Merge pull request #1422 from ae-utbm/fix-login-button

fix: login button background-color

api/permissions.py

@@ -46,7 +46,7 @@ from django.http import HttpRequest
 from ninja_extra import ControllerBase
 from ninja_extra.permissions import BasePermission
 
-from counter.models import Counter
+from counter.utils import is_logged_in_counter
 
 
 class IsInGroup(BasePermission):
@@ -186,12 +186,7 @@ class IsLoggedInCounter(BasePermission):
     """Check that a user is logged in a counter."""
 
     def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
-        if "/counter/" not in request.META.get("HTTP_REFERER", ""):
+        return is_logged_in_counter(request)
-            return False
-        token = request.session.get("counter_token")
-        if not token:
-            return False
-        return Counter.objects.filter(token=token).exists()
 
 
 CanAccessLookup = IsLoggedInCounter | HasPerm("core.access_lookup")

club/migrations/0017_linktype_clublink.py

@@ -25,8 +25,7 @@ class Migration(migrations.Migration):
                     "url_base",
                     models.URLField(
                         help_text=(
-                            "The base url that links with this type "
+                            "The base url that links with this type must respect"
-                            "must respect (e.g. `https://www.instagram.com`)"
                         ),
                         unique=True,
                         verbose_name="url base",

club/models.py

@@ -793,10 +793,7 @@ class LinkType(models.Model):
     url_base = models.URLField(
         "url base",
         unique=True,
-        help_text=_(
+        help_text=_("The base url that links with this type must respect"),
-            "The base url that links with this type must respect (e.g. `%(url)s`)"
-        )
-        % {"url": "https://www.instagram.com"},
     )
     icon = models.CharField(
         _("icon"),

core/management/commands/populate.py

@@ -43,6 +43,7 @@ from core.models import BanGroup, Group, Page, PageRev, SithFile, User
 from core.utils import resize_image
 from counter.models import (
     Counter,
+    CounterSellers,
     Price,
     Product,
     ProductType,
@@ -364,10 +365,10 @@ class Command(BaseCommand):
         Counter.objects.create(name="Carte AE", club=clubs.refound, type="OFFICE")
 
         # Add barman to counter
-        Counter.sellers.through.objects.bulk_create(
+        CounterSellers.objects.bulk_create(
             [
-                Counter.sellers.through(counter_id=1, user=skia),  # MDE
+                CounterSellers(counter_id=1, user=skia, is_regular=True),  # MDE
-                Counter.sellers.through(counter_id=2, user=krophil),  # Foyer
+                CounterSellers(counter_id=2, user=krophil, is_regular=True),  # Foyer
             ]
         )
 

core/static/core/components/card.scss

@@ -29,7 +29,12 @@
   align-items: center;
   gap: 20px;
 
-  &.clickable:hover {
+  &:disabled {
+    background-color: darken($primary-neutral-light-color, 5%);
+    opacity: 65%;
+  }
+
+  &.clickable:not(:disabled):hover {
     background-color: darken($primary-neutral-light-color, 5%);
   }
 

core/static/core/forms.scss

@@ -23,7 +23,7 @@
     border-radius: 5px;
     color: black;
 
-    &:hover {
+    &:not(.link-like):not(:disabled):hover {
       background: hsl(0, 0%, 83%);
     }
   }

core/static/core/header.scss

@@ -123,7 +123,7 @@ $background-color-hovered: #283747;
       justify-content: center;
     }
 
-    >.button {
+    a.button {
       box-sizing: border-box;
       height: 35px;
       background-color: transparent;
@@ -139,7 +139,7 @@ $background-color-hovered: #283747;
       font-size: .9em;
       width: 120px;
 
-      &:hover {
+      &:not(.link-like):not(:disabled):hover {
         background-color: $background-color-hovered;
       }
     }

core/templates/core/base/header.jinja

@@ -22,14 +22,9 @@
         </form>
         <ul class="bars">
           {% cache 100 "counters_activity" %}
-                      {# The sith has no periodic tasks manager
+            {# It would be cleaner to handle the timeout with django-celery-beat,
-                         and using cron jobs would be way too overkill here.
+               but doing it here is simpler and less error-prone #}
-                         Thus the barmen timeout is handled in the only place that
+            {% do Counter.objects.filter(type="BAR").handle_timeout() %}
-                         is loaded on every page : the header bar.
-                         However, let's be clear : this has nothing to do here.
-                         It's' merely a contrived workaround that should
-                         replaced by a proper task manager as soon as possible. #}
-            {% set _ = Counter.objects.filter(type="BAR").handle_timeout() %}
           {% endcache %}
           {% for bar in Counter.objects.annotate_has_barman(user).annotate_is_open().filter(type="BAR") %}
             <li>

core/templates/core/base/notifications.jinja

@@ -10,7 +10,7 @@
   <template x-for="(message, index) in $notifications.getAll()">
     <div class="alert" :class="`alert-${message.tag}`" x-transition>
       <span class="alert-main" x-text="message.text"></span>
-      <span class="clickable" @click="messages = messages.filter((item, i) => i !== index)">
+      <span class="clickable" @click="$store.notifications = $store.notifications.filter((item, i) => i !== index)">
         <i class="fa fa-close"></i>
       </span>
     </div>

counter/forms.py

@@ -9,6 +9,7 @@ from django import forms
 from django.core.exceptions import ValidationError
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
+from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import ClockedSchedule
@@ -17,6 +18,7 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
 from core.models import User, UserQuerySet
+from core.views import LoginForm
 from core.views.forms import (
     FutureDateTimeField,
     NFCTextInput,
@@ -91,30 +93,18 @@ class StudentCardForm(forms.ModelForm):
 
 
 class GetUserForm(forms.Form):
-    """The Form class aims at providing a valid user_id field in its cleaned data, in order to pass it to some view,
+    """Find a user to show its click page."""
-    reverse function, or any other use.
-
-    The Form implements a nice JS widget allowing the user to type a customer account id, or search the database with
-    some nickname, first name, or last name (TODO)
-    """
 
     code = forms.CharField(
         label="Code",
         max_length=StudentCard.UID_SIZE,
         required=False,
-        widget=NFCTextInput,
+        widget=NFCTextInput(attrs={"autofocus": True}),
     )
     id = forms.CharField(
-        label=_("Select user"),
+        label=_("Select user"), widget=AutoCompleteSelectUser, required=False
-        help_text=None,
-        widget=AutoCompleteSelectUser,
-        required=False,
     )
 
-    def as_p(self):
-        self.fields["code"].widget.attrs["autofocus"] = True
-        return super().as_p()
-
     def clean(self):
         cleaned_data = super().clean()
         customer = None
@@ -136,11 +126,40 @@ class GetUserForm(forms.Form):
 
         if customer is None or not customer.can_buy:
             raise forms.ValidationError(_("User not found"))
-        cleaned_data["user_id"] = customer.user.id
+        cleaned_data["user_id"] = customer.user_id
         cleaned_data["user"] = customer.user
         return cleaned_data
 
 
+class CounterLoginForm(LoginForm):
+    """LoginForm to log a barman in a counter.
+
+    To be able to log in a counter, a user must :
+
+    - be part of the sellers of the given counter
+    - not being already logged in any counter
+    """
+
+    def __init__(self, *args, request: HttpRequest, counter: Counter, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.counter = counter
+        self.request = request
+
+    def confirm_login_allowed(self, user: User):
+        super().confirm_login_allowed(user)
+        if not self.counter.sellers.contains(user):
+            raise ValidationError(
+                message=_("You are not a barman of this counter."), code="not_barman"
+            )
+        if user in self.request.barmen:
+            message = (
+                _("You are already logged in this counter.")
+                if user in self.counter.barmen_list
+                else _("You are already logged in another counter.")
+            )
+            raise ValidationError(message=message, code="already_logged_in")
+
+
 class RefillForm(forms.ModelForm):
     allowed_refilling_methods = [
         Refilling.PaymentMethod.CASH,
@@ -409,6 +428,7 @@ class ProductForm(forms.ModelForm):
             "club",
             "limit_age",
             "tray",
+            "clic_limit",
             "archived",
         ]
         help_texts = {

counter/middleware.py

@@ -0,0 +1,64 @@
+from typing import TYPE_CHECKING, Callable
+
+from django.db.models import Exists, OuterRef
+from django.http import HttpRequest, HttpResponse
+from django.utils.functional import SimpleLazyObject, empty
+
+from core.models import User
+from counter.models import Permanency
+
+if TYPE_CHECKING:
+    from django.contrib.sessions.backends.base import SessionBase
+
+
+SESSION_BARMEN_KEY = "barmen_ids"
+
+
+def get_cached_barmen(request: HttpRequest) -> set[User]:
+    if not hasattr(request, "_cached_barmen"):
+        session: SessionBase = request.session
+        barmen_ids = session.get(SESSION_BARMEN_KEY, [])
+        if barmen_ids:
+            request._cached_barmen = set(
+                User.objects.filter(
+                    Exists(Permanency.objects.filter(user=OuterRef("pk"), end=None)),
+                    id__in=barmen_ids,
+                )
+            )
+        else:
+            request._cached_barmen = set()
+
+    return request._cached_barmen
+
+
+class BarmenMiddleware:
+    """Inject barmen logged in the current session.
+
+    In a similar fashion as `request.user`, `request.barmen` contains
+    users that are barmen in the current session, and ONLY them ;
+    if a user is logged as a barman on another session,
+    it will not be in `request.barmen`.
+
+    Notes:
+        In case of ended permanence, users will be automatically
+        removed from `request.barmen`.
+        However, in case of newly started permanence, this middleware
+        cannot add new barmen in the session data, so that operation
+        must be explicitly done in the barman login view.
+    """
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        request.barmen = SimpleLazyObject(lambda: get_cached_barmen(request))
+
+        response = self.get_response(request)
+
+        if request.barmen._wrapped is not empty and {
+            b.id for b in request.barmen
+        } != set(request.session.get(SESSION_BARMEN_KEY, [])):
+            # update the session data only if `session.barmen`
+            # has been accessed and modified.
+            request.session[SESSION_BARMEN_KEY] = [b.id for b in request.barmen]
+        return response

counter/migrations/0040_product_clic_limit.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.2.13 on 2026-05-13 11:31
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("counter", "0039_price")]
+
+    operations = [
+        migrations.RemoveField(model_name="product", name="buying_groups"),
+        migrations.AddField(
+            model_name="product",
+            name="clic_limit",
+            field=models.PositiveSmallIntegerField(
+                blank=True,
+                help_text=(
+                    "If a limit is set, the product won't be purchasable "
+                    "anymore once the latter is reached."
+                ),
+                null=True,
+                verbose_name="clic limit",
+            ),
+        ),
+        migrations.RemoveField(model_name="counter", name="token"),
+    ]

counter/models.py

@@ -22,7 +22,7 @@ import string
 from datetime import date, datetime, timedelta
 from datetime import timezone as tz
 from decimal import Decimal
-from typing import TYPE_CHECKING, Literal, Self
+from typing import Literal, Self
 
 from dict2xml import dict2xml
 from django.conf import settings
@@ -34,6 +34,7 @@ from django.forms import ValidationError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.functional import cached_property
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import PeriodicTask
 from django_countries.fields import CountryField
@@ -47,9 +48,6 @@ from core.utils import get_start_of_semester
 from counter.fields import CurrencyField
 from subscription.models import Subscription
 
-if TYPE_CHECKING:
-    from collections.abc import Sequence
-
 
 def get_eboutic() -> Counter:
     return Counter.objects.filter(type="EBOUTIC").order_by("id").first()
@@ -353,6 +351,40 @@ class ProductType(OrderedModel):
         return user.is_in_group(pk=settings.SITH_GROUP_ACCOUNTING_ADMIN_ID)
 
 
+class ProductQuerySet(models.QuerySet):
+    def under_clic_limit(self) -> Self:
+        """Filter product which clic limit isn't reached yet.
+
+        The clic limit is reached when the amount of sales
+        and of items in a basket for less than 15 minutes
+        is greater or equal than `Product.clic_limit`.
+        """
+        # import here to avoid circular import
+        from eboutic.models import BasketItem
+
+        nb_click_subquery = Subquery(
+            Selling.objects.filter(product_id=OuterRef("id"))
+            .values("product_id")
+            .annotate(res=Sum("quantity", default=0))
+            .values("res")[:1]
+        )
+        nb_basket_items_subquery = Subquery(
+            BasketItem.objects.filter(
+                product_id=OuterRef("id"),
+                basket__date__gt=now()
+                - settings.SITH_EBOUTIC_BASKET_TIMEOUT
+                - settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT,
+            )
+            .values("product_id")
+            .annotate(res=Sum("quantity"))
+            .values("res")[:1]
+        )
+        return self.annotate(
+            clicked=Coalesce(nb_click_subquery, 0),
+            reserved=Coalesce(nb_basket_items_subquery, 0),
+        ).filter(Q(clic_limit=None) | Q(clic_limit__gt=(F("clicked") + F("reserved"))))
+
+
 class Product(models.Model):
     """A product, with all its related information."""
 
@@ -370,8 +402,7 @@ class Product(models.Model):
     )
     code = models.CharField(_("code"), max_length=16, blank=True)
     purchase_price = CurrencyField(
-        _("purchase price"),
+        _("purchase price"), help_text=_("Initial cost of purchasing the product")
-        help_text=_("Initial cost of purchasing the product"),
     )
     icon = ResizedImageField(
         height=70,
@@ -388,13 +419,21 @@ class Product(models.Model):
     tray = models.BooleanField(
         _("tray price"), help_text=_("Buy five, get the sixth free"), default=False
     )
-    buying_groups = models.ManyToManyField(
+    clic_limit = models.PositiveSmallIntegerField(
-        Group, related_name="products", verbose_name=_("buying groups"), blank=True
+        _("clic limit"),
+        help_text=_(
+            "If a limit is set, the product won't be purchasable "
+            "anymore on the eboutic once the latter is reached."
+        ),
+        null=True,
+        blank=True,
     )
     archived = models.BooleanField(_("archived"), default=False)
     created_at = models.DateTimeField(_("created at"), auto_now_add=True)
     updated_at = models.DateTimeField(_("updated at"), auto_now=True)
 
+    objects = ProductQuerySet.as_manager()
+
     class Meta:
         verbose_name = _("product")
 
@@ -580,7 +619,6 @@ class Counter(models.Model):
     view_groups = models.ManyToManyField(
         Group, related_name="viewable_counters", blank=True
     )
-    token = models.CharField(_("token"), max_length=30, null=True, blank=True)
 
     objects = CounterQuerySet.as_manager()
 
@@ -733,10 +771,8 @@ class Counter(models.Model):
         # but they share the same primary key
         return self.type == "BAR" and any(b.pk == customer.pk for b in self.barmen_list)
 
-    def get_prices_for(
+    def get_prices_for(self, customer: Customer) -> PriceQuerySet:
-        self, customer: Customer, *, order_by: Sequence[str] | None = None
+        return (
-    ) -> list[Price]:
-        qs = (
             Price.objects.filter(
                 product__counters=self, product__product_type__isnull=False
             )
@@ -744,9 +780,6 @@ class Counter(models.Model):
             .select_related("product", "product__product_type")
             .prefetch_related("groups")
         )
-        if order_by:
-            qs = qs.order_by(*order_by)
-        return list(qs)
 
 
 class CounterSellers(models.Model):

counter/signals.py

@@ -20,41 +20,34 @@
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
+import random
 
 from django.db.models.signals import pre_delete
 from django.dispatch import receiver
 
 from core.middleware import get_signal_request
 from core.models import OperationLog
-from counter.models import Counter, Refilling, Selling
+from counter.models import Refilling, Selling
 
 
-def write_log(instance, operation_type):
+def write_log(instance: Selling | Refilling, operation_type):
     def get_user():
         request = get_signal_request()
 
         if not request:
             return None
 
-        # Get a random barmen if deletion is from a counter
+        if request.barmen:
-        session = getattr(request, "session", {})
+            return random.choice(list(request.barmen))
-        session_token = session.get("counter_token", None)
-        if session_token:
-            counter = Counter.objects.filter(token=session_token).first()
-            if counter and len(counter.barmen_list) > 0:
-                return counter.get_random_barman()
 
         # Get the current logged user if not from a counter
-        if request.user and not request.user.is_anonymous:
+        if request.user.is_authenticated:
             return request.user
 
-        # Return None by default
         return None
 
     OperationLog(
-        label=str(instance),
+        label=str(instance), operator=get_user(), operation_type=operation_type
-        operator=get_user(),
-        operation_type=operation_type,
     ).save()
 
 

counter/templates/counter/counter_main.jinja

@@ -32,12 +32,11 @@
       </ul>
       <p><strong>{% trans %}Total: {% endtrans %}{{ last_total }} €</strong></p>
     {% endif %}
-    {% if barmen %}
+    {% if can_click %}
       <p>{% trans %}Enter client code:{% endtrans %}</p>
-      <form method="post" action="">
+      <form method="post" action="" id="select-user-form">
         {% csrf_token %}
-        <input type="hidden" name="counter_token" value="{{ counter.token }}" />
+        {{ form }}
-        {{ form.as_p() }}
         <p><input type="submit" value="{% trans %}validate{% endtrans %}" /></p>
       </form>
     {% else %}
@@ -45,17 +44,36 @@
     {% endif %}
   </div>
   {% if counter.type == 'BAR' %}
+    <h3>{% trans %}Barmen:{% endtrans %}</h3>
+
+    {% if barmen_here %}
+      <div class="row gap-2x">
         <div>
-      <h3>{% trans %}Barman: {% endtrans %}</h3>
+          <h4>{% trans %}On this device{% endtrans %}</h4>
+          {% for b in barmen_here %}
+            <p>{{ barman_logout_link(b) }}</p>
+          {% endfor %}
+        </div>
+        <div>
+          <h4>{% trans %}Elsewhere{% endtrans %}</h4>
+          {% if barmen_here|length == barmen|length %}
+            {# all logged barmen are logged in this session #}
+            <p><em>{% trans %}No barman logged elsewhere{% endtrans %}</em></p>
+          {% else %}
+            {% for b in barmen %}
+              {%- if b not in barmen_here -%}
+                <p>{{ barman_logout_link(b) }}</p>
+              {%- endif -%}
+            {% endfor %}
+          {% endif %}
+        </div>
+      </div>
+    {% else %}
       {% for b in barmen %}
         <p>{{ barman_logout_link(b) }}</p>
       {% endfor %}
-      <form method="post" action="{{ url('counter:login', counter_id=counter.id) }}">
+    {% endif %}
-        {% csrf_token %}
+    {{ login_fragment }}
-        {{ login_form.as_p() }}
-        <p><input type="submit" value="{% trans %}login{% endtrans %}" /></p>
-      </form>
-    </div>
   {% endif %}
 {% endblock %}
 
@@ -63,10 +81,10 @@
   {{ super() }}
   <script type="text/javascript">
     window.addEventListener("DOMContentLoaded", () => {
-      // The login form annoyingly takes priority over the code form 
+      {# The login form annoyingly takes priority over the code form
-      // This is due to the loading time of the web component
+         This is due to the loading time of the web component
-      // We can't rely on DOMContentLoaded to know if the component is there so we
+         We can't rely on DOMContentLoaded to know if the component is there so we
-      // periodically run a script until the field is there
+         periodically run a script until the field is there #}
       const autofocus = () => {
         const field = document.querySelector("input[id='id_code']");
         if (field === null){

counter/templates/counter/fragments/login.jinja

@@ -0,0 +1,5 @@
+<form hx-post="{{ action }}" hx-swap="outerHTML">
+  {% csrf_token %}
+  {{ form }}
+  <input type="submit" value="{% trans %}Confirm{% endtrans %}"/>
+</form>

counter/templates/counter/product_form.jinja

@@ -118,6 +118,7 @@
         </div>
       </div>
     </fieldset>
+    <fieldset><div>{{ form.clic_limit.as_field_group() }}</div></fieldset>
     <fieldset><div>{{ form.counters.as_field_group() }}</div></fieldset>
 
     <h3 class="margin-bottom">{% trans %}Prices{% endtrans %}</h3>

counter/tests/test_counter.py

@@ -17,9 +17,11 @@ from datetime import timedelta
 from decimal import Decimal
 
 import pytest
+from bs4 import BeautifulSoup
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
 from django.contrib.auth.models import Permission, make_password
+from django.contrib.messages import DEFAULT_LEVELS, get_messages
 from django.http import HttpResponse
 from django.shortcuts import resolve_url
 from django.test import Client, TestCase
@@ -37,6 +39,7 @@ from core.models import BanGroup, Group, User
 from counter.baker_recipes import price_recipe, product_recipe, sale_recipe
 from counter.models import (
     Counter,
+    CounterSellers,
     Customer,
     Permanency,
     ProductType,
@@ -66,10 +69,14 @@ class TestFullClickBase(TestCase):
         cls.subscriber = subscriber_user.make()
 
         cls.counter = baker.make(Counter, type="BAR")
-        cls.counter.sellers.add(cls.barmen, cls.board_admin)
-
         cls.other_counter = baker.make(Counter, type="BAR")
-        cls.other_counter.sellers.add(cls.barmen)
+        CounterSellers.objects.bulk_create(
+            [
+                CounterSellers(counter=cls.counter, user=cls.barmen),
+                CounterSellers(counter=cls.counter, user=cls.board_admin),
+                CounterSellers(counter=cls.other_counter, user=cls.barmen),
+            ]
+        )
 
         cls.yet_another_counter = baker.make(Counter, type="BAR")
 
@@ -114,7 +121,10 @@ class TestRefilling(TestFullClickBase):
     ) -> HttpResponse:
         used_client = client if client is not None else self.client
         return used_client.post(
-            reverse("counter:refilling_create", kwargs={"customer_id": user.pk}),
+            reverse(
+                "counter:refilling_create",
+                kwargs={"customer_id": user.pk, "counter_id": self.counter.pk},
+            ),
             {"amount": str(amount), "payment_method": Refilling.PaymentMethod.CASH},
             HTTP_REFERER=reverse(
                 "counter:click", kwargs={"counter_id": counter.id, "user_id": user.pk}
@@ -138,7 +148,10 @@ class TestRefilling(TestFullClickBase):
             return self.client.post(
                 reverse(
                     "counter:refilling_create",
-                    kwargs={"customer_id": self.customer.pk},
+                    kwargs={
+                        "customer_id": self.customer.pk,
+                        "counter_id": self.counter.pk,
+                    },
                 ),
                 {"amount": "10", "payment_method": "CASH"},
             )
@@ -442,9 +455,19 @@ class TestCounterClick(TestFullClickBase):
 
     def test_click_not_connected(self):
         force_refill_user(self.customer, 10)
+
+        # trying to click on a bar without being logged should result
+        # in a redirect to the counter page with an error message
         res = self.submit_basket(self.customer, [BasketItem(self.snack.id, 2)])
         assertRedirects(res, self.counter.get_absolute_url())
+        messages = list(get_messages(res.wsgi_request))
+        assert len(messages) == 1
+        assert messages[0].level == DEFAULT_LEVELS["ERROR"]
+        assert (
+            messages[0].message == "Vous ne pouvez pas cliquer des gens sur ce comptoir"
+        )
 
+        # trying to click on an office counter without permission should 403
         res = self.submit_basket(
             self.customer, [BasketItem(self.snack.id, 2)], counter=self.club_counter
         )
@@ -596,7 +619,7 @@ class TestCounterClick(TestFullClickBase):
             product=iter(_product_recipe.make(archived=False, _quantity=2)),
             groups=[group],
         )
-        customer_prices = counter.get_prices_for(customer)
+        customer_prices = list(counter.get_prices_for(customer))
         assert unarchived_prices == customer_prices
 
 
@@ -718,59 +741,97 @@ class TestCounterStats(TestCase):
 class TestBarmanConnection(TestCase):
     @classmethod
     def setUpTestData(cls):
-        cls.krophil = User.objects.get(username="krophil")
+        cls.barman = subscriber_user.make()
-        cls.skia = User.objects.get(username="skia")
+        cls.barman.set_password("plop")
-        cls.skia.customer.account = 800
+        cls.barman.save()
-        cls.krophil.customer.save()
+        cls.counter = baker.make(Counter, type="BAR", sellers=[cls.barman])
-        cls.skia.customer.save()
+        cls.login_url = reverse("counter:login", kwargs={"counter_id": cls.counter.id})
-
+        cls.detail_url = reverse(
-        cls.counter = Counter.objects.get(id=2)
+            "counter:details", kwargs={"counter_id": cls.counter.id}
+        )
 
     def test_barman_granted(self):
+        response = self.client.post(
+            self.login_url, {"username": self.barman.username, "password": "plop"}
+        )
+        assert response.status_code == 200
+        assert response.headers["HX-Redirect"] == self.detail_url
+        last_perm = Permanency.objects.last()
+        assert last_perm.counter == self.counter
+        assert last_perm.user == self.barman
+        assert last_perm.end is None
+        assert self.barman in response.wsgi_request.barmen
+        response = self.client.get(
+            self.detail_url, {"username": self.barman.username, "password": "plop"}
+        )
+        assert response.context_data.get("barmen") == [self.barman]
+        soup = BeautifulSoup(response.text, "lxml")
+        assert soup.find("form", id="select-user-form") is not None
+
+    def assert_counter_login_fails(self, user: User):
+        initial_perms = set(self.counter.permanencies.filter(user=user, end=None))
+        response = self.client.post(
+            self.login_url, {"username": user.username, "password": "plop"}
+        )
+        assert "HX-Redirect" not in response.headers
+        assert (
+            set(self.counter.permanencies.filter(user=user, end=None)) == initial_perms
+        )
+        if initial_perms:
+            # the user was already logged in, and we already tested
+            # that it didn't re-login, so we can skip the next assertions.
+            return
+
+        self.counter.refresh_from_db()
+        assert response.wsgi_request.barmen.isdisjoint(set(self.counter.barmen_list))
+
+        response = self.client.get(self.detail_url)
+        assert response.context_data.get("barmen") == []
+        soup = BeautifulSoup(response.text, "lxml")
+        assert soup.find("form", id="select-user-form") is None
+
+    def test_barman_not_seller(self):
+        """Test when the barman is not a seller of the counter"""
+        not_barman = subscriber_user.make()
+        not_barman.set_password("plop")
+        not_barman.save()
+        self.assert_counter_login_fails(not_barman)
+
+    def test_barman_already_logged(self):
+        """Test when the barman is already logged in the current counter."""
         self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
+            self.login_url, {"username": self.barman.username, "password": "plop"}
-            {"username": "krophil", "password": "plop"},
         )
-        response = self.client.get(reverse("counter:details", args=[self.counter.id]))
+        self.assert_counter_login_fails(self.barman)
 
-        assert "<p>Entrez un code client : </p>" in str(response.content)
+    def test_barman_already_logged_elsewhere(self):
-
+        """Test when the barman is already logged in another counter."""
-    def test_counters_list_barmen(self):
+        other_counter = baker.make(Counter, type="BAR")
+        CounterSellers.objects.create(counter=other_counter, user=self.barman)
         self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
+            reverse("counter:login", kwargs={"counter_id": other_counter.id}),
-            {"username": "krophil", "password": "plop"},
+            {"username": self.barman.username, "password": "plop"},
         )
-        response = self.client.get(reverse("counter:activity", args=[self.counter.id]))
+        self.assert_counter_login_fails(self.barman)
 
-        assert '<li><a href="/user/10/">Kro Phil&#39;</a></li>' in str(response.content)
+    def test_login_on_non_bar_counter(self):
-
+        counter = baker.make(Counter, type="OFFICE")
-    def test_barman_denied(self):
+        CounterSellers.objects.create(counter=counter, user=self.barman)
-        self.client.post(
+        url = reverse("counter:login", kwargs={"counter_id": counter.id})
-            reverse("counter:login", args=[self.counter.id]),
+        response = self.client.get(url)
-            {"username": "skia", "password": "plop"},
+        assert response.status_code == 403
+        response = self.client.post(
+            url, {"username": self.barman.username, "password": "plop"}
         )
-        response_get = self.client.get(
+        assert response.status_code == 403
-            reverse("counter:details", args=[self.counter.id])
-        )
-
-        assert "<p>Merci de vous identifier</p>" in str(response_get.content)
-
-    def test_counters_list_no_barmen(self):
-        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
-        )
-        response = self.client.get(reverse("counter:activity", args=[self.counter.id]))
-
-        assert '<li><a href="/user/1/">S&#39; Kia</a></li>' not in str(response.content)
 
 
 @pytest.mark.django_db
-def test_barman_timeout():
+def test_barman_timeout(client: Client):
     """Test that barmen timeout is well managed."""
     bar = baker.make(Counter, type="BAR")
     user = baker.make(User)
-    bar.sellers.add(user)
+    CounterSellers.objects.create(counter=bar, user=user)
     baker.make(Permanency, counter=bar, user=user, start=now())
 
     qs = Counter.objects.annotate_is_open().filter(pk=bar.pk)
@@ -786,6 +847,8 @@ def test_barman_timeout():
         bar = qs[0]
         assert not bar.is_open
         assert bar.barmen_list == []
+    res = client.get("")
+    assert res.wsgi_request.barmen == set()
 
 
 class TestClubCounterClickAccess(TestCase):
@@ -835,14 +898,14 @@ class TestClubCounterClickAccess(TestCase):
 
     def test_barman(self):
         """Sellers should be able to click on office counters"""
-        self.counter.sellers.add(self.user)
+        CounterSellers.objects.create(counter=self.counter, user=self.user)
         self.client.force_login(self.user)
         res = self.client.get(self.click_url)
         assert res.status_code == 200
 
     def test_both_barman_and_board_member(self):
         """If the user is barman and board member, he should be authorized as well."""
-        self.counter.sellers.add(self.user)
+        CounterSellers.objects.create(counter=self.counter, user=self.user)
         baker.make(
             Membership, club=self.counter.club, user=self.user, role=self.board_role
         )
@@ -868,14 +931,15 @@ class TestCounterLogout:
             )
         assertRedirects(
             res,
-                reverse(
+            reverse("counter:details", kwargs={"counter_id": permanence.counter_id}),
-                    "counter:details", kwargs={"counter_id": permanence.counter_id}
-                ),
         )
         permanence.refresh_from_db()
-            assert permanence.end == now()
+        assert permanence.end == permanence.activity
+        assert permanence.user not in res.wsgi_request.barmen
 
     def test_logout_doesnt_change_old_permanences(self, client: Client):
+        # regression test for #1141
+        # https://github.com/ae-utbm/sith/pull/1141
         perm_counter = baker.make(Counter, type="BAR")
         permanence = baker.make(
             Permanency,
@@ -896,6 +960,6 @@ class TestCounterLogout:
                 data={"user_id": permanence.user_id},
             )
             permanence.refresh_from_db()
-            assert permanence.end == now()
+            assert permanence.end == permanence.activity
             old_permanence.refresh_from_db()
             assert old_permanence.end == old_end

counter/tests/test_product.py

@@ -1,3 +1,4 @@
+import itertools
 from io import BytesIO
 from typing import Callable
 from uuid import uuid4
@@ -8,6 +9,7 @@ from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import Client, TestCase
 from django.urls import reverse
+from django.utils.timezone import now
 from model_bakery import baker
 from model_bakery.recipe import Recipe
 from PIL import Image
@@ -16,9 +18,10 @@ from pytest_django.asserts import assertNumQueries, assertRedirects
 from club.models import Club
 from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
-from counter.baker_recipes import product_recipe
+from counter.baker_recipes import product_recipe, sale_recipe
 from counter.forms import ProductForm, ProductPriceFormSet
-from counter.models import Price, Product, ProductType
+from counter.models import Price, Product, ProductType, Selling
+from eboutic.models import Basket, BasketItem
 
 
 @pytest.mark.django_db
@@ -222,3 +225,59 @@ def test_price_for_user():
     assert list(qs.for_user(users[0])) == [prices[0], prices[1], prices[4]]
     assert list(qs.for_user(users[1])) == [prices[0], prices[4]]
     assert list(qs.for_user(users[2])) == [prices[0], prices[3]]
+
+
+class TestProductClicLimit(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.products = product_recipe.make(
+            clic_limit=itertools.chain([5, 10, 15], itertools.repeat(None)),
+            _quantity=6,
+            _bulk_create=True,
+        )
+        cls.qs = Product.objects.filter(id__in=[p.id for p in cls.products])
+
+    def test_no_sales_or_basket(self):
+        """Test that it works if no sales has been made yet"""
+        assert list(self.qs.under_clic_limit()) == self.products
+
+    def test_with_sales(self):
+        """Test that it works when there are existing sales"""
+        sales = sale_recipe.make(
+            product=itertools.cycle(self.products),
+            _quantity=len(self.products) * 5,
+            _bulk_create=True,
+        )
+        Selling.objects.filter(id__in=[s.id for s in sales]).update(quantity=2)
+        assert list(self.qs.under_clic_limit()) == self.products[2:]
+
+    def test_with_sales_and_basket(self):
+        """Test that it works when there are existing sales and basket items."""
+        sales = sale_recipe.make(
+            product=itertools.cycle(self.products),
+            _quantity=len(self.products) * 5,
+            _bulk_create=True,
+        )
+        Selling.objects.filter(id__in=[s.id for s in sales]).update(quantity=1)
+        basket = baker.make(
+            Basket, date=now() - settings.SITH_EBOUTIC_BASKET_TIMEOUT / 2
+        )
+        items = baker.make(
+            BasketItem,
+            product=itertools.cycle(self.products),
+            basket=basket,
+            _quantity=len(self.products) * 5,
+        )
+        BasketItem.objects.filter(id__in=[i.id for i in items]).update(quantity=1)
+        assert list(self.qs.under_clic_limit()) == self.products[2:]
+
+        # expired basket items shouldn't be accounted when computing clic limit
+        item = BasketItem.objects.filter(product=self.products[1])[0]
+        item.basket = baker.make(
+            Basket,
+            date=now()
+            - settings.SITH_EBOUTIC_BASKET_TIMEOUT
+            - settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT,
+        )
+        item.save()
+        assert list(self.qs.under_clic_limit()) == self.products[1:]

counter/urls.py

@@ -41,7 +41,6 @@ from counter.views.admin import (
     ReturnableProductUpdateView,
     SellingDeleteView,
 )
-from counter.views.auth import counter_login, counter_logout
 from counter.views.cash import (
     CashSummaryEditView,
     CashSummaryListView,
@@ -57,7 +56,9 @@ from counter.views.eticket import (
 from counter.views.home import (
     CounterActivityView,
     CounterLastOperationsView,
+    CounterLoginFragment,
     CounterMain,
+    counter_logout,
 )
 from counter.views.invoice import InvoiceCallView
 from counter.views.student_card import StudentCardDeleteView, StudentCardFormFragment
@@ -66,7 +67,7 @@ urlpatterns = [
     path("<int:counter_id>/", CounterMain.as_view(), name="details"),
     path("<int:counter_id>/click/<int:user_id>/", CounterClick.as_view(), name="click"),
     path(
-        "refill/<int:customer_id>/",
+        "<int:counter_id>/refill/<int:customer_id>/",
         RefillingCreateView.as_view(),
         name="refilling_create",
     ),
@@ -82,7 +83,7 @@ urlpatterns = [
     ),
     path("<int:counter_id>/activity/", CounterActivityView.as_view(), name="activity"),
     path("<int:counter_id>/stats/", CounterStatView.as_view(), name="stats"),
-    path("<int:counter_id>/login/", counter_login, name="login"),
+    path("<int:counter_id>/login/", CounterLoginFragment.as_view(), name="login"),
     path("<int:counter_id>/logout/", counter_logout, name="logout"),
     path("eticket/<int:selling_id>/pdf/", EticketPDFView.as_view(), name="eticket_pdf"),
     path(

counter/utils.py

@@ -3,8 +3,6 @@ from urllib.parse import urlparse
 from django.http import HttpRequest
 from django.urls import resolve
 
-from counter.models import Counter
-
 
 def is_logged_in_counter(request: HttpRequest) -> bool:
     """Check if the request is sent from a device logged to a counter.
@@ -20,24 +18,13 @@ def is_logged_in_counter(request: HttpRequest) -> bool:
       or the request path belongs to the counter app
       (eg. the barman went back to the main by missclick and go back
       to the counter)
-    - The current session has a counter token associated with it.
+    - There are barmen logged in the current session
-    - A counter with this token exists.
-    - The counter is open
     """
     referer_ok = (
         "HTTP_REFERER" in request.META
         and resolve(urlparse(request.META["HTTP_REFERER"]).path).app_name == "counter"
     )
-    has_token = (
+    if not referer_ok and request.resolver_match.app_name != "counter":
-        (referer_ok or request.resolver_match.app_name == "counter")
-        and "counter_token" in request.session
-        and request.session["counter_token"]
-    )
-    if not has_token:
         return False
 
-    return (
+    return bool(request.barmen)
-        Counter.objects.annotate_is_open()
-        .filter(token=request.session["counter_token"], is_open=True)
-        .exists()
-    )

counter/views/auth.py

@@ -1,53 +0,0 @@
-#
-# Copyright 2023 © AE UTBM
-# ae@utbm.fr / ae.info@utbm.fr
-#
-# This file is part of the website of the UTBM Student Association (AE UTBM),
-# https://ae.utbm.fr.
-#
-# You can find the source code of the website at https://github.com/ae-utbm/sith
-#
-# LICENSED UNDER THE GNU GENERAL PUBLIC LICENSE VERSION 3 (GPLv3)
-# SEE : https://raw.githubusercontent.com/ae-utbm/sith/master/LICENSE
-# OR WITHIN THE LOCAL FILE "LICENSE"
-#
-#
-
-from django.http import HttpRequest, HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect
-from django.utils import timezone
-from django.utils.timezone import now
-from django.views.decorators.http import require_POST
-
-from core.views.forms import LoginForm
-from counter.models import Counter, Permanency
-
-
-@require_POST
-def counter_login(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
-    """Log a user in a counter.
-
-    A successful login will result in the beginning of a counter duty
-    for the user.
-    """
-    counter = get_object_or_404(Counter, pk=counter_id)
-    form = LoginForm(request, data=request.POST)
-    if not form.is_valid():
-        return redirect(counter.get_absolute_url() + "?credentials")
-    user = form.get_user()
-    if not counter.sellers.contains(user) or user in counter.barmen_list:
-        return redirect(counter.get_absolute_url() + "?sellers")
-    if len(counter.barmen_list) == 0:
-        counter.gen_token()
-    request.session["counter_token"] = counter.token
-    counter.permanencies.create(user=user, start=timezone.now())
-    return redirect(counter)
-
-
-@require_POST
-def counter_logout(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
-    """End the permanency of a user in this counter."""
-    Permanency.objects.filter(
-        counter=counter_id, user=request.POST["user_id"], end=None
-    ).update(end=now())
-    return redirect("counter:details", counter_id=counter_id)

counter/views/click.py

@@ -12,8 +12,10 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+import random
 from collections import defaultdict
 
+from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Q
@@ -21,6 +23,7 @@ from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect, resolve_url
 from django.urls import reverse
 from django.utils.safestring import SafeString
+from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from django.views.generic.detail import SingleObjectMixin
 from ninja.main import HttpRequest
@@ -29,13 +32,7 @@ from core.auth.mixins import CanViewMixin
 from core.models import User
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BasketForm, RefillForm
-from counter.models import (
+from counter.models import Counter, Customer, ProductFormula, ReturnableProduct, Selling
-    Counter,
-    Customer,
-    ProductFormula,
-    ReturnableProduct,
-    Selling,
-)
 from counter.utils import is_logged_in_counter
 from counter.views.mixins import CounterTabsMixin
 from counter.views.student_card import StudentCardFormFragment
@@ -46,7 +43,7 @@ def get_operator(request: HttpRequest, counter: Counter, customer: Customer) ->
         return request.user
     if counter.customer_is_barman(customer):
         return customer.user
-    return counter.get_random_barman()
+    return random.choice(list(request.barmen))
 
 
 class CounterClick(
@@ -78,7 +75,7 @@ class CounterClick(
         return kwargs
 
     def dispatch(self, request, *args, **kwargs):
-        self.customer = get_object_or_404(Customer, user__id=self.kwargs["user_id"])
+        self.customer = get_object_or_404(Customer, user_id=self.kwargs["user_id"])
         obj: Counter = self.get_object()
 
         if not self.customer.can_buy or self.customer.user.is_banned_counter:
@@ -96,14 +93,13 @@ class CounterClick(
             # or a seller of this counter.
             raise PermissionDenied
 
-        if obj.type == "BAR" and (
+        if obj.type == "BAR" and not (
-            not obj.is_open
+            request.barmen and request.barmen.issubset(set(obj.barmen_list))
-            or "counter_token" not in request.session
-            or request.session["counter_token"] != obj.token
         ):
+            messages.error(request, _("You cannot click users on this counter"))
             return redirect(obj)  # Redirect to counter
 
-        self.prices = obj.get_prices_for(self.customer)
+        self.prices = list(obj.get_prices_for(self.customer))
 
         return super().dispatch(request, *args, **kwargs)
 
@@ -199,7 +195,7 @@ class CounterClick(
             )
         if self.object.can_refill():
             res["refilling_fragment"] = RefillingCreateView.as_fragment()(
-                self.request, customer=self.customer
+                self.request, customer=self.customer, counter=self.object
             )
         return res
 
@@ -237,11 +233,13 @@ class RefillingCreateView(FragmentMixin, FormView):
         if not is_logged_in_counter(request):
             raise PermissionDenied
 
-        self.counter: Counter = get_object_or_404(
+        self.counter: Counter = get_object_or_404(Counter, id=self.kwargs["counter_id"])
-            Counter, token=request.session["counter_token"]
-        )
 
-        if not self.counter.can_refill():
+        if not (
+            request.barmen
+            and request.barmen.issubset(self.counter.barmen_list)
+            and self.counter.can_refill()
+        ):
             raise PermissionDenied
 
         self.operator = get_operator(request, self.counter, self.customer)
@@ -250,6 +248,7 @@ class RefillingCreateView(FragmentMixin, FormView):
 
     def render_fragment(self, request, **kwargs) -> SafeString:
         self.customer = kwargs.pop("customer")
+        self.counter = kwargs.pop("counter")
         return super().render_fragment(request, **kwargs)
 
     def form_valid(self, form):
@@ -264,7 +263,8 @@ class RefillingCreateView(FragmentMixin, FormView):
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         kwargs["action"] = reverse(
-            "counter:refilling_create", kwargs={"customer_id": self.customer.pk}
+            "counter:refilling_create",
+            kwargs={"customer_id": self.customer.pk, "counter_id": self.counter.pk},
         )
         return kwargs
 

counter/views/home.py

@@ -15,78 +15,120 @@
 from datetime import timedelta
 
 from django.conf import settings
-from django.http import HttpResponseRedirect
+from django.core.exceptions import PermissionDenied
-from django.urls import reverse, reverse_lazy
+from django.db.models import F
+from django.http import HttpRequest, HttpResponseRedirect
+from django.shortcuts import redirect
+from django.urls import reverse
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
+from django.utils.safestring import SafeString
+from django.views.decorators.http import require_POST
 from django.views.generic import DetailView
-from django.views.generic.edit import FormMixin, ProcessFormView
+from django.views.generic.detail import SingleObjectMixin
+from django.views.generic.edit import FormView
 
 from core.auth.mixins import CanViewMixin
-from core.views.forms import LoginForm
+from core.views import FragmentMixin, UseFragmentsMixin
-from counter.forms import GetUserForm
+from counter.forms import CounterLoginForm, GetUserForm
-from counter.models import Counter
+from counter.models import Counter, Permanency
 from counter.utils import is_logged_in_counter
 from counter.views.mixins import CounterTabsMixin
 
 
+class CounterLoginFragment(FragmentMixin, SingleObjectMixin, FormView):
+    model = Counter
+    form_class = CounterLoginForm
+    reload_on_redirect = True
+    pk_url_kwarg = "counter_id"
+    template_name = "counter/fragments/login.jinja"
+
+    def dispatch(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if self.object.type != "BAR":
+            # barmen have to log in only if it is a bar,
+            # so calling this view on a non-bar counter makes no sense
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {
+            "request": self.request,
+            "counter": self.object,
+        }
+
+    def form_valid(self, form: CounterLoginForm):
+        user = form.get_user()
+        self.object.permanencies.create(user=user, start=timezone.now())
+        self.request.barmen.add(user)
+        self.success_url = reverse(
+            "counter:details", kwargs={"counter_id": self.object.id}
+        )
+        return super().form_valid(form)
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.object = kwargs.pop("counter")
+        return super().render_fragment(request, **kwargs)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "action": reverse("counter:login", kwargs={"counter_id": self.object.id})
+        }
+
+
+@require_POST
+def counter_logout(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
+    """End the permanency of a user in this counter."""
+    Permanency.objects.filter(
+        counter=counter_id, user=request.POST["user_id"], end=None
+    ).update(end=F("activity"))
+    return redirect("counter:details", counter_id=counter_id)
+
+
 class CounterMain(
-    CounterTabsMixin, CanViewMixin, DetailView, ProcessFormView, FormMixin
+    CounterTabsMixin, UseFragmentsMixin, CanViewMixin, SingleObjectMixin, FormView
 ):
     """The public (barman) view."""
 
     model = Counter
+    queryset = Counter.objects.exclude(type="EBOUTIC")
     template_name = "counter/counter_main.jinja"
     pk_url_kwarg = "counter_id"
-    form_class = (
+    form_class = GetUserForm
-        GetUserForm  # Form to enter a client code and get the corresponding user id
-    )
     current_tab = "counter"
 
-    def get_queryset(self):
+    def dispatch(self, request, *args, **kwargs):
-        return super().get_queryset().exclude(type="EBOUTIC")
+        self.object: Counter = self.get_object()
+        if self.object.type == "BAR":
+            self.object.update_activity()
+        return super().dispatch(request, *args, **kwargs)
 
-    def post(self, request, *args, **kwargs):
+    def get_fragment_context_data(self) -> dict[str, SafeString]:
-        self.object = self.get_object()
+        login_fragment = (
-        if self.object.type == "BAR" and not (
+            CounterLoginFragment.as_fragment()(self.request, counter=self.object)
-            "counter_token" in self.request.session
+            if self.object.type == "BAR"
-            and self.request.session["counter_token"] == self.object.token
+            else ""
-        ):  # Check the token to avoid the bar to be stolen
-            return HttpResponseRedirect(
-                reverse_lazy(
-                    "counter:details",
-                    args=self.args,
-                    kwargs={"counter_id": self.object.id},
         )
-                + "?bad_location"
+        return super().get_fragment_context_data() | {"login_fragment": login_fragment}
-            )
-        return super().post(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):
         """We handle here the login form for the barman."""
-        if self.request.method == "POST":
-            self.object = self.get_object()
-        self.object.update_activity()
         kwargs = super().get_context_data(**kwargs)
-        kwargs["login_form"] = LoginForm()
-        kwargs["login_form"].fields["username"].widget.attrs["autofocus"] = True
-        kwargs[
-            "login_form"
-        ].cleaned_data = {}  # add_error fails if there are no cleaned_data
-        if "credentials" in self.request.GET:
-            kwargs["login_form"].add_error(None, _("Bad credentials"))
-        if "sellers" in self.request.GET:
-            kwargs["login_form"].add_error(None, _("User is not barman"))
-        kwargs["form"] = self.get_form()
-        kwargs["form"].cleaned_data = {}  # same as above
-        if "bad_location" in self.request.GET:
-            kwargs["form"].add_error(
-                None, _("Bad location, someone is already logged in somewhere else")
-            )
         if self.object.type == "BAR":
             kwargs["barmen"] = self.object.barmen_list
-        elif self.request.user.is_authenticated:
+            kwargs["barmen_here"] = list(
-            kwargs["barmen"] = [self.request.user]
+                self.request.barmen.intersection(self.object.barmen_list)
+            )
+        kwargs["can_click"] = (
+            self.object.type == "BAR"
+            and self.request.barmen
+            and self.request.barmen.issubset(set(self.object.barmen_list))
+        ) or (
+            self.object.type == "OFFICE"
+            and (
+                self.object.sellers.contains(self.request.user)
+                or self.object.club.has_rights_in_club(self.request.user)
+            )
+        )
         if "last_basket" in self.request.session:
             kwargs["last_basket"] = self.request.session.pop("last_basket")
             kwargs["last_customer"] = self.request.session.pop("last_customer")
@@ -96,14 +138,17 @@ class CounterMain(
             )
         return kwargs
 
-    def form_valid(self, form):
+    def form_valid(self, form: GetUserForm):
         """We handle here the redirection, passing the user id of the asked customer."""
-        self.kwargs["user_id"] = form.cleaned_data["user_id"]
+        self.success_url = reverse(
+            "counter:click",
+            kwargs={
+                "counter_id": self.kwargs["counter_id"],
+                "user_id": form.cleaned_data["user_id"],
+            },
+        )
         return super().form_valid(form)
 
-    def get_success_url(self):
-        return reverse_lazy("counter:click", args=self.args, kwargs=self.kwargs)
-
 
 class CounterLastOperationsView(CounterTabsMixin, CanViewMixin, DetailView):
     """Provide the last operations to allow barmen to delete them."""

docs/tutorial/etransaction.md

@@ -1,4 +1,6 @@
 
+## Fonctionnement général
+
 La boutique en ligne nécessite une interaction
 avec la banque pour son fonctionnement.
 
@@ -9,3 +11,32 @@ Nous ne pouvons donc que vous redirigez vers la doc du crédit
 agricole : 
 [https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/](https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/)
 
+## Limite de clic et expiration des paniers
+
+Certains produits peuvent avoir un quota de vente.
+Une fois ce dernier atteint, il ne doit plus être possible de les acheter.
+
+Pour éviter que cette limite soit dépassée si jamais plusieurs utilisateurs
+commandent et achètent ce produit à peu près en même temps,
+un produit est considéré comme « réservé » une fois placé dans un panier.
+La création du panier s'effectue lors de la soumission du formulaire sur l'eboutic.
+Une fois la transaction accomplie, le panier est supprimé.
+
+Cependant, il reste un problème : 
+que faire des utilisateurs qui créent un panier, mais ne terminent
+pas la transaction ?
+Pour résoudre ce cas, les paniers ont une durée de validité,
+définie dans le `settings.py`, grâce à deux variables :
+
+- `settings.SITH_EBOUTIC_BASKET_TIMEOUT` : 
+  le temps pendant lequel un utilisateur peut payer avec son compte AE
+  ou démarrer une etransaction
+- `settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT` :
+  le temps alloué à l'utilisateur pour effectuer une etransaction ;
+  au-delà de cette durée, la banque refusera le paiement
+  et notifiera le sith de l'erreur.
+
+Une fois expiré le temps défini par 
+`settings.SITH_EBOUTIC_BASKET_TIMEOUT + settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT`, 
+les produits contenus dans le panier sont à nouveau 
+disponibles à la vente.

eboutic/models.py

@@ -98,6 +98,15 @@ class Basket(models.Model):
 
     @property
     def is_expired(self) -> bool:
+        """Return True if this basket is expired.
+
+        An expired basket can no longer be used tp pay with sith account
+        or to start an etransaction.
+
+        Warnings:
+            Users have an additional time if they pay with an etransaction,
+            so an expired basket may be purchased after its expiration in that case.
+        """
         return (self.date + settings.SITH_EBOUTIC_BASKET_TIMEOUT) <= now()
 
     def generate_sales(

eboutic/static/bundled/eboutic/eboutic-index.ts

@@ -11,7 +11,7 @@ const BASKET_CACHE_KEY = "basket";
 const BASKET_CACHE_VERSION = 1;
 
 document.addEventListener("alpine:init", () => {
-  Alpine.data("basket", (lastPurchaseTime?: number) => ({
+  Alpine.data("basket", (validPrices: number[], lastPurchaseTime?: number) => ({
     basket: [] as BasketItem[],
 
     init() {
@@ -19,15 +19,6 @@ document.addEventListener("alpine:init", () => {
       this.$watch("basket", () => {
         this.saveBasket();
       });
-      // Invalidate basket if a purchase was made
-      if (lastPurchaseTime !== null && localStorage.basketTimestamp !== undefined) {
-        if (
-          new Date(lastPurchaseTime) >=
-          new Date(Number.parseInt(localStorage.basketTimestamp, 10))
-        ) {
-          this.basket = [];
-        }
-      }
       document
         .getElementById("id_form-TOTAL_FORMS")
         .setAttribute(":value", "basket.length");
@@ -37,7 +28,22 @@ document.addEventListener("alpine:init", () => {
       const cached = versionedLocalStorage.getItem<BasketItem[]>(BASKET_CACHE_KEY, {
         version: BASKET_CACHE_VERSION,
       });
-      return cached ?? [];
+      if (!cached) {
+        return [];
+      }
+      if (
+        lastPurchaseTime !== null &&
+        localStorage.basketTimestamp !== undefined &&
+        new Date(lastPurchaseTime) >=
+          new Date(Number.parseInt(localStorage.basketTimestamp, 10))
+      ) {
+        // Invalidate basket if a purchase was made
+        return [];
+      }
+      // The basket is cached and not expired, so return it,
+      // but without items that are invalid
+      // (e.g. because the product is archived, or sold out)
+      return cached.filter((item) => validPrices.includes(item.priceId));
     },
 
     saveBasket() {

eboutic/templates/eboutic/eboutic_checkout.jinja

@@ -15,9 +15,13 @@
 {% block content %}
   <h3>{% trans %}Eboutic{% endtrans %}</h3>
 
+  <script type="text/javascript">
+    const billingInfos = {{ billing_infos|safe }};
+  </script>
+
   <div x-data='etransaction(
-               {{ billing_infos|tojson }},
+               billingInfos,
-               { id: {{ basket.id }}, timeout: new Date('{{ basket.date + settings.SITH_EBOUTIC_BASKET_TIMEOUT }}') }
+               { id: {{ basket.id }}, timeout: new Date("{{ basket.date + settings.SITH_EBOUTIC_BASKET_TIMEOUT }}") }
                )'>
     <p>{% trans %}Basket: {% endtrans %}</p>
     <table>

eboutic/templates/eboutic/eboutic_main.jinja

@@ -30,7 +30,17 @@
 {% block content %}
   <h1 id="eboutic-title">{% trans %}Eboutic{% endtrans %}</h1>
 
-  <div id="eboutic" x-data="basket({{ last_purchase_time }})">
+  <div
+    id="eboutic"
+    x-data="basket(
+            [{%- for prices in categories -%}
+              {%- for p in prices -%}
+                {% if not p.sold_out %}{{ p.id }},{% endif %}
+              {%- endfor -%}
+            {%- endfor -%}],
+            {{ last_purchase_time }},
+            )"
+  >
     <div id="basket">
       <h3>Panier</h3>
       <form method="post" action="">
@@ -187,9 +197,10 @@
             {% for price in prices %}
               <button
                 id="{{ price.id }}"
-                class="card product-button clickable shadow"
+                class="card clickable shadow"
                 :class="{selected: basket.some((i) => i.priceId === {{ price.id }})}"
                 @click='addFromCatalog({{ price.id }}, {{ price.full_label|tojson }}, {{ price.amount }})'
+                {% if price.sold_out %}disabled{% endif %}
               >
                 {% if price.product.icon %}
                   <img
@@ -202,6 +213,9 @@
                 {% endif %}
                 <div class="card-content">
                   <h4 class="card-title">{{ price.full_label }}</h4>
+                  {% if price.sold_out -%}
+                    <p><em>{% trans %}Product sold out{% endtrans %}</em></p>
+                  {%- endif %}
                   <p>{{ price.amount }} €</p>
                 </div>
               </button>

eboutic/tests/test_basket.py

@@ -1,14 +1,19 @@
+import re
 from datetime import datetime, timezone
 
+import freezegun
 import pytest
+from bs4 import BeautifulSoup
+from django.conf import settings
 from django.http import HttpResponse
 from django.test import TestCase
 from django.test.client import Client
 from django.urls import reverse
-from django.utils.timezone import localdate
+from django.utils.timezone import localdate, now
 from model_bakery import baker
 from pytest_django.asserts import assertRedirects
 
+import eboutic.models
 from core.baker_recipes import subscriber_user
 from core.models import Group, User
 from counter.baker_recipes import (
@@ -130,9 +135,11 @@ def test_eboutic_basket_expiry(
             _bulk_create=True,
         )
 
+    soup = BeautifulSoup(client.get(reverse("eboutic:main")).text, "lxml")
     assert (
-        f'x-data="basket({int(expected.timestamp() * 1000) if expected else "null"})"'
+        # remove any space from the value before asserting
-        in client.get(reverse("eboutic:main")).text
+        re.sub(r"\s+", "", soup.find(id="eboutic").attrs["x-data"])
+        == f"basket([],{int(expected.timestamp() * 1000) if expected else 'null'},)"
     )
 
 
@@ -231,26 +238,45 @@ class TestEboutic(TestCase):
 
     def test_add_forbidden_product(self):
         self.client.force_login(self.new_customer)
-        response = self.submit_basket([BasketItem(self.beer.id, 1)])
+        for product in self.beer, self.cotiz, self.not_in_counter:
+            response = self.submit_basket([BasketItem(product.id, 1)])
             assert response.status_code == 200
-        assert Basket.objects.first() is None
+            assert not Basket.objects.exists()
 
-        response = self.submit_basket([BasketItem(self.cotiz.id, 1)])
+    def test_sold_out_product(self):
+        sold_out = product_recipe.make(
+            clic_limit=3, counters=[self.eboutic], product_type=baker.make(ProductType)
+        )
+        price = price_recipe.make(product=sold_out, groups=[self.group_cotiz], amount=0)
+        sale_recipe.make(
+            product=sold_out,
+            customer=self.subscriber.customer,
+            unit_price=0,
+            quantity=1,
+        )
+        baker.make(
+            eboutic.models.BasketItem,
+            basket=baker.make(Basket),
+            product=sold_out,
+            quantity=2,
+        )
+        self.client.force_login(self.subscriber)
+        response = self.submit_basket([BasketItem(price.id, 1)])
         assert response.status_code == 200
-        assert Basket.objects.first() is None
+        assert Basket.objects.count() == 1
-
+        with freezegun.freeze_time(
-        response = self.submit_basket([BasketItem(self.not_in_counter.id, 1)])
+            now()
-        assert response.status_code == 200
+            + settings.SITH_EBOUTIC_BASKET_TIMEOUT
-        assert Basket.objects.first() is None
+            + settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT
-
+        ):
-        self.client.force_login(self.new_customer)
+            # after a while, unpaid basket items should expire and make the
-        response = self.submit_basket([BasketItem(self.cotiz.id, 1)])
+            # product available again.
-        assert response.status_code == 200
+            response = self.submit_basket([BasketItem(price.id, 1)])
-        assert Basket.objects.first() is None
+        assertRedirects(
-
+            response,
-        response = self.submit_basket([BasketItem(self.not_in_counter.id, 1)])
+            reverse("eboutic:checkout", kwargs={"basket_id": Basket.objects.last().id}),
-        assert response.status_code == 200
+        )
-        assert Basket.objects.first() is None
+        assert Basket.objects.count() == 2
 
     def test_create_basket(self):
         self.client.force_login(self.new_customer)

eboutic/views.py

@@ -33,7 +33,7 @@ from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import DatabaseError, transaction
-from django.db.models import Subquery
+from django.db.models import Exists, OuterRef, Subquery
 from django.db.models.fields import forms
 from django.db.utils import cached_property
 from django.http import HttpResponse
@@ -92,7 +92,9 @@ class EbouticMainView(LoginRequiredMixin, FormView):
         kwargs["form_kwargs"] = {
             "customer": self.customer,
             "counter": get_eboutic(),
-            "allowed_prices": {price.id: price for price in self.prices},
+            "allowed_prices": {
+                price.id: price for price in self.prices if not price.sold_out
+            },
         }
         return kwargs
 
@@ -118,9 +120,14 @@ class EbouticMainView(LoginRequiredMixin, FormView):
 
     @cached_property
     def prices(self) -> list[Price]:
-        return get_eboutic().get_prices_for(
+        eboutic = get_eboutic()
-            self.customer,
+        sold_out_subquery = ~Exists(
-            order_by=["product__product_type__order", "product_id", "amount"],
+            eboutic.products.under_clic_limit().filter(id=OuterRef("product_id"))
+        )
+        return list(
+            eboutic.get_prices_for(self.customer)
+            .annotate(sold_out=sold_out_subquery)
+            .order_by("product__product_type__order", "product_id", "amount")
         )
 
     @cached_property

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-15 11:46+0200\n"
+"POT-Creation-Date: 2026-06-02 10:53+0200\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -363,11 +363,8 @@ msgid "Unregistered user"
 msgstr "Utilisateur non enregistré"
 
 #: club/models.py
-#, python-format
+msgid "The base url that links with this type must respect"
-msgid "The base url that links with this type must respect (e.g. `%(url)s`)"
+msgstr "L'url de base que tous les liens de ce type doivent respecter"
-msgstr ""
-"L'url de base que tous les liens de ce type doivent respecter (par exemple "
-"`%(url)s`)"
 
 #: club/models.py counter/models.py
 msgid "icon"
@@ -2203,6 +2200,7 @@ msgstr "Êtes-vous sûr de vouloir supprimer \"%(name)s\" ?"
 #: core/templates/core/delete_confirm.jinja
 #: core/templates/core/file_delete_confirm.jinja
 #: counter/templates/counter/fragments/delete_student_card.jinja
+#: counter/templates/counter/fragments/login.jinja
 msgid "Confirm"
 msgstr "Confirmation"
 
@@ -3206,6 +3204,18 @@ msgstr "Cet UID est invalide"
 msgid "User not found"
 msgstr "Utilisateur non trouvé"
 
+#: counter/forms.py
+msgid "You are not a barman of this counter."
+msgstr "Vous n'êtes pas barman sur ce comptoir."
+
+#: counter/forms.py
+msgid "You are already logged in this counter."
+msgstr "Vous êtes déjà connecté à ce comptoir."
+
+#: counter/forms.py
+msgid "You are already logged in another counter."
+msgstr "Vous êtes déjà connecté à un autre comptoir."
+
 #: counter/forms.py
 msgid "Regular barmen"
 msgstr "Barmen réguliers"
@@ -3408,8 +3418,16 @@ msgid "Buy five, get the sixth free"
 msgstr "Pour cinq achetés, le sixième offert"
 
 #: counter/models.py
-msgid "buying groups"
+msgid "clic limit"
-msgstr "groupe d'achat"
+msgstr "limite de clic"
+
+#: counter/models.py
+msgid ""
+"If a limit is set, the product won't be purchasable anymore on the eboutic "
+"once the latter is reached."
+msgstr ""
+"Si une limite est donnée, le produit ne sera plus achetable sur l'eboutic "
+"une fois celle-ci atteinte."
 
 #: counter/models.py election/models.py
 msgid "archived"
@@ -3476,10 +3494,6 @@ msgstr "Bureau"
 msgid "sellers"
 msgstr "vendeurs"
 
-#: counter/models.py
-msgid "token"
-msgstr "jeton"
-
 #: counter/models.py
 msgid "regular barman"
 msgstr "barman régulier"
@@ -3804,7 +3818,7 @@ msgstr ""
 
 #: counter/templates/counter/counter_click.jinja
 msgid "No products available on this counter for this user"
-msgstr "Pas de produits disponnibles dans ce comptoir pour cet utilisateur"
+msgstr "Pas de produits disponibles dans ce comptoir pour cet utilisateur"
 
 #: counter/templates/counter/counter_list.jinja
 msgid "Counter admin list"
@@ -3865,12 +3879,20 @@ msgid "Please, login"
 msgstr "Merci de vous identifier"
 
 #: counter/templates/counter/counter_main.jinja
-msgid "Barman: "
+msgid "Barmen:"
-msgstr "Barman : "
+msgstr "Barmen :"
 
 #: counter/templates/counter/counter_main.jinja
-msgid "login"
+msgid "On this device"
-msgstr "login"
+msgstr "Sur cet appareil"
+
+#: counter/templates/counter/counter_main.jinja
+msgid "Elsewhere"
+msgstr "Ailleurs"
+
+#: counter/templates/counter/counter_main.jinja
+msgid "No barman logged elsewhere"
+msgstr "Pas de barman connecté ailleurs"
 
 #: counter/templates/counter/eticket_list.jinja
 msgid "Eticket list"
@@ -4275,22 +4297,14 @@ msgstr "Montant du chèque"
 msgid "Check quantity"
 msgstr "Nombre de chèque"
 
+#: counter/views/click.py
+msgid "You cannot click users on this counter"
+msgstr "Vous ne pouvez pas cliquer des gens sur ce comptoir"
+
 #: counter/views/eticket.py
 msgid "people(s)"
 msgstr "personne(s)"
 
-#: counter/views/home.py
-msgid "Bad credentials"
-msgstr "Mauvais identifiants"
-
-#: counter/views/home.py
-msgid "User is not barman"
-msgstr "L'utilisateur n'est pas barman."
-
-#: counter/views/home.py
-msgid "Bad location, someone is already logged in somewhere else"
-msgstr "Mauvais comptoir, quelqu'un est déjà connecté ailleurs"
-
 #: counter/views/invoice.py
 msgid "Invoice calls status has been updated."
 msgstr "Le statut des appels à facture a été mis à jour."
@@ -4462,6 +4476,10 @@ msgstr ""
 "billets du vendredi, du samedi et du dimanche, ainsi qu'au forfait 3 jours, "
 "du vendredi au dimanche."
 
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Product sold out"
+msgstr "Produit épuisé"
+
 #: eboutic/templates/eboutic/eboutic_main.jinja
 msgid "There are no items available for sale"
 msgstr "Aucun article n'est disponible à la vente"

sith/settings.py

@@ -34,6 +34,7 @@ https://docs.djangoproject.com/en/1.8/ref/settings/
 """
 
 import binascii
+import contextlib
 import os
 import sys
 from datetime import timedelta
@@ -41,6 +42,7 @@ from pathlib import Path
 
 import sentry_sdk
 from dateutil.relativedelta import relativedelta
+from django.utils.deprecation import RemovedInDjango60Warning
 from django.utils.translation import gettext_lazy as _
 from environs import Env
 from sentry_sdk.integrations.django import DjangoIntegration
@@ -91,7 +93,8 @@ ALLOWED_HOSTS = ["*"]
 # RemovedInDjango60Warning: It's a transitional setting helpful in early
 # adoption of "https" as the new default value of forms.URLField.assume_scheme.
 # Remove this after upgrading to Django 6.x
-FORMS_URLFIELD_ASSUME_HTTPS = True
+with contextlib.suppress(RemovedInDjango60Warning):
+    FORMS_URLFIELD_ASSUME_HTTPS = True
 
 # Application definition
 
@@ -138,13 +141,13 @@ MIDDLEWARE = (
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "core.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.locale.LocaleMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "django.middleware.security.SecurityMiddleware",
-    "core.middleware.AuthenticationMiddleware",
     "core.middleware.SignalRequestMiddleware",
+    "counter.middleware.BarmenMiddleware",
 )
 
 ROOT_URLCONF = "sith.urls"