Security fix for image rotations. Add proper permissions, tests and use a form to avoid cross domain forgery attacks

Sas style improvement

core/management/commands/populate.py

@@ -16,7 +16,7 @@
 # details.
 #
 # You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
+# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
@@ -110,7 +110,9 @@ class Command(BaseCommand):
         p.save(force_lock=True)
 
         club_root = SithFile.objects.create(name="clubs", owner=root)
-        sas = SithFile.objects.create(name="SAS", owner=root)
+        sas = SithFile.objects.create(
+            name="SAS", owner=root, id=settings.SITH_SAS_ROOT_DIR_ID
+        )
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )

core/models.py

@@ -131,7 +131,9 @@ class UserQuerySet(models.QuerySet):
         if user.has_perm("core.view_hidden_user"):
             return self
         if user.has_perm("core.view_user"):
-            return self.filter(Q(is_viewable=True) | Q(whitelisted_users=user))
+            return self.filter(
+                Q(is_viewable=True) | Q(whitelisted_users=user) | Q(pk=user.pk)
+            )
         if user.is_anonymous:
             return self.none()
         return self.filter(id=user.id)
@@ -884,8 +886,10 @@ class SithFile(models.Model):
         return self.get_parent_path() + "/" + self.name
 
     def save(self, *args, **kwargs):
-        sas = SithFile.objects.filter(id=settings.SITH_SAS_ROOT_DIR_ID).first()
-        self.is_in_sas = sas in self.get_parent_list() or self == sas
+        sas_id = settings.SITH_SAS_ROOT_DIR_ID
+        self.is_in_sas = self.id == sas_id or any(
+            p.id == sas_id for p in self.get_parent_list()
+        )
         adding = self._state.adding
         super().save(*args, **kwargs)
         if adding:

core/templates/core/base/notifications.jinja

@@ -1,13 +1,13 @@
 <div id="quick-notifications"
-     x-data="{
+     x-data='{
              messages: [
              {%- for message in messages -%}
                {%- if not message.extra_tags -%}
-                 { tag: '{{ message.tags }}', text: '{{ message }}' },
+                 { tag: {{ message.tags|string|tojson }}, text: {{ message|string|tojson }} },
                {%- endif -%}
              {%- endfor -%}
              ]
-             }"
+             }'
      @quick-notification-add="(e) => messages.push(e?.detail)"
      @quick-notification-delete="messages = []">
   <template x-for="(message, index) in messages">

core/tests/test_files.py

@@ -344,3 +344,14 @@ def test_quick_upload_image(
     assert (
         parsed["name"] == Path(file.name).stem[: QuickUploadImage.IMAGE_NAME_SIZE - 1]
     )
+
+
+@pytest.mark.django_db
+def test_populated_sas_is_in_sas():
+    """Test that, in the data generated by the populate command,
+    the SAS has value is_in_sas=True.
+
+    If it's not the case, it has no incidence in prod, but it's annoying
+    in dev and may cause misunderstandings.
+    """
+    assert SithFile.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID).is_in_sas

core/tests/test_user.py

@@ -410,12 +410,20 @@ class TestUserQuerySetViewableBy:
         assert set(viewable) == set(users)
 
     @pytest.mark.parametrize(
-        "user_factory", [old_subscriber_user.make, subscriber_user.make]
+        "user_factory",
+        [
+            old_subscriber_user.make,
+            lambda: old_subscriber_user.make(is_viewable=False),
+            subscriber_user.make,
+            lambda: subscriber_user.make(is_viewable=False),
+        ],
     )
-    def test_subscriber(self, users: list[User], user_factory):
+    def test_can_search(self, users: list[User], user_factory):
         user = user_factory()
-        viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
-        assert set(viewable) == {users[0], users[1]}
+        viewable = User.objects.filter(
+            id__in=[u.id for u in [*users, user]]
+        ).viewable_by(user)
+        assert set(viewable) == {user, users[0], users[1]}
 
     def test_whitelist(self, users: list[User]):
         user = subscriber_user.make()

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-23 22:21+0100\n"
+"POT-Creation-Date: 2026-04-25 01:00+0200\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -181,6 +181,22 @@ msgstr "Vous devez être cotisant pour faire partie d'un club"
 msgid "You are already a member of this club"
 msgstr "Vous êtes déjà membre de ce club."
 
+#: club/forms.py
+msgid "Club status"
+msgstr "État du club"
+
+#: club/forms.py
+msgid "Active"
+msgstr "Actif"
+
+#: club/forms.py
+msgid "Inactive"
+msgstr "Inactif"
+
+#: club/forms.py
+msgid "All clubs"
+msgstr "Tous les clubs"
+
 #: club/models.py
 msgid "slug name"
 msgstr "nom slug"
@@ -301,37 +317,22 @@ msgstr "Cet email est déjà abonné à cette mailing"
 msgid "Unregistered user"
 msgstr "Utilisateur non enregistré"
 
-#: club/templates/club/club_list.jinja
-msgid "Club list"
-msgstr "Liste des clubs"
-
 #: club/templates/club/club_list.jinja
 msgid "The list of all clubs existing at UTBM."
 msgstr "La liste de tous les clubs existants à l'UTBM"
 
+#: club/templates/club/club_list.jinja
+msgid "Club list"
+msgstr "Liste des clubs"
+
 #: club/templates/club/club_list.jinja
 msgid "Filters"
 msgstr "Filtres"
 
-#: club/templates/club/club_list.jinja
-msgid "Name"
-msgstr "Nom"
-
-#: club/templates/club/club_list.jinja
-msgid "Club state"
-msgstr "Etat du club"
-
-#: club/templates/club/club_list.jinja
-msgid "Active"
-msgstr "Actif"
-
-#: club/templates/club/club_list.jinja
-msgid "Inactive"
-msgstr "Inactif"
-
-#: club/templates/club/club_list.jinja
-msgid "All clubs"
-msgstr "Tous les clubs"
+#: club/templates/club/club_list.jinja core/templates/core/base/header.jinja
+#: forum/templates/forum/macros.jinja matmat/templates/matmat/search_form.jinja
+msgid "Search"
+msgstr "Recherche"
 
 #: club/templates/club/club_list.jinja core/templates/core/user_tools.jinja
 msgid "New club"
@@ -1863,11 +1864,6 @@ msgstr "Connexion"
 msgid "Register"
 msgstr "Inscription"
 
-#: core/templates/core/base/header.jinja forum/templates/forum/macros.jinja
-#: matmat/templates/matmat/search_form.jinja
-msgid "Search"
-msgstr "Recherche"
-
 #: core/templates/core/base/header.jinja
 msgid "Logout"
 msgstr "Déconnexion"
@@ -4212,6 +4208,47 @@ msgstr ""
 msgid "this page"
 msgstr "cette page"
 
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Eurockéennes 2025 partnership"
+msgstr "Partenariat Eurockéennes 2025"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid ""
+"Our partner uses Weezevent to sell tickets. Weezevent may collect user info "
+"according to its own privacy policy. By clicking the accept button you "
+"consent to their terms of services."
+msgstr ""
+"Notre partenaire utilises Wezevent pour vendre ses billets. Weezevent peut "
+"collecter des informations utilisateur conformément à sa propre politique de "
+"confidentialité. En cliquant sur le bouton d'acceptation vous consentez à "
+"leurs termes de service."
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Privacy policy"
+msgstr "Politique de confidentialité"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+#: trombi/templates/trombi/comment_moderation.jinja
+msgid "Accept"
+msgstr "Accepter"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid ""
+"You must be subscribed to benefit from the partnership with the Eurockéennes."
+msgstr ""
+"Vous devez être cotisant pour bénéficier du partenariat avec les "
+"Eurockéennes."
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+#, python-format
+msgid ""
+"This partnership offers a discount of up to 33%% on tickets for Friday, "
+"Saturday and Sunday, as well as the 3-day package from Friday to Sunday."
+msgstr ""
+"Ce partenariat permet de profiter d'une réduction jusqu'à 33%% sur les "
+"billets du vendredi, du samedi et du dimanche, ainsi qu'au forfait 3 jours, "
+"du vendredi au dimanche."
+
 #: eboutic/templates/eboutic/eboutic_main.jinja
 msgid "There are no items available for sale"
 msgstr "Aucun article n'est disponible à la vente"
@@ -4985,6 +5022,14 @@ msgstr "Envoyer les images"
 msgid "You already requested moderation for this picture."
 msgstr "Vous avez déjà déposé une demande de retrait pour cette photo."
 
+#: sas/forms.py
+msgid "Left"
+msgstr ""
+
+#: sas/forms.py
+msgid "Right"
+msgstr "Droite"
+
 #: sas/models.py
 msgid "picture"
 msgstr "photo"
@@ -5106,6 +5151,14 @@ msgstr "Photos de %(user_name)s"
 msgid "Download all my pictures"
 msgstr "Télécharger toutes mes photos"
 
+#: sas/views.py
+msgid ""
+"Newly rotated image might not be immediately displayed due to your web "
+"browser's cache"
+msgstr ""
+"Les images nouvellements pivotées peuvent ne pas s'afficher immédiatement "
+"à cause du cache de votre navigateur internet"
+
 #: sith/settings.py
 msgid "English"
 msgstr "Anglais"
@@ -5638,10 +5691,6 @@ msgstr "fin"
 msgid "Moderate Trombi comments"
 msgstr "Modérer les commentaires du Trombi"
 
-#: trombi/templates/trombi/comment_moderation.jinja
-msgid "Accept"
-msgstr "Accepter"
-
 #: trombi/templates/trombi/comment_moderation.jinja
 msgid "Reject"
 msgstr "Refuser"
@@ -5883,39 +5932,3 @@ msgstr "Vous ne pouvez plus écrire de commentaires, la date est passée."
 #, python-format
 msgid "Maximum characters: %(max_length)s"
 msgstr "Nombre de caractères max: %(max_length)s"
-
-#: eboutic/templates/eboutic/eboutic_main.jinja
-msgid "Eurockéennes 2025 partnership"
-msgstr "Partenariat Eurockéennes 2025"
-
-#: eboutic/templates/eboutic/eboutic_main.jinja
-msgid ""
-"Our partner uses Weezevent to sell tickets. Weezevent may collect user info "
-"according to its own privacy policy. By clicking the accept button you "
-"consent to their terms of services."
-msgstr ""
-"Notre partenaire utilises Wezevent pour vendre ses billets. Weezevent peut "
-"collecter des informations utilisateur conformément à sa propre politique de "
-"confidentialité. En cliquant sur le bouton d'acceptation vous consentez à "
-"leurs termes de service."
-
-#: eboutic/templates/eboutic/eboutic_main.jinja
-msgid "Privacy policy"
-msgstr "Politique de confidentialité"
-
-#: eboutic/templates/eboutic/eboutic_main.jinja
-msgid ""
-"You must be subscribed to benefit from the partnership with the Eurockéennes."
-msgstr ""
-"Vous devez être cotisant pour bénéficier du partenariat avec les "
-"Eurockéennes."
-
-#: eboutic/templates/eboutic/eboutic_main.jinja
-#, python-format
-msgid ""
-"This partnership offers a discount of up to 33%% on tickets for Friday, "
-"Saturday and Sunday, as well as the 3-day package from Friday to Sunday."
-msgstr ""
-"Ce partenariat permet de profiter d'une réduction jusqu'à 33%% sur les "
-"billets du vendredi, du samedi et du dimanche, ainsi qu'au forfait 3 jours, "
-"du vendredi au dimanche."

pyproject.toml

@@ -68,7 +68,7 @@ dev = [
     "pre-commit>=4.5.1,<5.0.0",
     "ruff>=0.15.5,<1.0.0",
     "djhtml>=3.0.10,<4.0.0",
-    "faker>=40.13.0,<41.0.0",
+    "faker>=40.8.0,<41.0.0",
     "rjsmin>=1.2.5,<2.0.0",
 ]
 tests = [

sas/forms.py

@@ -50,13 +50,15 @@ class AlbumEditForm(forms.ModelForm):
         model = Album
         fields = ["name", "date", "file", "parent", "edit_groups"]
         widgets = {
-            "parent": AutoCompleteSelectAlbum,
             "edit_groups": AutoCompleteSelectMultipleGroup,
         }
 
     name = forms.CharField(max_length=Album.NAME_MAX_LENGTH, label=_("file name"))
     date = forms.DateField(label=_("Date"), widget=SelectDate, required=True)
     recursive = forms.BooleanField(label=_("Apply rights recursively"), required=False)
+    parent = forms.ModelChoiceField(
+        Album.objects.all(), required=True, widget=AutoCompleteSelectAlbum
+    )
 
 
 class PictureModerationRequestForm(forms.ModelForm):
@@ -88,3 +90,10 @@ class PictureModerationRequestForm(forms.ModelForm):
         self.instance.author = self.user
         self.instance.picture = self.picture
         return super().save(commit)
+
+
+class PictureRotationForm(forms.Form):
+    picture = forms.ModelChoiceField(Picture.objects.all(), required=True)
+    direction = forms.ChoiceField(
+        choices=[("LEFT", _("Left")), ("RIGHT", _("Right"))], required=True
+    )

sas/models.py

@@ -139,20 +139,20 @@ class Picture(SasFile):
         self.compressed.name = new_extension_name
 
     def rotate(self, degree):
-        for attr in ["file", "compressed", "thumbnail"]:
-            name = self.__getattribute__(attr).name
-            with open(settings.MEDIA_ROOT / name, "r+b") as file:
-                if file:
-                    im = Image.open(BytesIO(file.read()))
-                    file.seek(0)
-                    im = im.rotate(degree, expand=True)
-                    im.save(
-                        fp=file,
-                        format=self.mime_type.split("/")[-1].upper(),
-                        quality=90,
-                        optimize=True,
-                        progressive=True,
-                    )
+        im = Image.open(BytesIO(self.file.read()))
+        self.file.seek(0)
+        with open(self.file.path, "r+b") as f:
+            im = im.rotate(degree, expand=True)
+            im.save(
+                fp=f,
+                format=self.mime_type.split("/")[-1].upper(),
+                quality=90,
+                optimize=True,
+                progressive=True,
+            )
+        self.file.seek(0)
+        self.generate_thumbnails(overwrite=True)
+        self.save()
 
     def get_next(self):
         if self.is_moderated:

sas/static/sas/css/picture.scss

@@ -134,7 +134,7 @@
           --loading-size: 20px
         }
 
-        @media (max-width: 1000px) {
+        @media (min-width: 700px) and (max-width: 1000px) {
           max-width: calc(50% - 5px);
         }
 
@@ -191,7 +191,9 @@
     }
 
     >form {
-      input, .ts-wrapper {
+
+      input,
+      .ts-wrapper {
         min-width: 100%;
         max-width: 100%;
         margin: 5px;
@@ -201,75 +203,83 @@
   }
 }
 
-.general {
+#pict .general {
   display: flex;
   flex-direction: row;
-  gap: 20px;
+  gap: 3em;
+  justify-content: space-evenly;
 
   @media (max-width: 1000px) {
+    gap: 1em;
     flex-direction: column;
   }
 
-  >.infos {
+  .infos,
+  .tools {
+    flex: 1;
     display: flex;
     flex-direction: column;
-    width: 50%;
+    gap: .5em;
 
-    >div>div {
-      display: flex;
-      flex-direction: row;
-      justify-content: space-between;
-
-      >*:first-child {
-        min-width: 150px;
-
-        @media (max-width: 1000px) {
-          min-width: auto;
-        }
-      }
+    @media (min-width: 700px) {
+      max-width: 350px;
     }
   }
 
-  >.tools {
+  .infos>div,
+  .tools>div>div {
     display: flex;
     flex-direction: column;
-    width: 50%;
+    gap: .35em;
+  }
 
-    >div {
-      display: flex;
-      flex-direction: row;
-      justify-content: space-between;
+  .tools>div,
+  >.infos>div>div {
+    display: flex;
+    flex-direction: row;
+    justify-content: space-between;
+  }
 
-      >div {
-        >a.button {
-          box-sizing: border-box;
-          background-color: $primary-neutral-light-color;
-          display: flex;
-          justify-content: center;
-          align-items: center;
-          padding: 10px;
-          color: black;
-          border-radius: 5px;
-          width: 40px;
-          height: 40px;
+  >.tools {
+    flex: 1;
 
-          &:hover {
-            background-color: #aaa;
-          }
+    >div>div {
+
+      >form {
+        margin: 0;
+        padding: 0;
+        display: flex;
+      }
+
+      >a.btn,
+      >form>button {
+        background-color: $primary-neutral-light-color;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        padding: 0;
+        color: black;
+        width: 40px;
+        height: 40px;
+        font-size: 20px;
+
+        &:hover {
+          background-color: #aaa;
         }
+      }
 
-        >a.text.danger {
-          color: red;
+      >a.text.danger {
+        color: red;
 
-          &:hover {
-            color: darkred;
-          }
+        &:hover {
+          color: darkred;
         }
+      }
 
-        &.buttons {
-          display: flex;
-          gap: 5px;
-        }
+      &.buttons {
+        display: flex;
+        flex-direction: row;
+        gap: 5px;
       }
     }
   }

sas/templates/sas/main.jinja

@@ -12,6 +12,17 @@
   {% trans %}See all the photos taken during events organised by the AE.{% endtrans %}
 {%- endblock %}
 
+{% block metatags %}
+  <meta property="og:url" content="{{ request.build_absolute_uri() }}" />
+  <meta property="og:type" content="website" />
+  <meta property="og:title" content="Stock à souvenirs" />
+  <meta
+    property="og:description"
+    content="Retrouvez toutes les photos prises durant les événements organisés par l'AE."
+  />
+  <meta property="og:image" content="{{ request.build_absolute_uri(static("core/img/logo_no_text.png")) }}" />
+{% endblock %}
+
 {% set is_sas_admin = user.is_root or user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID) %}
 
 {% from "sas/macros.jinja" import display_album %}

sas/templates/sas/picture.jinja

@@ -118,15 +118,35 @@
                 <a class="text" :href="currentPicture.full_size_url">
                   {% trans %}HD version{% endtrans %}
                 </a>
-                <br>
-                <a class="text danger" :href="currentPicture.report_url">
+                <a class="text danger " :href="currentPicture.report_url">
                   {% trans %}Ask for removal{% endtrans %}
                 </a>
               </div>
-              <div class="buttons">
-                <a class="button" :href="currentPicture.edit_url"><i class="fa-regular fa-pen-to-square edit-action"></i></a>
-                <a class="button" href="?rotate_left"><i class="fa-solid fa-rotate-left"></i></a>
-                <a class="button" href="?rotate_right"><i class="fa-solid fa-rotate-right"></i></a>
+              <div class="buttons"
+              >
+                <a
+                  class="btn btn-no-text"
+                  :href="currentPicture.edit_url"
+                  x-show="{{ user.has_perm("sas.change_sasfile")|tojson }} || currentPicture.owner.id === {{ user.id }}"
+                >
+                  <i class="fa-regular fa-pen-to-square edit-action"></i>
+                </a>
+                <form method="post" action="{{ url("sas:picture_rotate") }}"
+                      x-show="{{ user.has_perm("sas.change_sasfile")|tojson}}"
+                >
+                  {% csrf_token %}
+                  <input type="hidden" name="picture" :value="currentPicture.id">
+                  <input type="hidden" name="direction" value="LEFT">
+                  <button><i class="fa-solid fa-rotate-left"></i></button>
+                </form>
+                <form method="post" action="{{ url("sas:picture_rotate") }}"
+                      x-show="{{ user.has_perm("sas.change_sasfile")|tojson}}"
+                >
+                  {% csrf_token %}
+                  <input type="hidden" name="picture" :value="currentPicture.id">
+                  <input type="hidden" name="direction" value="RIGHT">
+                  <button><i class="fa-solid fa-rotate-right"></i></button>
+                </form>
               </div>
             </div>
           </div>

sas/tests/test_views.py

@@ -12,20 +12,25 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from io import BytesIO
 from typing import Callable
 
 import pytest
 from bs4 import BeautifulSoup
 from django.conf import settings
 from django.core.cache import cache
+from django.core.files.base import ContentFile
 from django.test import Client, TestCase
 from django.urls import reverse
+from django.utils.timezone import localdate
 from model_bakery import baker
+from PIL import Image
 from pytest_django.asserts import assertHTMLEqual, assertInHTML, assertRedirects
 
 from core.baker_recipes import old_subscriber_user, subscriber_user
 from core.models import Group, User
 from sas.baker_recipes import picture_recipe
+from sas.forms import AlbumEditForm
 from sas.models import Album, Picture
 
 # Create your tests here.
@@ -64,6 +69,25 @@ def test_main_page_no_form_for_regular_users(client: Client):
     assert len(forms) == 0
 
 
+@pytest.mark.django_db
+def test_main_page_displayed_albums(client: Client):
+    """Test that the right data is displayed on the SAS main page"""
+    sas = Album.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID)
+    Album.objects.exclude(id=sas.id).delete()
+    album_a = baker.make(Album, parent=sas, is_moderated=True)
+    album_b = baker.make(Album, parent=album_a, is_moderated=True)
+    album_c = baker.make(Album, parent=sas, is_moderated=True)
+    baker.make(Album, parent=sas, is_moderated=False)
+    client.force_login(subscriber_user.make())
+    res = client.get(reverse("sas:main"))
+    # album_b is not a direct child of the SAS, so it shouldn't be displayed
+    # in the categories, but it should appear in the latest albums.
+    # album_d isn't moderated, so it shouldn't appear at all for a simple user.
+    # Also, the SAS itself shouldn't be listed in the albums.
+    assert res.context_data["latest"] == [album_c, album_b, album_a]
+    assert res.context_data["categories"] == [album_a, album_c]
+
+
 @pytest.mark.django_db
 def test_main_page_content_anonymous(client: Client):
     """Test that public users see only an incentive to login"""
@@ -89,6 +113,15 @@ def test_album_access_non_subscriber(client: Client):
     assert res.status_code == 200
 
 
+@pytest.mark.django_db
+def test_accessing_sas_from_album_view_is_404(client: Client):
+    """Test that trying to see the SAS with a regular album view isn't allowed."""
+    res = client.get(
+        reverse("sas:album", kwargs={"album_id": settings.SITH_SAS_ROOT_DIR_ID})
+    )
+    assert res.status_code == 404
+
+
 @pytest.mark.django_db
 class TestAlbumUpload:
     @staticmethod
@@ -133,6 +166,227 @@ class TestAlbumUpload:
         assert not album.children.exists()
 
 
+@pytest.mark.django_db
+class TestAlbumEdit:
+    @pytest.fixture
+    def sas_root(self) -> Album:
+        return Album.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID)
+
+    @pytest.fixture
+    def album(self) -> Album:
+        return baker.make(
+            Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, is_moderated=True
+        )
+
+    @pytest.mark.parametrize(
+        "user",
+        [None, lambda: baker.make(User), subscriber_user.make],
+    )
+    def test_permission_denied(
+        self,
+        client: Client,
+        album: Album,
+        user: Callable[[], User] | None,
+    ):
+        if user:
+            client.force_login(user())
+
+        url = reverse("sas:album_edit", kwargs={"album_id": album.pk})
+        response = client.get(url)
+        assert response.status_code == 403
+        response = client.post(url)
+        assert response.status_code == 403
+
+    def test_sas_root_read_only(self, client: Client, sas_root: Album):
+        moderator = baker.make(
+            User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
+        )
+        client.force_login(moderator)
+        url = reverse("sas:album_edit", kwargs={"album_id": sas_root.pk})
+        response = client.get(url)
+        assert response.status_code == 404
+        response = client.post(url)
+        assert response.status_code == 404
+
+    @pytest.mark.parametrize(
+        ("excluded", "is_valid"),
+        [
+            ("name", False),
+            ("date", False),
+            ("file", True),
+            ("parent", False),
+            ("edit_groups", True),
+            ("recursive", True),
+        ],
+    )
+    def test_form_required(self, album: Album, excluded: str, is_valid: bool):  # noqa: FBT001
+        data = {
+            "name": album.name[: Album.NAME_MAX_LENGTH],
+            "parent": baker.make(Album, parent=album.parent, is_moderated=True).pk,
+            "date": localdate().strftime("%Y-%m-%d"),
+            "file": "/random/path",
+            "edit_groups": [settings.SITH_GROUP_SAS_ADMIN_ID],
+            "recursive": False,
+        }
+        del data[excluded]
+        assert AlbumEditForm(data=data).is_valid() == is_valid
+
+    def test_form_album_name(self, album: Album):
+        data = {
+            "name": album.name[: Album.NAME_MAX_LENGTH],
+            "parent": album.pk,
+            "date": localdate().strftime("%Y-%m-%d"),
+        }
+        assert AlbumEditForm(data=data).is_valid()
+
+        data["name"] = album.name[: Album.NAME_MAX_LENGTH + 1]
+        assert not AlbumEditForm(data=data).is_valid()
+
+    def test_update_recursive_parent(self, client: Client, album: Album):
+        client.force_login(baker.make(User, is_superuser=True))
+
+        payload = {
+            "name": album.name[: Album.NAME_MAX_LENGTH],
+            "parent": album.pk,
+            "date": localdate().strftime("%Y-%m-%d"),
+        }
+        response = client.post(
+            reverse("sas:album_edit", kwargs={"album_id": album.pk}), payload
+        )
+        assertInHTML("<li>Boucle dans l'arborescence des dossiers</li>", response.text)
+        assert response.status_code == 200
+
+    @pytest.mark.parametrize(
+        "user",
+        [
+            lambda: baker.make(User, is_superuser=True),
+            lambda: baker.make(
+                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
+            ),
+        ],
+    )
+    @pytest.mark.parametrize(
+        "parent",
+        [
+            lambda: baker.make(
+                Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, is_moderated=True
+            ),
+            lambda: Album.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID),
+        ],
+    )
+    def test_update(
+        self,
+        client: Client,
+        album: Album,
+        sas_root: Album,
+        user: Callable[[], User],
+        parent: Callable[[], Album],
+    ):
+        client.force_login(user())
+        expected_redirect = reverse("sas:album", kwargs={"album_id": album.pk})
+        payload = {
+            "name": album.name[: Album.NAME_MAX_LENGTH],
+            "parent": parent().id,
+            "date": localdate().strftime("%Y-%m-%d"),
+            "recursive": False,
+        }
+        response = client.post(
+            reverse("sas:album_edit", kwargs={"album_id": album.pk}), payload
+        )
+        assertRedirects(response, expected_redirect)
+        album.refresh_from_db()
+        assert album.name == payload["name"]
+        assert album.parent.id == payload["parent"]
+        assert localdate(album.date) == localdate()
+
+
+@pytest.mark.django_db
+class TestPictureRotation:
+    @pytest.fixture
+    def picture(self) -> Picture:
+        # Creating a fake image from scratch is painful
+        # One of the base image in the test set is good enough
+        return Picture.objects.get(name="sli.jpg")
+
+    def load_image(self, file: ContentFile) -> Image.Image:
+        file.seek(0)
+        im = Image.open(BytesIO(file.read()))
+        file.seek(0)
+        return im
+
+    @pytest.mark.parametrize(
+        "user",
+        [
+            None,
+            lambda: baker.make(User),
+            subscriber_user.make,
+            old_subscriber_user.make,
+        ],
+    )
+    def test_permission_denied(
+        self,
+        client: Client,
+        picture: Picture,
+        user: Callable[[], User] | None,
+    ):
+        if user:
+            client.force_login(user())
+
+        payload = {
+            "picture": picture.pk,
+            "direction": "LEFT",
+        }
+        url = reverse("sas:picture_rotate")
+        response = client.post(url, payload)
+        if user:
+            assert response.status_code == 403
+        else:
+            assertRedirects(
+                response,
+                reverse(
+                    "core:login",
+                    query={
+                        "next": url,
+                    },
+                ),
+            )
+
+    @pytest.mark.parametrize(
+        "user",
+        [
+            lambda: baker.make(User, is_superuser=True),
+            lambda: baker.make(
+                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
+            ),
+        ],
+    )
+    def test_rotation(
+        self,
+        client: Client,
+        picture: Picture,
+        user: Callable[[], User],
+    ):
+        client.force_login(user())
+
+        payload = {
+            "picture": picture.pk,
+            "direction": "LEFT",
+        }
+        response = client.post(reverse("sas:picture_rotate"), payload)
+        assertRedirects(
+            response, reverse("sas:picture", kwargs={"picture_id": picture.pk})
+        )
+
+        payload = {
+            "picture": picture.pk,
+            "direction": "RIGHT",
+        }
+        response = client.post(reverse("sas:picture_rotate"), payload)
+        assertRedirects(
+            response, reverse("sas:picture", kwargs={"picture_id": picture.pk})
+        )
+
+
 class TestSasModeration(TestCase):
     @classmethod
     def setUpTestData(cls):

sas/urls.py

@@ -22,6 +22,7 @@ from sas.views import (
     ModerationView,
     PictureAskRemovalView,
     PictureEditView,
+    PictureRotateView,
     PictureView,
     SASMainView,
     UserPicturesView,
@@ -52,6 +53,7 @@ urlpatterns = [
         send_compressed,
         name="download_compressed",
     ),
+    path("picture/rotate", PictureRotateView.as_view(), name="picture_rotate"),
     path("picture/<int:picture_id>/download/thumb/", send_thumb, name="download_thumb"),
     path(
         "user/<int:user_id>/pictures/", UserPicturesView.as_view(), name="user_pictures"

sas/views.py

@@ -15,12 +15,14 @@
 from typing import Any
 
 from django.conf import settings
+from django.contrib import messages
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.db.models import Count, OuterRef, Subquery
 from django.http import Http404, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.safestring import SafeString
+from django.utils.translation import gettext_lazy as _
 from django.views.generic import CreateView, DetailView, TemplateView
 from django.views.generic.edit import FormView, UpdateView
 
@@ -35,6 +37,7 @@ from sas.forms import (
     AlbumEditForm,
     PictureEditForm,
     PictureModerationRequestForm,
+    PictureRotationForm,
     PictureUploadForm,
 )
 from sas.models import Album, PeoplePictureRelation, Picture
@@ -85,7 +88,9 @@ class SASMainView(UseFragmentsMixin, TemplateView):
         kwargs["categories"] = list(
             albums_qs.filter(parent_id=settings.SITH_SAS_ROOT_DIR_ID).order_by("id")
         )
-        kwargs["latest"] = list(albums_qs.order_by("-id")[:5])
+        kwargs["latest"] = list(
+            albums_qs.exclude(id=settings.SITH_SAS_ROOT_DIR_ID).order_by("-id")[:5]
+        )
         return kwargs
 
 
@@ -94,20 +99,39 @@ class PictureView(CanViewMixin, DetailView):
     pk_url_kwarg = "picture_id"
     template_name = "sas/picture.jinja"
 
-    def get(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        if "rotate_right" in request.GET:
-            self.object.rotate(270)
-        if "rotate_left" in request.GET:
-            self.object.rotate(90)
-        return super().get(request, *args, **kwargs)
-
     def get_context_data(self, **kwargs):
         return super().get_context_data(**kwargs) | {
             "album": Album.objects.get(children=self.object)
         }
 
 
+class PictureRotateView(PermissionRequiredMixin, FormView):
+    form_class = PictureRotationForm
+    template_name = "core/edit.jinja"
+    permission_required = "sas.moderate_sasfile"
+
+    def form_valid(self, form: PictureRotationForm):
+        angles = {"RIGHT": 270, "LEFT": 90}
+        cleaned = form.clean()
+        cleaned["picture"].rotate(angles[cleaned["direction"]])
+        self._success_url = reverse(
+            "sas:picture",
+            kwargs={
+                "picture_id": cleaned["picture"].pk,
+            },
+        )
+        messages.warning(
+            self.request,
+            _(
+                "Newly rotated image might not be immediately displayed due to your web browser's cache"
+            ),
+        )
+        return super().form_valid(form)
+
+    def get_success_url(self):
+        return self._success_url
+
+
 def send_album(request, album_id):
     return send_file(request, album_id, Album)
 
@@ -126,6 +150,9 @@ def send_thumb(request, picture_id):
 
 class AlbumView(CanViewMixin, UseFragmentsMixin, DetailView):
     model = Album
+    # exclude the SAS from the album accessible with this view
+    # the SAS can be viewed only with SASMainView
+    queryset = Album.objects.exclude(id=settings.SITH_SAS_ROOT_DIR_ID)
     pk_url_kwarg = "album_id"
     template_name = "sas/album.jinja"
 
@@ -262,6 +289,7 @@ class PictureAskRemovalView(CanViewMixin, DetailView, FormView):
 
 class AlbumEditView(CanEditMixin, UpdateView):
     model = Album
+    queryset = Album.objects.exclude(id=settings.SITH_SAS_ROOT_DIR_ID)
     form_class = AlbumEditForm
     template_name = "core/edit.jinja"
     pk_url_kwarg = "album_id"