>-Sith: 204 OK, No content
+            App--)User: Message de succès
+        end
+    ```
+
+## Données attendues
+
+### URL de connexion
+
+L'URL de connexion que vous allez fournir à l'utilisateur doit
+être `https://ae.utbm.fr/api-link/auth/`
+et doit contenir les données décrites dans
+[`ThirdPartyAuthParamsSchema`][api.schemas.ThirdPartyAuthParamsSchema] :
+
+- `client_id` (integer) : l'id de votre client, que vous pouvez obtenir
+  de la manière décrite plus haut
+- `third_party_app`(string) : le nom de la plateforme pour laquelle
+  l'authentification va être réalisée (si votre application est un bot
+  discord, mettez la valeur "discord")
+- `privacy_link`(URL) : l'URL vers la page de politique de confidentialité
+  qui s'appliquera dans le cadre de l'application
+  (s'il s'agit d'un bot discord, donnez le lien vers celles de Discord)
+- `username`(string) : le pseudonyme que l'utilisateur possède sur
+  votre application
+- `callback_url`(URL) : l'URL que le site AE appellera si l'authentification
+  réussit
+- `signature`(string) : la signature des données de la requête.
+
+Ces données doivent être url-encodées et passées dans les paramètres GET.
+
+!!!tip "URL de retour"
+
+    Notre système n'impose aucune contrainte quant à la manière
+    de construire votre URL (hormis le fait que ce doit être une URL HTTPS valide),
+    mais il est tout de même conseillé d'utiliser l'identifiant de votre
+    utilisateur comme paramètre dans l'URL 
+    (par exemple `GET /callback/{int:user_id}/`).
+
+???Example
+
+    Supposons que votre client d'API soit utilisé dans le cadre d'un bot Discord,
+    avec les données suivantes :
+    
+    - l'id du client est 15
+    - sa clef HMAC est "beb99dd53"
+      (c'est pour l'exemple, une vraie clef sera beaucoup plus longue)
+    - le pseudonyme discord de votre utilisateur est Brian
+    - son id sur discord est 123456789
+    - votre route de callback est `GET /callback/{int:user_id}/`,
+      accessible au domaine `https://bot.ae.utbm.fr`
+    
+    Alors les paramètres de votre URL seront :
+    
+    | Paramètre       | valeur                                                                |
+    |-----------------|-----------------------------------------------------------------------|
+    | client_id       | 15                                                                    |
+    | third_party_app | discord                                                               |
+    | privacy_link    | `https://discord.com/privacy`                                         |
+    | username        | Brian                                                                 |
+    | callback_url    | `https://bot.ae.utbm.fr/callback/123456789/`                          |
+    | signature       | 1a383c51060be64f07772aa42e07<br/>18ae096b8f21f2cdb4061c0834a416d12101 |
+    
+    Et l'url fournie à l'utilisateur sera :
+    
+    `https://ae.utbm.fr/api-link/auth/?client_id=15&third_party_app=discord
+    &privacy_link=https%3A%2F%2Fdiscord.com%2Fprivacy&username=Brian
+    &callback_url=https%3A%2F%2Fbot.ae.utbm.fr%2Fcallback%2F123456789%2F
+    &signature=1a383c51060be64f07772aa42e0718ae096b8f21f2cdb4061c0834a416d12101`
+
+### Données de retour
+
+Si l'authentification réussit, le site AE enverra une requête HTTP POST
+à l'URL de retour fournie dans l'URL de connexion.
+
+Le corps de la requête de callback et au format JSON 
+et contient deux paires clef-valeur :
+
+- `user` : les données utilisateur, telles que décrites
+  par [UserProfileSchema][core.schemas.UserProfileSchema]
+- `signature` : la signature des données utilisateur
+
+???Example
+
+    En reprenant les mêmes paramètres que dans l'exemple précédent,
+    le site AE pourra renvoyer à l'application la requête suivante :
+
+    ```http
+    POST https://bot.ae.utbm.fr/callback/123456789/
+    content-type: application/json
+    body: {
+        "user": {
+            "id": 144131,
+            "nick_name": "inzekitchen",
+            "first_name": "Brian",
+            ...
+        },
+        "signature": "f16955bab6b805f6e1abbb98a86dfee53fed0bf812aa6513ca46cfd461b70020"
+    }
+    ```
+
+L'application doit répondre avec un des codes HTTP suivants :
+
+| Code | Raison                                                                         |
+|------|--------------------------------------------------------------------------------|
+| 204  | Tout s'est bien passé                                                          |
+| 403  | Les données de retour ne sont <br>pas signées ou sont mal signées              |
+| 404  | L'URL de retour ne permet pas <br>d'identifier un utilisateur de l'application |
+
+!!!note "Code d'erreur par défaut"
+
+    Si l'appel de la route fait face à plusieurs problèmes en même temps 
+    (par exemple, l'URL ne permet pas de retrouver votre utilisateur, 
+    et en plus les données sont mal signées),
+    le 403 prime et doit être retourné par défaut.
+
+## Signature des données
+
+Les données de l'URL de connexion doivent être signées,
+et la signature de l'URL de retour doit être vérifiée.
+
+Dans le deux cas, la signature est le digest HMAC-SHA512
+des données url-encodées, en utilisant la clef HMAC du client d'API.
+
+???Example "Signature de l'URL de connexion"
+
+    En reprenant le même exemple que les fois précédentes,
+    l'url-encodage des données est :
+
+    `client_id=15&third_party_app=discord
+    &privacy_link=https%3A%2F%2Fdiscord.com%2Fprivacy%2F&username=Brian
+    &callback_url=https%3A%2F%2Fbot.ae.utbm.fr%2Fcallback%2F123456789%2F`
+
+    Notez que la signature n'est pas (encore) dedans.
+    Cette dernière peut-être obtenue avec le code suivant :
+
+    === ":simple-python: Python"
+    
+        Dépendances :
+    
+        - `environs` (>=14.1)
+    
+        ```python
+        import hmac
+        from urllib.parse import urlencode
+        
+        from environs import Env
+        
+        env = Env()
+        env.read_env()
+        
+        key = env.str("HMAC_KEY").encode()
+        data = {
+            "client_id": 15,
+            "third_party_app": "discord",
+            "privacy_link": "https://discord.com/privacy/",
+            "username": "Brian",
+            "callback_url": "https://bot.ae.utbm.fr/callback/123456789/",
+        }
+        urlencoded = urlencode(data)
+        data["signature"] = hmac.digest(key, urlencoded.encode(), "sha512").hex()
+        
+        # URL a fournir à l'utilisateur pour son authentification
+        user_url = f"https://ae.ubtm.fr/api-link/auth/?{urlencode(data)}"
+        ```    
+    
+    === ":simple-rust: Rust"
+    
+        Dépendances :
+        
+        - `hmac` (>=0.12.1)
+        - `url` (>=2.5.7, features `serde`)
+        - `serde` (>=1.0.228, features `derive`)
+        - `serde_urlencoded` (>="0.7.1)
+        - `sha2` (>=0.10.9)
+        - `dotenvy` (>= 0.15)
+    
+        ```rust
+        use hmac::{Mac, SimpleHmac};
+        use serde::Serialize;
+        use sha2::Sha512;
+        use url::Url;
+        
+        #[derive(Serialize, Debug)]
+        struct UrlData<'a> {
+            client_id: u32,
+            third_party_app: &'a str,
+            privacy_link: Url,
+            username: &'a str,
+            callback_url: Url,
+        }
+        
+        impl<'a> UrlData<'a> {
+            pub fn signature(&self, key: &[u8]) -> CtOutput<SimpleHmac<Sha512>> {
+                let urlencoded = serde_urlencoded::to_string(self).unwrap();
+                SimpleHmac::<Sha512>::new_from_slice(key)
+                    .unwrap()
+                    .chain_update(urlencoded.as_bytes())
+                    .finalize()
+            }
+        }
+        
+        impl Into<Url> for UrlData<'_> {
+            fn into(self) -> Url {
+                let key = std::env::var("HMAC_KEY").unwrap();
+                let mut url = Url::parse("http://ae.utbm.fr/api-link/auth/").unwrap();
+                url.set_query(Some(
+                    format!(
+                        "{}&signature={:x}",
+                        serde_urlencoded::to_string(&self).unwrap(),
+                        self.signature(key.as_bytes()).into_bytes()
+                    )
+                    .as_str(),
+                ));
+                url
+            }
+        }
+        
+        fn main() {
+            dotenvy::dotenv().expect("Couldn't load env");
+            let data = UrlData {
+                client_id: 1,
+                third_party_app: "discord",
+                privacy_link: "https://discord.com/privacy/".parse().unwrap(),
+                username: "Brian",
+                callback_url: "https://bot.ae.utbm.fr/callback/123456789/"
+                    .parse()
+                    .unwrap(),
+            };
+            let url: Url = data.into();
+            println!("{:?}", url);
+        }
+        ```
+
+???Example "Vérification de la signature de la réponse"
+
+    Les données utilisateur peuvent ressembler à :
+
+    ```json
+    {
+        "user": {
+            "display_name": "Matthieu Vincent",
+            "profile_url": "/user/380/",
+            "profile_pict": "/static/core/img/unknown.jpg",
+            "id": 380,
+            "nick_name": None,
+            "first_name": "Matthieu",
+            "last_name": "Vincent",
+        },
+        "signature": "3802a280fbb01bd9fetc."
+    }
+    ```
+
+    Vous pouvez vérifier la signature ainsi :
+
+    ```python
+        import hmac
+        from urllib.parse import urlencode
+        
+        from environs import Env
+        
+        env = Env()
+        env.read_env()
+        
+        def is_signature_valid(user_data: dict, signature: str) -> bool:
+            key = env.str("HMAC_KEY").encode()
+            urlencoded = urlencode(user_data)
+            return hmac.compare_digest(
+                hmac.digest(key, urlencoded.encode(), "sha512").hex(),
+                signature,
+            )
+        
+        
+        post_data = <récupération des données POST>
+        print(
+            "signature valide :", 
+            is_signature_valid(post_data["user"], post_data["signature"]
+        )
+    ```
+
+!!!Warning
+
+    Vous devez impérativement vérifier la signature 
+    des données de la requête de callback !
+
+    Si l'équipe informatique se rend compte que vous ne le faites pas,
+    elle se réserve le droit de suspendre votre application,
+    immédiatement et sans préavis.

docs/tutorial/api/connect.md

@@ -112,7 +112,7 @@ cf. [HTTP persistant connection (wikipedia)](https://en.wikipedia.org/wiki/HTTP_
 
 Voici quelques exemples : 
 
-=== "Python (requests)"
+=== ":simple-python: Python (requests)"
 
     Dépendances :
 
@@ -132,7 +132,7 @@ Voici quelques exemples :
         print(response.json())
     ```
 
-=== "Python (aiohttp)"
+=== ":simple-python: Python (aiohttp)"
 
     Dépendances :
 
@@ -158,7 +158,7 @@ Voici quelques exemples :
     asyncio.run(main())
     ```
 
-=== "Javascript (axios)"
+=== ":simple-javascript: Javascript (axios)"
 
     Dépendances :
 
@@ -178,7 +178,7 @@ Voici quelques exemples :
     console.log(await instance.get("club/1").json());
     ```
 
-=== "Rust (reqwest)"
+=== ":simple-rust: Rust (reqwest)"
 
     Dépendances :
     

eboutic/converters.py

@@ -1,37 +0,0 @@
-#
-# Copyright 2022
-# - Maréchal <thgirod@hotmail.com
-#
-# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
-# http://ae.utbm.fr.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License a published by the Free Software
-# Foundation; either version 3 of the License, or (at your option) any later
-# version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
-# details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
-# Place - Suite 330, Boston, MA 02111-1307, USA.
-
-
-class PaymentResultConverter:
-    """Converter used for url mapping of the `eboutic.views.payment_result` view.
-
-    It's meant to build an url that can match
-    either `/eboutic/pay/success/` or `/eboutic/pay/failure/`
-    but nothing else.
-    """
-
-    regex = "(success|failure)"
-
-    def to_python(self, value):
-        return str(value)
-
-    def to_url(self, value):
-        return str(value)

eboutic/urls.py

@@ -24,7 +24,7 @@
 
 from django.urls import path, register_converter
 
-from eboutic.converters import PaymentResultConverter
+from core.converters import ResultConverter
 from eboutic.views import (
     BillingInfoFormFragment,
     EbouticCheckout,
@@ -34,7 +34,7 @@ from eboutic.views import (
     payment_result,
 )
 
-register_converter(PaymentResultConverter, "res")
+register_converter(ResultConverter, "res")
 
 urlpatterns = [
     # Subscription views

election/views.py

@@ -1,7 +1,6 @@
 from typing import TYPE_CHECKING
 
 from cryptography.utils import cached_property
-from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.mixins import (
     LoginRequiredMixin,
@@ -115,16 +114,9 @@ class VoteFormView(LoginRequiredMixin, UserPassesTestMixin, FormView):
     def test_func(self):
         if not self.election.can_vote(self.request.user):
             return False
-
+        return self.election.vote_groups.filter(
-        groups = set(self.election.vote_groups.values_list("id", flat=True))
+            id__in=self.request.user.all_groups
-        if (
+        ).exists()
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
 
     def vote(self, election_data):
         with transaction.atomic():
@@ -238,15 +230,9 @@ class RoleCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView):
             return False
         if self.request.user.has_perm("election.add_role"):
             return True
-        groups = set(self.election.edit_groups.values_list("id", flat=True))
+        return self.election.edit_groups.filter(
-        if (
+            id__in=self.request.user.all_groups
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
+        ).exists()
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
 
     def get_initial(self):
         return {"election": self.election}
@@ -279,14 +265,7 @@ class ElectionListCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView
             .union(self.election.edit_groups.values("id"))
             .values_list("id", flat=True)
         )
-        if (
+        return not groups.isdisjoint(self.request.user.all_groups.keys())
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
 
     def get_initial(self):
         return {"election": self.election}

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-14 15:21+0100\n"
+"POT-Creation-Date: 2026-03-07 15:47+0100\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -35,6 +35,10 @@ msgstr ""
 "True si gardé à jour par le biais d'un fournisseur externe de domains "
 "toxics, False sinon"
 
+#: api/admin.py
+msgid "Reset HMAC key"
+msgstr "Réinitialiser la clef HMAC"
+
 #: api/admin.py
 #, python-format
 msgid ""
@@ -48,6 +52,23 @@ msgstr ""
 msgid "Revoke selected API keys"
 msgstr "Révoquer les clefs d'API sélectionnées"
 
+#: api/forms.py
+msgid "I have read and I accept the terms and conditions of use"
+msgstr "J'ai lu et j'accepte les conditions générales d'utilisation."
+
+#: api/forms.py
+msgid "You must approve the terms and conditions of use."
+msgstr "Vous devez approuver les conditions générales d'utilisation."
+
+#: api/forms.py
+msgid "You must confirm that this is your username."
+msgstr "Vous devez confirmer que c'est bien votre nom d'utilisateur."
+
+#: api/forms.py
+#, python-format
+msgid "I confirm that %(username)s is my username on %(app)s"
+msgstr "Je confirme que %(username)s est mon nom d'utilisateur sur %(app)s"
+
 #: api/models.py club/models.py com/models.py counter/models.py forum/models.py
 msgid "name"
 msgstr "nom"
@@ -68,6 +89,10 @@ msgstr "permissions du client"
 msgid "Specific permissions for this api client."
 msgstr "Permissions spécifiques pour ce client d'API"
 
+#: api/models.py
+msgid "HMAC Key"
+msgstr "Clef HMAC"
+
 #: api/models.py
 msgid "api client"
 msgstr "client d'api"
@@ -97,6 +122,63 @@ msgstr "clef d'api"
 msgid "api keys"
 msgstr "clefs d'api"
 
+#: api/templates/api/third_party/auth.jinja
+msgid "Confidentiality"
+msgstr "Confidentialité"
+
+#: api/templates/api/third_party/auth.jinja
+#, python-format
+msgid ""
+"By ticking this box and clicking on the send button, you acknowledge and "
+"agree to provide %(app)s with your first name, last name, nickname and any "
+"other information that was the third party app was explicitly authorized to "
+"fetch and that it must have acknowledged to you, in a complete and accurate "
+"manner."
+msgstr ""
+"En cochant cette case et en cliquant sur le bouton « Envoyer », vous "
+"reconnaissez et acceptez de fournir à %(app)s votre prénom, nom, pseudonyme "
+"et toute autre information que l'application tierce a été explicitement "
+"autorisée à récupérer et qu'elle doit vous avoir communiqué de manière "
+"complète et exacte."
+
+#: api/templates/api/third_party/auth.jinja
+#, python-format
+msgid ""
+"The privacy policies of <a href=\"%(privacy_link)s\">%(app)s</a> and of <a "
+"href=\"%(sith_cgu_link)s\">the Students' Association</a> applies as soon as "
+"the form is submitted."
+msgstr ""
+"Les politiques de confidentialité de <a href=\"%(privacy_link)s\">%(app)s</a> et de <a "
+"href=\"%(sith_cgu_link)s\">l'Association des Etudiants</a> s'appliquent dès la soumission "
+"du formulaire."
+
+#: api/templates/api/third_party/auth.jinja
+msgid "Confirmation of identity"
+msgstr "Confirmation d'identité"
+
+#: api/views.py
+#, python-format
+msgid ""
+"You are going to link your AE account and your %(app)s account. Continue "
+"only if this page was opened from %(app)s."
+msgstr ""
+"Vous allez lier votre compte AE et votre compte %(app)s. Poursuivez "
+"uniquement si cette page a été ouverte depuis %(app)s."
+
+#: api/views.py
+msgid "You have been successfully authenticated. You can now close this page."
+msgstr "Vous avez été authentifié avec succès. Vous pouvez maintenant fermer cette page."
+
+#: api/views.py
+msgid ""
+"Your authentication on the AE website was successful, but an error happened "
+"during the interaction with the third-party application. Please contact the "
+"managers of the latter."
+msgstr ""
+"Votre authentification sur le site AE a fonctionné, mais une erreur est arrivée "
+"durant l'interaction avec l'application tierce. Veuillez contacter les responsables "
+"de cette dernière."
+
 #: club/forms.py
 msgid "Users to add"
 msgstr "Utilisateurs à ajouter"
@@ -2937,6 +3019,14 @@ msgstr "Cet UID est invalide"
 msgid "User not found"
 msgstr "Utilisateur non trouvé"
 
+#: counter/forms.py
+msgid ""
+"If you want to add a product that is not owned by your club to this counter, "
+"you should ask an admin."
+msgstr ""
+"Si vous souhaitez ajouter sur ce comptoir un produit qui n'appartient pas à "
+"votre club, vous devriez demander à un admin."
+
 #: counter/forms.py
 msgid "Date and time of action"
 msgstr "Date et heure de l'action"
@@ -2957,6 +3047,38 @@ msgstr ""
 "Décrivez le produit. Si c'est un click pour un évènement, donnez quelques "
 "détails dessus, comme la date (en incluant l'année)."
 
+#: counter/forms.py
+#, python-format
+msgid ""
+"This product is a formula. Its price cannot be greater than the price of the "
+"products constituting it, which is %(price)s €"
+msgstr ""
+"Ce produit est une formule. Son prix ne peut pas être supérieur au prix des "
+"produits qui la constituent, soit %(price)s €."
+
+#: counter/forms.py
+#, python-format
+msgid ""
+"This product is a formula. Its special price cannot be greater than the "
+"price of the products constituting it, which is %(price)s €"
+msgstr ""
+"Ce produit est une formule. Son prix spécial ne peut pas être supérieur au "
+"prix des produits qui la constituent, soit %(price)s €."
+
+#: counter/forms.py
+msgid ""
+"The same product cannot be at the same time the result and a part of the "
+"formula."
+msgstr ""
+"Un même produit ne peut pas être à la fois le résultat et un élément de la "
+"formule."
+
+#: counter/forms.py
+msgid ""
+"The result cannot be more expensive than the total of the other products."
+msgstr ""
+"Le résultat ne peut pas être plus cher que le total des autres produits."
+
 #: counter/forms.py
 msgid "Refound this account"
 msgstr "Rembourser ce compte"
@@ -3121,6 +3243,18 @@ msgstr "produit"
 msgid "products"
 msgstr "produits"
 
+#: counter/models.py
+msgid "The products that constitute this formula."
+msgstr "Les produits qui constituent cette formule."
+
+#: counter/models.py
+msgid "result product"
+msgstr "produit résultat"
+
+#: counter/models.py
+msgid "The product got with the formula."
+msgstr "Le produit obtenu par la formule."
+
 #: counter/models.py
 msgid "counter type"
 msgstr "type de comptoir"
@@ -3541,6 +3675,48 @@ msgstr "Nouveau eticket"
 msgid "There is no eticket in this website."
 msgstr "Il n'y a pas de eticket sur ce site web."
 
+#: counter/templates/counter/formula_list.jinja
+msgid "Product formulas"
+msgstr "Formules de produits"
+
+#: counter/templates/counter/formula_list.jinja
+msgid ""
+"Formulas allow you to associate a group of products with a result product "
+"(the formula itself)."
+msgstr ""
+"Les formules permettent d'associer un groupe de produits à un produit "
+"résultat (la formule en elle-même)."
+
+#: counter/templates/counter/formula_list.jinja
+msgid ""
+"If the product of a formula is available on a counter, it will be "
+"automatically applied if all the products that make it up are added to the "
+"basket."
+msgstr ""
+"Si le produit d'une formule est disponible sur un comptoir, celle-ci sera "
+"automatiquement appliquée si tous les produits qui la constituent sont "
+"ajoutés au panier."
+
+#: counter/templates/counter/formula_list.jinja
+msgid ""
+"For example, if there is a formula that combines a \"Sandwich Formula\" "
+"product with the \"Sandwich\" and \"Soft Drink\" products, then, if a person "
+"orders a sandwich and a soft drink, the formula will be applied and the "
+"basket will then contain a sandwich formula instead."
+msgstr ""
+"Par exemple s'il existe une formule associant un produit « Formule "
+"sandwich » aux produits « Sandwich » et « Soft », alors, si une personne "
+"commande un sandwich et un soft, la formule sera appliquée et le panier "
+"contiendra alors une formule sandwich à la place."
+
+#: counter/templates/counter/formula_list.jinja
+msgid "New formula"
+msgstr "Nouvelle formule"
+
+#: counter/templates/counter/formula_list.jinja
+msgid "instead of"
+msgstr "au lieu de"
+
 #: counter/templates/counter/fragments/create_student_card.jinja
 msgid "No student card registered."
 msgstr "Aucune carte étudiante enregistrée."
@@ -3663,6 +3839,10 @@ msgstr ""
 "votre cotisation. Si vous ne renouvelez pas votre cotisation, il n'y aura "
 "aucune conséquence autre que le retrait de l'argent de votre compte."
 
+#: counter/templates/counter/product_form.jinja
+msgid "Remove this action"
+msgstr "Retirer cette action"
+
 #: counter/templates/counter/product_form.jinja
 #, python-format
 msgid "Edit product %(name)s"
@@ -3690,6 +3870,10 @@ msgstr ""
 "Les actions automatiques vous permettent de planifier des modifications du "
 "produit à l'avance."
 
+#: counter/templates/counter/product_form.jinja
+msgid "Add action"
+msgstr "Ajouter une action"
+
 #: counter/templates/counter/product_list.jinja
 msgid "Product list"
 msgstr "Liste des produits"
@@ -3803,6 +3987,20 @@ msgstr "Temps"
 msgid "Top 100 barman %(counter_name)s (all semesters)"
 msgstr "Top 100 barman %(counter_name)s (tous les semestres)"
 
+#: counter/views/admin.py
+#, python-format
+msgid "%(formula)s (formula)"
+msgstr "%(formula)s (formule)"
+
+#: counter/views/admin.py
+#, python-format
+msgid ""
+"This action will only delete the formula, but not the %(product)s product "
+"itself."
+msgstr ""
+"Cette action supprimera seulement la formule, mais pas le produit "
+"%(product)s en lui-même."
+
 #: counter/views/admin.py
 #, python-format
 msgid "returnable product : %(returnable)s -> %(returned)s"
@@ -3888,6 +4086,10 @@ msgstr "Dernières opérations"
 msgid "Counter administration"
 msgstr "Administration des comptoirs"
 
+#: counter/views/mixins.py
+msgid "Formulas"
+msgstr "Formules"
+
 #: counter/views/mixins.py
 msgid "Product types"
 msgstr "Types de produit"

locale/fr/LC_MESSAGES/djangojs.po

@@ -7,7 +7,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-23 15:30+0200\n"
+"POT-Creation-Date: 2025-11-26 15:45+0100\n"
 "PO-Revision-Date: 2024-09-17 11:54+0200\n"
 "Last-Translator: Sli <antoine@bartuccio.fr>\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -206,6 +206,10 @@ msgstr "capture.%s"
 msgid "Not enough money"
 msgstr "Pas assez d'argent"
 
+#: counter/static/bundled/counter/counter-click-index.ts
+msgid "Formula %(formula)s applied"
+msgstr "Formule %(formula)s appliquée"
+
 #: counter/static/bundled/counter/counter-click-index.ts
 msgid "You can't send an empty basket."
 msgstr "Vous ne pouvez pas envoyer un panier vide."
@@ -262,3 +266,9 @@ msgstr "Il n'a pas été possible de modérer l'image"
 #: sas/static/bundled/sas/viewer-index.ts
 msgid "Couldn't delete picture"
 msgstr "Il n'a pas été possible de supprimer l'image"
+
+#: timetable/static/bundled/timetable/generator-index.ts
+msgid ""
+"Wrong timetable format. Make sure you copied if from your student folder."
+msgstr ""
+"Mauvais format d'emploi du temps. Assurez-vous que vous l'avez copié depuis votre dossier étudiants."

mkdocs.yml

@@ -69,6 +69,7 @@ nav:
     - API:
       - Développement: tutorial/api/dev.md
       - Connexion à l'API: tutorial/api/connect.md
+      - Liaison avec le compte AE: tutorial/api/account-link.md
     - Etransactions: tutorial/etransaction.md
   - How-to:
     - L'ORM de Django: howto/querysets.md
@@ -91,6 +92,8 @@ nav:
       - reference/api/hashers.md
       - reference/api/models.md
       - reference/api/perms.md
+      - reference/api/schemas.md
+      - reference/api/views.md
     - club:
       - reference/club/models.md
       - reference/club/views.md

sas/static/bundled/sas/viewer-index.ts

@@ -109,232 +109,225 @@ interface ViewerConfig {
   /** id of the first picture to load on the page */
   firstPictureId: number;
   /** if the user is sas admin */
-  userIsSasAdmin: boolean;
+  userCanModerate: boolean;
 }
 
 /**
  * Load user picture page with a nice download bar
  **/
-exportToHtml("loadViewer", (config: ViewerConfig) => {
+document.addEventListener("alpine:init", () => {
-  document.addEventListener("alpine:init", () => {
+  Alpine.data("picture_viewer", (config: ViewerConfig) => ({
-    Alpine.data("picture_viewer", () => ({
+    /**
-      /**
+     * All the pictures that can be displayed on this picture viewer
-       * All the pictures that can be displayed on this picture viewer
+     **/
-       **/
+    pictures: [] as PictureWithIdentifications[],
-      pictures: [] as PictureWithIdentifications[],
+    /**
-      /**
+     * The currently displayed picture
-       * The currently displayed picture
+     * Default dummy data are pre-loaded to avoid javascript error
-       * Default dummy data are pre-loaded to avoid javascript error
+     * when loading the page at the beginning
-       * when loading the page at the beginning
+     * @type PictureWithIdentifications
-       * @type PictureWithIdentifications
+     **/
-       **/
+    currentPicture: {
-      currentPicture: {
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      is_moderated: true,
-        is_moderated: true,
+      id: null as number,
-        id: null as number,
+      name: "",
-        name: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      display_name: "",
-        display_name: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      compressed_url: "",
-        compressed_url: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      profile_url: "",
-        profile_url: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      full_size_url: "",
-        full_size_url: "",
+      owner: "",
-        owner: "",
+      date: new Date(),
-        date: new Date(),
+      identifications: [] as IdentifiedUserSchema[],
-        identifications: [] as IdentifiedUserSchema[],
+    },
-      },
+    /**
-      /**
+     * The picture which will be displayed next if the user press the "next" button
-       * The picture which will be displayed next if the user press the "next" button
+     **/
-       **/
+    nextPicture: null as PictureWithIdentifications,
-      nextPicture: null as PictureWithIdentifications,
+    /**
-      /**
+     * The picture which will be displayed next if the user press the "previous" button
-       * The picture which will be displayed next if the user press the "previous" button
+     **/
-       **/
+    previousPicture: null as PictureWithIdentifications,
-      previousPicture: null as PictureWithIdentifications,
+    /**
-      /**
+     * The select2 component used to identify users
-       * The select2 component used to identify users
+     **/
-       **/
+    selector: undefined as UserAjaxSelect,
-      selector: undefined as UserAjaxSelect,
+    /**
-      /**
+     * Error message when a moderation operation fails
-       * Error message when a moderation operation fails
+     **/
-       **/
+    moderationError: "",
-      moderationError: "",
+    /**
-      /**
+     * Method of pushing new url to the browser history
-       * Method of pushing new url to the browser history
+     * Used by popstate event and always reset to it's default value when used
-       * Used by popstate event and always reset to it's default value when used
+     **/
-       **/
+    pushstate: History.Push,
-      pushstate: History.Push,
 
-      async init() {
+    async init() {
-        this.pictures = (
+      this.pictures = (
-          await paginated(picturesFetchPictures, {
+        await paginated(picturesFetchPictures, {
-            // biome-ignore lint/style/useNamingConvention: api is in snake_case
+          // biome-ignore lint/style/useNamingConvention: api is in snake_case
-            query: { album_id: config.albumId },
+          query: { album_id: config.albumId },
-          } as PicturesFetchPicturesData)
+        } as PicturesFetchPicturesData)
-        ).map(PictureWithIdentifications.fromPicture);
+      ).map(PictureWithIdentifications.fromPicture);
-        this.selector = this.$refs.search;
+      this.selector = this.$refs.search;
-        this.selector.setFilter((users: UserProfileSchema[]) => {
+      this.selector.setFilter((users: UserProfileSchema[]) => {
-          const resp: UserProfileSchema[] = [];
+        const resp: UserProfileSchema[] = [];
-          const ids = [
+        const ids = [
-            ...(this.currentPicture.identifications || []).map(
+          ...(this.currentPicture.identifications || []).map(
-              (i: IdentifiedUserSchema) => i.user.id,
+            (i: IdentifiedUserSchema) => i.user.id,
-            ),
+          ),
-          ];
+        ];
-          for (const user of users) {
+        for (const user of users) {
-            if (!ids.includes(user.id)) {
+          if (!ids.includes(user.id)) {
-              resp.push(user);
+            resp.push(user);
-            }
           }
-          return resp;
+        }
-        });
+        return resp;
-        this.currentPicture = this.pictures.find(
+      });
-          (i: PictureSchema) => i.id === config.firstPictureId,
+      this.currentPicture = this.pictures.find(
-        );
+        (i: PictureSchema) => i.id === config.firstPictureId,
-        this.$watch(
+      );
-          "currentPicture",
+      this.$watch(
-          (current: PictureSchema, previous: PictureSchema) => {
+        "currentPicture",
-            if (current === previous) {
+        (current: PictureSchema, previous: PictureSchema) => {
-              /* Avoid recursive updates */
+          if (current === previous) {
-              return;
+            /* Avoid recursive updates */
-            }
-            this.updatePicture();
-          },
-        );
-        window.addEventListener("popstate", async (event) => {
-          if (!event.state || event.state.sasPictureId === undefined) {
             return;
           }
-          this.pushstate = History.Replace;
+          this.updatePicture();
-          this.currentPicture = this.pictures.find(
+        },
-            (i: PictureSchema) =>
+      );
-              i.id === Number.parseInt(event.state.sasPictureId, 10),
+      window.addEventListener("popstate", async (event) => {
-          );
+        if (!event.state || event.state.sasPictureId === undefined) {
-        });
-        this.pushstate = History.Replace; /* Avoid first url push */
-        await this.updatePicture();
-      },
-
-      /**
-       * Update the page.
-       * Called when the `currentPicture` property changes.
-       *
-       * The url is modified without reloading the page,
-       * and the previous picture, the next picture and
-       * the list of identified users are updated.
-       */
-      async updatePicture(): Promise<void> {
-        const updateArgs = {
-          data: { sasPictureId: this.currentPicture.id },
-          unused: "",
-          url: this.currentPicture.sas_url,
-        };
-        if (this.pushstate === History.Replace) {
-          window.history.replaceState(
-            updateArgs.data,
-            updateArgs.unused,
-            updateArgs.url,
-          );
-          this.pushstate = History.Push;
-        } else {
-          window.history.pushState(updateArgs.data, updateArgs.unused, updateArgs.url);
-        }
-
-        this.moderationError = "";
-        const index: number = this.pictures.indexOf(this.currentPicture);
-        this.previousPicture = this.pictures[index - 1] || null;
-        this.nextPicture = this.pictures[index + 1] || null;
-        this.$refs.mainPicture?.addEventListener("load", () => {
-          // once the current picture is loaded,
-          // start preloading the next and previous pictures
-          this.nextPicture?.preload();
-          this.previousPicture?.preload();
-        });
-        if (this.currentPicture.asked_for_removal && config.userIsSasAdmin) {
-          await Promise.all([
-            this.currentPicture.loadIdentifications(),
-            this.currentPicture.loadModeration(),
-          ]);
-        } else {
-          await this.currentPicture.loadIdentifications();
-        }
-      },
-
-      async moderatePicture() {
-        const res = await picturesModeratePicture({
-          // biome-ignore lint/style/useNamingConvention: api is in snake_case
-          path: { picture_id: this.currentPicture.id },
-        });
-        if (res.error) {
-          this.moderationError = `${gettext("Couldn't moderate picture")} : ${(res.error as { detail: string }).detail}`;
           return;
         }
-        this.currentPicture.is_moderated = true;
+        this.pushstate = History.Replace;
-        this.currentPicture.asked_for_removal = false;
+        this.currentPicture = this.pictures.find(
-      },
+          (i: PictureSchema) => i.id === Number.parseInt(event.state.sasPictureId, 10),
+        );
+      });
+      this.pushstate = History.Replace; /* Avoid first url push */
+      await this.updatePicture();
+    },
 
-      async deletePicture() {
+    /**
-        const res = await picturesDeletePicture({
+     * Update the page.
+     * Called when the `currentPicture` property changes.
+     *
+     * The url is modified without reloading the page,
+     * and the previous picture, the next picture and
+     * the list of identified users are updated.
+     */
+    async updatePicture(): Promise<void> {
+      const updateArgs = {
+        data: { sasPictureId: this.currentPicture.id },
+        unused: "",
+        url: this.currentPicture.sas_url,
+      };
+      if (this.pushstate === History.Replace) {
+        window.history.replaceState(updateArgs.data, updateArgs.unused, updateArgs.url);
+        this.pushstate = History.Push;
+      } else {
+        window.history.pushState(updateArgs.data, updateArgs.unused, updateArgs.url);
+      }
+
+      this.moderationError = "";
+      const index: number = this.pictures.indexOf(this.currentPicture);
+      this.previousPicture = this.pictures[index - 1] || null;
+      this.nextPicture = this.pictures[index + 1] || null;
+      this.$refs.mainPicture?.addEventListener("load", () => {
+        // once the current picture is loaded,
+        // start preloading the next and previous pictures
+        this.nextPicture?.preload();
+        this.previousPicture?.preload();
+      });
+      if (this.currentPicture.asked_for_removal && config.userCanModerate) {
+        await Promise.all([
+          this.currentPicture.loadIdentifications(),
+          this.currentPicture.loadModeration(),
+        ]);
+      } else {
+        await this.currentPicture.loadIdentifications();
+      }
+    },
+
+    async moderatePicture() {
+      const res = await picturesModeratePicture({
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+        path: { picture_id: this.currentPicture.id },
+      });
+      if (res.error) {
+        this.moderationError = `${gettext("Couldn't moderate picture")} : ${(res.error as { detail: string }).detail}`;
+        return;
+      }
+      this.currentPicture.is_moderated = true;
+      this.currentPicture.asked_for_removal = false;
+    },
+
+    async deletePicture() {
+      const res = await picturesDeletePicture({
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+        path: { picture_id: this.currentPicture.id },
+      });
+      if (res.error) {
+        this.moderationError = `${gettext("Couldn't delete picture")} : ${(res.error as { detail: string }).detail}`;
+        return;
+      }
+      this.pictures.splice(this.pictures.indexOf(this.currentPicture), 1);
+      if (this.pictures.length === 0) {
+        // The deleted picture was the only one in the list.
+        // As the album is now empty, go back to the parent page
+        document.location.href = config.albumUrl;
+      }
+      this.currentPicture = this.nextPicture || this.previousPicture;
+    },
+
+    /**
+     * Send the identification request and update the list of identified users.
+     */
+    async submitIdentification(): Promise<void> {
+      const widget: TomSelect = this.selector.widget;
+      await picturesIdentifyUsers({
+        path: {
           // biome-ignore lint/style/useNamingConvention: api is in snake_case
-          path: { picture_id: this.currentPicture.id },
+          picture_id: this.currentPicture.id,
-        });
+        },
-        if (res.error) {
+        body: widget.items.map((i: string) => Number.parseInt(i, 10)),
-          this.moderationError = `${gettext("Couldn't delete picture")} : ${(res.error as { detail: string }).detail}`;
+      });
-          return;
+      // refresh the identified users list
-        }
+      await this.currentPicture.loadIdentifications({ forceReload: true });
-        this.pictures.splice(this.pictures.indexOf(this.currentPicture), 1);
-        if (this.pictures.length === 0) {
-          // The deleted picture was the only one in the list.
-          // As the album is now empty, go back to the parent page
-          document.location.href = config.albumUrl;
-        }
-        this.currentPicture = this.nextPicture || this.previousPicture;
-      },
 
-      /**
+      // Clear selection and cache of retrieved user so they can be filtered again
-       * Send the identification request and update the list of identified users.
+      widget.clear(false);
-       */
+      widget.clearOptions();
-      async submitIdentification(): Promise<void> {
+      widget.setTextboxValue("");
-        const widget: TomSelect = this.selector.widget;
+    },
-        await picturesIdentifyUsers({
-          path: {
-            // biome-ignore lint/style/useNamingConvention: api is in snake_case
-            picture_id: this.currentPicture.id,
-          },
-          body: widget.items.map((i: string) => Number.parseInt(i, 10)),
-        });
-        // refresh the identified users list
-        await this.currentPicture.loadIdentifications({ forceReload: true });
 
-        // Clear selection and cache of retrieved user so they can be filtered again
+    /**
-        widget.clear(false);
+     * Check if an identification can be removed by the currently logged user
-        widget.clearOptions();
+     */
-        widget.setTextboxValue("");
+    canBeRemoved(identification: IdentifiedUserSchema): boolean {
-      },
+      return config.userCanModerate || identification.user.id === config.userId;
+    },
 
-      /**
+    /**
-       * Check if an identification can be removed by the currently logged user
+     * Untag a user from the current picture
-       */
+     */
-      canBeRemoved(identification: IdentifiedUserSchema): boolean {
+    async removeIdentification(identification: IdentifiedUserSchema): Promise<void> {
-        return config.userIsSasAdmin || identification.user.id === config.userId;
+      const res = await usersidentifiedDeleteRelation({
-      },
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-
+        path: { relation_id: identification.id },
-      /**
+      });
-       * Untag a user from the current picture
+      if (!res.error && Array.isArray(this.currentPicture.identifications)) {
-       */
+        this.currentPicture.identifications =
-      async removeIdentification(identification: IdentifiedUserSchema): Promise<void> {
+          this.currentPicture.identifications.filter(
-        const res = await usersidentifiedDeleteRelation({
+            (i: IdentifiedUserSchema) => i.id !== identification.id,
-          // biome-ignore lint/style/useNamingConvention: api is in snake_case
+          );
-          path: { relation_id: identification.id },
+      }
-        });
+    },
-        if (!res.error && Array.isArray(this.currentPicture.identifications)) {
+  }));
-          this.currentPicture.identifications =
-            this.currentPicture.identifications.filter(
-              (i: IdentifiedUserSchema) => i.id !== identification.id,
-            );
-        }
-      },
-    }));
-  });
 });

sas/templates/sas/picture.jinja

@@ -17,10 +17,8 @@
 
 {% from "sas/macros.jinja" import print_path %}
 
-{% set user_is_sas_admin = user.is_root or user.is_in_group(pk = settings.SITH_GROUP_SAS_ADMIN_ID) %}
-
 {% block content %}
-  <main x-data="picture_viewer">
+  <main x-data="picture_viewer(config)">
     <code>
       <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album) }} <span x-text="currentPicture.name"></span>
     </code>
@@ -50,15 +48,13 @@
               It will be hidden to other users until it has been moderated.
             {% endtrans %}
           </p>
-          {% if user_is_sas_admin %}
+          {% if user.has_perm("sas.moderate_sasfile") %}
             <template x-if="currentPicture.asked_for_removal">
               <div>
                 <h5>{% trans %}The following issues have been raised:{% endtrans %}</h5>
                 <template x-for="req in (currentPicture.moderationRequests ?? [])" :key="req.id">
                   <div>
-                    <h6
+                    <h6 x-text="`${req.author.first_name} ${req.author.last_name}`"></h6>
-                      x-text="`${req.author.first_name} ${req.author.last_name}`"
-                    ></h6>
                     <i x-text="Intl.DateTimeFormat(
                                '{{ LANGUAGE_CODE }}',
                                {dateStyle: 'long', timeStyle: 'short'}
@@ -70,7 +66,7 @@
             </template>
           {% endif %}
         </div>
-        {% if user_is_sas_admin %}
+        {% if user.has_perm("sas.moderate_sasfile") %}
           <div class="alert-aside">
             <button class="btn btn-blue" @click="moderatePicture()">
               {% trans %}Moderate{% endtrans %}
@@ -204,16 +200,13 @@
 {% endblock %}
 
 {% block script %}
-  {{ super() }}
   <script>
-    window.addEventListener("DOMContentLoaded", () => {
+    const config = {
-      loadViewer({
+      albumId: {{ album.id }},
-        albumId: {{ album.id }} ,
+      albumUrl: "{{ album.get_absolute_url() }}",
-        albumUrl: "{{ album.get_absolute_url() }}",
+      firstPictureId: {{ picture.id }},  {# id of the first picture to show after page load #}
-        firstPictureId: {{ picture.id }},  {# id of the first picture to show after page load #}
+      userId: {{ user.id }},
-        userId: {{ user.id }},
+      userCanModerate: {{ user.has_perm("sas.moderate_sasfile")|tojson }}
-        userIsSasAdmin: {{ user_is_sas_admin|tojson }}
+    }
-      });
-    })
   </script>
 {% endblock %}

sas/tests/test_views.py

@@ -161,16 +161,22 @@ class TestSasModeration(TestCase):
         assert len(res.context_data["pictures"]) == 1
         assert res.context_data["pictures"][0] == self.to_moderate
 
-        res = self.client.post(
-            reverse("sas:moderation"),
-            data={"album_id": self.to_moderate.id, "picture_id": self.to_moderate.id},
-        )
-
     def test_moderation_page_forbidden(self):
         self.client.force_login(self.simple_user)
         res = self.client.get(reverse("sas:moderation"))
         assert res.status_code == 403
 
+    def test_moderate_album(self):
+        self.client.force_login(self.moderator)
+        url = reverse("sas:moderation")
+        album = baker.make(
+            Album, is_moderated=False, parent_id=settings.SITH_SAS_ROOT_DIR_ID
+        )
+        res = self.client.post(url, data={"album_id": album.id, "moderate": ""})
+        assertRedirects(res, url)
+        album.refresh_from_db()
+        assert album.is_moderated
+
     def test_moderate_picture(self):
         self.client.force_login(self.moderator)
         res = self.client.get(

sas/views.py

@@ -15,10 +15,10 @@
 from typing import Any
 
 from django.conf import settings
-from django.core.exceptions import PermissionDenied
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.db.models import Count, OuterRef, Subquery
 from django.http import Http404, HttpResponseRedirect
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.safestring import SafeString
 from django.views.generic import CreateView, DetailView, TemplateView
@@ -191,26 +191,21 @@ class UserPicturesView(UserTabsMixin, CanViewMixin, DetailView):
 # Admin views
 
 
-class ModerationView(TemplateView):
+class ModerationView(PermissionRequiredMixin, TemplateView):
     template_name = "sas/moderation.jinja"
-
+    permission_required = "sas.moderate_sasfile"
-    def get(self, request, *args, **kwargs):
-        if request.user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
-            return super().get(request, *args, **kwargs)
-        raise PermissionDenied
 
     def post(self, request, *args, **kwargs):
         if "album_id" not in request.POST:
             raise Http404
-        if request.user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+        album = get_object_or_404(Album, pk=request.POST["album_id"])
-            album = get_object_or_404(Album, pk=request.POST["album_id"])
+        if "moderate" in request.POST:
-            if "moderate" in request.POST:
+            album.moderator = request.user
-                album.moderator = request.user
+            album.is_moderated = True
-                album.is_moderated = True
+            album.save()
-                album.save()
+        elif "delete" in request.POST:
-            elif "delete" in request.POST:
+            album.delete()
-                album.delete()
+        return redirect(self.request.path)
-        return super().get(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)

sith/settings.py

@@ -405,6 +405,8 @@ SITH_FORUM_PAGE_LENGTH = 30
 SITH_SAS_ROOT_DIR_ID = env.int("SITH_SAS_ROOT_DIR_ID", default=4)
 SITH_SAS_IMAGES_PER_PAGE = 60
 
+SITH_CGU_FILE_ID = env.int("SITH_CGU_FILE_ID", default=5)
+
 SITH_PROFILE_DEPARTMENTS = [
     ("TC", _("TC")),
     ("IMSI", _("IMSI")),
@@ -551,27 +553,27 @@ SITH_SUBSCRIPTIONS = {
     # Discount subscriptions
     "un-semestre-reduction": {
         "name": _("One semester (-20%)"),
-        "price": 12,
+        "price": 16,
         "duration": 1,
     },
     "deux-semestres-reduction": {
         "name": _("Two semesters (-20%)"),
-        "price": 22,
+        "price": 28,
         "duration": 2,
     },
     "cursus-tronc-commun-reduction": {
         "name": _("Common core cursus (-20%)"),
-        "price": 36,
+        "price": 48,
         "duration": 4,
     },
     "cursus-branche-reduction": {
         "name": _("Branch cursus (-20%)"),
-        "price": 36,
+        "price": 48,
         "duration": 6,
     },
     "cursus-alternant-reduction": {
         "name": _("Alternating cursus (-20%)"),
-        "price": 24,
+        "price": 28,
         "duration": 6,
     },
     # CA special offer

sith/urls.py

@@ -34,6 +34,7 @@ urlpatterns = [
     path("", include(("core.urls", "core"), namespace="core")),
     path("sitemap.xml", cache_page(86400)(sitemap), {"sitemaps": sitemaps}),
     path("api/", api.urls),
+    path("api-link/", include(("api.urls", "api-link"), namespace="api-link")),
     path("rootplace/", include(("rootplace.urls", "rootplace"), namespace="rootplace")),
     path(
         "subscription/",