sqsdqd

exclude archived products from product autocompletion.

core/admin.py

@@ -98,9 +98,9 @@ class PageAdmin(admin.ModelAdmin):
 
 @admin.register(SithFile)
 class SithFileAdmin(admin.ModelAdmin):
-    list_display = ("name", "owner", "size", "date", "is_in_sas")
+    list_display = ("name", "owner", "size", "date")
     autocomplete_fields = ("parent", "owner", "moderator")
-    search_fields = ("name", "parent__name")
+    search_fields = ("name",)
 
 
 @admin.register(OperationLog)

core/api.py

@@ -110,7 +110,7 @@ class SithFileController(ControllerBase):
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
     def search_files(self, search: Annotated[str, MinLen(1)]):
-        return SithFile.objects.filter(is_in_sas=False).filter(name__icontains=search)
+        return SithFile.objects.filter(name__icontains=search)
 
 
 @api_controller("/group")

core/management/commands/populate.py

@@ -110,7 +110,6 @@ class Command(BaseCommand):
         p.save(force_lock=True)
 
         club_root = SithFile.objects.create(name="clubs", owner=root)
-        sas = SithFile.objects.create(name="SAS", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )
@@ -694,33 +693,21 @@ class Command(BaseCommand):
         # SAS
         for f in self.SAS_FIXTURE_PATH.glob("*"):
             if f.is_dir():
-                album = Album(
+                album = Album.objects.create(name=f.name, is_moderated=True)
-                    parent=sas,
-                    name=f.name,
-                    owner=root,
-                    is_folder=True,
-                    is_in_sas=True,
-                    is_moderated=True,
-                )
-                album.clean()
-                album.save()
                 for p in f.iterdir():
                     file = resize_image(Image.open(p), 1000, "WEBP")
                     pict = Picture(
                         parent=album,
                         name=p.name,
-                        file=file,
+                        original=file,
                         owner=root,
-                        is_folder=False,
-                        is_in_sas=True,
                         is_moderated=True,
-                        mime_type="image/webp",
-                        size=file.size,
                     )
-                    pict.file.name = p.name
+                    pict.original.name = pict.name
-                    pict.full_clean()
                     pict.generate_thumbnails()
+                    pict.full_clean()
                     pict.save()
+                album.generate_thumbnail()
 
         img_skia = Picture.objects.get(name="skia.jpg")
         img_sli = Picture.objects.get(name="sli.jpg")

core/migrations/0049_remove_sithfiles.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.2.17 on 2025-01-26 15:01
+
+from typing import TYPE_CHECKING
+
+from django.db import migrations
+from django.db.migrations.state import StateApps
+
+if TYPE_CHECKING:
+    import core.models
+
+
+def remove_sas_sithfiles(apps: StateApps, schema_editor):
+    SithFile: type[core.models.SithFile] = apps.get_model("core", "SithFile")
+    SithFile.objects.filter(is_in_sas=True).delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0048_alter_user_options"),
+        ("sas", "0007_alter_peoplepicturerelation_picture_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            remove_sas_sithfiles, reverse_code=migrations.RunPython.noop, elidable=True
+        )
+    ]

core/migrations/0050_remove_sithfile_is_in_sas.py

@@ -0,0 +1,9 @@
+# Generated by Django 4.2.17 on 2025-02-14 11:58
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0049_remove_sithfiles")]
+
+    operations = [migrations.RemoveField(model_name="sithfile", name="is_in_sas")]

core/models.py

@@ -833,9 +833,6 @@ class SithFile(models.Model):
         on_delete=models.CASCADE,
     )
     asked_for_removal = models.BooleanField(_("asked for removal"), default=False)
-    is_in_sas = models.BooleanField(
-        _("is in the SAS"), default=False, db_index=True
-    )  # Allows to query this flag, updated at each call to save()
 
     class Meta:
         verbose_name = _("file")
@@ -844,22 +841,10 @@ class SithFile(models.Model):
         return self.get_parent_path() + "/" + self.name
 
     def save(self, *args, **kwargs):
-        sas = SithFile.objects.filter(id=settings.SITH_SAS_ROOT_DIR_ID).first()
-        self.is_in_sas = sas in self.get_parent_list() or self == sas
         adding = self._state.adding
         super().save(*args, **kwargs)
         if adding:
             self.copy_rights()
-        if self.is_in_sas:
-            for user in User.objects.filter(
-                groups__id__in=[settings.SITH_GROUP_SAS_ADMIN_ID]
-            ):
-                Notification(
-                    user=user,
-                    url=reverse("sas:moderation"),
-                    type="SAS_MODERATION",
-                    param="1",
-                ).save()
 
     def is_owned_by(self, user: User) -> bool:
         if user.is_anonymous:
@@ -872,8 +857,6 @@ class SithFile(models.Model):
             return user.is_board_member
         if user.is_com_admin:
             return True
-        if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
-            return True
         return user.id == self.owner_id
 
     def can_be_viewed_by(self, user: User) -> bool:
@@ -900,8 +883,6 @@ class SithFile(models.Model):
         super().clean()
         if "/" in self.name:
             raise ValidationError(_("Character '/' not authorized in name"))
-        if self == self.parent:
-            raise ValidationError(_("Loop in folder tree"), code="loop")
         if self == self.parent or (
             self.parent is not None and self in self.get_parent_list()
         ):
@@ -982,18 +963,6 @@ class SithFile(models.Model):
     def is_file(self):
         return not self.is_folder
 
-    @cached_property
-    def as_picture(self):
-        from sas.models import Picture
-
-        return Picture.objects.filter(id=self.id).first()
-
-    @cached_property
-    def as_album(self):
-        from sas.models import Album
-
-        return Album.objects.filter(id=self.id).first()
-
     def get_parent_list(self):
         parents = []
         current = self.parent

core/templates/core/delete_confirm.jinja

@@ -21,6 +21,8 @@
   <h2>{% trans %}Delete confirmation{% endtrans %}</h2>
   <form action="" method="post">{% csrf_token %}
     <p>{% trans name=object_name %}Are you sure you want to delete "{{ name }}"?{% endtrans %}</p>
+    {% if help_text %}<p><em>{{ help_text }}</em></p>{% endif %}
+    <br/>
     <input type="submit" value="{% trans %}Confirm{% endtrans %}" />
   </form>
   <form method="GET" action="javascript:history.back();">

core/tests/test_files.py

@@ -5,6 +5,7 @@ from typing import Callable
 from uuid import uuid4
 
 import pytest
+from django.conf import settings
 from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile, UploadedFile
 from django.test import Client, TestCase
@@ -17,8 +18,8 @@ from pytest_django.asserts import assertNumQueries
 from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
 from core.models import Group, QuickUploadImage, SithFile, User
 from core.utils import RED_PIXEL_PNG
+from sas.baker_recipes import picture_recipe
 from sas.models import Picture
-from sith import settings
 
 
 @pytest.mark.django_db
@@ -30,24 +31,19 @@ class TestImageAccess:
             lambda: baker.make(
                 User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
             ),
-            lambda: baker.make(
-                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)]
-            ),
         ],
     )
     def test_sas_image_access(self, user_factory: Callable[[], User]):
         """Test that only authorized users can access the sas image."""
         user = user_factory()
-        picture: SithFile = baker.make(
+        picture = picture_recipe.make()
-            Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+        assert user.can_edit(picture)
-        )
-        assert picture.is_owned_by(user)
 
     def test_sas_image_access_owner(self):
         """Test that the owner of the image can access it."""
         user = baker.make(User)
-        picture: Picture = baker.make(Picture, owner=user)
+        picture = picture_recipe.make(owner=user)
-        assert picture.is_owned_by(user)
+        assert user.can_edit(picture)
 
     @pytest.mark.parametrize(
         "user_factory",
@@ -63,7 +59,41 @@ class TestImageAccess:
         user = user_factory()
         owner = baker.make(User)
         picture: Picture = baker.make(Picture, owner=owner)
-        assert not picture.is_owned_by(user)
+        assert not user.can_edit(picture)
+
+
+@pytest.mark.django_db
+class TestUserPicture:
+    def test_anonymous_user_unauthorized(self, client):
+        """An anonymous user shouldn't have access to an user's photo page."""
+        response = client.get(
+            reverse(
+                "sas:user_pictures",
+                kwargs={"user_id": User.objects.get(username="sli").pk},
+            )
+        )
+        assert response.status_code == 403
+
+    @pytest.mark.parametrize(
+        ("username", "status"),
+        [
+            ("guy", 403),
+            ("root", 200),
+            ("skia", 200),
+            ("sli", 200),
+        ],
+    )
+    def test_page_is_working(self, client, username, status):
+        """Only user that subscribed (or admins) should be able to see the page."""
+        # Test for simple user
+        client.force_login(User.objects.get(username=username))
+        response = client.get(
+            reverse(
+                "sas:user_pictures",
+                kwargs={"user_id": User.objects.get(username="sli").pk},
+            )
+        )
+        assert response.status_code == status
 
 
 # TODO: many tests on the pages:

core/tests/test_user.py

@@ -27,6 +27,7 @@ from counter.baker_recipes import sale_recipe
 from counter.models import Counter, Customer, Permanency, Refilling, Selling
 from counter.utils import is_logged_in_counter
 from eboutic.models import Invoice, InvoiceItem
+from sas.models import Picture
 
 
 class TestSearchUsers(TestCase):
@@ -34,6 +35,7 @@ class TestSearchUsers(TestCase):
     def setUpTestData(cls):
         # News.author has on_delete=PROTECT, so news must be deleted beforehand
         News.objects.all().delete()
+        Picture.objects.all().delete()  # same for pictures
         User.objects.all().delete()
         user_recipe = Recipe(
             User,

core/utils.py

@@ -12,18 +12,23 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-
+from dataclasses import dataclass
 from datetime import date, timedelta
 
 # Image utils
 from io import BytesIO
-from typing import Final
+from typing import Any, Final, Unpack
 
 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.files.uploadedfile import UploadedFile
-from django.http import HttpRequest
+from django.db import models
+from django.forms import BaseForm
+from django.http import Http404, HttpRequest
+from django.shortcuts import get_list_or_404
+from django.template.loader import render_to_string
+from django.utils.safestring import SafeString
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
@@ -42,6 +47,21 @@ to generate a dummy image that is considered valid nonetheless
 """
 
 
+@dataclass
+class FormFragmentTemplateData[T: BaseForm]:
+    """Dataclass used to pre-render form fragments"""
+
+    form: T
+    template: str
+    context: dict[str, Any]
+
+    def render(self, request: HttpRequest) -> SafeString:
+        # Request is needed for csrf_tokens
+        return render_to_string(
+            self.template, context={"form": self.form, **self.context}, request=request
+        )
+
+
 def get_start_of_semester(today: date | None = None) -> date:
     """Return the date of the start of the semester of the given date.
     If no date is given, return the start date of the current semester.
@@ -205,3 +225,56 @@ def get_client_ip(request: HttpRequest) -> str | None:
             return ip
 
     return None
+
+
+Filterable = type[models.Model] | models.QuerySet | models.Manager
+ListFilter = dict[str, list | tuple | set]
+
+
+def get_list_exact_or_404(klass: Filterable, **kwargs: Unpack[ListFilter]) -> list:
+    """Use filter() to return a list of objects from a list of unique keys (like ids)
+    or raises Http404 if the list has not the same length as the given one.
+
+    Work like `get_object_or_404()` but for lists of objects, with some caveats :
+
+    - The filter must be a list, a tuple or a set.
+    - There can't be more than exactly one filter.
+    - There must be no duplicate in the filter.
+    - The filter should consist in unique keys (like ids), or it could fail randomly.
+
+    klass may be a Model, Manager, or QuerySet object. All other passed
+    arguments and keyword arguments are used in the filter() query.
+
+    Raises:
+        Http404: If the list is empty or doesn't have as many elements as the keys list.
+        ValueError: If the first argument is not a Model, Manager, or QuerySet object.
+        ValueError: If more than one filter is passed.
+        TypeError: If the given filter is not a list, a tuple or a set.
+
+    Examples:
+        Get all the products with ids 1, 2, 3: ::
+
+            products = get_list_exact_or_404(Product, id__in=[1, 2, 3])
+
+        Don't work with duplicate ids: ::
+
+            products = get_list_exact_or_404(Product, id__in=[1, 2, 3, 3])
+            # Raises Http404: "The list of keys must contain no duplicates."
+    """
+    if len(kwargs) > 1:
+        raise ValueError("get_list_exact_or_404() only accepts one filter.")
+    key, list_filter = next(iter(kwargs.items()))
+    if not isinstance(list_filter, (list, tuple, set)):
+        raise TypeError(
+            f"The given filter must be a list, a tuple or a set, not {type(list_filter)}"
+        )
+    if len(list_filter) != len(set(list_filter)):
+        raise ValueError("The list of keys must contain no duplicates.")
+    kwargs = {key: list_filter}
+    obj_list = get_list_or_404(klass, **kwargs)
+    if len(obj_list) != len(list_filter):
+        raise Http404(
+            "The given list of keys doesn't match the number of objects found."
+            f"Expected {len(list_filter)} items, got {len(obj_list)}."
+        )
+    return obj_list

core/views/files.py

@@ -374,7 +374,7 @@ class FileDeleteView(AllowFragment, CanEditPropMixin, DeleteView):
 class FileModerationView(AllowFragment, ListView):
     model = SithFile
     template_name = "core/file_moderation.jinja"
-    queryset = SithFile.objects.filter(is_moderated=False, is_in_sas=False)
+    queryset = SithFile.objects.filter(is_moderated=False)
     ordering = "id"
     paginate_by = 100
 

counter/forms.py

@@ -5,6 +5,7 @@ from datetime import date, datetime, timezone
 
 from dateutil.relativedelta import relativedelta
 from django import forms
+from django.core.validators import MaxValueValidator
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
 from django.utils.timezone import now
@@ -23,6 +24,7 @@ from core.views.forms import (
 )
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
+    AutoCompleteSelectMultiple,
     AutoCompleteSelectMultipleGroup,
     AutoCompleteSelectMultipleUser,
     AutoCompleteSelectUser,
@@ -34,6 +36,7 @@ from counter.models import (
     Eticket,
     InvoiceCall,
     Product,
+    ProductFormula,
     Refilling,
     ReturnableProduct,
     ScheduledProductAction,
@@ -168,11 +171,21 @@ class CounterEditForm(forms.ModelForm):
     class Meta:
         model = Counter
         fields = ["sellers", "products"]
+        widgets = {"sellers": AutoCompleteSelectMultipleUser}
 
-        widgets = {
+    def __init__(self, *args, user: User, instance: Counter, **kwargs):
-            "sellers": AutoCompleteSelectMultipleUser,
+        super().__init__(*args, instance=instance, **kwargs)
-            "products": AutoCompleteSelectMultipleProduct,
+        if user.has_perm("counter.change_counter"):
-        }
+            self.fields["products"].widget = AutoCompleteSelectMultipleProduct()
+        else:
+            self.fields["products"].widget = AutoCompleteSelectMultiple()
+            self.fields["products"].queryset = Product.objects.filter(
+                Q(club_id=instance.club_id) | Q(counters=instance), archived=False
+            ).distinct()
+            self.fields["products"].help_text = _(
+                "If you want to add a product that is not owned by "
+                "your club to this counter, you should ask an admin."
+            )
 
 
 class ScheduledProductActionForm(forms.ModelForm):
@@ -316,7 +329,6 @@ class ProductForm(forms.ModelForm):
         }
 
     counters = forms.ModelMultipleChoiceField(
-        help_text=None,
         label=_("Counters"),
         required=False,
         widget=AutoCompleteSelectMultipleCounter,
@@ -327,10 +339,31 @@ class ProductForm(forms.ModelForm):
         super().__init__(*args, instance=instance, **kwargs)
         if self.instance.id:
             self.fields["counters"].initial = self.instance.counters.all()
+            if hasattr(self.instance, "formula"):
+                self.formula_init(self.instance.formula)
         self.action_formset = ScheduledProductActionFormSet(
             *args, product=self.instance, **kwargs
         )
 
+    def formula_init(self, formula: ProductFormula):
+        """Part of the form initialisation specific to formula products."""
+        self.fields["selling_price"].help_text = _(
+            "This product is a formula. "
+            "Its price cannot be greater than the price "
+            "of the products constituting it, which is %(price)s €"
+        ) % {"price": formula.max_selling_price}
+        self.fields["special_selling_price"].help_text = _(
+            "This product is a formula. "
+            "Its special price cannot be greater than the price "
+            "of the products constituting it, which is %(price)s €"
+        ) % {"price": formula.max_special_selling_price}
+        for key, price in (
+            ("selling_price", formula.max_selling_price),
+            ("special_selling_price", formula.max_special_selling_price),
+        ):
+            self.fields[key].widget.attrs["max"] = price
+            self.fields[key].validators.append(MaxValueValidator(price))
+
     def is_valid(self):
         return super().is_valid() and self.action_formset.is_valid()
 
@@ -349,13 +382,47 @@ class ProductForm(forms.ModelForm):
         return product
 
 
+class ProductFormulaForm(forms.ModelForm):
+    class Meta:
+        model = ProductFormula
+        fields = ["products", "result"]
+        widgets = {
+            "products": AutoCompleteSelectMultipleProduct,
+            "result": AutoCompleteSelectProduct,
+        }
+
+    def clean(self):
+        cleaned_data = super().clean()
+        if cleaned_data["result"] in cleaned_data["products"]:
+            self.add_error(
+                None,
+                _(
+                    "The same product cannot be at the same time "
+                    "the result and a part of the formula."
+                ),
+            )
+        prices = [p.selling_price for p in cleaned_data["products"]]
+        special_prices = [p.special_selling_price for p in cleaned_data["products"]]
+        selling_price = cleaned_data["result"].selling_price
+        special_selling_price = cleaned_data["result"].special_selling_price
+        if selling_price > sum(prices) or special_selling_price > sum(special_prices):
+            self.add_error(
+                "result",
+                _(
+                    "The result cannot be more expensive "
+                    "than the total of the other products."
+                ),
+            )
+        return cleaned_data
+
+
 class ReturnableProductForm(forms.ModelForm):
     class Meta:
         model = ReturnableProduct
         fields = ["product", "returned_product", "max_return"]
         widgets = {
-            "product": AutoCompleteSelectProduct(),
+            "product": AutoCompleteSelectProduct,
-            "returned_product": AutoCompleteSelectProduct(),
+            "returned_product": AutoCompleteSelectProduct,
         }
 
     def save(self, commit: bool = True) -> ReturnableProduct:  # noqa FBT

counter/migrations/0037_productformula.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.2.8 on 2025-11-26 11:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("counter", "0036_product_created_at_product_updated_at")]
+
+    operations = [
+        migrations.CreateModel(
+            name="ProductFormula",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "products",
+                    models.ManyToManyField(
+                        help_text="The products that constitute this formula.",
+                        related_name="formulas",
+                        to="counter.product",
+                        verbose_name="products",
+                    ),
+                ),
+                (
+                    "result",
+                    models.OneToOneField(
+                        help_text="The formula product.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="counter.product",
+                        verbose_name="result product",
+                    ),
+                ),
+            ],
+        ),
+    ]

counter/models.py

@@ -456,6 +456,37 @@ class Product(models.Model):
         return self.selling_price - self.purchase_price
 
 
+class ProductFormula(models.Model):
+    products = models.ManyToManyField(
+        Product,
+        related_name="formulas",
+        verbose_name=_("products"),
+        help_text=_("The products that constitute this formula."),
+    )
+    result = models.OneToOneField(
+        Product,
+        related_name="formula",
+        on_delete=models.CASCADE,
+        verbose_name=_("result product"),
+        help_text=_("The product got with the formula."),
+    )
+
+    def __str__(self):
+        return self.result.name
+
+    @cached_property
+    def max_selling_price(self) -> float:
+        # iterating over all products is less efficient than doing
+        # a simple aggregation, but this method is likely to be used in
+        # coordination with `max_special_selling_price`,
+        # and Django caches the result of the `all` queryset.
+        return sum(p.selling_price for p in self.products.all())
+
+    @cached_property
+    def max_special_selling_price(self) -> float:
+        return sum(p.special_selling_price for p in self.products.all())
+
+
 class CounterQuerySet(models.QuerySet):
     def annotate_has_barman(self, user: User) -> Self:
         """Annotate the queryset with the `user_is_barman` field.

counter/static/bundled/counter/components/ajax-select-index.ts

@@ -18,7 +18,10 @@ export class ProductAjaxSelect extends AjaxSelect {
   protected searchField = ["code", "name"];
 
   protected async search(query: string): Promise<TomOption[]> {
-    const resp = await productSearchProducts({ query: { search: query } });
+    const resp = await productSearchProducts({
+      // biome-ignore lint/style/useNamingConvention: API is snake_case
+      query: { search: query, is_archived: false },
+    });
     if (resp.data) {
       return resp.data.results;
     }

counter/static/bundled/counter/counter-click-index.ts

@@ -1,6 +1,10 @@
 import { AlertMessage } from "#core:utils/alert-message.ts";
 import { BasketItem } from "#counter:counter/basket.ts";
-import type { CounterConfig, ErrorMessage } from "#counter:counter/types.ts";
+import type {
+  CounterConfig,
+  ErrorMessage,
+  ProductFormula,
+} from "#counter:counter/types.ts";
 import type { CounterProductSelect } from "./components/counter-product-select-index.ts";
 
 document.addEventListener("alpine:init", () => {
@@ -47,15 +51,43 @@ document.addEventListener("alpine:init", () => {
 
       this.basket[id] = item;
 
+      this.checkFormulas();
+
       if (this.sumBasket() > this.customerBalance) {
         item.quantity = oldQty;
         if (item.quantity === 0) {
           delete this.basket[id];
         }
-        return gettext("Not enough money");
+        this.alertMessage.display(gettext("Not enough money"), { success: false });
       }
+    },
 
-      return "";
+    checkFormulas() {
+      const products = new Set(
+        Object.keys(this.basket).map((i: string) => Number.parseInt(i)),
+      );
+      const formula: ProductFormula = config.formulas.find((f: ProductFormula) => {
+        return f.products.every((p: number) => products.has(p));
+      });
+      if (formula === undefined) {
+        return;
+      }
+      for (const product of formula.products) {
+        const key = product.toString();
+        this.basket[key].quantity -= 1;
+        if (this.basket[key].quantity <= 0) {
+          this.removeFromBasket(key);
+        }
+      }
+      this.alertMessage.display(
+        interpolate(
+          gettext("Formula %(formula)s applied"),
+          { formula: config.products[formula.result.toString()].name },
+          true,
+        ),
+        { success: true },
+      );
+      this.addToBasket(formula.result.toString(), 1);
     },
 
     getBasketSize() {
@@ -70,14 +102,7 @@ document.addEventListener("alpine:init", () => {
         (acc: number, cur: BasketItem) => acc + cur.sum(),
         0,
       ) as number;
-      return total;
+      return Math.round(total * 100) / 100;
-    },
-
-    addToBasketWithMessage(id: string, quantity: number) {
-      const message = this.addToBasket(id, quantity);
-      if (message.length > 0) {
-        this.alertMessage.display(message, { success: false });
-      }
     },
 
     onRefillingSuccess(event: CustomEvent) {
@@ -116,7 +141,7 @@ document.addEventListener("alpine:init", () => {
           this.finish();
         }
       } else {
-        this.addToBasketWithMessage(code, quantity);
+        this.addToBasket(code, quantity);
       }
       this.codeField.widget.clear();
       this.codeField.widget.focus();

counter/static/bundled/counter/types.d.ts

@@ -7,10 +7,16 @@ export interface InitialFormData {
   errors?: string[];
 }
 
+export interface ProductFormula {
+  result: number;
+  products: number[];
+}
+
 export interface CounterConfig {
   customerBalance: number;
   customerId: number;
   products: Record<string, Product>;
+  formulas: ProductFormula[];
   formInitial: InitialFormData[];
   cancelUrl: string;
 }

counter/static/counter/css/counter-click.scss

@@ -10,12 +10,12 @@
   float: right;
 }
 
-.basket-error-container {
+.basket-message-container {
   position: relative;
   display: block
 }
 
-.basket-error {
+.basket-message {
   z-index: 10; // to get on top of tomselect
   text-align: center;
   position: absolute;

counter/templates/counter/counter_click.jinja

@@ -32,13 +32,11 @@
   <div id="bar-ui" x-data="counter({
                            customerBalance: {{ customer.amount }},
                            products: products,
+                           formulas: formulas,
                            customerId: {{ customer.pk }},
                            formInitial: formInitial,
                            cancelUrl: '{{ cancel_url }}',
                            })">
-    <noscript>
-      <p class="important">Javascript is required for the counter UI.</p>
-    </noscript>
 
     <div id="user_info">
       <h5>{% trans %}Customer{% endtrans %}</h5>
@@ -88,11 +86,12 @@
 
           <form x-cloak method="post" action="" x-ref="basketForm">
 
-            <div class="basket-error-container">
+            <div class="basket-message-container">
               <div
                 x-cloak
-                class="alert alert-red basket-error"
+                class="alert basket-message"
-                x-show="alertMessage.show"
+                :class="alertMessage.success ? 'alert-green' : 'alert-red'"
+                x-show="alertMessage.open"
                 x-transition.duration.500ms
                 x-text="alertMessage.content"
               ></div>
@@ -111,9 +110,9 @@
                     </div>
                   </template>
 
-                  <button @click.prevent="addToBasketWithMessage(item.product.id, -1)">-</button>
+                  <button @click.prevent="addToBasket(item.product.id, -1)">-</button>
                   <span class="quantity" x-text="item.quantity"></span>
-                  <button @click.prevent="addToBasketWithMessage(item.product.id, 1)">+</button>
+                  <button @click.prevent="addToBasket(item.product.id, 1)">+</button>
 
                   <span x-text="item.product.name"></span> :
                   <span x-text="item.sum().toLocaleString(undefined, { minimumFractionDigits: 2 })">€</span>
@@ -213,7 +212,7 @@
                 <h5 class="margin-bottom">{{ category }}</h5>
                 <div class="row gap-2x">
                   {% for product in categories[category] -%}
-                    <button class="card shadow" @click="addToBasketWithMessage('{{ product.id }}', 1)">
+                    <button class="card shadow" @click="addToBasket('{{ product.id }}', 1)">
                       <img
                         class="card-image"
                         alt="image de {{ product.name }}"
@@ -252,6 +251,18 @@
         },
       {%- endfor -%}
     };
+    const formulas = [
+      {%- for formula in formulas -%}
+        {
+          result: {{ formula.result_id }},
+          products: [
+            {%- for product in formula.products.all() -%}
+              {{ product.id }},
+            {%- endfor -%}
+          ]
+        },
+      {%- endfor -%}
+    ];
     const formInitial = [
       {%- for f in form -%}
         {%- if f.cleaned_data -%}

counter/templates/counter/formula_list.jinja

@@ -0,0 +1,78 @@
+{% extends "core/base.jinja" %}
+
+{% block title %}
+  {% trans %}Product formulas{% endtrans %}
+{% endblock %}
+
+{% block additional_css %}
+  <link rel="stylesheet" href="{{ static("core/components/card.scss") }}">
+  <link rel="stylesheet" href="{{ static("counter/css/admin.scss") }}">
+{% endblock %}
+
+{% block content %}
+  <main>
+    <h3 class="margin-bottom">{% trans %}Product formulas{% endtrans %}</h3>
+    <p>
+      {%- trans trimmed -%}
+        Formulas allow you to associate a group of products
+        with a result product (the formula itself).
+      {%- endtrans -%}
+    </p>
+    <p>
+      {%- trans trimmed -%}
+        If the product of a formula is available on a counter,
+        it will be automatically applied if all the products that
+        make it up are added to the basket.
+      {%- endtrans -%}
+    </p>
+    <p>
+      {%- trans trimmed -%}
+        For example, if there is a formula that combines a "Sandwich Formula" product
+        with the "Sandwich" and "Soft Drink" products,
+        then, if a person orders a sandwich and a soft drink,
+        the formula will be applied and the basket will then contain a sandwich formula instead.
+      {%- endtrans -%}
+    </p>
+    <p class="margin-bottom">
+      <a href="{{ url('counter:product_formula_create') }}" class="btn btn-blue">
+        {% trans %}New formula{% endtrans %}
+        <i class="fa fa-plus"></i>
+      </a>
+    </p>
+    <div class="product-group">
+      {%- for formula in object_list -%}
+        <a
+          class="card card-row shadow clickable"
+          href="{{ url('counter:product_formula_edit', formula_id=formula.id) }}"
+        >
+          <div class="card-content">
+            <strong class="card-title">{{ formula.result.name }}</strong>
+            <p>
+              {% for p in formula.products.all() %}
+                <i>{{ p.code }} ({{ p.selling_price }} €)</i>
+                {% if not loop.last %}+{% endif %}
+              {% endfor %}
+            </p>
+            <p>
+              {{ formula.result.selling_price }} €
+              ({% trans %}instead of{% endtrans %} {{ formula.max_selling_price}} €)
+            </p>
+          </div>
+          {% if user.has_perm("counter.delete_productformula") %}
+            <button
+              x-data
+              class="btn btn-red btn-no-text card-top-left"
+              @click.prevent="document.location.href = '{{ url('counter:product_formula_delete', formula_id=formula.id) }}'"
+            >
+            {# The delete link is a button with a JS event listener
+               instead of a proper <a> element,
+               because the enclosing card is already a <a>,
+               and HTML forbids nested <a> #}
+              <i class="fa fa-trash"></i>
+            </button>
+          {% endif %}
+        </a>
+      {%- endfor -%}
+    </div>
+  </main>
+{% endblock %}

counter/tests/test_counter_admin.py

@@ -0,0 +1,62 @@
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from club.models import Membership
+from core.baker_recipes import subscriber_user
+from core.models import User
+from counter.baker_recipes import product_recipe
+from counter.forms import CounterEditForm
+from counter.models import Counter
+
+
+class TestEditCounterProducts(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.counter = baker.make(Counter)
+        cls.products = product_recipe.make(_quantity=5, _bulk_create=True)
+        cls.counter.products.add(*cls.products)
+
+    def test_admin(self):
+        """Test that an admin can add and remove products"""
+        user = baker.make(
+            User, user_permissions=[Permission.objects.get(codename="change_counter")]
+        )
+        new_product = product_recipe.make()
+        form = CounterEditForm(
+            data={"sellers": [], "products": [*self.products[1:], new_product]},
+            user=user,
+            instance=self.counter,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.products.all()) == {*self.products[1:], new_product}
+
+    def test_club_board_id(self):
+        """Test that people from counter club board can only add their own products."""
+        club = self.counter.club
+        user = subscriber_user.make()
+        baker.make(Membership, user=user, club=club, end_date=None)
+        new_product = product_recipe.make(club=club)
+        form = CounterEditForm(
+            data={"sellers": [], "products": [*self.products[1:], new_product]},
+            user=user,
+            instance=self.counter,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.products.all()) == {*self.products[1:], new_product}
+
+        new_product = product_recipe.make()  # product not owned by the club
+        form = CounterEditForm(
+            data={"sellers": [], "products": [*self.products[1:], new_product]},
+            user=user,
+            instance=self.counter,
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "products": [
+                "Sélectionnez un choix valide. "
+                f"{new_product.id} n\u2019en fait pas partie."
+            ],
+        }

counter/tests/test_formula.py

@@ -0,0 +1,59 @@
+from django.test import TestCase
+
+from counter.baker_recipes import product_recipe
+from counter.forms import ProductFormulaForm
+
+
+class TestFormulaForm(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.products = product_recipe.make(
+            selling_price=iter([1.5, 1, 1]),
+            special_selling_price=iter([1.4, 0.9, 0.9]),
+            _quantity=3,
+            _bulk_create=True,
+        )
+
+    def test_ok(self):
+        form = ProductFormulaForm(
+            data={
+                "result": self.products[0].id,
+                "products": [self.products[1].id, self.products[2].id],
+            }
+        )
+        assert form.is_valid()
+        formula = form.save()
+        assert formula.result == self.products[0]
+        assert set(formula.products.all()) == set(self.products[1:])
+
+    def test_price_invalid(self):
+        self.products[0].selling_price = 2.1
+        self.products[0].save()
+        form = ProductFormulaForm(
+            data={
+                "result": self.products[0].id,
+                "products": [self.products[1].id, self.products[2].id],
+            }
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "result": [
+                "Le résultat ne peut pas être plus cher "
+                "que le total des autres produits."
+            ]
+        }
+
+    def test_product_both_in_result_and_products(self):
+        form = ProductFormulaForm(
+            data={
+                "result": self.products[0].id,
+                "products": [self.products[0].id, self.products[1].id],
+            }
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "__all__": [
+                "Un même produit ne peut pas être à la fois "
+                "le résultat et un élément de la formule."
+            ]
+        }

counter/tests/test_product.py

@@ -15,8 +15,9 @@ from pytest_django.asserts import assertNumQueries, assertRedirects
 from club.models import Club
 from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
+from counter.baker_recipes import product_recipe
 from counter.forms import ProductForm
-from counter.models import Product, ProductType
+from counter.models import Product, ProductFormula, ProductType
 
 
 @pytest.mark.django_db
@@ -93,6 +94,9 @@ class TestCreateProduct(TestCase):
     def setUpTestData(cls):
         cls.product_type = baker.make(ProductType)
         cls.club = baker.make(Club)
+        cls.counter_admin = baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)]
+        )
         cls.data = {
             "name": "foo",
             "description": "bar",
@@ -116,13 +120,36 @@ class TestCreateProduct(TestCase):
         assert instance.name == "foo"
         assert instance.selling_price == 1.0
 
-    def test_view(self):
+    def test_form_with_product_from_formula(self):
-        self.client.force_login(
+        """Test when the edited product is a result of a formula."""
-            baker.make(
+        self.client.force_login(self.counter_admin)
-                User,
+        products = product_recipe.make(
-                groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)],
+            selling_price=iter([1.5, 1, 1]),
-            )
+            special_selling_price=iter([1.4, 0.9, 0.9]),
+            _quantity=3,
+            _bulk_create=True,
         )
+        baker.make(ProductFormula, result=products[0], products=products[1:])
+
+        data = self.data | {"selling_price": 1.7, "special_selling_price": 1.5}
+        form = ProductForm(data=data, instance=products[0])
+        assert form.is_valid()
+
+        # it shouldn't be possible to give a price higher than the formula's products
+        data = self.data | {"selling_price": 2.1, "special_selling_price": 1.9}
+        form = ProductForm(data=data, instance=products[0])
+        assert not form.is_valid()
+        assert form.errors == {
+            "selling_price": [
+                "Assurez-vous que cette valeur est inférieure ou égale à 2.00."
+            ],
+            "special_selling_price": [
+                "Assurez-vous que cette valeur est inférieure ou égale à 1.80."
+            ],
+        }
+
+    def test_view(self):
+        self.client.force_login(self.counter_admin)
         url = reverse("counter:new_product")
         response = self.client.get(url)
         assert response.status_code == 200

counter/urls.py

@@ -25,6 +25,10 @@ from counter.views.admin import (
     CounterStatView,
     ProductCreateView,
     ProductEditView,
+    ProductFormulaCreateView,
+    ProductFormulaDeleteView,
+    ProductFormulaEditView,
+    ProductFormulaListView,
     ProductListView,
     ProductTypeCreateView,
     ProductTypeEditView,
@@ -116,6 +120,24 @@ urlpatterns = [
         ProductEditView.as_view(),
         name="product_edit",
     ),
+    path(
+        "admin/formula/", ProductFormulaListView.as_view(), name="product_formula_list"
+    ),
+    path(
+        "admin/formula/new/",
+        ProductFormulaCreateView.as_view(),
+        name="product_formula_create",
+    ),
+    path(
+        "admin/formula/<int:formula_id>/edit",
+        ProductFormulaEditView.as_view(),
+        name="product_formula_edit",
+    ),
+    path(
+        "admin/formula/<int:formula_id>/delete",
+        ProductFormulaDeleteView.as_view(),
+        name="product_formula_delete",
+    ),
     path(
         "admin/product-type/list/",
         ProductTypeListView.as_view(),

counter/views/admin.py

@@ -34,11 +34,13 @@ from counter.forms import (
     CloseCustomerAccountForm,
     CounterEditForm,
     ProductForm,
+    ProductFormulaForm,
     ReturnableProductForm,
 )
 from counter.models import (
     Counter,
     Product,
+    ProductFormula,
     ProductType,
     Refilling,
     ReturnableProduct,
@@ -56,7 +58,7 @@ class CounterListView(CounterAdminTabsMixin, CanViewMixin, ListView):
     current_tab = "counters"
 
 
-class CounterEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
+class CounterEditView(CounterAdminTabsMixin, UserPassesTestMixin, UpdateView):
     """Edit a counter's main informations (for the counter's manager)."""
 
     model = Counter
@@ -65,10 +67,14 @@ class CounterEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
     template_name = "core/edit.jinja"
     current_tab = "counters"
 
-    def dispatch(self, request, *args, **kwargs):
+    def test_func(self):
-        obj = self.get_object()
+        if self.request.user.has_perm("counter.change_counter"):
-        self.edit_club.append(obj.club)
+            return True
-        return super().dispatch(request, *args, **kwargs)
+        obj = self.get_object(queryset=self.get_queryset().select_related("club"))
+        return obj.club.has_rights_in_club(self.request.user)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {"user": self.request.user}
 
     def get_success_url(self):
         return reverse_lazy("counter:admin", kwargs={"counter_id": self.object.id})
@@ -162,6 +168,62 @@ class ProductEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
     current_tab = "products"
 
 
+class ProductFormulaListView(CounterAdminTabsMixin, PermissionRequiredMixin, ListView):
+    model = ProductFormula
+    queryset = ProductFormula.objects.select_related("result").prefetch_related(
+        "products"
+    )
+    template_name = "counter/formula_list.jinja"
+    current_tab = "formulas"
+    permission_required = "counter.view_productformula"
+
+
+class ProductFormulaCreateView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, CreateView
+):
+    model = ProductFormula
+    form_class = ProductFormulaForm
+    pk_url_kwarg = "formula_id"
+    template_name = "core/create.jinja"
+    current_tab = "formulas"
+    success_url = reverse_lazy("counter:product_formula_list")
+    permission_required = "counter.add_productformula"
+
+
+class ProductFormulaEditView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, UpdateView
+):
+    model = ProductFormula
+    form_class = ProductFormulaForm
+    pk_url_kwarg = "formula_id"
+    template_name = "core/edit.jinja"
+    current_tab = "formulas"
+    success_url = reverse_lazy("counter:product_formula_list")
+    permission_required = "counter.change_productformula"
+
+
+class ProductFormulaDeleteView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, DeleteView
+):
+    model = ProductFormula
+    pk_url_kwarg = "formula_id"
+    template_name = "core/delete_confirm.jinja"
+    current_tab = "formulas"
+    success_url = reverse_lazy("counter:product_formula_list")
+    permission_required = "counter.delete_productformula"
+
+    def get_context_data(self, **kwargs):
+        obj_name = self.object.result.name
+        return super().get_context_data(**kwargs) | {
+            "object_name": _("%(formula)s (formula)") % {"formula": obj_name},
+            "help_text": _(
+                "This action will only delete the formula, "
+                "but not the %(product)s product itself."
+            )
+            % {"product": obj_name},
+        }
+
+
 class ReturnableProductListView(
     CounterAdminTabsMixin, PermissionRequiredMixin, ListView
 ):

counter/views/click.py

@@ -12,6 +12,7 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from collections import defaultdict
 
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
@@ -31,6 +32,7 @@ from counter.forms import BasketForm, RefillForm
 from counter.models import (
     Counter,
     Customer,
+    ProductFormula,
     ReturnableProduct,
     Selling,
 )
@@ -206,12 +208,13 @@ class CounterClick(
         """Add customer to the context."""
         kwargs = super().get_context_data(**kwargs)
         kwargs["products"] = self.products
-        kwargs["categories"] = {}
+        kwargs["formulas"] = ProductFormula.objects.filter(
+            result__in=self.products
+        ).prefetch_related("products")
+        kwargs["categories"] = defaultdict(list)
         for product in kwargs["products"]:
             if product.product_type:
-                kwargs["categories"].setdefault(product.product_type, []).append(
+                kwargs["categories"][product.product_type].append(product)
-                    product
-                )
         kwargs["customer"] = self.customer
         kwargs["cancel_url"] = self.get_success_url()
 

counter/views/mixins.py

@@ -100,6 +100,11 @@ class CounterAdminTabsMixin(TabedViewMixin):
             "slug": "products",
             "name": _("Products"),
         },
+        {
+            "url": reverse_lazy("counter:product_formula_list"),
+            "slug": "formulas",
+            "name": _("Formulas"),
+        },
         {
             "url": reverse_lazy("counter:product_type_list"),
             "slug": "product_types",

docs/tutorial/groups.md

@@ -263,3 +263,35 @@ avec un unique champ permettant de sélectionner des groupes.
 Par défaut, seuls les utilisateurs avec la permission
 `auth.change_permission` auront accès à ce formulaire
 (donc, normalement, uniquement les utilisateurs Root).
+
+```mermaid
+sequenceDiagram
+    participant A as Utilisateur
+    participant B as ReverseProxy
+    participant C as MarkdownImage
+    participant D as Model
+
+    A->>B: GET /page/foo
+    B->>C: GET /page/foo
+    C-->>B: La page, avec les urls
+    B-->>A: La page, avec les urls
+    alt image publique 
+        A->>B: GET markdown/public/2025/img.webp
+        B-->>A: img.webp
+    end
+    alt image privée 
+        A->>B: GET markdown_image/{id}
+        B->>C: GET markdown_image/{id}
+        C->>D: user.can_view(image)
+        alt l'utilisateur a le droit de voir l'image
+            D-->>C: True
+            C-->>B: 200 (avec le X-Accel-Redirect)
+            B-->>A: img.webp
+        end
+        alt l'utilisateur n'a pas le droit de l'image
+            D-->>C: False
+            C-->>B: 403
+            B-->>A: 403
+        end
+    end
+```

eboutic/templates/eboutic/eboutic_checkout.jinja

@@ -68,12 +68,6 @@
         <template x-for="[key, value] in Object.entries(data)" :key="key">
           <input type="hidden" :name="key" :value="value">
         </template>
-        <input type="checkbox" value="cgv" required>
-        <label>
-          {% trans  trimmed %}I have read and accept {% endtrans %}
-          <a href="">{% trans %}the general terms and conditions{% endtrans%}</a> 
-          {%trans%}of the student assosiation of UTBM{% endtrans %}</label>
-        <br>
         <input
           x-cloak
           type="submit"
@@ -99,12 +93,6 @@
     {% else %}
       <form method="post" action="{{ url('eboutic:pay_with_sith', basket_id=basket.id) }}" name="sith-pay-form">
         {% csrf_token %}
-        <input type="checkbox" value="cgv" required>
-        <label>
-          {% trans  trimmed %}I have read and accept {% endtrans %}
-          <a href="">{% trans %}the general terms and conditions{% endtrans%}</a> 
-          {%trans%}of the student assosiation of UTBM{% endtrans %}</label>
-        <br>
         <input class="btn btn-blue" type="submit" value="{% trans %}Pay with Sith account{% endtrans %}"/>
       </form>
     {% endif %}

galaxy/management/commands/generate_galaxy_test_data.py

@@ -25,13 +25,12 @@ import warnings
 from datetime import timedelta
 from typing import Final, Optional
 
-from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.management.base import BaseCommand
 from django.utils import timezone
 
 from club.models import Club, Membership
-from core.models import Group, Page, SithFile, User
+from core.models import Group, Page, User
 from core.utils import RED_PIXEL_PNG
 from sas.models import Album, PeoplePictureRelation, Picture
 from subscription.models import Subscription
@@ -91,13 +90,8 @@ class Command(BaseCommand):
         self.NB_CLUBS = options["club_count"]
 
         root = User.objects.filter(username="root").first()
-        sas = SithFile.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID)
         self.galaxy_album = Album.objects.create(
-            name="galaxy-register-file",
+            name="galaxy-register-file", owner=root, is_moderated=True
-            owner=root,
-            is_moderated=True,
-            is_in_sas=True,
-            parent=sas,
         )
 
         self.make_clubs()
@@ -285,14 +279,10 @@ class Command(BaseCommand):
                     owner=u,
                     name=f"galaxy-picture {u} {i // self.NB_USERS}",
                     is_moderated=True,
-                    is_folder=False,
                     parent=self.galaxy_album,
-                    is_in_sas=True,
+                    original=ContentFile(RED_PIXEL_PNG),
-                    file=ContentFile(RED_PIXEL_PNG),
                     compressed=ContentFile(RED_PIXEL_PNG),
                     thumbnail=ContentFile(RED_PIXEL_PNG),
-                    mime_type="image/png",
-                    size=len(RED_PIXEL_PNG),
                 )
             )
             self.picts[i].file.name = self.picts[i].name

locale/fr/LC_MESSAGES/djangojs.po

@@ -7,7 +7,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-23 15:30+0200\n"
+"POT-Creation-Date: 2025-11-26 15:45+0100\n"
 "PO-Revision-Date: 2024-09-17 11:54+0200\n"
 "Last-Translator: Sli <antoine@bartuccio.fr>\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -206,6 +206,10 @@ msgstr "capture.%s"
 msgid "Not enough money"
 msgstr "Pas assez d'argent"
 
+#: counter/static/bundled/counter/counter-click-index.ts
+msgid "Formula %(formula)s applied"
+msgstr "Formule %(formula)s appliquée"
+
 #: counter/static/bundled/counter/counter-click-index.ts
 msgid "You can't send an empty basket."
 msgstr "Vous ne pouvez pas envoyer un panier vide."
@@ -262,3 +266,9 @@ msgstr "Il n'a pas été possible de modérer l'image"
 #: sas/static/bundled/sas/viewer-index.ts
 msgid "Couldn't delete picture"
 msgstr "Il n'a pas été possible de supprimer l'image"
+
+#: timetable/static/bundled/timetable/generator-index.ts
+msgid ""
+"Wrong timetable format. Make sure you copied if from your student folder."
+msgstr ""
+"Mauvais format d'emploi du temps. Assurez-vous que vous l'avez copié depuis votre dossier étudiants."

sas/admin.py

@@ -20,9 +20,9 @@ from sas.models import Album, PeoplePictureRelation, Picture, PictureModerationR
 
 @admin.register(Picture)
 class PictureAdmin(admin.ModelAdmin):
-    list_display = ("name", "parent", "date", "size", "is_moderated")
+    list_display = ("name", "parent", "is_moderated")
     search_fields = ("name",)
-    autocomplete_fields = ("owner", "parent", "edit_groups", "view_groups", "moderator")
+    autocomplete_fields = ("owner", "parent", "moderator")
 
 
 @admin.register(PeoplePictureRelation)
@@ -33,9 +33,9 @@ class PeoplePictureRelationAdmin(admin.ModelAdmin):
 
 @admin.register(Album)
 class AlbumAdmin(admin.ModelAdmin):
-    list_display = ("name", "parent", "date", "owner", "is_moderated")
+    list_display = ("name", "parent")
     search_fields = ("name",)
-    autocomplete_fields = ("owner", "parent", "edit_groups", "view_groups")
+    autocomplete_fields = ("parent", "edit_groups", "view_groups")
 
 
 @admin.register(PictureModerationRequest)

sas/api.py

@@ -3,7 +3,8 @@ from typing import Any, Literal
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.urls import reverse
-from ninja import Body, File, Query
+from ninja import Body, Query, UploadedFile
+from ninja.errors import HttpError
 from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.exceptions import NotFound, PermissionDenied
@@ -16,11 +17,12 @@ from api.permissions import (
     CanAccessLookup,
     CanEdit,
     CanView,
+    HasPerm,
     IsInGroup,
     IsRoot,
 )
 from core.models import Notification, User
-from core.schemas import UploadedImage
+from core.utils import get_list_exact_or_404
 from sas.models import Album, PeoplePictureRelation, Picture
 from sas.schemas import (
     AlbumAutocompleteSchema,
@@ -28,6 +30,7 @@ from sas.schemas import (
     AlbumSchema,
     IdentifiedUserSchema,
     ModerationRequestSchema,
+    MoveAlbumSchema,
     PictureFilterSchema,
     PictureSchema,
 )
@@ -69,6 +72,44 @@ class AlbumController(ControllerBase):
             Album.objects.viewable_by(self.context.request.user).order_by("-date")
         )
 
+    @route.patch("/parent")
+    def change_album_parent(self, payload: list[MoveAlbumSchema]):
+        """Change parents of albums
+
+        Note:
+            For this operation to work, the user must be authorized
+            to edit both the moved albums and their new parent.
+        """
+        user: User = self.context.request.user
+        albums: list[Album] = get_list_exact_or_404(
+            Album, pk__in={a.id for a in payload}
+        )
+        if not user.has_perm("sas.change_album"):
+            unauthorized = [a.id for a in albums if not user.can_edit(a)]
+            if unauthorized:
+                raise PermissionDenied(
+                    f"You can't move the following albums : {unauthorized}"
+                )
+        parents: list[Album] = get_list_exact_or_404(
+            Album, pk__in={a.new_parent_id for a in payload}
+        )
+        if not user.has_perm("sas.change_album"):
+            unauthorized = [a.id for a in parents if not user.can_edit(a)]
+            if unauthorized:
+                raise PermissionDenied(
+                    f"You can't move to the following albums : {unauthorized}"
+                )
+        id_to_new_parent = {i.id: i.new_parent_id for i in payload}
+        for album in albums:
+            album.parent_id = id_to_new_parent[album.id]
+        # known caveat : moving an album won't move it's thumbnail.
+        # E.g. if the album foo/bar is moved to foo/baz,
+        # the thumbnail will still be foo/bar/thumb.webp
+        # This has no impact for the end user
+        # and doing otherwise would be hard for us to implement,
+        # because we would then have to manage rollbacks on fail.
+        Album.objects.bulk_update(albums, fields=["parent_id"])
+
 
 @api_controller("/sas/picture")
 class PicturesController(ControllerBase):
@@ -96,7 +137,7 @@ class PicturesController(ControllerBase):
         return (
             filters.filter(Picture.objects.viewable_by(user))
             .distinct()
-            .order_by("-parent__date", "date")
+            .order_by("-parent__event_date", "created_at")
             .select_related("owner", "parent")
         )
 
@@ -110,27 +151,25 @@ class PicturesController(ControllerBase):
         },
         url_name="upload_picture",
     )
-    def upload_picture(self, album_id: Body[int], picture: File[UploadedImage]):
+    def upload_picture(self, album_id: Body[int], picture: UploadedFile):
         album = self.get_object_or_exception(Album, pk=album_id)
         user = self.context.request.user
         self_moderate = user.has_perm("sas.moderate_sasfile")
         new = Picture(
             parent=album,
             name=picture.name,
-            file=picture,
+            original=picture,
             owner=user,
             is_moderated=self_moderate,
-            is_folder=False,
-            mime_type=picture.content_type,
         )
         if self_moderate:
             new.moderator = user
+        new.generate_thumbnails()
         try:
-            new.generate_thumbnails()
             new.full_clean()
-            new.save()
         except ValidationError as e:
-            return self.create_response({"detail": dict(e)}, status_code=409)
+            raise HttpError(status_code=409, message=str(e)) from e
+        new.save()
 
     @route.get(
         "/{picture_id}/identified",
@@ -215,9 +254,9 @@ class UsersIdentifiedController(ControllerBase):
         relation = self.get_object_or_exception(PeoplePictureRelation, pk=relation_id)
         user: User = self.context.request.user
         if (
-            relation.user_id != user.id
+                relation.user_id != user.id
-            and not user.is_root
+                and not user.is_root
-            and not user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
+                and not user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
         ):
             raise PermissionDenied
         relation.delete()

sas/baker_recipes.py

@@ -1,18 +1,35 @@
+from django.core.files.uploadedfile import SimpleUploadedFile
 from model_bakery import seq
 from model_bakery.recipe import Recipe
 
-from sas.models import Picture
+from core.utils import RED_PIXEL_PNG
+from sas.models import Album, Picture
+
+album_recipe = Recipe(
+    Album,
+    name=seq("Album "),
+    thumbnail=SimpleUploadedFile(
+        name="thumb.webp", content=b"", content_type="image/webp"
+    ),
+)
+
 
 picture_recipe = Recipe(
     Picture,
-    is_in_sas=True,
-    is_folder=False,
     is_moderated=True,
     name=seq("Picture "),
+    original=SimpleUploadedFile(
+        # compressed and thumbnail are generated on save (except if bulk creating).
+        # For this step no to fail, original must be a valid image.
+        name="img.png",
+        content=RED_PIXEL_PNG,
+        content_type="image/png",
+    ),
+    compressed=SimpleUploadedFile(
+        name="img.webp", content=b"", content_type="image/webp"
+    ),
+    thumbnail=SimpleUploadedFile(
+        name="img.webp", content=b"", content_type="image/webp"
+    ),
 )
-"""A SAS Picture fixture.
+"""A SAS Picture fixture."""
-
-Warnings:
-    If you don't `bulk_create` this, you need
-    to explicitly set the parent album, or it won't work
-"""

sas/forms.py

@@ -48,13 +48,12 @@ class PictureEditForm(forms.ModelForm):
 class AlbumEditForm(forms.ModelForm):
     class Meta:
         model = Album
-        fields = ["name", "date", "file", "parent", "edit_groups"]
+        fields = ["name", "date", "thumbnail", "parent", "edit_groups"]
         widgets = {
             "parent": AutoCompleteSelectAlbum,
             "edit_groups": AutoCompleteSelectMultipleGroup,
         }
 
-    name = forms.CharField(max_length=Album.NAME_MAX_LENGTH, label=_("file name"))
     date = forms.DateField(label=_("Date"), widget=SelectDate, required=True)
     recursive = forms.BooleanField(label=_("Apply rights recursively"), required=False)
 

sas/migrations/0006_move_the_whole_sas.py

@@ -0,0 +1,357 @@
+# Generated by Django 4.2.17 on 2025-01-22 21:53
+import collections
+import itertools
+import logging
+from typing import TYPE_CHECKING
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+from django.db.migrations.state import StateApps
+
+import sas.models
+
+if TYPE_CHECKING:
+    import core.models
+
+# NB : tous les commentaires sont écrits en français,
+#      parce qu'on est sur des opérations qui sont complexes,
+#      et qui sont surtout DANGEREUSES.
+#      Ici, la clarté des explications prime sur toute autre considération.
+
+
+def copy_albums_and_pictures(apps: StateApps, schema_editor):
+    SithFile: type[core.models.SithFile] = apps.get_model("core", "SithFile")
+    Album: type[sas.models.Album] = apps.get_model("sas", "Album")
+    Picture: type[sas.models.Picture] = apps.get_model("sas", "Picture")
+    logger = logging.getLogger("django")
+
+    # Il y a environ 1800 albums, 257k photos et 488k identifications
+    # d'utilisateurs dans la db de prod.
+    # En supposant qu'une insertion prenne 10ms (ce qui est très optimiste),
+    # migrer tous les enregistrements de la db prendrait plus de 2h.
+    # C'est trop long.
+    # Mais d'un autre côté, j'ai pas assez confiance dans les capacités de nos
+    # machines pour charger presque un million d'objets en mémoire.
+    # Pour faire un compromis, les albums sont migrés individuellement un à un,
+    # mais tous les objets liés à ces albums
+    # (photos, groupes de vue, groupe d'édition, identification d'utilisateurs)
+    # sont migrés en tas.
+    #
+    # Ordre des opérations :
+    # 1. On migre les albums 1 à 1 (il y en a 1800, donc c'est relativement court)
+    # 2. On migre les photos par paquet de 2500 (soit ~une centaine d'opérations)
+    # 3. On migre tous les groupes de vue et tous les groupes d'édition des albums
+    #
+    # Au total, la migration devrait demander aux alentours de 2000 insertions,
+    # ce qui est un compromis acceptable entre une migration
+    # pas trop longue et une RAM pas trop surchargée.
+    #
+    # Pour ce qui est de la répartition des tables, quatre nouvelles tables
+    # sont créées : sas_album, sas_picture,
+    # sas_pictureviewgroups et sas_picture_editgroups.
+    # Tous les albums et toutes les photos qui sont dans core_sithfile
+    # vont être copiés dans ces tables.
+    # Comme les albums sont migrés un à un, ils recevront une nouvelle
+    # clef primaire.
+    # Pour les photos, en revanche, c'est beaucoup plus sûr de leur donner
+    # le même id que celui qu'il y avait dans core_sithfile.
+    #
+    # Les identifications des photos ne sont pas migrées pour l'instant.
+    # Ce qu'on va faire, c'est qu'on va changer la contrainte de clef étrangère
+    # sur la colonne des photos pour pointer vers sas_picture
+    # au lieu de core_sithfile.
+    # Cependant, pour que ça marche,
+    # il faut qu'au moment où ce changement est effectué,
+    # toutes les clefs primaires référencées existent à la fois dans
+    # les deux tables, sinon les contraintes d'intégrité ne sont pas respectées.
+    # La migration de ce fichier va donc s'occuper de créer les nouvelles tables
+    # et d'y copier les données nécessaires.
+    # Puis une deuxième migration s'occupera de changer les contraintes.
+    # Et enfin une troisième migration supprimera les anciennes données.
+    #
+    # Pavé César
+
+    albums = SithFile.objects.filter(is_in_sas=True, is_folder=True).prefetch_related(
+        "view_groups", "edit_groups"
+    )
+    old_albums = collections.deque(
+        albums.filter(parent_id=settings.SITH_SAS_ROOT_DIR_ID)
+    )
+
+    # Changement de représentation en DB.
+    # Dans l'ancien système, un fichier était dans le SAS si
+    # un fichier spécial (le SAS_ROOT) était parmi ses ancêtres.
+    # Comme maintenant les fichiers du SAS sont dans des tables à part,
+    # il ne peut plus y avoir de confusion.
+    # Les photos ont donc obligatoirement un parent (qui est un album)
+    # et les albums peuvent avoir un parent null.
+    # Un album sans parent est considéré comme se trouvant à la racine
+    # de l'arborescence.
+    # En quelque sorte, None est le nouveau SITH_SAS_ROOT_DIR_ID
+    album_id_old_to_new = {settings.SITH_SAS_ROOT_DIR_ID: None}
+
+    logger.info(f"migrating {albums.count()} albums")
+    while len(old_albums) > 0:
+        # Comme les albums référencent leur parent, les albums doivent être migrés
+        # par ordre croissant de profondeur dans l'arborescence.
+        # Chaque album est donc pris par la gauche de la file
+        # et ses enfants ajoutés sur la droite.
+        old_album = old_albums.popleft()
+        old_albums.extend(list(albums.filter(parent=old_album)))
+        new_album = Album.objects.create(
+            parent_id=album_id_old_to_new[old_album.parent_id],
+            event_date=old_album.date.date(),
+            name=old_album.name,
+            thumbnail=(old_album.file or None),
+            is_moderated=old_album.is_moderated,
+        )
+        # on garde un dictionnaire qui associe les id des albums dans l'ancienne table
+        # à leur id dans la nouvelle table, pour pouvoir recréer
+        # les liens de parenté entre albums
+        album_id_old_to_new[old_album.id] = new_album.id
+
+    pictures = SithFile.objects.filter(is_in_sas=True, is_folder=False)
+    nb_pictures = pictures.count()
+    logger.info(f"migrating {nb_pictures} pictures")
+    for i, pictures_batch in enumerate(itertools.batched(pictures, 2500), start=1):
+        Picture.objects.bulk_create(
+            [
+                Picture(
+                    id=p.id,
+                    name=p.name,
+                    parent_id=album_id_old_to_new[p.parent_id],
+                    thumbnail=p.thumbnail,
+                    compressed=p.compressed,
+                    original=p.file,
+                    owner_id=p.owner_id,
+                    created_at=p.date,
+                    is_moderated=p.is_moderated,
+                    asked_for_removal=p.asked_for_removal,
+                    moderator_id=p.moderator_id,
+                )
+                for p in pictures_batch
+            ]
+        )
+        logger.info(f"Migrated {min(i * 2500, nb_pictures)} / {nb_pictures} pictures")
+
+    logger.info("Migrating album groups")
+    albums = SithFile.objects.filter(is_in_sas=True, is_folder=True).exclude(
+        id=settings.SITH_SAS_ROOT_DIR_ID
+    )
+    Album.edit_groups.through.objects.bulk_create(
+        [
+            Album.view_groups.through(
+                album=album_id_old_to_new[g.sithfile_id], group_id=g.group_id
+            )
+            for g in SithFile.view_groups.through.objects.filter(sithfile__in=albums)
+        ]
+    )
+    Album.edit_groups.through.objects.bulk_create(
+        [
+            Album.view_groups.through(
+                album=album_id_old_to_new[g.sithfile_id], group_id=g.group_id
+            )
+            for g in SithFile.view_groups.through.objects.filter(sithfile__in=albums)
+        ]
+    )
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("core", "0044_alter_userban_options"),
+        ("sas", "0005_alter_sasfile_options"),
+    ]
+
+    operations = [
+        # les relations et les demandes de modération étaient liées à SithFile,
+        # via le model proxy Picture.
+        # Pour que la migration marche malgré la disparition du modèle Proxy,
+        # on change la relation pour qu'elle pointe directement vers SithFile
+        migrations.AlterField(
+            model_name="peoplepicturerelation",
+            name="picture",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="people",
+                to="core.sithfile",
+                verbose_name="picture",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="picturemoderationrequest",
+            name="picture",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="moderation_requests",
+                to="core.sithfile",
+                verbose_name="Picture",
+            ),
+        ),
+        migrations.DeleteModel(name="Album"),
+        migrations.DeleteModel(name="Picture"),
+        migrations.DeleteModel(name="SasFile"),
+        migrations.CreateModel(
+            name="Album",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "thumbnail",
+                    models.FileField(
+                        max_length=256,
+                        upload_to=sas.models.get_thumbnail_directory,
+                        verbose_name="thumbnail",
+                    ),
+                ),
+                ("name", models.CharField(max_length=100, verbose_name="name")),
+                (
+                    "event_date",
+                    models.DateField(
+                        default=django.utils.timezone.localdate,
+                        help_text="The date on which the photos in this album were taken",
+                        verbose_name="event date",
+                    ),
+                ),
+                (
+                    "is_moderated",
+                    models.BooleanField(default=False, verbose_name="is moderated"),
+                ),
+                (
+                    "edit_groups",
+                    models.ManyToManyField(
+                        related_name="editable_albums",
+                        to="core.group",
+                        verbose_name="edit groups",
+                    ),
+                ),
+                (
+                    "parent",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="children",
+                        to="sas.album",
+                        verbose_name="parent",
+                    ),
+                ),
+                (
+                    "view_groups",
+                    models.ManyToManyField(
+                        related_name="viewable_albums",
+                        to="core.group",
+                        verbose_name="view groups",
+                    ),
+                ),
+            ],
+            options={"verbose_name": "album"},
+        ),
+        migrations.CreateModel(
+            name="Picture",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "thumbnail",
+                    models.FileField(
+                        unique=True,
+                        upload_to=sas.models.get_thumbnail_directory,
+                        verbose_name="thumbnail",
+                        max_length=256,
+                    ),
+                ),
+                ("name", models.CharField(max_length=256, verbose_name="file name")),
+                (
+                    "original",
+                    models.FileField(
+                        unique=True,
+                        upload_to=sas.models.get_directory,
+                        verbose_name="original image",
+                        max_length=256,
+                    ),
+                ),
+                (
+                    "compressed",
+                    models.FileField(
+                        unique=True,
+                        upload_to=sas.models.get_compressed_directory,
+                        verbose_name="compressed image",
+                        max_length=256,
+                    ),
+                ),
+                ("created_at", models.DateTimeField(default=django.utils.timezone.now)),
+                (
+                    "is_moderated",
+                    models.BooleanField(default=False, verbose_name="is moderated"),
+                ),
+                (
+                    "asked_for_removal",
+                    models.BooleanField(
+                        default=False, verbose_name="asked for removal"
+                    ),
+                ),
+                (
+                    "moderator",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="moderated_pictures",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    "owner",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.PROTECT,
+                        related_name="owned_pictures",
+                        to=settings.AUTH_USER_MODEL,
+                        verbose_name="owner",
+                    ),
+                ),
+                (
+                    "parent",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="pictures",
+                        to="sas.album",
+                        verbose_name="album",
+                    ),
+                ),
+            ],
+            options={"abstract": False, "verbose_name": "picture"},
+        ),
+        migrations.AddConstraint(
+            model_name="picture",
+            constraint=models.UniqueConstraint(
+                fields=("name", "parent"), name="sas_picture_unique_per_album"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="album",
+            constraint=models.UniqueConstraint(
+                fields=("name", "parent"), name="unique_album_name_if_same_parent"
+            ),
+        ),
+        migrations.RunPython(
+            copy_albums_and_pictures,
+            reverse_code=migrations.RunPython.noop,
+            elidable=True,
+        ),
+    ]

sas/migrations/0007_alter_peoplepicturerelation_picture_and_more.py

@@ -0,0 +1,31 @@
+# Generated by Django 4.2.17 on 2025-01-25 23:50
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("sas", "0006_move_the_whole_sas")]
+
+    operations = [
+        migrations.AlterField(
+            model_name="peoplepicturerelation",
+            name="picture",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="people",
+                to="sas.picture",
+                verbose_name="picture",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="picturemoderationrequest",
+            name="picture",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="moderation_requests",
+                to="sas.picture",
+                verbose_name="Picture",
+            ),
+        ),
+    ]

sas/models.py

@@ -18,29 +18,57 @@ from __future__ import annotations
 import contextlib
 from io import BytesIO
 from pathlib import Path
-from typing import ClassVar, Self
+from typing import TYPE_CHECKING, ClassVar, Self
 
 from django.conf import settings
 from django.core.cache import cache
+from django.core.exceptions import ValidationError
+from django.core.files.base import ContentFile
 from django.db import models
 from django.db.models import Exists, OuterRef, Q
+from django.db.models.deletion import Collector
 from django.urls import reverse
+from django.utils import timezone
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from PIL import Image
 
-from core.models import Notification, SithFile, User
+from core.models import Group, Notification, User
 from core.utils import exif_auto_rotate, resize_image
 
+if TYPE_CHECKING:
+    from django.db.models.fields.files import FieldFile
 
-class SasFile(SithFile):
-    """Proxy model for any file in the SAS.
 
-    May be used to have logic that should be shared by both
+def get_directory(instance: SasFile, filename: str):
+    return f"./{instance.parent_path}/{filename}"
+
+
+def get_compressed_directory(instance: SasFile, filename: str):
+    return f"./.compressed/{instance.parent_path}/{filename}"
+
+
+def get_thumbnail_directory(instance: SasFile, filename: str):
+    if isinstance(instance, Album):
+        _, extension = filename.rsplit(".", 1)
+        filename = f"{instance.name}/thumb.{extension}"
+    return f"./.thumbnails/{instance.parent_path}/{filename}"
+
+
+class SasFile(models.Model):
+    """Abstract model for SAS files
+
+    This model is used to have logic that should be shared by both
     [Picture][sas.models.Picture] and [Album][sas.models.Album].
+
+    Notes:
+        This is an abstract model.
+        [Album][sas.models.Album] and [Picture][sas.models.Picture]
+        are separated tables in the database.
     """
 
     class Meta:
-        proxy = True
+        abstract = True
         permissions = [
             ("moderate_sasfile", "Can moderate SAS files"),
             ("view_unmoderated_sasfile", "Can view not moderated SAS files"),
@@ -65,6 +93,169 @@ class SasFile(SithFile):
     def can_be_edited_by(self, user):
         return user.has_perm("sas.change_sasfile")
 
+    @cached_property
+    def parent_path(self) -> str:
+        """The parent location in the SAS album tree (e.g. `SAS/foo/bar`)."""
+        return "/".join(["SAS", *[p.name for p in self.parent_list]])
+
+    @cached_property
+    def parent_list(self) -> list[Album]:
+        """The ancestors of this SAS object.
+
+        The result is ordered from the direct parent to the farthest one.
+        """
+        parents = []
+        current = self.parent
+        while current is not None:
+            parents.append(current)
+            current = current.parent
+        return parents
+
+
+class AlbumQuerySet(models.QuerySet):
+    def viewable_by(self, user: User) -> Self:
+        """Filter the albums that this user can view.
+
+        Warning:
+            Calling this queryset method may add several additional requests.
+        """
+        if user.is_root or user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+            return self.all()
+        if user.was_subscribed:
+            return self.filter(is_moderated=True)
+        # known bug : if all children of an album are also albums
+        # then this album is excluded, even if one of the sub-albums should be visible.
+        # The fs-like navigation is likely to be half-broken for non-subscribers,
+        # but that's ok, since non-subscribers are expected to see only the albums
+        # containing pictures on which they have been identified (hence, very few).
+        # Most, if not all, of their albums will be displayed on the
+        # `latest albums` section of the SAS.
+        # Moreover, they will still see all of their picture in their profile.
+        return self.filter(
+            Exists(Picture.objects.filter(parent_id=OuterRef("pk")).viewable_by(user))
+        )
+
+
+class Album(SasFile):
+    NAME_MAX_LENGTH: ClassVar[int] = 50
+
+    name = models.CharField(_("name"), max_length=100)
+    parent = models.ForeignKey(
+        "self",
+        related_name="children",
+        verbose_name=_("parent"),
+        null=True,
+        blank=True,
+        on_delete=models.CASCADE,
+    )
+    thumbnail = models.FileField(
+        upload_to=get_thumbnail_directory,
+        verbose_name=_("thumbnail"),
+        max_length=256,
+        blank=True,
+    )
+    view_groups = models.ManyToManyField(
+        Group, related_name="viewable_albums", verbose_name=_("view groups"), blank=True
+    )
+    edit_groups = models.ManyToManyField(
+        Group, related_name="editable_albums", verbose_name=_("edit groups"), blank=True
+    )
+    event_date = models.DateField(
+        _("event date"),
+        help_text=_("The date on which the photos in this album were taken"),
+        default=timezone.localdate,
+        blank=True,
+    )
+    is_moderated = models.BooleanField(_("is moderated"), default=False)
+
+    objects = AlbumQuerySet.as_manager()
+
+    class Meta:
+        verbose_name = _("album")
+        constraints = [
+            models.UniqueConstraint(
+                fields=["name", "parent"],
+                name="unique_album_name_if_same_parent",
+                # TODO : add `nulls_distinct=True` after upgrading to django>=5.0
+            )
+        ]
+
+    def __str__(self):
+        return f"Album {self.name}"
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        for user in User.objects.filter(
+            groups__id__in=[settings.SITH_GROUP_SAS_ADMIN_ID]
+        ):
+            Notification(
+                user=user,
+                url=reverse("sas:moderation"),
+                type="SAS_MODERATION",
+                param="1",
+            ).save()
+
+    def get_absolute_url(self):
+        return reverse("sas:album", kwargs={"album_id": self.id})
+
+    def clean(self):
+        super().clean()
+        if "/" in self.name:
+            raise ValidationError(_("Character '/' not authorized in name"))
+        if self.parent_id is not None and (
+            self.id == self.parent_id or self in self.parent_list
+        ):
+            raise ValidationError(_("Loop in album tree"), code="loop")
+        if self.thumbnail:
+            try:
+                Image.open(BytesIO(self.thumbnail.read()))
+            except Image.UnidentifiedImageError as e:
+                raise ValidationError(_("This is not a valid album thumbnail")) from e
+
+    def delete(self, *args, **kwargs):
+        """Delete the album, all of its children and all linked disk files"""
+        collector = Collector(using="default")
+        collector.collect([self])
+        albums: set[Album] = collector.data[Album]
+        pictures: set[Picture] = collector.data[Picture]
+        files: list[FieldFile] = [
+            *[a.thumbnail for a in albums],
+            *[p.thumbnail for p in pictures],
+            *[p.compressed for p in pictures],
+            *[p.original for p in pictures],
+        ]
+        # `bool(f)` checks that the file actually exists on the disk
+        files = [f for f in files if bool(f)]
+        folders = {Path(f.path).parent for f in files}
+        res = super().delete(*args, **kwargs)
+        # once the model instances have been deleted,
+        # delete the actual files.
+        for file in files:
+            # save=False ensures that django doesn't recreate the db record,
+            # which would make the whole deletion pointless
+            # cf. https://docs.djangoproject.com/en/stable/ref/models/fields/#django.db.models.fields.files.FieldFile.delete
+            file.delete(save=False)
+        for folder in folders:
+            # now that the files are deleted, remove the empty folders
+            if folder.is_dir() and next(folder.iterdir(), None) is None:
+                folder.rmdir()
+        return res
+
+    def get_download_url(self):
+        return reverse("sas:album_preview", kwargs={"album_id": self.id})
+
+    def generate_thumbnail(self):
+        p = (
+            self.pictures.exclude(thumbnail="").order_by("?").first()
+            or self.children.exclude(thumbnail="").order_by("?").first()
+        )
+        if p:
+            # The file is loaded into memory to duplicate it.
+            # It may not be the most efficient way, but thumbnails are
+            # usually quite small, so it's still ok
+            self.thumbnail = ContentFile(p.thumbnail.read(), name="thumb.webp")
+            self.save()
+
 
 class PictureQuerySet(models.QuerySet):
     def viewable_by(self, user: User) -> Self:
@@ -80,23 +271,65 @@ class PictureQuerySet(models.QuerySet):
         return self.filter(people__user_id=user.id, is_moderated=True)
 
 
-class SASPictureManager(models.Manager):
-    def get_queryset(self):
-        return super().get_queryset().filter(is_in_sas=True, is_folder=False)
-
-
 class Picture(SasFile):
+    name = models.CharField(_("file name"), max_length=256)
+    parent = models.ForeignKey(
+        Album,
+        related_name="pictures",
+        verbose_name=_("album"),
+        on_delete=models.CASCADE,
+    )
+    thumbnail = models.FileField(
+        upload_to=get_thumbnail_directory,
+        verbose_name=_("thumbnail"),
+        max_length=256,
+        unique=True,
+    )
+    original = models.FileField(
+        upload_to=get_directory,
+        verbose_name=_("original image"),
+        max_length=256,
+        unique=True,
+    )
+    compressed = models.FileField(
+        upload_to=get_compressed_directory,
+        verbose_name=_("compressed image"),
+        max_length=256,
+        unique=True,
+    )
+    created_at = models.DateTimeField(default=timezone.now)
+    owner = models.ForeignKey(
+        User,
+        related_name="owned_pictures",
+        verbose_name=_("owner"),
+        on_delete=models.PROTECT,
+    )
+
+    is_moderated = models.BooleanField(_("is moderated"), default=False)
+    asked_for_removal = models.BooleanField(_("asked for removal"), default=False)
+    moderator = models.ForeignKey(
+        User,
+        related_name="moderated_pictures",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+    )
+
+    objects = PictureQuerySet.as_manager()
+
     class Meta:
-        proxy = True
+        verbose_name = _("picture")
+        constraints = [
+            models.UniqueConstraint(
+                fields=["name", "parent"], name="sas_picture_unique_per_album"
+            )
+        ]
 
-    objects = SASPictureManager.from_queryset(PictureQuerySet)()
+    def __str__(self):
+        return self.name
 
-    @property
+    def get_absolute_url(self):
-    def is_vertical(self):
+        return reverse("sas:picture", kwargs={"picture_id": self.id})
-        with open(settings.MEDIA_ROOT / self.file.name, "rb") as f:
-            im = Image.open(BytesIO(f.read()))
-            (w, h) = im.size
-            return (w / h) < 1
 
     def get_download_url(self):
         return reverse("sas:download", kwargs={"picture_id": self.id})
@@ -107,41 +340,34 @@ class Picture(SasFile):
     def get_download_thumb_url(self):
         return reverse("sas:download_thumb", kwargs={"picture_id": self.id})
 
-    def get_absolute_url(self):
+    @property
-        return reverse("sas:picture", kwargs={"picture_id": self.id})
+    def is_vertical(self):
+        # original, compressed and thumbnail image have all three the same ratio,
+        # so the smallest one is used to tell if the image is vertical
+        im = Image.open(BytesIO(self.thumbnail.read()))
+        (w, h) = im.size
+        return w < h
 
-    def generate_thumbnails(self, *, overwrite=False):
+    def generate_thumbnails(self):
-        im = Image.open(BytesIO(self.file.read()))
+        im = Image.open(self.original)
         with contextlib.suppress(Exception):
             im = exif_auto_rotate(im)
         # convert the compressed image and the thumbnail into webp
-        # The original image keeps its original type, because it's not
-        # meant to be shown on the website, but rather to keep the real image
-        # for less frequent cases (like downloading the pictures of an user)
-        extension = self.mime_type.split("/")[-1]
         # the HD version of the image doesn't need to be optimized, because :
         # - it isn't frequently queried
-        # - optimizing large images takes a lot time, which greatly hinders the UX
+        # - optimizing large images takes a lot of time, which greatly hinders the UX
         # - photographers usually already optimize their images
-        file = resize_image(im, max(im.size), extension, optimize=False)
         thumb = resize_image(im, 200, "webp")
         compressed = resize_image(im, 1200, "webp")
-        if overwrite:
+        new_extension_name = str(Path(self.original.name).with_suffix(".webp"))
-            self.file.delete()
-            self.thumbnail.delete()
-            self.compressed.delete()
-        new_extension_name = str(Path(self.name).with_suffix(".webp"))
-        self.file = file
-        self.file.name = self.name
         self.thumbnail = thumb
         self.thumbnail.name = new_extension_name
         self.compressed = compressed
         self.compressed.name = new_extension_name
 
     def rotate(self, degree):
-        for attr in ["file", "compressed", "thumbnail"]:
+        for field in self.original, self.compressed, self.thumbnail:
-            name = self.__getattribute__(attr).name
+            with open(field.file, "r+b") as file:
-            with open(settings.MEDIA_ROOT / name, "r+b") as file:
                 if file:
                     im = Image.open(BytesIO(file.read()))
                     file.seek(0)
@@ -154,110 +380,6 @@ class Picture(SasFile):
                         progressive=True,
                     )
 
-    def get_next(self):
-        if self.is_moderated:
-            pictures_qs = self.parent.children.filter(
-                is_moderated=True,
-                asked_for_removal=False,
-                is_folder=False,
-                id__gt=self.id,
-            )
-        else:
-            pictures_qs = Picture.objects.filter(id__gt=self.id, is_moderated=False)
-        return pictures_qs.order_by("id").first()
-
-    def get_previous(self):
-        if self.is_moderated:
-            pictures_qs = self.parent.children.filter(
-                is_moderated=True,
-                asked_for_removal=False,
-                is_folder=False,
-                id__lt=self.id,
-            )
-        else:
-            pictures_qs = Picture.objects.filter(id__lt=self.id, is_moderated=False)
-        return pictures_qs.order_by("-id").first()
-
-
-class AlbumQuerySet(models.QuerySet):
-    def viewable_by(self, user: User) -> Self:
-        """Filter the albums that this user can view.
-
-        Warning:
-            Calling this queryset method may add several additional requests.
-        """
-        if user.has_perm("sas.moderate_sasfile"):
-            return self.all()
-        if user.was_subscribed:
-            return self.filter(Q(is_moderated=True) | Q(owner=user))
-        # known bug : if all children of an album are also albums
-        # then this album is excluded, even if one of the sub-albums should be visible.
-        # The fs-like navigation is likely to be half-broken for non-subscribers,
-        # but that's ok, since non-subscribers are expected to see only the albums
-        # containing pictures on which they have been identified (hence, very few).
-        # Most, if not all, of their albums will be displayed on the
-        # `latest albums` section of the SAS.
-        # Moreover, they will still see all of their picture in their profile.
-        return self.filter(
-            Exists(Picture.objects.filter(parent_id=OuterRef("pk")).viewable_by(user))
-        )
-
-
-class SASAlbumManager(models.Manager):
-    def get_queryset(self):
-        return super().get_queryset().filter(is_in_sas=True, is_folder=True)
-
-
-class Album(SasFile):
-    NAME_MAX_LENGTH: ClassVar[int] = 50
-    """Maximum length of an album's name.
-    
-    [SithFile][core.models.SithFile] have a maximum length
-    of 256 characters.
-    However, this limit is too high for albums.
-    Names longer than 50 characters are harder to read
-    and harder to display on the SAS page.
-    
-    It is to be noted, though, that this does not
-    add or modify any db behaviour.
-    It's just a constant to be used in views and forms.
-    """
-
-    class Meta:
-        proxy = True
-
-    objects = SASAlbumManager.from_queryset(AlbumQuerySet)()
-
-    @property
-    def children_pictures(self):
-        return Picture.objects.filter(parent=self)
-
-    @property
-    def children_albums(self):
-        return Album.objects.filter(parent=self)
-
-    def get_absolute_url(self):
-        if self.id == settings.SITH_SAS_ROOT_DIR_ID:
-            return reverse("sas:main")
-        return reverse("sas:album", kwargs={"album_id": self.id})
-
-    def get_download_url(self):
-        return reverse("sas:album_preview", kwargs={"album_id": self.id})
-
-    def generate_thumbnail(self):
-        p = (
-            self.children_pictures.order_by("?").first()
-            or self.children_albums.exclude(file=None)
-            .exclude(file="")
-            .order_by("?")
-            .first()
-        )
-        if p and p.file:
-            image = resize_image(Image.open(BytesIO(p.file.read())), 200, "webp")
-            self.file = image
-            self.file.name = f"{self.name}/thumb.webp"
-            self.save()
-
 
 def sas_notification_callback(notif: Notification):
     count = Picture.objects.filter(is_moderated=False).count()

sas/schemas.py

@@ -26,19 +26,10 @@ class SimpleAlbumSchema(ModelSchema):
 class AlbumSchema(ModelSchema):
     class Meta:
         model = Album
-        fields = ["id", "name", "is_moderated"]
+        fields = ["id", "name", "is_moderated", "thumbnail"]
 
-    thumbnail: str | None
     sas_url: str
 
-    @staticmethod
-    def resolve_thumbnail(obj: Album) -> str | None:
-        # Album thumbnails aren't stored in `Album.thumbnail` but in `Album.file`
-        # Don't ask me why.
-        if not obj.file:
-            return None
-        return obj.get_download_url()
-
     @staticmethod
     def resolve_sas_url(obj: Album) -> str:
         return obj.get_absolute_url()
@@ -55,7 +46,12 @@ class AlbumAutocompleteSchema(ModelSchema):
 
     @staticmethod
     def resolve_path(obj: Album) -> str:
-        return str(Path(obj.get_parent_path()) / obj.name)
+        return str(Path(obj.parent_path) / obj.name)
+
+
+class MoveAlbumSchema(Schema):
+    id: int
+    new_parent_id: int
 
 
 class PictureFilterSchema(FilterSchema):
@@ -70,7 +66,7 @@ class PictureFilterSchema(FilterSchema):
 class PictureSchema(ModelSchema):
     class Meta:
         model = Picture
-        fields = ["id", "name", "date", "size", "is_moderated", "asked_for_removal"]
+        fields = ["id", "name", "created_at", "is_moderated", "asked_for_removal"]
 
     owner: UserProfileSchema
     sas_url: str

sas/static/bundled/sas/album-index.ts

@@ -128,3 +128,108 @@ document.addEventListener("alpine:init", () => {
     },
   }));
 });
+
+// Todo: migrate to alpine.js if we have some time
+// $("form#upload_form").submit(function (event) {
+//   const formData = new FormData($(this)[0]);
+//
+//   if (!formData.get("album_name") && !formData.get("images").name) return false;
+//
+//   if (!formData.get("images").name) {
+//     return true;
+//   }
+//
+//   event.preventDefault();
+//
+//   let errorList = this.querySelector("#upload_form ul.errorlist.nonfield");
+//   if (errorList === null) {
+//     errorList = document.createElement("ul");
+//     errorList.classList.add("errorlist", "nonfield");
+//     this.insertBefore(errorList, this.firstElementChild);
+//   }
+//
+//   while (errorList.childElementCount > 0)
+//     errorList.removeChild(errorList.firstElementChild);
+//
+//   let progress = this.querySelector("progress");
+//   if (progress === null) {
+//     progress = document.createElement("progress");
+//     progress.value = 0;
+//     const p = document.createElement("p");
+//     p.appendChild(progress);
+//     this.insertBefore(p, this.lastElementChild);
+//   }
+//
+//   let dataHolder;
+//
+//   if (formData.get("album_name")) {
+//     dataHolder = new FormData();
+//     dataHolder.set("csrfmiddlewaretoken", "{{ csrf_token }}");
+//     dataHolder.set("album_name", formData.get("album_name"));
+//     $.ajax({
+//       method: "POST",
+//       url: "{{ url('sas:album_upload', album_id=object.id) }}",
+//       data: dataHolder,
+//       processData: false,
+//       contentType: false,
+//       success: onSuccess,
+//     });
+//   }
+//
+//   const images = formData.getAll("images");
+//   const imagesCount = images.length;
+//   let completeCount = 0;
+//
+//   const poolSize = 1;
+//   const imagePool = [];
+//
+//   while (images.length > 0 && imagePool.length < poolSize) {
+//     const image = images.shift();
+//     imagePool.push(image);
+//     sendImage(image);
+//   }
+//
+//   function sendImage(image) {
+//     dataHolder = new FormData();
+//     dataHolder.set("csrfmiddlewaretoken", "{{ csrf_token }}");
+//     dataHolder.set("images", image);
+//
+//     $.ajax({
+//       method: "POST",
+//       url: "{{ url('sas:album_upload', album_id=object.id) }}",
+//       data: dataHolder,
+//       processData: false,
+//       contentType: false,
+//     })
+//       .fail(onSuccess.bind(undefined, image))
+//       .done(onSuccess.bind(undefined, image))
+//       .always(next.bind(undefined, image));
+//   }
+//
+//   function next(image, _, __) {
+//     const index = imagePool.indexOf(image);
+//     const nextImage = images.shift();
+//
+//     if (index !== -1) {
+//       imagePool.splice(index, 1);
+//     }
+//
+//     if (nextImage) {
+//       imagePool.push(nextImage);
+//       sendImage(nextImage);
+//     }
+//   }
+//
+//   function onSuccess(image, data, _, __) {
+//     let errors = [];
+//
+//     if ($(data.responseText).find(".errorlist.nonfield")[0])
+//       errors = Array.from($(data.responseText).find(".errorlist.nonfield")[0].children);
+//
+//     while (errors.length > 0) errorList.appendChild(errors.shift());
+//
+//     progress.value = ++completeCount / imagesCount;
+//     if (progress.value === 1 && errorList.children.length === 0)
+//       document.location.reload();
+//   }
+// });

sas/static/bundled/sas/pictures-download-index.ts

@@ -31,10 +31,10 @@ document.addEventListener("alpine:init", () => {
 
       await Promise.all(
         this.downloadPictures.map((p: PictureSchema) => {
-          const imgName = `${p.album.name}/IMG_${p.id}_${p.date.replace(/[:-]/g, "_")}${p.name.slice(p.name.lastIndexOf("."))}`;
+          const imgName = `${p.album.name}/IMG_${p.id}_${p.created_at.replace(/[:-]/g, "_")}${p.name.slice(p.name.lastIndexOf("."))}`;
           return zipWriter.add(imgName, new HttpReader(p.full_size_url), {
             level: 9,
-            lastModDate: new Date(p.date),
+            lastModDate: new Date(p.created_at),
             onstart: incrementProgressBar,
           });
         }),

sas/static/bundled/sas/viewer-index.ts

@@ -142,7 +142,8 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
         // biome-ignore lint/style/useNamingConvention: api is in snake_case
         full_size_url: "",
         owner: "",
-        date: new Date(),
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+        created_at: new Date(),
         identifications: [] as IdentifiedUserSchema[],
       },
       /**

sas/templates/sas/album.jinja

@@ -20,7 +20,7 @@
 
 {% block content %}
   <code>
-    <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album.parent) }} {{ album.get_display_name() }}
+    <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album.parent) }} {{ album.name }}
   </code>
 
   {% set is_sas_admin = user.can_edit(album) %}
@@ -30,7 +30,7 @@
     <form action="" method="post" enctype="multipart/form-data">
       {% csrf_token %}
       <div class="album-navbar">
-        <h3>{{ album.get_display_name() }}</h3>
+        <h3>{{ album.name }}</h3>
 
         <div class="toolbar">
           <a href="{{ url('sas:album_edit', album_id=album.id) }}">{% trans %}Edit{% endtrans %}</a>
@@ -40,17 +40,17 @@
         </div>
       </div>
 
-      {% if clipboard %}
+{#      {% if clipboard %}#}
-        <div class="clipboard">
+{#        <div class="clipboard">#}
-          {% trans %}Clipboard: {% endtrans %}
+{#          {% trans %}Clipboard: {% endtrans %}#}
-          <ul>
+{#          <ul>#}
-            {% for f in clipboard %}
+{#            {% for f in clipboard["albums"] %}#}
-              <li>{{ f.get_full_path() }}</li>
+{#              <li>{{ f.get_full_path() }}</li>#}
-            {% endfor %}
+{#            {% endfor %}#}
-          </ul>
+{#          </ul>#}
-          <input name="clear" type="submit" value="{% trans %}Clear clipboard{% endtrans %}">
+{#          <input name="clear" type="submit" value="{% trans %}Clear clipboard{% endtrans %}">#}
-        </div>
+{#        </div>#}
-      {% endif %}
+{#      {% endif %}#}
   {% endif %}
 
   {% if show_albums %}
@@ -73,8 +73,8 @@
                 <div class="text">{% trans %}To be moderated{% endtrans %}</div>
               </template>
             </div>
-            {% if is_sas_admin %}
+            {% if edit_mode %}
-              <input type="checkbox" name="file_list" :value="album.id">
+              <input type="checkbox" name="album_list" :value="album.id">
             {% endif %}
           </a>
         </template>
@@ -100,7 +100,7 @@
             </template>
           </div>
           {% if is_sas_admin %}
-            <input type="checkbox" name="file_list" :value="picture.id">
+            <input type="checkbox" name="picture_list" :value="picture.id">
           {% endif %}
         </a>
       </template>
@@ -120,9 +120,9 @@
       {% csrf_token %}
       <div class="inputs">
         <p>
-          <label for="{{ upload_form.images.id_for_label }}">{{ upload_form.images.label }} :</label>
+          <label for="{{ form.images.id_for_label }}">{{ form.images.label }} :</label>
-          {{ upload_form.images|add_attr("x-ref=pictures") }}
+          {{ form.images|add_attr("x-ref=pictures") }}
-          <span class="helptext">{{ upload_form.images.help_text }}</span>
+          <span class="helptext">{{ form.images.help_text }}</span>
         </p>
         <input type="submit" value="{% trans %}Upload{% endtrans %}" />
         <progress x-ref="progress" x-show="sending"></progress>

sas/templates/sas/macros.jinja

@@ -1,19 +1,13 @@
 {% macro display_album(a, edit_mode) %}
   <a href="{{ url('sas:album', album_id=a.id) }}">
-    {% if a.file %}
+    {% if a.thumbnail %}
       {% set img = a.get_download_url() %}
       {% set src = a.name %}
-    {% elif a.children.filter(is_folder=False, is_moderated=True).exists() %}
-      {% set picture = a.children.filter(is_folder=False).first().as_picture %}
-      {% set img = picture.get_download_thumb_url()  %}
-      {% set src = picture.name %}
     {% else %}
       {% set img = static('core/img/sas.jpg') %}
       {% set src = "sas.jpg" %}
     {% endif %}
-    <div
+    <div class="album{% if not a.is_moderated %} not_moderated{% endif %}">
-      class="album{% if not a.is_moderated %} not_moderated{% endif %}"
-    >
       <img src="{{ img }}" alt="{{ src }}" loading="lazy" />
       {% if not a.is_moderated %}
         <div class="overlay">&nbsp;</div>
@@ -31,7 +25,7 @@
 {% macro print_path(file) %}
   {% if file and file.parent %}
     {{ print_path(file.parent) }}
-    <a href="{{ url('sas:album', album_id=file.id) }}">{{ file.get_display_name() }}</a> /
+    <a href="{{ url("sas:album", album_id=file.id) }}">{{ file.name }}</a> /
   {% endif %}
 {% endmacro %}
 

sas/templates/sas/picture.jinja

@@ -1,9 +1,9 @@
 {% extends "core/base.jinja" %}
 
 {%- block additional_css -%}
-  <link defer rel="stylesheet" href="{{ static('bundled/core/components/ajax-select-index.css') }}">
+  <link rel="stylesheet" href="{{ static('bundled/core/components/ajax-select-index.css') }}">
-  <link defer rel="stylesheet" href="{{ static('core/components/ajax-select.scss') }}">
+  <link rel="stylesheet" href="{{ static('core/components/ajax-select.scss') }}">
-  <link defer rel="stylesheet" href="{{ static('sas/css/picture.scss') }}">
+  <link rel="stylesheet" href="{{ static('sas/css/picture.scss') }}">
 {%- endblock -%}
 
 {%- block additional_js -%}
@@ -104,7 +104,7 @@
                 <span
                   x-text="Intl.DateTimeFormat(
                           '{{ LANGUAGE_CODE }}', {dateStyle: 'long'}
-                          ).format(new Date(currentPicture.date))"
+                          ).format(new Date(currentPicture.created_at))"
                 >
                 </span>
               </div>

sas/tests/test_api.py

@@ -27,8 +27,8 @@ class TestSas(TestCase):
         cls.user_b, cls.user_c = subscriber_user.make(_quantity=2)
 
         picture = picture_recipe.extend(owner=owner)
-        cls.album_a = baker.make(Album, is_in_sas=True, parent=sas)
+        cls.album_a = baker.make(Album)
-        cls.album_b = baker.make(Album, is_in_sas=True, parent=sas)
+        cls.album_b = baker.make(Album)
         relation_recipe = Recipe(PeoplePictureRelation)
         relations = []
         for album in cls.album_a, cls.album_b:
@@ -61,7 +61,7 @@ class TestPictureSearch(TestSas):
         self.client.force_login(self.user_b)
         res = self.client.get(self.url + f"?album_id={self.album_a.id}")
         assert res.status_code == 200
-        expected = list(self.album_a.children_pictures.values_list("id", flat=True))
+        expected = list(self.album_a.pictures.values_list("id", flat=True))
         assert [i["id"] for i in res.json()["results"]] == expected
 
     def test_filter_by_user(self):
@@ -70,7 +70,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_a.pictures.order_by(
-                "-picture__parent__date", "picture__date"
+                "-picture__parent__event_date", "picture__created_at"
             ).values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
@@ -84,7 +84,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_a.pictures.union(self.user_b.pictures.all())
-            .order_by("-picture__parent__date", "picture__date")
+            .order_by("-picture__parent__event_date", "picture__created_at")
             .values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
@@ -97,7 +97,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_a.pictures.order_by(
-                "-picture__parent__date", "picture__date"
+                "-picture__parent__event_date", "picture__created_at"
             ).values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected
@@ -123,7 +123,7 @@ class TestPictureSearch(TestSas):
         assert res.status_code == 200
         expected = list(
             self.user_b.pictures.intersection(self.user_a.pictures.all())
-            .order_by("-picture__parent__date", "picture__date")
+            .order_by("-picture__parent__event_date", "picture__created_at")
             .values_list("picture_id", flat=True)
         )
         assert [i["id"] for i in res.json()["results"]] == expected

sas/tests/test_model.py

@@ -4,8 +4,8 @@ from model_bakery import baker
 
 from core.baker_recipes import old_subscriber_user, subscriber_user
 from core.models import User
-from sas.baker_recipes import picture_recipe
+from sas.baker_recipes import album_recipe, picture_recipe
-from sas.models import PeoplePictureRelation, Picture
+from sas.models import Album, PeoplePictureRelation, Picture
 
 
 class TestPictureQuerySet(TestCase):
@@ -67,3 +67,22 @@ def test_identifications_viewable_by_user():
     assert list(picture.people.viewable_by(identifications[1].user)) == [
         identifications[1]
     ]
+
+
+class TestDeleteAlbum(TestCase):
+    def setUp(cls):
+        cls.album: Album = album_recipe.make()
+        cls.album_pictures = picture_recipe.make(parent=cls.album, _quantity=5)
+        cls.sub_album = album_recipe.make(parent=cls.album)
+        cls.sub_album_pictures = picture_recipe.make(parent=cls.sub_album, _quantity=5)
+
+    def test_delete(self):
+        album_ids = [self.album.id, self.sub_album.id]
+        picture_ids = [
+            *[p.id for p in self.album_pictures],
+            *[p.id for p in self.sub_album_pictures],
+        ]
+        self.album.delete()
+        # assert not p.exists()
+        assert not Album.objects.filter(id__in=album_ids).exists()
+        assert not Picture.objects.filter(id__in=picture_ids).exists()

sas/tests/test_views.py

@@ -136,9 +136,7 @@ class TestAlbumUpload:
 class TestSasModeration(TestCase):
     @classmethod
     def setUpTestData(cls):
-        album = baker.make(
+        album = baker.make(Album)
-            Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, is_moderated=True
-        )
         cls.pictures = picture_recipe.make(
             parent=album, _quantity=10, _bulk_create=True
         )

sas/views.py

@@ -12,6 +12,7 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from pathlib import Path
 from typing import Any
 
 from django.conf import settings
@@ -22,12 +23,12 @@ from django.shortcuts import get_object_or_404
 from django.urls import reverse
 from django.utils.safestring import SafeString
 from django.views.generic import CreateView, DetailView, TemplateView
-from django.views.generic.edit import FormView, UpdateView
+from django.views.generic.edit import FormMixin, FormView, UpdateView
 
 from core.auth.mixins import CanEditMixin, CanViewMixin
 from core.models import SithFile, User
-from core.views import UseFragmentsMixin
+from core.views import FileView, UseFragmentsMixin
-from core.views.files import FileView, send_file
+from core.views.files import send_raw_file
 from core.views.mixins import FragmentMixin, FragmentRenderer
 from core.views.user import UserTabsMixin
 from sas.forms import (
@@ -63,6 +64,7 @@ class AlbumCreateFragment(FragmentMixin, CreateView):
 
 
 class SASMainView(UseFragmentsMixin, TemplateView):
+    form_class = AlbumCreateForm
     template_name = "sas/main.jinja"
 
     def get_fragments(self) -> dict[str, FragmentRenderer]:
@@ -79,12 +81,26 @@ class SASMainView(UseFragmentsMixin, TemplateView):
         root_user = User.objects.get(pk=settings.SITH_ROOT_USER_ID)
         return {"album_create_fragment": {"owner": root_user}}
 
+    def dispatch(self, request, *args, **kwargs):
+        if request.method == "POST" and not self.request.user.has_perm("sas.add_album"):
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
+    def get_form(self, form_class=None):
+        if not self.request.user.has_perm("sas.add_album"):
+            return None
+        return super().get_form(form_class)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {
+            "owner": User.objects.get(pk=settings.SITH_ROOT_USER_ID),
+            "parent": None,
+        }
+
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         albums_qs = Album.objects.viewable_by(self.request.user)
-        kwargs["categories"] = list(
+        kwargs["categories"] = list(albums_qs.filter(parent=None).order_by("id"))
-            albums_qs.filter(parent_id=settings.SITH_SAS_ROOT_DIR_ID).order_by("id")
-        )
         kwargs["latest"] = list(albums_qs.order_by("-id")[:5])
         return kwargs
 
@@ -94,6 +110,9 @@ class PictureView(CanViewMixin, DetailView):
     pk_url_kwarg = "picture_id"
     template_name = "sas/picture.jinja"
 
+    def get_queryset(self):
+        return super().get_queryset().select_related("parent")
+
     def get(self, request, *args, **kwargs):
         self.object = self.get_object()
         if "rotate_right" in request.GET:
@@ -103,31 +122,42 @@ class PictureView(CanViewMixin, DetailView):
         return super().get(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):
-        return super().get_context_data(**kwargs) | {
+        return super().get_context_data(**kwargs) | {"album": self.object.parent}
-            "album": Album.objects.get(children=self.object)
-        }
 
 
 def send_album(request, album_id):
-    return send_file(request, album_id, Album)
+    album = get_object_or_404(Album, id=album_id)
+    if not album.can_be_viewed_by(request.user):
+        raise PermissionDenied
+    return send_raw_file(Path(album.thumbnail.path))
 
 
 def send_pict(request, picture_id):
-    return send_file(request, picture_id, Picture)
+    picture = get_object_or_404(Picture, id=picture_id)
+    if not picture.can_be_viewed_by(request.user):
+        raise PermissionDenied
+    return send_raw_file(Path(picture.original.path))
 
 
 def send_compressed(request, picture_id):
-    return send_file(request, picture_id, Picture, "compressed")
+    picture = get_object_or_404(Picture, id=picture_id)
+    if not picture.can_be_viewed_by(request.user):
+        raise PermissionDenied
+    return send_raw_file(Path(picture.compressed.path))
 
 
 def send_thumb(request, picture_id):
-    return send_file(request, picture_id, Picture, "thumbnail")
+    picture = get_object_or_404(Picture, id=picture_id)
+    if not picture.can_be_viewed_by(request.user):
+        raise PermissionDenied
+    return send_raw_file(Path(picture.thumbnail.path))
 
 
-class AlbumView(CanViewMixin, UseFragmentsMixin, DetailView):
+class AlbumView(CanViewMixin, UseFragmentsMixin, FormMixin, DetailView):
     model = Album
     pk_url_kwarg = "album_id"
     template_name = "sas/album.jinja"
+    form_class = PictureUploadForm
 
     def get_fragments(self) -> dict[str, FragmentRenderer]:
         return {
@@ -142,27 +172,32 @@ class AlbumView(CanViewMixin, UseFragmentsMixin, DetailView):
         except ValueError as e:
             raise Http404 from e
         if "clipboard" not in request.session:
-            request.session["clipboard"] = []
+            request.session["clipboard"] = {"albums": [], "pictures": []}
         return super().dispatch(request, *args, **kwargs)
 
+    def get_form(self, *args, **kwargs):
+        if not self.request.user.can_edit(self.object):
+            return None
+        return super().get_form(*args, **kwargs)
+
     def post(self, request, *args, **kwargs):
         self.object = self.get_object()
-        if not self.object.file:
+        form = self.get_form()
-            self.object.generate_thumbnail()
+        if not form:
-        if request.user.can_edit(self.object):  # Handle the copy-paste functions
+            # the form is reserved for users that can edit this album.
-            FileView.handle_clipboard(request, self.object)
+            # If there is no form, it means the user has no right to do a POST
-        return HttpResponseRedirect(self.request.path)
+            raise PermissionDenied
+        FileView.handle_clipboard(self.request, self.object)
+        if not form.is_valid():
+            return self.form_invalid(form)
+        return self.form_valid(form)
 
     def get_fragment_data(self) -> dict[str, dict[str, Any]]:
         return {"album_create_fragment": {"owner": self.request.user}}
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
-        if ids := self.request.session.get("clipboard", None):
+        kwargs["clipboard"] = {}
-            kwargs["clipboard"] = SithFile.objects.filter(id__in=ids)
-        kwargs["upload_form"] = PictureUploadForm()
-        # if True, the albums will be fetched with a request to the API
-        # if False, the section won't be displayed at all
         kwargs["show_albums"] = (
             Album.objects.viewable_by(self.request.user)
             .filter(parent_id=self.object.id)
@@ -215,7 +250,7 @@ class ModerationView(TemplateView):
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         kwargs["albums_to_moderate"] = Album.objects.filter(
-            is_moderated=False, is_in_sas=True, is_folder=True
+            is_moderated=False
         ).order_by("id")
         pictures = Picture.objects.filter(is_moderated=False).select_related("parent")
         kwargs["pictures"] = pictures

staticfiles/processors.py

@@ -182,13 +182,12 @@ class OpenApi:
                 path[action]["operationId"] = "_".join(
                     desc["operationId"].split("_")[:-1]
                 )
+
         schema = str(schema)
 
         if old_hash == sha1(schema.encode("utf-8")).hexdigest():
             logging.getLogger("django").info("✨ Api did not change, nothing to do ✨")
             return
 
-        with open(out, "w") as f:
+        out.write_text(schema)
-            _ = f.write(schema)
-
         return subprocess.Popen(["npm", "run", "openapi"])