tweak django-countries settings

make BillingInfo.phone_number non-nullable
Merge pull request #1422 from ae-utbm/fix-login-button
2026-06-04 23:29:24 +00:00 · 2026-06-05 00:43:56 +02:00 · 2026-06-05 00:43:56 +02:00 · 2026-06-05 00:31:36 +02:00 · 2026-06-05 00:31:19 +02:00 · 2026-06-04 18:04:52 +02:00
47 changed files with 1068 additions and 503 deletions
@@ -46,7 +46,7 @@ from django.http import HttpRequest
 from ninja_extra import ControllerBase
 from ninja_extra.permissions import BasePermission

-from counter.models import Counter
+from counter.utils import is_logged_in_counter


 class IsInGroup(BasePermission):
@@ -186,12 +186,7 @@ class IsLoggedInCounter(BasePermission):
    """Check that a user is logged in a counter."""

    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
-        if "/counter/" not in request.META.get("HTTP_REFERER", ""):
-            return False
-        token = request.session.get("counter_token")
-        if not token:
-            return False
-        return Counter.objects.filter(token=token).exists()
+        return is_logged_in_counter(request)


 CanAccessLookup = IsLoggedInCounter | HasPerm("core.access_lookup")
@@ -392,6 +392,30 @@ class ClubRoleForm(forms.ModelForm):
            self.instance.order = cleaned_data["ORDER"] - 1
        return cleaned_data

+    def save(self, commit=True):  # noqa: FBT002
+        instance: ClubRole = super().save(commit=commit)
+        if commit and "is_board" in self.changed_data:
+            # if the role was moved from board to simple member,
+            # remove all users with that role from the club board group.
+            # If the role became a board role, add users with
+            # that role to the club board group.
+            group_id = instance.club.board_group_id
+            if self.cleaned_data["is_board"]:
+                User.groups.through.objects.bulk_create(
+                    [
+                        User.groups.through(user_id=u, group_id=group_id)
+                        for u in Membership.objects.ongoing()
+                        .filter(role=instance)
+                        .values_list("user_id", flat=True)
+                    ],
+                    ignore_conflicts=True,
+                )
+            else:
+                User.groups.through.objects.filter(
+                    user__memberships__role=instance, group_id=group_id
+                ).delete()
+        return instance
+

 class ClubRoleCreateForm(forms.ModelForm):
    """Form to create a club role.
@@ -25,8 +25,7 @@ class Migration(migrations.Migration):
                    "url_base",
                    models.URLField(
                        help_text=(
-                            "The base url that links with this type "
-                            "must respect (e.g. `https://www.instagram.com`)"
+                            "The base url that links with this type must respect"
                        ),
                        unique=True,
                        verbose_name="url base",
@@ -793,10 +793,7 @@ class LinkType(models.Model):
    url_base = models.URLField(
        "url base",
        unique=True,
-        help_text=_(
-            "The base url that links with this type must respect (e.g. `%(url)s`)"
-        )
-        % {"url": "https://www.instagram.com"},
+        help_text=_("The base url that links with this type must respect"),
    )
    icon = models.CharField(
        _("icon"),
@@ -4,6 +4,7 @@ import pytest
 from django.contrib.auth.models import Permission
 from django.test import Client, TestCase
 from django.urls import reverse
+from django.utils.timezone import now
 from model_bakery import baker, seq
 from model_bakery.recipe import Recipe
 from pytest_django.asserts import assertRedirects
@@ -239,7 +240,7 @@ class TestClubRoleUpdate(TestCase):

    def test_president_moves_itself_out_of_the_presidency(self):
        """Test that if the user moves its own role out of the presidency,
-        then it's redirected to another page and loses access to the update page."""
+        then it loses access to the update page."""
        self.payload["roles-0-is_presidency"] = False
        self.client.force_login(self.user)
        res = self.client.post(self.url, data=self.payload)
@@ -251,3 +252,29 @@ class TestClubRoleUpdate(TestCase):

        res = self.client.get(self.url)
        assert res.status_code == 403
+
+    def test_role_stops_being_board(self):
+        """Test that if a role stops being a board role,
+        its users lose the club board group."""
+        self.payload["roles-0-is_board"] = False
+        self.payload["roles-0-is_presidency"] = False
+        self.payload["roles-1-is_board"] = False
+        formset = ClubRoleFormSet(data=self.payload, instance=self.club)
+        assert formset.is_valid()
+        formset.save()
+        assert not self.user.groups.contains(self.club.board_group)
+
+    def test_role_becomes_board(self):
+        """Test that if a role becomes a board role,
+        its active users get the club board group"""
+        members = [
+            baker.make(Membership, club=self.club, role=self.roles[0], end_date=None),
+            baker.make(Membership, club=self.club, role=self.roles[0], end_date=now()),
+        ]
+        self.payload["roles-2-is_board"] = True
+        formset = ClubRoleFormSet(data=self.payload, instance=self.club)
+        assert formset.is_valid()
+        formset.save()
+        # the second membership is finished, so its user shouldn't get the role
+        assert members[0].user.groups.contains(self.club.board_group)
+        assert not members[1].user.groups.contains(self.club.board_group)
@@ -43,6 +43,7 @@ from core.models import BanGroup, Group, Page, PageRev, SithFile, User
 from core.utils import resize_image
 from counter.models import (
    Counter,
+    CounterSellers,
    Price,
    Product,
    ProductType,
@@ -364,10 +365,10 @@ class Command(BaseCommand):
        Counter.objects.create(name="Carte AE", club=clubs.refound, type="OFFICE")

        # Add barman to counter
-        Counter.sellers.through.objects.bulk_create(
+        CounterSellers.objects.bulk_create(
            [
-                Counter.sellers.through(counter_id=1, user=skia),  # MDE
-                Counter.sellers.through(counter_id=2, user=krophil),  # Foyer
+                CounterSellers(counter_id=1, user=skia, is_regular=True),  # MDE
+                CounterSellers(counter_id=2, user=krophil, is_regular=True),  # Foyer
            ]
        )

@@ -46,6 +46,10 @@ details.accordion>.accordion-content {
  border-bottom-right-radius: 3px;
  border-bottom-left-radius: 3px;
  overflow: hidden;
+
+  @media screen and (max-width: 600px) {
+    padding: .75em 1.5em;
+  }
 }

@mixin animation($selector) {
@@ -29,7 +29,12 @@
  align-items: center;
  gap: 20px;

-  &.clickable:hover {
+  &:disabled {
+    background-color: darken($primary-neutral-light-color, 5%);
+    opacity: 65%;
+  }
+
+  &.clickable:not(:disabled):hover {
    background-color: darken($primary-neutral-light-color, 5%);
  }

@@ -23,7 +23,7 @@
    border-radius: 5px;
    color: black;

-    &:hover {
+    &:not(.link-like):not(:disabled):hover {
      background: hsl(0, 0%, 83%);
    }
  }
@@ -123,7 +123,7 @@ $background-color-hovered: #283747;
      justify-content: center;
    }

-    >.button {
+    a.button {
      box-sizing: border-box;
      height: 35px;
      background-color: transparent;
@@ -139,7 +139,7 @@ $background-color-hovered: #283747;
      font-size: .9em;
      width: 120px;

-      &:hover {
+      &:not(.link-like):not(:disabled):hover {
        background-color: $background-color-hovered;
      }
    }
@@ -22,14 +22,9 @@
        </form>
        <ul class="bars">
          {% cache 100 "counters_activity" %}
-                      {# The sith has no periodic tasks manager
-                         and using cron jobs would be way too overkill here.
-                         Thus the barmen timeout is handled in the only place that
-                         is loaded on every page : the header bar.
-                         However, let's be clear : this has nothing to do here.
-                         It's' merely a contrived workaround that should
-                         replaced by a proper task manager as soon as possible. #}
-            {% set _ = Counter.objects.filter(type="BAR").handle_timeout() %}
+            {# It would be cleaner to handle the timeout with django-celery-beat,
+               but doing it here is simpler and less error-prone #}
+            {% do Counter.objects.filter(type="BAR").handle_timeout() %}
          {% endcache %}
          {% for bar in Counter.objects.annotate_has_barman(user).annotate_is_open().filter(type="BAR") %}
            <li>
@@ -10,7 +10,7 @@
  <template x-for="(message, index) in $notifications.getAll()">
    <div class="alert" :class="`alert-${message.tag}`" x-transition>
      <span class="alert-main" x-text="message.text"></span>
-      <span class="clickable" @click="messages = messages.filter((item, i) => i !== index)">
+      <span class="clickable" @click="$store.notifications = $store.notifications.filter((item, i) => i !== index)">
        <i class="fa fa-close"></i>
      </span>
    </div>
@@ -9,6 +9,7 @@ from django import forms
 from django.core.exceptions import ValidationError
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
+from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import ClockedSchedule
@@ -17,6 +18,7 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
 from core.models import User, UserQuerySet
+from core.views import LoginForm
 from core.views.forms import (
    FutureDateTimeField,
    NFCTextInput,
@@ -91,30 +93,18 @@ class StudentCardForm(forms.ModelForm):


 class GetUserForm(forms.Form):
-    """The Form class aims at providing a valid user_id field in its cleaned data, in order to pass it to some view,
-    reverse function, or any other use.
-
-    The Form implements a nice JS widget allowing the user to type a customer account id, or search the database with
-    some nickname, first name, or last name (TODO)
-    """
+    """Find a user to show its click page."""

    code = forms.CharField(
        label="Code",
        max_length=StudentCard.UID_SIZE,
        required=False,
-        widget=NFCTextInput,
+        widget=NFCTextInput(attrs={"autofocus": True}),
    )
    id = forms.CharField(
-        label=_("Select user"),
-        help_text=None,
-        widget=AutoCompleteSelectUser,
-        required=False,
+        label=_("Select user"), widget=AutoCompleteSelectUser, required=False
    )

-    def as_p(self):
-        self.fields["code"].widget.attrs["autofocus"] = True
-        return super().as_p()
-
    def clean(self):
        cleaned_data = super().clean()
        customer = None
@@ -136,11 +126,40 @@ class GetUserForm(forms.Form):

        if customer is None or not customer.can_buy:
            raise forms.ValidationError(_("User not found"))
-        cleaned_data["user_id"] = customer.user.id
+        cleaned_data["user_id"] = customer.user_id
        cleaned_data["user"] = customer.user
        return cleaned_data


+class CounterLoginForm(LoginForm):
+    """LoginForm to log a barman in a counter.
+
+    To be able to log in a counter, a user must :
+
+    - be part of the sellers of the given counter
+    - not being already logged in any counter
+    """
+
+    def __init__(self, *args, request: HttpRequest, counter: Counter, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.counter = counter
+        self.request = request
+
+    def confirm_login_allowed(self, user: User):
+        super().confirm_login_allowed(user)
+        if not self.counter.sellers.contains(user):
+            raise ValidationError(
+                message=_("You are not a barman of this counter."), code="not_barman"
+            )
+        if user in self.request.barmen:
+            message = (
+                _("You are already logged in this counter.")
+                if user in self.counter.barmen_list
+                else _("You are already logged in another counter.")
+            )
+            raise ValidationError(message=message, code="already_logged_in")
+
+
 class RefillForm(forms.ModelForm):
    allowed_refilling_methods = [
        Refilling.PaymentMethod.CASH,
@@ -409,6 +428,7 @@ class ProductForm(forms.ModelForm):
            "club",
            "limit_age",
            "tray",
+            "clic_limit",
            "archived",
        ]
        help_texts = {
@@ -0,0 +1,64 @@
+from typing import TYPE_CHECKING, Callable
+
+from django.db.models import Exists, OuterRef
+from django.http import HttpRequest, HttpResponse
+from django.utils.functional import SimpleLazyObject, empty
+
+from core.models import User
+from counter.models import Permanency
+
+if TYPE_CHECKING:
+    from django.contrib.sessions.backends.base import SessionBase
+
+
+SESSION_BARMEN_KEY = "barmen_ids"
+
+
+def get_cached_barmen(request: HttpRequest) -> set[User]:
+    if not hasattr(request, "_cached_barmen"):
+        session: SessionBase = request.session
+        barmen_ids = session.get(SESSION_BARMEN_KEY, [])
+        if barmen_ids:
+            request._cached_barmen = set(
+                User.objects.filter(
+                    Exists(Permanency.objects.filter(user=OuterRef("pk"), end=None)),
+                    id__in=barmen_ids,
+                )
+            )
+        else:
+            request._cached_barmen = set()
+
+    return request._cached_barmen
+
+
+class BarmenMiddleware:
+    """Inject barmen logged in the current session.
+
+    In a similar fashion as `request.user`, `request.barmen` contains
+    users that are barmen in the current session, and ONLY them ;
+    if a user is logged as a barman on another session,
+    it will not be in `request.barmen`.
+
+    Notes:
+        In case of ended permanence, users will be automatically
+        removed from `request.barmen`.
+        However, in case of newly started permanence, this middleware
+        cannot add new barmen in the session data, so that operation
+        must be explicitly done in the barman login view.
+    """
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        request.barmen = SimpleLazyObject(lambda: get_cached_barmen(request))
+
+        response = self.get_response(request)
+
+        if request.barmen._wrapped is not empty and {
+            b.id for b in request.barmen
+        } != set(request.session.get(SESSION_BARMEN_KEY, [])):
+            # update the session data only if `session.barmen`
+            # has been accessed and modified.
+            request.session[SESSION_BARMEN_KEY] = [b.id for b in request.barmen]
+        return response
@@ -0,0 +1,25 @@
+# Generated by Django 5.2.13 on 2026-05-13 11:31
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("counter", "0039_price")]
+
+    operations = [
+        migrations.RemoveField(model_name="product", name="buying_groups"),
+        migrations.AddField(
+            model_name="product",
+            name="clic_limit",
+            field=models.PositiveSmallIntegerField(
+                blank=True,
+                help_text=(
+                    "If a limit is set, the product won't be purchasable "
+                    "anymore on the eboutic once the latter is reached."
+                ),
+                null=True,
+                verbose_name="clic limit",
+            ),
+        ),
+        migrations.RemoveField(model_name="counter", name="token"),
+    ]
@@ -0,0 +1,26 @@
+# Generated by Django 5.2.14 on 2026-06-02 10:45
+
+import django_countries.fields
+import phonenumber_field.modelfields
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [("counter", "0040_product_clic_limit")]
+
+    operations = [
+        migrations.AlterField(
+            model_name="billinginfo",
+            name="country",
+            field=django_countries.fields.CountryField(
+                max_length=2, verbose_name="Country"
+            ),
+        ),
+        migrations.AlterField(
+            model_name="billinginfo",
+            name="phone_number",
+            field=phonenumber_field.modelfields.PhoneNumberField(
+                max_length=128, region=None, verbose_name="Phone number"
+            ),
+        ),
+    ]
@@ -22,7 +22,7 @@ import string
 from datetime import date, datetime, timedelta
 from datetime import timezone as tz
 from decimal import Decimal
-from typing import TYPE_CHECKING, Literal, Self
+from typing import Literal, Self

 from dict2xml import dict2xml
 from django.conf import settings
@@ -34,6 +34,7 @@ from django.forms import ValidationError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.functional import cached_property
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import PeriodicTask
 from django_countries.fields import CountryField
@@ -47,9 +48,6 @@ from core.utils import get_start_of_semester
 from counter.fields import CurrencyField
 from subscription.models import Subscription

-if TYPE_CHECKING:
-    from collections.abc import Sequence
-

 def get_eboutic() -> Counter:
    return Counter.objects.filter(type="EBOUTIC").order_by("id").first()
@@ -230,15 +228,8 @@ class BillingInfo(models.Model):
    address_2 = models.CharField(_("Address 2"), max_length=50, blank=True, null=True)
    zip_code = models.CharField(_("Zip code"), max_length=16)  # code postal
    city = models.CharField(_("City"), max_length=50)
-    country = CountryField(blank_label=_("Country"))
-
-    # This table was created during the A22 semester.
-    # However, later on, CA asked for the phone number to be added to the billing info.
-    # As the table was already created, this new field had to be nullable,
-    # even tough it is required by the bank and shouldn't be null.
-    # If one day there is no null phone number remaining,
-    # please make the field non-nullable.
-    phone_number = PhoneNumberField(_("Phone number"), null=True, blank=False)
+    country = CountryField(_("Country"))
+    phone_number = PhoneNumberField(_("Phone number"))

    def __str__(self):
        return f"{self.first_name} {self.last_name}"
@@ -353,6 +344,40 @@ class ProductType(OrderedModel):
        return user.is_in_group(pk=settings.SITH_GROUP_ACCOUNTING_ADMIN_ID)


+class ProductQuerySet(models.QuerySet):
+    def under_clic_limit(self) -> Self:
+        """Filter product which clic limit isn't reached yet.
+
+        The clic limit is reached when the amount of sales
+        and of items in a basket for less than 15 minutes
+        is greater or equal than `Product.clic_limit`.
+        """
+        # import here to avoid circular import
+        from eboutic.models import BasketItem
+
+        nb_click_subquery = Subquery(
+            Selling.objects.filter(product_id=OuterRef("id"))
+            .values("product_id")
+            .annotate(res=Sum("quantity", default=0))
+            .values("res")[:1]
+        )
+        nb_basket_items_subquery = Subquery(
+            BasketItem.objects.filter(
+                product_id=OuterRef("id"),
+                basket__date__gt=now()
+                - settings.SITH_EBOUTIC_BASKET_TIMEOUT
+                - settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT,
+            )
+            .values("product_id")
+            .annotate(res=Sum("quantity"))
+            .values("res")[:1]
+        )
+        return self.annotate(
+            clicked=Coalesce(nb_click_subquery, 0),
+            reserved=Coalesce(nb_basket_items_subquery, 0),
+        ).filter(Q(clic_limit=None) | Q(clic_limit__gt=(F("clicked") + F("reserved"))))
+
+
 class Product(models.Model):
    """A product, with all its related information."""

@@ -370,8 +395,7 @@ class Product(models.Model):
    )
    code = models.CharField(_("code"), max_length=16, blank=True)
    purchase_price = CurrencyField(
-        _("purchase price"),
-        help_text=_("Initial cost of purchasing the product"),
+        _("purchase price"), help_text=_("Initial cost of purchasing the product")
    )
    icon = ResizedImageField(
        height=70,
@@ -388,13 +412,21 @@ class Product(models.Model):
    tray = models.BooleanField(
        _("tray price"), help_text=_("Buy five, get the sixth free"), default=False
    )
-    buying_groups = models.ManyToManyField(
-        Group, related_name="products", verbose_name=_("buying groups"), blank=True
+    clic_limit = models.PositiveSmallIntegerField(
+        _("clic limit"),
+        help_text=_(
+            "If a limit is set, the product won't be purchasable "
+            "anymore on the eboutic once the latter is reached."
+        ),
+        null=True,
+        blank=True,
    )
    archived = models.BooleanField(_("archived"), default=False)
    created_at = models.DateTimeField(_("created at"), auto_now_add=True)
    updated_at = models.DateTimeField(_("updated at"), auto_now=True)

+    objects = ProductQuerySet.as_manager()
+
    class Meta:
        verbose_name = _("product")

@@ -580,7 +612,6 @@ class Counter(models.Model):
    view_groups = models.ManyToManyField(
        Group, related_name="viewable_counters", blank=True
    )
-    token = models.CharField(_("token"), max_length=30, null=True, blank=True)

    objects = CounterQuerySet.as_manager()

@@ -733,10 +764,8 @@ class Counter(models.Model):
        # but they share the same primary key
        return self.type == "BAR" and any(b.pk == customer.pk for b in self.barmen_list)

-    def get_prices_for(
-        self, customer: Customer, *, order_by: Sequence[str] | None = None
-    ) -> list[Price]:
-        qs = (
+    def get_prices_for(self, customer: Customer) -> PriceQuerySet:
+        return (
            Price.objects.filter(
                product__counters=self, product__product_type__isnull=False
            )
@@ -744,9 +773,6 @@ class Counter(models.Model):
            .select_related("product", "product__product_type")
            .prefetch_related("groups")
        )
-        if order_by:
-            qs = qs.order_by(*order_by)
-        return list(qs)


 class CounterSellers(models.Model):
@@ -20,41 +20,34 @@
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
+import random

 from django.db.models.signals import pre_delete
 from django.dispatch import receiver

 from core.middleware import get_signal_request
 from core.models import OperationLog
-from counter.models import Counter, Refilling, Selling
+from counter.models import Refilling, Selling


-def write_log(instance, operation_type):
+def write_log(instance: Selling | Refilling, operation_type):
    def get_user():
        request = get_signal_request()

        if not request:
            return None

-        # Get a random barmen if deletion is from a counter
-        session = getattr(request, "session", {})
-        session_token = session.get("counter_token", None)
-        if session_token:
-            counter = Counter.objects.filter(token=session_token).first()
-            if counter and len(counter.barmen_list) > 0:
-                return counter.get_random_barman()
+        if request.barmen:
+            return random.choice(list(request.barmen))

        # Get the current logged user if not from a counter
-        if request.user and not request.user.is_anonymous:
+        if request.user.is_authenticated:
            return request.user

-        # Return None by default
        return None

    OperationLog(
-        label=str(instance),
-        operator=get_user(),
-        operation_type=operation_type,
+        label=str(instance), operator=get_user(), operation_type=operation_type
    ).save()


@@ -1,6 +1,6 @@
-import type { RecursivePartial, TomSettings } from "tom-select/dist/types/types";
-import { AutoCompleteSelectBase } from "#core:core/components/ajax-select-base.ts";
-import { registerComponent } from "#core:utils/web-components.ts";
+import type { RecursivePartial, TomSettings } from "tom-select/src/types";
+import { AutoCompleteSelectBase } from "#core:core/components/ajax-select-base";
+import { registerComponent } from "#core:utils/web-components";

 const productParsingRegex = /^(\d+x)?(.*)/i;
 const codeParsingRegex = / \((\w+)\)$/;
@@ -63,13 +63,6 @@ export class CounterProductSelect extends AutoCompleteSelectBase {
        );
      },
    );
-
-    this.widget.hook("after", "onOptionSelect", () => {
-      /* Focus the next element if it's an input */
-      if (this.nextElementSibling.nodeName === "INPUT") {
-        (this.nextElementSibling as HTMLInputElement).focus();
-      }
-    });
  }
  protected tomSelectSettings(): RecursivePartial<TomSettings> {
    /* We disable the dropdown on focus because we're going to always autofocus the widget */
@@ -80,9 +73,7 @@ export class CounterProductSelect extends AutoCompleteSelectBase {
      // We need to manually set weights or it results on an inconsistent
      // behavior between production and development environment
      searchField: [
-        // @ts-expect-error documentation says it's fine, specified type is wrong
        { field: "code", weight: 2 },
-        // @ts-expect-error documentation says it's fine, specified type is wrong
        { field: "text", weight: 0.5 },
      ],
    };
@@ -25,6 +25,9 @@ document.addEventListener("alpine:init", () => {
      }

      this.codeField = this.$refs.codeField;
+      this.codeField.widget.hook("after", "onOptionSelect", () => {
+        this.handleCode();
+      });
      this.codeField.widget.focus();

      // It's quite tricky to manually apply attributes to the management part
@@ -154,6 +157,7 @@ document.addEventListener("alpine:init", () => {
        this.addToBasket(code, quantity);
      }
      this.codeField.widget.clear();
+      this.codeField.widget.setTextboxValue("");
      this.codeField.widget.focus();
    },
  }));
@@ -42,7 +42,28 @@
  min-width: 350px;

  ul {
-    list-style-type: none;
+    list-style: none;
+    display: flex;
+    flex-direction: column;
+    gap: .5rem;
+    margin-left: 0;
+
+    .basket-row {
+      display: flex;
+      align-items: center;
+      gap: 1rem;
+
+      .product-name {
+        flex: 1 2 0;
+        min-width: 0;
+        text-wrap: wrap;
+      }
+    }
+  }
+
+  form {
+    margin-top: .5rem;
+    margin-bottom: .5rem;
  }
 }

@@ -56,10 +56,15 @@
        <div class="accordion-content">
          {% set counter_click_url = url('counter:click', counter_id=counter.id, user_id=customer.user_id) %}

-          <form method="post" action=""
-                class="code_form" @submit.prevent="handleCode">
+          <form method="post" action="" @submit.prevent="handleCode">

-            <counter-product-select name="code" x-ref="codeField" autofocus required placeholder="{% trans %}Select a product...{% endtrans %}">
+            <counter-product-select
+              name="code"
+              x-ref="codeField"
+              autofocus
+              required
+              placeholder="{% trans %}Select a product...{% endtrans %}"
+            >
              <option value=""></option>
              <optgroup label="{% trans %}Operations{% endtrans %}">
                <option value="FIN">{% trans %}Confirm (FIN){% endtrans %}</option>
@@ -68,13 +73,11 @@
              {%- for category, prices in categories.items() -%}
                <optgroup label="{{ category }}">
                  {%- for price in prices -%}
-                    <option value="{{ price.id }}">{{ price.full_label }}</option>
+                    <option value="{{ price.id }}">{{ price.full_label }} ({{ price.product.code }})</option>
                  {%- endfor -%}
                </optgroup>
              {%- endfor -%}
            </counter-product-select>
-
-            <input type="submit" value="{% trans %}Go{% endtrans %}"/>
          </form>

          {% for error in form.non_form_errors() %}
@@ -102,7 +105,9 @@
              {{ form.management_form }}
            </div>
            <ul>
-              <li x-show="getBasketSize() === 0">{% trans %}This basket is empty{% endtrans %}</li>
+              <li x-show="getBasketSize() === 0">
+                <em>{% trans %}This basket is empty{% endtrans %}</em>
+              </li>
              <template x-for="(item, index) in Object.values(basket)" :key="item.product.price.id">
                <li>
                  <template x-for="error in item.errors">
@@ -110,12 +115,15 @@
                    </div>
                  </template>

+                  <div class="basket-row">
+                    <div>
                      <button @click.prevent="addToBasket(item.product.price.id, -1)">-</button>
                      <span class="quantity" x-text="item.quantity"></span>
                      <button @click.prevent="addToBasket(item.product.price.id, 1)">+</button>
+                    </div>

-                  <span x-text="item.product.name"></span> :
-                  <span x-text="item.sum().toLocaleString(undefined, { minimumFractionDigits: 2 })">€</span>
+                    <span class="product-name" x-text="item.product.name"></span>
+                    <span x-text="`${item.sum().toLocaleString(undefined, { minimumFractionDigits: 2 })} €`"></span>
                    <span x-show="item.getBonusQuantity() > 0"
                          x-text="`${item.getBonusQuantity()} x P`"></span>

@@ -123,6 +131,7 @@
                      class="remove-item"
                      @click.prevent="removeFromBasket(item.product.price.id)"
                    ><i class="fa fa-trash-can delete-action"></i></button>
+                  </div>

                  <input
                    type="hidden"
@@ -32,12 +32,11 @@
      </ul>
      <p><strong>{% trans %}Total: {% endtrans %}{{ last_total }} €</strong></p>
    {% endif %}
-    {% if barmen %}
+    {% if can_click %}
      <p>{% trans %}Enter client code:{% endtrans %}</p>
-      <form method="post" action="">
+      <form method="post" action="" id="select-user-form">
        {% csrf_token %}
-        <input type="hidden" name="counter_token" value="{{ counter.token }}" />
-        {{ form.as_p() }}
+        {{ form }}
        <p><input type="submit" value="{% trans %}validate{% endtrans %}" /></p>
      </form>
    {% else %}
@@ -45,17 +44,36 @@
    {% endif %}
  </div>
  {% if counter.type == 'BAR' %}
+    <h3>{% trans %}Barmen:{% endtrans %}</h3>
+
+    {% if barmen_here %}
+      <div class="row gap-2x">
        <div>
-      <h3>{% trans %}Barman: {% endtrans %}</h3>
+          <h4>{% trans %}On this device{% endtrans %}</h4>
+          {% for b in barmen_here %}
+            <p>{{ barman_logout_link(b) }}</p>
+          {% endfor %}
+        </div>
+        <div>
+          <h4>{% trans %}Elsewhere{% endtrans %}</h4>
+          {% if barmen_here|length == barmen|length %}
+            {# all logged barmen are logged in this session #}
+            <p><em>{% trans %}No barman logged elsewhere{% endtrans %}</em></p>
+          {% else %}
+            {% for b in barmen %}
+              {%- if b not in barmen_here -%}
+                <p>{{ barman_logout_link(b) }}</p>
+              {%- endif -%}
+            {% endfor %}
+          {% endif %}
+        </div>
+      </div>
+    {% else %}
      {% for b in barmen %}
        <p>{{ barman_logout_link(b) }}</p>
      {% endfor %}
-      <form method="post" action="{{ url('counter:login', counter_id=counter.id) }}">
-        {% csrf_token %}
-        {{ login_form.as_p() }}
-        <p><input type="submit" value="{% trans %}login{% endtrans %}" /></p>
-      </form>
-    </div>
+    {% endif %}
+    {{ login_fragment }}
  {% endif %}
 {% endblock %}

@@ -63,10 +81,10 @@
  {{ super() }}
  <script type="text/javascript">
    window.addEventListener("DOMContentLoaded", () => {
-      // The login form annoyingly takes priority over the code form 
-      // This is due to the loading time of the web component
-      // We can't rely on DOMContentLoaded to know if the component is there so we
-      // periodically run a script until the field is there
+      {# The login form annoyingly takes priority over the code form
+         This is due to the loading time of the web component
+         We can't rely on DOMContentLoaded to know if the component is there so we
+         periodically run a script until the field is there #}
      const autofocus = () => {
        const field = document.querySelector("input[id='id_code']");
        if (field === null){
@@ -0,0 +1,5 @@
+<form hx-post="{{ action }}" hx-swap="outerHTML">
+  {% csrf_token %}
+  {{ form }}
+  <input type="submit" value="{% trans %}Confirm{% endtrans %}"/>
+</form>
@@ -118,6 +118,7 @@
        </div>
      </div>
    </fieldset>
+    <fieldset><div>{{ form.clic_limit.as_field_group() }}</div></fieldset>
    <fieldset><div>{{ form.counters.as_field_group() }}</div></fieldset>

    <h3 class="margin-bottom">{% trans %}Prices{% endtrans %}</h3>
@@ -17,9 +17,11 @@ from datetime import timedelta
 from decimal import Decimal

 import pytest
+from bs4 import BeautifulSoup
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
 from django.contrib.auth.models import Permission, make_password
+from django.contrib.messages import DEFAULT_LEVELS, get_messages
 from django.http import HttpResponse
 from django.shortcuts import resolve_url
 from django.test import Client, TestCase
@@ -37,6 +39,7 @@ from core.models import BanGroup, Group, User
 from counter.baker_recipes import price_recipe, product_recipe, sale_recipe
 from counter.models import (
    Counter,
+    CounterSellers,
    Customer,
    Permanency,
    ProductType,
@@ -66,10 +69,14 @@ class TestFullClickBase(TestCase):
        cls.subscriber = subscriber_user.make()

        cls.counter = baker.make(Counter, type="BAR")
-        cls.counter.sellers.add(cls.barmen, cls.board_admin)
-
        cls.other_counter = baker.make(Counter, type="BAR")
-        cls.other_counter.sellers.add(cls.barmen)
+        CounterSellers.objects.bulk_create(
+            [
+                CounterSellers(counter=cls.counter, user=cls.barmen),
+                CounterSellers(counter=cls.counter, user=cls.board_admin),
+                CounterSellers(counter=cls.other_counter, user=cls.barmen),
+            ]
+        )

        cls.yet_another_counter = baker.make(Counter, type="BAR")

@@ -114,7 +121,10 @@ class TestRefilling(TestFullClickBase):
    ) -> HttpResponse:
        used_client = client if client is not None else self.client
        return used_client.post(
-            reverse("counter:refilling_create", kwargs={"customer_id": user.pk}),
+            reverse(
+                "counter:refilling_create",
+                kwargs={"customer_id": user.pk, "counter_id": self.counter.pk},
+            ),
            {"amount": str(amount), "payment_method": Refilling.PaymentMethod.CASH},
            HTTP_REFERER=reverse(
                "counter:click", kwargs={"counter_id": counter.id, "user_id": user.pk}
@@ -138,7 +148,10 @@ class TestRefilling(TestFullClickBase):
            return self.client.post(
                reverse(
                    "counter:refilling_create",
-                    kwargs={"customer_id": self.customer.pk},
+                    kwargs={
+                        "customer_id": self.customer.pk,
+                        "counter_id": self.counter.pk,
+                    },
                ),
                {"amount": "10", "payment_method": "CASH"},
            )
@@ -442,9 +455,19 @@ class TestCounterClick(TestFullClickBase):

    def test_click_not_connected(self):
        force_refill_user(self.customer, 10)
+
+        # trying to click on a bar without being logged should result
+        # in a redirect to the counter page with an error message
        res = self.submit_basket(self.customer, [BasketItem(self.snack.id, 2)])
        assertRedirects(res, self.counter.get_absolute_url())
+        messages = list(get_messages(res.wsgi_request))
+        assert len(messages) == 1
+        assert messages[0].level == DEFAULT_LEVELS["ERROR"]
+        assert (
+            messages[0].message == "Vous ne pouvez pas cliquer des gens sur ce comptoir"
+        )

+        # trying to click on an office counter without permission should 403
        res = self.submit_basket(
            self.customer, [BasketItem(self.snack.id, 2)], counter=self.club_counter
        )
@@ -596,7 +619,7 @@ class TestCounterClick(TestFullClickBase):
            product=iter(_product_recipe.make(archived=False, _quantity=2)),
            groups=[group],
        )
-        customer_prices = counter.get_prices_for(customer)
+        customer_prices = list(counter.get_prices_for(customer))
        assert unarchived_prices == customer_prices


@@ -718,59 +741,97 @@ class TestCounterStats(TestCase):
 class TestBarmanConnection(TestCase):
    @classmethod
    def setUpTestData(cls):
-        cls.krophil = User.objects.get(username="krophil")
-        cls.skia = User.objects.get(username="skia")
-        cls.skia.customer.account = 800
-        cls.krophil.customer.save()
-        cls.skia.customer.save()
-
-        cls.counter = Counter.objects.get(id=2)
+        cls.barman = subscriber_user.make()
+        cls.barman.set_password("plop")
+        cls.barman.save()
+        cls.counter = baker.make(Counter, type="BAR", sellers=[cls.barman])
+        cls.login_url = reverse("counter:login", kwargs={"counter_id": cls.counter.id})
+        cls.detail_url = reverse(
+            "counter:details", kwargs={"counter_id": cls.counter.id}
+        )

    def test_barman_granted(self):
+        response = self.client.post(
+            self.login_url, {"username": self.barman.username, "password": "plop"}
+        )
+        assert response.status_code == 200
+        assert response.headers["HX-Redirect"] == self.detail_url
+        last_perm = Permanency.objects.last()
+        assert last_perm.counter == self.counter
+        assert last_perm.user == self.barman
+        assert last_perm.end is None
+        assert self.barman in response.wsgi_request.barmen
+        response = self.client.get(
+            self.detail_url, {"username": self.barman.username, "password": "plop"}
+        )
+        assert response.context_data.get("barmen") == [self.barman]
+        soup = BeautifulSoup(response.text, "lxml")
+        assert soup.find("form", id="select-user-form") is not None
+
+    def assert_counter_login_fails(self, user: User):
+        initial_perms = set(self.counter.permanencies.filter(user=user, end=None))
+        response = self.client.post(
+            self.login_url, {"username": user.username, "password": "plop"}
+        )
+        assert "HX-Redirect" not in response.headers
+        assert (
+            set(self.counter.permanencies.filter(user=user, end=None)) == initial_perms
+        )
+        if initial_perms:
+            # the user was already logged in, and we already tested
+            # that it didn't re-login, so we can skip the next assertions.
+            return
+
+        self.counter.refresh_from_db()
+        assert response.wsgi_request.barmen.isdisjoint(set(self.counter.barmen_list))
+
+        response = self.client.get(self.detail_url)
+        assert response.context_data.get("barmen") == []
+        soup = BeautifulSoup(response.text, "lxml")
+        assert soup.find("form", id="select-user-form") is None
+
+    def test_barman_not_seller(self):
+        """Test when the barman is not a seller of the counter"""
+        not_barman = subscriber_user.make()
+        not_barman.set_password("plop")
+        not_barman.save()
+        self.assert_counter_login_fails(not_barman)
+
+    def test_barman_already_logged(self):
+        """Test when the barman is already logged in the current counter."""
        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
+            self.login_url, {"username": self.barman.username, "password": "plop"}
        )
-        response = self.client.get(reverse("counter:details", args=[self.counter.id]))
+        self.assert_counter_login_fails(self.barman)

-        assert "<p>Entrez un code client : </p>" in str(response.content)
-
-    def test_counters_list_barmen(self):
+    def test_barman_already_logged_elsewhere(self):
+        """Test when the barman is already logged in another counter."""
+        other_counter = baker.make(Counter, type="BAR")
+        CounterSellers.objects.create(counter=other_counter, user=self.barman)
        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
+            reverse("counter:login", kwargs={"counter_id": other_counter.id}),
+            {"username": self.barman.username, "password": "plop"},
        )
-        response = self.client.get(reverse("counter:activity", args=[self.counter.id]))
+        self.assert_counter_login_fails(self.barman)

-        assert '<li><a href="/user/10/">Kro Phil&#39;</a></li>' in str(response.content)
-
-    def test_barman_denied(self):
-        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "skia", "password": "plop"},
+    def test_login_on_non_bar_counter(self):
+        counter = baker.make(Counter, type="OFFICE")
+        CounterSellers.objects.create(counter=counter, user=self.barman)
+        url = reverse("counter:login", kwargs={"counter_id": counter.id})
+        response = self.client.get(url)
+        assert response.status_code == 403
+        response = self.client.post(
+            url, {"username": self.barman.username, "password": "plop"}
        )
-        response_get = self.client.get(
-            reverse("counter:details", args=[self.counter.id])
-        )
-
-        assert "<p>Merci de vous identifier</p>" in str(response_get.content)
-
-    def test_counters_list_no_barmen(self):
-        self.client.post(
-            reverse("counter:login", args=[self.counter.id]),
-            {"username": "krophil", "password": "plop"},
-        )
-        response = self.client.get(reverse("counter:activity", args=[self.counter.id]))
-
-        assert '<li><a href="/user/1/">S&#39; Kia</a></li>' not in str(response.content)
+        assert response.status_code == 403


@pytest.mark.django_db
-def test_barman_timeout():
+def test_barman_timeout(client: Client):
    """Test that barmen timeout is well managed."""
    bar = baker.make(Counter, type="BAR")
    user = baker.make(User)
-    bar.sellers.add(user)
+    CounterSellers.objects.create(counter=bar, user=user)
    baker.make(Permanency, counter=bar, user=user, start=now())

    qs = Counter.objects.annotate_is_open().filter(pk=bar.pk)
@@ -786,6 +847,8 @@ def test_barman_timeout():
        bar = qs[0]
        assert not bar.is_open
        assert bar.barmen_list == []
+    res = client.get("")
+    assert res.wsgi_request.barmen == set()


 class TestClubCounterClickAccess(TestCase):
@@ -835,14 +898,14 @@ class TestClubCounterClickAccess(TestCase):

    def test_barman(self):
        """Sellers should be able to click on office counters"""
-        self.counter.sellers.add(self.user)
+        CounterSellers.objects.create(counter=self.counter, user=self.user)
        self.client.force_login(self.user)
        res = self.client.get(self.click_url)
        assert res.status_code == 200

    def test_both_barman_and_board_member(self):
        """If the user is barman and board member, he should be authorized as well."""
-        self.counter.sellers.add(self.user)
+        CounterSellers.objects.create(counter=self.counter, user=self.user)
        baker.make(
            Membership, club=self.counter.club, user=self.user, role=self.board_role
        )
@@ -868,14 +931,15 @@ class TestCounterLogout:
            )
        assertRedirects(
            res,
-                reverse(
-                    "counter:details", kwargs={"counter_id": permanence.counter_id}
-                ),
+            reverse("counter:details", kwargs={"counter_id": permanence.counter_id}),
        )
        permanence.refresh_from_db()
-            assert permanence.end == now()
+        assert permanence.end == permanence.activity
+        assert permanence.user not in res.wsgi_request.barmen

    def test_logout_doesnt_change_old_permanences(self, client: Client):
+        # regression test for #1141
+        # https://github.com/ae-utbm/sith/pull/1141
        perm_counter = baker.make(Counter, type="BAR")
        permanence = baker.make(
            Permanency,
@@ -896,6 +960,6 @@ class TestCounterLogout:
                data={"user_id": permanence.user_id},
            )
            permanence.refresh_from_db()
-            assert permanence.end == now()
+            assert permanence.end == permanence.activity
            old_permanence.refresh_from_db()
            assert old_permanence.end == old_end
@@ -1,3 +1,4 @@
+import itertools
 from io import BytesIO
 from typing import Callable
 from uuid import uuid4
@@ -8,6 +9,7 @@ from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import Client, TestCase
 from django.urls import reverse
+from django.utils.timezone import now
 from model_bakery import baker
 from model_bakery.recipe import Recipe
 from PIL import Image
@@ -16,9 +18,10 @@ from pytest_django.asserts import assertNumQueries, assertRedirects
 from club.models import Club
 from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
-from counter.baker_recipes import product_recipe
+from counter.baker_recipes import product_recipe, sale_recipe
 from counter.forms import ProductForm, ProductPriceFormSet
-from counter.models import Price, Product, ProductType
+from counter.models import Price, Product, ProductType, Selling
+from eboutic.models import Basket, BasketItem


@pytest.mark.django_db
@@ -222,3 +225,59 @@ def test_price_for_user():
    assert list(qs.for_user(users[0])) == [prices[0], prices[1], prices[4]]
    assert list(qs.for_user(users[1])) == [prices[0], prices[4]]
    assert list(qs.for_user(users[2])) == [prices[0], prices[3]]
+
+
+class TestProductClicLimit(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.products = product_recipe.make(
+            clic_limit=itertools.chain([5, 10, 15], itertools.repeat(None)),
+            _quantity=6,
+            _bulk_create=True,
+        )
+        cls.qs = Product.objects.filter(id__in=[p.id for p in cls.products])
+
+    def test_no_sales_or_basket(self):
+        """Test that it works if no sales has been made yet"""
+        assert list(self.qs.under_clic_limit()) == self.products
+
+    def test_with_sales(self):
+        """Test that it works when there are existing sales"""
+        sales = sale_recipe.make(
+            product=itertools.cycle(self.products),
+            _quantity=len(self.products) * 5,
+            _bulk_create=True,
+        )
+        Selling.objects.filter(id__in=[s.id for s in sales]).update(quantity=2)
+        assert list(self.qs.under_clic_limit()) == self.products[2:]
+
+    def test_with_sales_and_basket(self):
+        """Test that it works when there are existing sales and basket items."""
+        sales = sale_recipe.make(
+            product=itertools.cycle(self.products),
+            _quantity=len(self.products) * 5,
+            _bulk_create=True,
+        )
+        Selling.objects.filter(id__in=[s.id for s in sales]).update(quantity=1)
+        basket = baker.make(
+            Basket, date=now() - settings.SITH_EBOUTIC_BASKET_TIMEOUT / 2
+        )
+        items = baker.make(
+            BasketItem,
+            product=itertools.cycle(self.products),
+            basket=basket,
+            _quantity=len(self.products) * 5,
+        )
+        BasketItem.objects.filter(id__in=[i.id for i in items]).update(quantity=1)
+        assert list(self.qs.under_clic_limit()) == self.products[2:]
+
+        # expired basket items shouldn't be accounted when computing clic limit
+        item = BasketItem.objects.filter(product=self.products[1])[0]
+        item.basket = baker.make(
+            Basket,
+            date=now()
+            - settings.SITH_EBOUTIC_BASKET_TIMEOUT
+            - settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT,
+        )
+        item.save()
+        assert list(self.qs.under_clic_limit()) == self.products[1:]
@@ -41,7 +41,6 @@ from counter.views.admin import (
    ReturnableProductUpdateView,
    SellingDeleteView,
 )
-from counter.views.auth import counter_login, counter_logout
 from counter.views.cash import (
    CashSummaryEditView,
    CashSummaryListView,
@@ -57,7 +56,9 @@ from counter.views.eticket import (
 from counter.views.home import (
    CounterActivityView,
    CounterLastOperationsView,
+    CounterLoginFragment,
    CounterMain,
+    counter_logout,
 )
 from counter.views.invoice import InvoiceCallView
 from counter.views.student_card import StudentCardDeleteView, StudentCardFormFragment
@@ -66,7 +67,7 @@ urlpatterns = [
    path("<int:counter_id>/", CounterMain.as_view(), name="details"),
    path("<int:counter_id>/click/<int:user_id>/", CounterClick.as_view(), name="click"),
    path(
-        "refill/<int:customer_id>/",
+        "<int:counter_id>/refill/<int:customer_id>/",
        RefillingCreateView.as_view(),
        name="refilling_create",
    ),
@@ -82,7 +83,7 @@ urlpatterns = [
    ),
    path("<int:counter_id>/activity/", CounterActivityView.as_view(), name="activity"),
    path("<int:counter_id>/stats/", CounterStatView.as_view(), name="stats"),
-    path("<int:counter_id>/login/", counter_login, name="login"),
+    path("<int:counter_id>/login/", CounterLoginFragment.as_view(), name="login"),
    path("<int:counter_id>/logout/", counter_logout, name="logout"),
    path("eticket/<int:selling_id>/pdf/", EticketPDFView.as_view(), name="eticket_pdf"),
    path(
@@ -3,8 +3,6 @@ from urllib.parse import urlparse
 from django.http import HttpRequest
 from django.urls import resolve

-from counter.models import Counter
-

 def is_logged_in_counter(request: HttpRequest) -> bool:
    """Check if the request is sent from a device logged to a counter.
@@ -20,24 +18,13 @@ def is_logged_in_counter(request: HttpRequest) -> bool:
      or the request path belongs to the counter app
      (eg. the barman went back to the main by missclick and go back
      to the counter)
-    - The current session has a counter token associated with it.
-    - A counter with this token exists.
-    - The counter is open
+    - There are barmen logged in the current session
    """
    referer_ok = (
        "HTTP_REFERER" in request.META
        and resolve(urlparse(request.META["HTTP_REFERER"]).path).app_name == "counter"
    )
-    has_token = (
-        (referer_ok or request.resolver_match.app_name == "counter")
-        and "counter_token" in request.session
-        and request.session["counter_token"]
-    )
-    if not has_token:
+    if not referer_ok and request.resolver_match.app_name != "counter":
        return False

-    return (
-        Counter.objects.annotate_is_open()
-        .filter(token=request.session["counter_token"], is_open=True)
-        .exists()
-    )
+    return bool(request.barmen)
@@ -1,53 +0,0 @@
-#
-# Copyright 2023 © AE UTBM
-# ae@utbm.fr / ae.info@utbm.fr
-#
-# This file is part of the website of the UTBM Student Association (AE UTBM),
-# https://ae.utbm.fr.
-#
-# You can find the source code of the website at https://github.com/ae-utbm/sith
-#
-# LICENSED UNDER THE GNU GENERAL PUBLIC LICENSE VERSION 3 (GPLv3)
-# SEE : https://raw.githubusercontent.com/ae-utbm/sith/master/LICENSE
-# OR WITHIN THE LOCAL FILE "LICENSE"
-#
-#
-
-from django.http import HttpRequest, HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect
-from django.utils import timezone
-from django.utils.timezone import now
-from django.views.decorators.http import require_POST
-
-from core.views.forms import LoginForm
-from counter.models import Counter, Permanency
-
-
-@require_POST
-def counter_login(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
-    """Log a user in a counter.
-
-    A successful login will result in the beginning of a counter duty
-    for the user.
-    """
-    counter = get_object_or_404(Counter, pk=counter_id)
-    form = LoginForm(request, data=request.POST)
-    if not form.is_valid():
-        return redirect(counter.get_absolute_url() + "?credentials")
-    user = form.get_user()
-    if not counter.sellers.contains(user) or user in counter.barmen_list:
-        return redirect(counter.get_absolute_url() + "?sellers")
-    if len(counter.barmen_list) == 0:
-        counter.gen_token()
-    request.session["counter_token"] = counter.token
-    counter.permanencies.create(user=user, start=timezone.now())
-    return redirect(counter)
-
-
-@require_POST
-def counter_logout(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
-    """End the permanency of a user in this counter."""
-    Permanency.objects.filter(
-        counter=counter_id, user=request.POST["user_id"], end=None
-    ).update(end=now())
-    return redirect("counter:details", counter_id=counter_id)
@@ -12,8 +12,10 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+import random
 from collections import defaultdict

+from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Q
@@ -21,6 +23,7 @@ from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect, resolve_url
 from django.urls import reverse
 from django.utils.safestring import SafeString
+from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from django.views.generic.detail import SingleObjectMixin
 from ninja.main import HttpRequest
@@ -29,13 +32,7 @@ from core.auth.mixins import CanViewMixin
 from core.models import User
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BasketForm, RefillForm
-from counter.models import (
-    Counter,
-    Customer,
-    ProductFormula,
-    ReturnableProduct,
-    Selling,
-)
+from counter.models import Counter, Customer, ProductFormula, ReturnableProduct, Selling
 from counter.utils import is_logged_in_counter
 from counter.views.mixins import CounterTabsMixin
 from counter.views.student_card import StudentCardFormFragment
@@ -46,7 +43,7 @@ def get_operator(request: HttpRequest, counter: Counter, customer: Customer) ->
        return request.user
    if counter.customer_is_barman(customer):
        return customer.user
-    return counter.get_random_barman()
+    return random.choice(list(request.barmen))


 class CounterClick(
@@ -78,7 +75,7 @@ class CounterClick(
        return kwargs

    def dispatch(self, request, *args, **kwargs):
-        self.customer = get_object_or_404(Customer, user__id=self.kwargs["user_id"])
+        self.customer = get_object_or_404(Customer, user_id=self.kwargs["user_id"])
        obj: Counter = self.get_object()

        if not self.customer.can_buy or self.customer.user.is_banned_counter:
@@ -96,14 +93,13 @@ class CounterClick(
            # or a seller of this counter.
            raise PermissionDenied

-        if obj.type == "BAR" and (
-            not obj.is_open
-            or "counter_token" not in request.session
-            or request.session["counter_token"] != obj.token
+        if obj.type == "BAR" and not (
+            request.barmen and request.barmen.issubset(set(obj.barmen_list))
        ):
+            messages.error(request, _("You cannot click users on this counter"))
            return redirect(obj)  # Redirect to counter

-        self.prices = obj.get_prices_for(self.customer)
+        self.prices = list(obj.get_prices_for(self.customer))

        return super().dispatch(request, *args, **kwargs)

@@ -199,7 +195,7 @@ class CounterClick(
            )
        if self.object.can_refill():
            res["refilling_fragment"] = RefillingCreateView.as_fragment()(
-                self.request, customer=self.customer
+                self.request, customer=self.customer, counter=self.object
            )
        return res

@@ -237,11 +233,13 @@ class RefillingCreateView(FragmentMixin, FormView):
        if not is_logged_in_counter(request):
            raise PermissionDenied

-        self.counter: Counter = get_object_or_404(
-            Counter, token=request.session["counter_token"]
-        )
+        self.counter: Counter = get_object_or_404(Counter, id=self.kwargs["counter_id"])

-        if not self.counter.can_refill():
+        if not (
+            request.barmen
+            and request.barmen.issubset(self.counter.barmen_list)
+            and self.counter.can_refill()
+        ):
            raise PermissionDenied

        self.operator = get_operator(request, self.counter, self.customer)
@@ -250,6 +248,7 @@ class RefillingCreateView(FragmentMixin, FormView):

    def render_fragment(self, request, **kwargs) -> SafeString:
        self.customer = kwargs.pop("customer")
+        self.counter = kwargs.pop("counter")
        return super().render_fragment(request, **kwargs)

    def form_valid(self, form):
@@ -264,7 +263,8 @@ class RefillingCreateView(FragmentMixin, FormView):
    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)
        kwargs["action"] = reverse(
-            "counter:refilling_create", kwargs={"customer_id": self.customer.pk}
+            "counter:refilling_create",
+            kwargs={"customer_id": self.customer.pk, "counter_id": self.counter.pk},
        )
        return kwargs

@@ -15,78 +15,120 @@
 from datetime import timedelta

 from django.conf import settings
-from django.http import HttpResponseRedirect
-from django.urls import reverse, reverse_lazy
+from django.core.exceptions import PermissionDenied
+from django.db.models import F
+from django.http import HttpRequest, HttpResponseRedirect
+from django.shortcuts import redirect
+from django.urls import reverse
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
+from django.utils.safestring import SafeString
+from django.views.decorators.http import require_POST
 from django.views.generic import DetailView
-from django.views.generic.edit import FormMixin, ProcessFormView
+from django.views.generic.detail import SingleObjectMixin
+from django.views.generic.edit import FormView

 from core.auth.mixins import CanViewMixin
-from core.views.forms import LoginForm
-from counter.forms import GetUserForm
-from counter.models import Counter
+from core.views import FragmentMixin, UseFragmentsMixin
+from counter.forms import CounterLoginForm, GetUserForm
+from counter.models import Counter, Permanency
 from counter.utils import is_logged_in_counter
 from counter.views.mixins import CounterTabsMixin


+class CounterLoginFragment(FragmentMixin, SingleObjectMixin, FormView):
+    model = Counter
+    form_class = CounterLoginForm
+    reload_on_redirect = True
+    pk_url_kwarg = "counter_id"
+    template_name = "counter/fragments/login.jinja"
+
+    def dispatch(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        if self.object.type != "BAR":
+            # barmen have to log in only if it is a bar,
+            # so calling this view on a non-bar counter makes no sense
+            raise PermissionDenied
+        return super().dispatch(request, *args, **kwargs)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {
+            "request": self.request,
+            "counter": self.object,
+        }
+
+    def form_valid(self, form: CounterLoginForm):
+        user = form.get_user()
+        self.object.permanencies.create(user=user, start=timezone.now())
+        self.request.barmen.add(user)
+        self.success_url = reverse(
+            "counter:details", kwargs={"counter_id": self.object.id}
+        )
+        return super().form_valid(form)
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.object = kwargs.pop("counter")
+        return super().render_fragment(request, **kwargs)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "action": reverse("counter:login", kwargs={"counter_id": self.object.id})
+        }
+
+
+@require_POST
+def counter_logout(request: HttpRequest, counter_id: int) -> HttpResponseRedirect:
+    """End the permanency of a user in this counter."""
+    Permanency.objects.filter(
+        counter=counter_id, user=request.POST["user_id"], end=None
+    ).update(end=F("activity"))
+    return redirect("counter:details", counter_id=counter_id)
+
+
 class CounterMain(
-    CounterTabsMixin, CanViewMixin, DetailView, ProcessFormView, FormMixin
+    CounterTabsMixin, UseFragmentsMixin, CanViewMixin, SingleObjectMixin, FormView
 ):
    """The public (barman) view."""

    model = Counter
+    queryset = Counter.objects.exclude(type="EBOUTIC")
    template_name = "counter/counter_main.jinja"
    pk_url_kwarg = "counter_id"
-    form_class = (
-        GetUserForm  # Form to enter a client code and get the corresponding user id
-    )
+    form_class = GetUserForm
    current_tab = "counter"

-    def get_queryset(self):
-        return super().get_queryset().exclude(type="EBOUTIC")
+    def dispatch(self, request, *args, **kwargs):
+        self.object: Counter = self.get_object()
+        if self.object.type == "BAR":
+            self.object.update_activity()
+        return super().dispatch(request, *args, **kwargs)

-    def post(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        if self.object.type == "BAR" and not (
-            "counter_token" in self.request.session
-            and self.request.session["counter_token"] == self.object.token
-        ):  # Check the token to avoid the bar to be stolen
-            return HttpResponseRedirect(
-                reverse_lazy(
-                    "counter:details",
-                    args=self.args,
-                    kwargs={"counter_id": self.object.id},
+    def get_fragment_context_data(self) -> dict[str, SafeString]:
+        login_fragment = (
+            CounterLoginFragment.as_fragment()(self.request, counter=self.object)
+            if self.object.type == "BAR"
+            else ""
        )
-                + "?bad_location"
-            )
-        return super().post(request, *args, **kwargs)
+        return super().get_fragment_context_data() | {"login_fragment": login_fragment}

    def get_context_data(self, **kwargs):
        """We handle here the login form for the barman."""
-        if self.request.method == "POST":
-            self.object = self.get_object()
-        self.object.update_activity()
        kwargs = super().get_context_data(**kwargs)
-        kwargs["login_form"] = LoginForm()
-        kwargs["login_form"].fields["username"].widget.attrs["autofocus"] = True
-        kwargs[
-            "login_form"
-        ].cleaned_data = {}  # add_error fails if there are no cleaned_data
-        if "credentials" in self.request.GET:
-            kwargs["login_form"].add_error(None, _("Bad credentials"))
-        if "sellers" in self.request.GET:
-            kwargs["login_form"].add_error(None, _("User is not barman"))
-        kwargs["form"] = self.get_form()
-        kwargs["form"].cleaned_data = {}  # same as above
-        if "bad_location" in self.request.GET:
-            kwargs["form"].add_error(
-                None, _("Bad location, someone is already logged in somewhere else")
-            )
        if self.object.type == "BAR":
            kwargs["barmen"] = self.object.barmen_list
-        elif self.request.user.is_authenticated:
-            kwargs["barmen"] = [self.request.user]
+            kwargs["barmen_here"] = list(
+                self.request.barmen.intersection(self.object.barmen_list)
+            )
+        kwargs["can_click"] = (
+            self.object.type == "BAR"
+            and self.request.barmen
+            and self.request.barmen.issubset(set(self.object.barmen_list))
+        ) or (
+            self.object.type == "OFFICE"
+            and (
+                self.object.sellers.contains(self.request.user)
+                or self.object.club.has_rights_in_club(self.request.user)
+            )
+        )
        if "last_basket" in self.request.session:
            kwargs["last_basket"] = self.request.session.pop("last_basket")
            kwargs["last_customer"] = self.request.session.pop("last_customer")
@@ -96,14 +138,17 @@ class CounterMain(
            )
        return kwargs

-    def form_valid(self, form):
+    def form_valid(self, form: GetUserForm):
        """We handle here the redirection, passing the user id of the asked customer."""
-        self.kwargs["user_id"] = form.cleaned_data["user_id"]
+        self.success_url = reverse(
+            "counter:click",
+            kwargs={
+                "counter_id": self.kwargs["counter_id"],
+                "user_id": form.cleaned_data["user_id"],
+            },
+        )
        return super().form_valid(form)

-    def get_success_url(self):
-        return reverse_lazy("counter:click", args=self.args, kwargs=self.kwargs)
-

 class CounterLastOperationsView(CounterTabsMixin, CanViewMixin, DetailView):
    """Provide the last operations to allow barmen to delete them."""
@@ -1,4 +1,6 @@

+## Fonctionnement général
+
 La boutique en ligne nécessite une interaction
 avec la banque pour son fonctionnement.

@@ -9,3 +11,32 @@ Nous ne pouvons donc que vous redirigez vers la doc du crédit
 agricole : 
 [https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/](https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/)

+## Limite de clic et expiration des paniers
+
+Certains produits peuvent avoir un quota de vente.
+Une fois ce dernier atteint, il ne doit plus être possible de les acheter.
+
+Pour éviter que cette limite soit dépassée si jamais plusieurs utilisateurs
+commandent et achètent ce produit à peu près en même temps,
+un produit est considéré comme « réservé » une fois placé dans un panier.
+La création du panier s'effectue lors de la soumission du formulaire sur l'eboutic.
+Une fois la transaction accomplie, le panier est supprimé.
+
+Cependant, il reste un problème : 
+que faire des utilisateurs qui créent un panier, mais ne terminent
+pas la transaction ?
+Pour résoudre ce cas, les paniers ont une durée de validité,
+définie dans le `settings.py`, grâce à deux variables :
+
+- `settings.SITH_EBOUTIC_BASKET_TIMEOUT` : 
+  le temps pendant lequel un utilisateur peut payer avec son compte AE
+  ou démarrer une etransaction
+- `settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT` :
+  le temps alloué à l'utilisateur pour effectuer une etransaction ;
+  au-delà de cette durée, la banque refusera le paiement
+  et notifiera le sith de l'erreur.
+
+Une fois expiré le temps défini par 
+`settings.SITH_EBOUTIC_BASKET_TIMEOUT + settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT`, 
+les produits contenus dans le panier sont à nouveau 
+disponibles à la vente.
@@ -1,3 +1,6 @@
+from typing import Any
+
+from ninja import Status
 from ninja_extra import ControllerBase, api_controller, route
 from ninja_extra.exceptions import NotFound

@@ -8,13 +11,19 @@ from eboutic.models import Basket

@api_controller("/etransaction", permissions=[CanView])
 class EtransactionInfoController(ControllerBase):
-    @route.get("/data/{basket_id}", url_name="etransaction_data")
+    @route.get(
+        "/data/{basket_id}",
+        url_name="etransaction_data",
+        response={200: dict[str, Any], 410: str},
+    )
    def fetch_etransaction_data(self, basket_id: int):
        """Generate the data to pay an eboutic command with paybox.

        The data is generated with the basket that is used by the current session.
        """
        basket: Basket = self.get_object_or_exception(Basket, pk=basket_id)
+        if basket.is_expired:
+            return Status(410, "This basket is expired.")
        try:
            return dict(basket.get_e_transaction_data())
        except BillingInfo.DoesNotExist as e:
@@ -16,7 +16,6 @@ from __future__ import annotations

 import hmac
 from datetime import datetime
-from enum import Enum
 from typing import Self

 from dict2xml import dict2xml
@@ -24,6 +23,7 @@ from django.conf import settings
 from django.db import DataError, models
 from django.db.models import F, OuterRef, Subquery, Sum
 from django.utils.functional import cached_property
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _

 from core.models import User
@@ -39,30 +39,6 @@ from counter.models import (
 )


-class BillingInfoState(Enum):
-    VALID = 1
-    EMPTY = 2
-    MISSING_PHONE_NUMBER = 3
-
-    @classmethod
-    def from_model(cls, info: BillingInfo | None) -> BillingInfoState:
-        if info is None:
-            return cls.EMPTY
-        for attr in [
-            "first_name",
-            "last_name",
-            "address_1",
-            "zip_code",
-            "city",
-            "country",
-        ]:
-            if getattr(info, attr) == "":
-                return cls.EMPTY
-        if info.phone_number is None:
-            return cls.MISSING_PHONE_NUMBER
-        return cls.VALID
-
-
 class Basket(models.Model):
    """Basket is built when the user connects to an eboutic page."""

@@ -95,6 +71,19 @@ class Basket(models.Model):
            ]
        )

+    @property
+    def is_expired(self) -> bool:
+        """Return True if this basket is expired.
+
+        An expired basket can no longer be used tp pay with sith account
+        or to start an etransaction.
+
+        Warnings:
+            Users have an additional time if they pay with an etransaction,
+            so an expired basket may be purchased after its expiration in that case.
+        """
+        return (self.date + settings.SITH_EBOUTIC_BASKET_TIMEOUT) <= now()
+
    def generate_sales(
        self, counter, seller: User, payment_method: Selling.PaymentMethod
    ):
@@ -133,15 +122,22 @@ class Basket(models.Model):
        ]

    def get_e_transaction_data(self) -> list[tuple[str, str]]:
+        """Get data for etransaction payment.
+
+        Raises:
+            Customer.DoesNotExist: if the user linked to this basket
+                has no customer account
+            BillingInfo.DoesNotExist: if the user linked to this basket has no
+                billing infos, or incorrect billing infos.
+            ValueError: if this is called on a basket which payment delay is expired.
+        """
        user = self.user
        if not hasattr(user, "customer"):
            raise Customer.DoesNotExist
+        if self.is_expired:
+            raise ValueError("This method cannot be called on an expired basket.")
        customer = user.customer
-        if (
-            not hasattr(user.customer, "billing_infos")
-            or BillingInfoState.from_model(user.customer.billing_infos)
-            != BillingInfoState.VALID
-        ):
+        if not hasattr(user.customer, "billing_infos"):
            raise BillingInfo.DoesNotExist
        cart = {
            "shoppingcart": {"total": {"totalQuantity": min(self.items.count(), 99)}}
@@ -155,6 +151,10 @@ class Basket(models.Model):
            ("PBX_IDENTIFIANT", settings.SITH_EBOUTIC_PBX_IDENTIFIANT),
            ("PBX_TOTAL", str(int(self.total * 100))),
            ("PBX_DEVISE", "978"),  # This is Euro
+            (
+                "PBX_DISPLAY",
+                str(int(settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT.total_seconds())),
+            ),
            ("PBX_CMD", str(self.id)),
            ("PBX_PORTEUR", user.email),
            ("PBX_RETOUR", "Amount:M;BasketID:R;Auto:A;Error:E;Sig:K"),
@@ -219,16 +219,14 @@ class Invoice(models.Model):
        if self.validated:
            raise DataError(_("Invoice already validated"))
        customer, _created = Customer.get_or_create(user=self.user)
-        kwargs = {
-            "counter": get_eboutic(),
-            "customer": customer,
-            "date": self.date,
-            "payment_method": Selling.PaymentMethod.CARD,
-        }
+        kwargs = {"counter": get_eboutic(), "customer": customer, "date": self.date}
        for i in self.items.select_related("product"):
            if i.product.product_type_id == settings.SITH_COUNTER_PRODUCTTYPE_REFILLING:
                Refilling.objects.create(
-                    **kwargs, operator=self.user, amount=i.unit_price * i.quantity
+                    **kwargs,
+                    operator=self.user,
+                    amount=i.unit_price * i.quantity,
+                    payment_method=Refilling.PaymentMethod.CARD,
                )
            else:
                Selling.objects.create(
@@ -239,6 +237,7 @@ class Invoice(models.Model):
                    seller=self.user,
                    unit_price=i.unit_price,
                    quantity=i.quantity,
+                    payment_method=Selling.PaymentMethod.CARD,
                )
        self.validated = True
        self.save()
@@ -1,21 +1,71 @@
+import { type Notification, NotificationLevel } from "#core:utils/notifications";
 import { etransactioninfoFetchEtransactionData } from "#openapi";

+interface Basket {
+  id: number;
+  timeout: Date;
+}
 document.addEventListener("alpine:init", () => {
-  Alpine.data("etransaction", (initialData, basketId: number) => ({
+  Alpine.data("etransaction", (initialData, basket: Basket) => ({
    data: initialData,
    isCbAvailable: Object.keys(initialData).length > 0,
+    isSithAvailable: true,

+    init() {
+      const now = new Date();
+      const timeout = basket.timeout.getTime() - now.getTime();
+      if (timeout <= 0) {
+        // basket was already outdated at initial page load
+        this.timeoutBasket();
+      } else {
+        setTimeout(() => this.timeoutBasket(), timeout);
+      }
+    },
+
+    /**
+     * Make this basket into a timeout state.
+     * All submission inputs are disabled, and an error message is displayed.
+     */
+    timeoutBasket() {
+      this.isCbAvailable = false;
+      this.isSithAvailable = false;
+      const message = gettext("Basket expired");
+
+      const existingNotif: Notification | undefined = this.$notifications
+        .getAll()
+        .find(
+          (n: Notification) =>
+            n.tag === NotificationLevel.Error && n.message === message,
+        );
+      if (existingNotif === undefined) {
+        this.$notifications.error(message);
+      }
+    },
+
+    /**
+     * Refresh the data used for etransaction.
+     *
+     * Note: if this is called while the basket is expired, it will be a no-op
+     */
    async fill() {
+      if (new Date() > basket.timeout) {
+        // refresh etransaction data only if the basket is still valid.
+        this.timeoutBasket();
+        return;
+      }
      this.isCbAvailable = false;
      const res = await etransactioninfoFetchEtransactionData({
-        path: {
        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-          basket_id: basketId,
-        },
+        path: { basket_id: basket.id },
      });
      if (res.response.ok) {
        this.data = res.data;
        this.isCbAvailable = true;
+      } else if (res.response.status === 410) {
+        // The basket is expired, so no payment method should be available at all.
+        // This shouldn't happen, because we don't send the request
+        // when the timeout is passed, but we are better safe than sorry
+        this.timeoutBasket();
      }
    },
  }));
@@ -11,7 +11,7 @@ const BASKET_CACHE_KEY = "basket";
 const BASKET_CACHE_VERSION = 1;

 document.addEventListener("alpine:init", () => {
-  Alpine.data("basket", (lastPurchaseTime?: number) => ({
+  Alpine.data("basket", (validPrices: number[], lastPurchaseTime?: number) => ({
    basket: [] as BasketItem[],

    init() {
@@ -19,15 +19,6 @@ document.addEventListener("alpine:init", () => {
      this.$watch("basket", () => {
        this.saveBasket();
      });
-      // Invalidate basket if a purchase was made
-      if (lastPurchaseTime !== null && localStorage.basketTimestamp !== undefined) {
-        if (
-          new Date(lastPurchaseTime) >=
-          new Date(Number.parseInt(localStorage.basketTimestamp, 10))
-        ) {
-          this.basket = [];
-        }
-      }
      document
        .getElementById("id_form-TOTAL_FORMS")
        .setAttribute(":value", "basket.length");
@@ -37,7 +28,22 @@ document.addEventListener("alpine:init", () => {
      const cached = versionedLocalStorage.getItem<BasketItem[]>(BASKET_CACHE_KEY, {
        version: BASKET_CACHE_VERSION,
      });
-      return cached ?? [];
+      if (!cached) {
+        return [];
+      }
+      if (
+        lastPurchaseTime !== null &&
+        localStorage.basketTimestamp !== undefined &&
+        new Date(lastPurchaseTime) >=
+          new Date(Number.parseInt(localStorage.basketTimestamp, 10))
+      ) {
+        // Invalidate basket if a purchase was made
+        return [];
+      }
+      // The basket is cached and not expired, so return it,
+      // but without items that are invalid
+      // (e.g. because the product is archived, or sold out)
+      return cached.filter((item) => validPrices.includes(item.priceId));
    },

    saveBasket() {
@@ -21,9 +21,10 @@
      hx-swap="outerHTML"
      hx-target="#billing-infos-fragment"
      x-show="collapsed"
+      x-cloak
    >
      {% csrf_token %}
-      {{ form.as_p() }}
+      {{ form }}
      <br>
      <input
        type="submit" class="btn btn-blue clickable"
@@ -16,10 +16,13 @@
  <h3>{% trans %}Eboutic{% endtrans %}</h3>

  <script type="text/javascript">
-    let billingInfos = {{ billing_infos|safe }};
+    const billingInfos = {{ billing_infos|safe }};
  </script>

-  <div x-data="etransaction(billingInfos, {{ basket.id }})">
+  <div x-data='etransaction(
+               billingInfos,
+               { id: {{ basket.id }}, timeout: new Date("{{ basket.date + settings.SITH_EBOUTIC_BASKET_TIMEOUT }}") }
+               )'>
    <p>{% trans %}Basket: {% endtrans %}</p>
    <table>
      <thead>
@@ -72,7 +75,11 @@
          x-cloak
          type="submit"
          id="bank-submit-button"
+          {% if basket.is_expired %}
+            disabled="disabled"
+          {% else %}
            :disabled="!isCbAvailable"
+          {% endif %}
          class="btn btn-blue"
          value="{% trans %}Pay with credit card{% endtrans %}"
        />
@@ -93,7 +100,16 @@
    {% else %}
      <form method="post" action="{{ url('eboutic:pay_with_sith', basket_id=basket.id) }}" name="sith-pay-form">
        {% csrf_token %}
-        <input class="btn btn-blue" type="submit" value="{% trans %}Pay with Sith account{% endtrans %}"/>
+        <input
+          {% if basket.is_expired %}
+            disabled="disabled"
+          {% else %}
+            :disabled="!isSithAvailable"
+          {% endif %}
+          class="btn btn-blue"
+          type="submit"
+          value="{% trans %}Pay with Sith account{% endtrans %}"
+        />
      </form>
    {% endif %}
  </div>
@@ -30,7 +30,17 @@
 {% block content %}
  <h1 id="eboutic-title">{% trans %}Eboutic{% endtrans %}</h1>

-  <div id="eboutic" x-data="basket({{ last_purchase_time }})">
+  <div
+    id="eboutic"
+    x-data="basket(
+            [{%- for prices in categories -%}
+              {%- for p in prices -%}
+                {% if not p.sold_out %}{{ p.id }},{% endif %}
+              {%- endfor -%}
+            {%- endfor -%}],
+            {{ last_purchase_time }},
+            )"
+  >
    <div id="basket">
      <h3>Panier</h3>
      <form method="post" action="">
@@ -187,9 +197,10 @@
            {% for price in prices %}
              <button
                id="{{ price.id }}"
-                class="card product-button clickable shadow"
+                class="card clickable shadow"
                :class="{selected: basket.some((i) => i.priceId === {{ price.id }})}"
                @click='addFromCatalog({{ price.id }}, {{ price.full_label|tojson }}, {{ price.amount }})'
+                {% if price.sold_out %}disabled{% endif %}
              >
                {% if price.product.icon %}
                  <img
@@ -202,6 +213,9 @@
                {% endif %}
                <div class="card-content">
                  <h4 class="card-title">{{ price.full_label }}</h4>
+                  {% if price.sold_out -%}
+                    <p><em>{% trans %}Product sold out{% endtrans %}</em></p>
+                  {%- endif %}
                  <p>{{ price.amount }} €</p>
                </div>
              </button>
@@ -1,14 +1,19 @@
+import re
 from datetime import datetime, timezone

+import freezegun
 import pytest
+from bs4 import BeautifulSoup
+from django.conf import settings
 from django.http import HttpResponse
 from django.test import TestCase
 from django.test.client import Client
 from django.urls import reverse
-from django.utils.timezone import localdate
+from django.utils.timezone import localdate, now
 from model_bakery import baker
 from pytest_django.asserts import assertRedirects

+import eboutic.models
 from core.baker_recipes import subscriber_user
 from core.models import Group, User
 from counter.baker_recipes import (
@@ -130,9 +135,11 @@ def test_eboutic_basket_expiry(
            _bulk_create=True,
        )

+    soup = BeautifulSoup(client.get(reverse("eboutic:main")).text, "lxml")
    assert (
-        f'x-data="basket({int(expected.timestamp() * 1000) if expected else "null"})"'
-        in client.get(reverse("eboutic:main")).text
+        # remove any space from the value before asserting
+        re.sub(r"\s+", "", soup.find(id="eboutic").attrs["x-data"])
+        == f"basket([],{int(expected.timestamp() * 1000) if expected else 'null'},)"
    )


@@ -231,26 +238,45 @@ class TestEboutic(TestCase):

    def test_add_forbidden_product(self):
        self.client.force_login(self.new_customer)
-        response = self.submit_basket([BasketItem(self.beer.id, 1)])
+        for product in self.beer, self.cotiz, self.not_in_counter:
+            response = self.submit_basket([BasketItem(product.id, 1)])
            assert response.status_code == 200
-        assert Basket.objects.first() is None
+            assert not Basket.objects.exists()

-        response = self.submit_basket([BasketItem(self.cotiz.id, 1)])
+    def test_sold_out_product(self):
+        sold_out = product_recipe.make(
+            clic_limit=3, counters=[self.eboutic], product_type=baker.make(ProductType)
+        )
+        price = price_recipe.make(product=sold_out, groups=[self.group_cotiz], amount=0)
+        sale_recipe.make(
+            product=sold_out,
+            customer=self.subscriber.customer,
+            unit_price=0,
+            quantity=1,
+        )
+        baker.make(
+            eboutic.models.BasketItem,
+            basket=baker.make(Basket),
+            product=sold_out,
+            quantity=2,
+        )
+        self.client.force_login(self.subscriber)
+        response = self.submit_basket([BasketItem(price.id, 1)])
        assert response.status_code == 200
-        assert Basket.objects.first() is None
-
-        response = self.submit_basket([BasketItem(self.not_in_counter.id, 1)])
-        assert response.status_code == 200
-        assert Basket.objects.first() is None
-
-        self.client.force_login(self.new_customer)
-        response = self.submit_basket([BasketItem(self.cotiz.id, 1)])
-        assert response.status_code == 200
-        assert Basket.objects.first() is None
-
-        response = self.submit_basket([BasketItem(self.not_in_counter.id, 1)])
-        assert response.status_code == 200
-        assert Basket.objects.first() is None
+        assert Basket.objects.count() == 1
+        with freezegun.freeze_time(
+            now()
+            + settings.SITH_EBOUTIC_BASKET_TIMEOUT
+            + settings.SITH_EBOUTIC_ETRANSACTION_TIMEOUT
+        ):
+            # after a while, unpaid basket items should expire and make the
+            # product available again.
+            response = self.submit_basket([BasketItem(price.id, 1)])
+        assertRedirects(
+            response,
+            reverse("eboutic:checkout", kwargs={"basket_id": Basket.objects.last().id}),
+        )
+        assert Basket.objects.count() == 2

    def test_create_basket(self):
        self.client.force_login(self.new_customer)
@@ -37,12 +37,9 @@ class TestBillingInfo:

    def test_edit_infos(self, client: Client, payload: dict[str, str]):
        user = subscriber_user.make()
-        baker.make(BillingInfo, customer=user.customer)
+        baker.make(BillingInfo, customer=user.customer, phone_number="06 01 02 03 04")
        client.force_login(user)
-        response = client.post(
-            reverse("eboutic:billing_infos"),
-            payload,
-        )
+        response = client.post(reverse("eboutic:billing_infos"), payload)
        user.refresh_from_db()
        infos = BillingInfo.objects.get(customer__user=user)
        assert response.status_code == 302
@@ -3,6 +3,7 @@ import urllib
 from decimal import Decimal
 from typing import TYPE_CHECKING

+import freezegun
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.hashes import SHA1
@@ -17,7 +18,7 @@ from pytest_django.asserts import assertRedirects

 from core.baker_recipes import old_subscriber_user, subscriber_user
 from counter.baker_recipes import price_recipe, product_recipe
-from counter.models import Product, ProductType, Selling
+from counter.models import Product, ProductType, Refilling, Selling
 from counter.tests.test_counter import force_refill_user
 from eboutic.models import Basket, BasketItem

@@ -105,7 +106,7 @@ class TestPaymentSith(TestPaymentBase):
            ),
            reverse("eboutic:payment_result", kwargs={"result": "success"}),
        )
-        assert Basket.objects.filter(id=self.basket.id).first() is None
+        assert not Basket.objects.filter(id=self.basket.id).exists()
        self.customer.customer.refresh_from_db()
        assert self.customer.customer.amount == Decimal(1)

@@ -139,10 +140,7 @@ class TestPaymentSith(TestPaymentBase):
        assert len(messages) == 1
        assert messages[0].level == DEFAULT_LEVELS["ERROR"]
        assert messages[0].message == "Solde insuffisant"
-
-        assert Basket.objects.contains(self.basket), (
-            "After an unsuccessful request, the basket should be kept"
-        )
+        assert not Basket.objects.filter(id=self.basket.id).exists()

    def test_refilling_in_basket(self):
        BasketItem.from_price(self.refilling.prices.first(), 1, self.basket).save()
@@ -157,7 +155,7 @@ class TestPaymentSith(TestPaymentBase):
            response,
            reverse("eboutic:payment_result", kwargs={"result": "failure"}),
        )
-        assert Basket.objects.filter(id=self.basket.id).first() is not None
+        assert not Basket.objects.filter(id=self.basket.id).exists()
        messages = list(get_messages(response.wsgi_request))
        assert messages[0].level == DEFAULT_LEVELS["ERROR"]
        assert (
@@ -167,6 +165,24 @@ class TestPaymentSith(TestPaymentBase):
        self.customer.customer.refresh_from_db()
        assert self.customer.customer.amount == initial_account_balance

+    def test_basket_expired(self):
+        self.client.force_login(self.customer)
+        initial_account_balance = self.customer.customer.amount
+        with freezegun.freeze_time(settings.SITH_EBOUTIC_BASKET_TIMEOUT):
+            response = self.client.post(
+                reverse("eboutic:pay_with_sith", kwargs={"basket_id": self.basket.id})
+            )
+        assertRedirects(
+            response,
+            reverse("eboutic:payment_result", kwargs={"result": "failure"}),
+        )
+        messages = list(get_messages(response.wsgi_request))
+        assert messages[0].level == DEFAULT_LEVELS["ERROR"]
+        assert messages[0].message == "Panier expiré"
+        assert not Basket.objects.filter(id=self.basket.id).exists()
+        self.customer.customer.refresh_from_db()
+        assert self.customer.customer.amount == initial_account_balance
+

 class TestPaymentCard(TestPaymentBase):
    def generate_bank_valid_answer(self, basket: Basket):
@@ -236,6 +252,10 @@ class TestPaymentCard(TestPaymentBase):

        self.customer.customer.refresh_from_db()
        assert self.customer.customer.amount == price.amount * 2
+        refill = self.customer.customer.refillings.last()
+        assert refill is not None
+        assert refill.amount == price.amount * 2
+        assert refill.payment_method == Refilling.PaymentMethod.CARD

    def test_multiple_responses(self):
        bank_response = self.generate_bank_valid_answer(self.basket)
@@ -33,12 +33,14 @@ from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import DatabaseError, transaction
-from django.db.models import Subquery
+from django.db.models import Exists, OuterRef, Subquery
 from django.db.models.fields import forms
 from django.db.utils import cached_property
 from django.http import HttpResponse
 from django.shortcuts import redirect, render
 from django.urls import reverse
+from django.utils.formats import localize
+from django.utils.timezone import localtime
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET
 from django.views.generic import DetailView, FormView, TemplateView, UpdateView, View
@@ -56,7 +58,7 @@ from counter.models import (
    Selling,
    get_eboutic,
 )
-from eboutic.models import Basket, BasketItem, BillingInfoState, Invoice, InvoiceItem
+from eboutic.models import Basket, BasketItem, Invoice, InvoiceItem

 if TYPE_CHECKING:
    from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
@@ -90,7 +92,9 @@ class EbouticMainView(LoginRequiredMixin, FormView):
        kwargs["form_kwargs"] = {
            "customer": self.customer,
            "counter": get_eboutic(),
-            "allowed_prices": {price.id: price for price in self.prices},
+            "allowed_prices": {
+                price.id: price for price in self.prices if not price.sold_out
+            },
        }
        return kwargs

@@ -116,9 +120,14 @@ class EbouticMainView(LoginRequiredMixin, FormView):

    @cached_property
    def prices(self) -> list[Price]:
-        return get_eboutic().get_prices_for(
-            self.customer,
-            order_by=["product__product_type__order", "product_id", "amount"],
+        eboutic = get_eboutic()
+        sold_out_subquery = ~Exists(
+            eboutic.products.under_clic_limit().filter(id=OuterRef("product_id"))
+        )
+        return list(
+            eboutic.get_prices_for(self.customer)
+            .annotate(sold_out=sold_out_subquery)
+            .order_by("product__product_type__order", "product_id", "amount")
        )

    @cached_property
@@ -178,7 +187,7 @@ def payment_result(request, result: str) -> HttpResponse:
 class BillingInfoFormFragment(
    LoginRequiredMixin, FragmentMixin, SuccessMessageMixin, UpdateView
 ):
-    """Update billing info"""
+    """Update or create billing info"""

    model = BillingInfo
    form_class = BillingInfoForm
@@ -187,9 +196,7 @@ class BillingInfoFormFragment(

    def get_initial(self):
        if self.object is None:
-            return {
-                "country": Country(code="FR"),
-            }
+            return {"country": Country(code="FR")}
        return {}

    def render_fragment(self, request, **kwargs) -> SafeString:
@@ -211,24 +218,13 @@ class BillingInfoFormFragment(

    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)
-        kwargs["billing_infos_state"] = BillingInfoState.from_model(self.object)
        kwargs["action"] = reverse("eboutic:billing_infos")
-        match BillingInfoState.from_model(self.object):
-            case BillingInfoState.EMPTY:
+        if not self.object:
            messages.warning(
                self.request,
                _(
-                        "You must fill your billing infos if you want to pay with your credit card"
-                    ),
-                )
-            case BillingInfoState.MISSING_PHONE_NUMBER:
-                messages.warning(
-                    self.request,
-                    _(
-                        "The Crédit Agricole changed its policy related to the billing "
-                        + "information that must be provided in order to pay with a credit card. "
-                        + "If you want to pay with your credit card, you must add a phone number "
-                        + "to the data you already provided.",
+                    "You must fill your billing infos "
+                    "if you want to pay with your credit card"
                ),
            )
        return kwargs
@@ -255,6 +251,15 @@ class EbouticCheckout(CanViewMixin, UseFragmentsMixin, DetailView):
            kwargs["customer_amount"] = None
        kwargs["billing_infos"] = {}

+        if self.object.is_expired:
+            messages.error(self.request, _("Basket expired"))
+        else:
+            timeout = self.object.date + settings.SITH_EBOUTIC_BASKET_TIMEOUT
+            messages.warning(
+                self.request,
+                _("Basket available until %(until)s")
+                % {"until": localize(localtime(timeout).time())},
+            )
            with contextlib.suppress(BillingInfo.DoesNotExist):
                kwargs["billing_infos"] = json.dumps(
                    dict(self.object.get_e_transaction_data())
@@ -268,9 +273,14 @@ class EbouticPayWithSith(CanViewMixin, SingleObjectMixin, View):

    def post(self, request, *args, **kwargs):
        basket = self.get_object()
+        if basket.is_expired:
+            messages.error(self.request, _("Basket expired"))
+            basket.delete()
+            return redirect("eboutic:payment_result", "failure")
        refilling = settings.SITH_COUNTER_PRODUCTTYPE_REFILLING
        if basket.items.filter(product__product_type_id=refilling).exists():
            messages.error(self.request, _("You can't buy a refilling with sith money"))
+            basket.delete()
            return redirect("eboutic:payment_result", "failure")

        eboutic = get_eboutic()
@@ -288,6 +298,7 @@ class EbouticPayWithSith(CanViewMixin, SingleObjectMixin, View):
        except DatabaseError as e:
            sentry_sdk.capture_exception(e)
        except ValidationError as e:
+            basket.delete()
            messages.error(self.request, e.message)
        return redirect("eboutic:payment_result", "failure")

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-12 11:12+0200\n"
+"POT-Creation-Date: 2026-06-02 10:53+0200\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -363,11 +363,8 @@ msgid "Unregistered user"
 msgstr "Utilisateur non enregistré"

 #: club/models.py
-#, python-format
-msgid "The base url that links with this type must respect (e.g. `%(url)s`)"
-msgstr ""
-"L'url de base que tous les liens de ce type doivent respecter (par exemple "
-"`%(url)s`)"
+msgid "The base url that links with this type must respect"
+msgstr "L'url de base que tous les liens de ce type doivent respecter"

 #: club/models.py counter/models.py
 msgid "icon"
@@ -2203,6 +2200,7 @@ msgstr "Êtes-vous sûr de vouloir supprimer \"%(name)s\" ?"
 #: core/templates/core/delete_confirm.jinja
 #: core/templates/core/file_delete_confirm.jinja
 #: counter/templates/counter/fragments/delete_student_card.jinja
+#: counter/templates/counter/fragments/login.jinja
 msgid "Confirm"
 msgstr "Confirmation"

@@ -3206,6 +3204,18 @@ msgstr "Cet UID est invalide"
 msgid "User not found"
 msgstr "Utilisateur non trouvé"

+#: counter/forms.py
+msgid "You are not a barman of this counter."
+msgstr "Vous n'êtes pas barman sur ce comptoir."
+
+#: counter/forms.py
+msgid "You are already logged in this counter."
+msgstr "Vous êtes déjà connecté à ce comptoir."
+
+#: counter/forms.py
+msgid "You are already logged in another counter."
+msgstr "Vous êtes déjà connecté à un autre comptoir."
+
 #: counter/forms.py
 msgid "Regular barmen"
 msgstr "Barmen réguliers"
@@ -3408,8 +3418,16 @@ msgid "Buy five, get the sixth free"
 msgstr "Pour cinq achetés, le sixième offert"

 #: counter/models.py
-msgid "buying groups"
-msgstr "groupe d'achat"
+msgid "clic limit"
+msgstr "limite de clic"
+
+#: counter/models.py
+msgid ""
+"If a limit is set, the product won't be purchasable anymore on the eboutic "
+"once the latter is reached."
+msgstr ""
+"Si une limite est donnée, le produit ne sera plus achetable sur l'eboutic "
+"une fois celle-ci atteinte."

 #: counter/models.py election/models.py
 msgid "archived"
@@ -3476,10 +3494,6 @@ msgstr "Bureau"
 msgid "sellers"
 msgstr "vendeurs"

-#: counter/models.py
-msgid "token"
-msgstr "jeton"
-
 #: counter/models.py
 msgid "regular barman"
 msgstr "barman régulier"
@@ -3804,7 +3818,7 @@ msgstr ""

 #: counter/templates/counter/counter_click.jinja
 msgid "No products available on this counter for this user"
-msgstr "Pas de produits disponnibles dans ce comptoir pour cet utilisateur"
+msgstr "Pas de produits disponibles dans ce comptoir pour cet utilisateur"

 #: counter/templates/counter/counter_list.jinja
 msgid "Counter admin list"
@@ -3865,12 +3879,20 @@ msgid "Please, login"
 msgstr "Merci de vous identifier"

 #: counter/templates/counter/counter_main.jinja
-msgid "Barman: "
-msgstr "Barman : "
+msgid "Barmen:"
+msgstr "Barmen :"

 #: counter/templates/counter/counter_main.jinja
-msgid "login"
-msgstr "login"
+msgid "On this device"
+msgstr "Sur cet appareil"
+
+#: counter/templates/counter/counter_main.jinja
+msgid "Elsewhere"
+msgstr "Ailleurs"
+
+#: counter/templates/counter/counter_main.jinja
+msgid "No barman logged elsewhere"
+msgstr "Pas de barman connecté ailleurs"

 #: counter/templates/counter/eticket_list.jinja
 msgid "Eticket list"
@@ -4275,22 +4297,14 @@ msgstr "Montant du chèque"
 msgid "Check quantity"
 msgstr "Nombre de chèque"

+#: counter/views/click.py
+msgid "You cannot click users on this counter"
+msgstr "Vous ne pouvez pas cliquer des gens sur ce comptoir"
+
 #: counter/views/eticket.py
 msgid "people(s)"
 msgstr "personne(s)"

-#: counter/views/home.py
-msgid "Bad credentials"
-msgstr "Mauvais identifiants"
-
-#: counter/views/home.py
-msgid "User is not barman"
-msgstr "L'utilisateur n'est pas barman."
-
-#: counter/views/home.py
-msgid "Bad location, someone is already logged in somewhere else"
-msgstr "Mauvais comptoir, quelqu'un est déjà connecté ailleurs"
-
 #: counter/views/invoice.py
 msgid "Invoice calls status has been updated."
 msgstr "Le statut des appels à facture a été mis à jour."
@@ -4462,6 +4476,10 @@ msgstr ""
 "billets du vendredi, du samedi et du dimanche, ainsi qu'au forfait 3 jours, "
 "du vendredi au dimanche."

+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Product sold out"
+msgstr "Produit épuisé"
+
 #: eboutic/templates/eboutic/eboutic_main.jinja
 msgid "There are no items available for sale"
 msgstr "Aucun article n'est disponible à la vente"
@@ -4494,16 +4512,13 @@ msgstr ""
 "par carte bancaire"

 #: eboutic/views.py
-msgid ""
-"The Crédit Agricole changed its policy related to the billing information "
-"that must be provided in order to pay with a credit card. If you want to pay "
-"with your credit card, you must add a phone number to the data you already "
-"provided."
-msgstr ""
-"Le Crédit Agricole a changé  sa politique relative aux informations à "
-"fournir pour effectuer un paiement par carte bancaire. De ce fait, si vous "
-"souhaitez payer par carte, vous devez rajouter un numéro de téléphone aux "
-"données que vous aviez déjà fourni."
+msgid "Basket expired"
+msgstr "Panier expiré"
+
+#: eboutic/views.py
+#, python-format
+msgid "Basket available until %(until)s"
+msgstr "Panier disponible jusqu'à %(until)s"

 #: eboutic/views.py
 msgid "You can't buy a refilling with sith money"
@@ -7,7 +7,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-17 22:42+0200\n"
+"POT-Creation-Date: 2026-05-17 10:03+0200\n"
 "PO-Revision-Date: 2024-09-17 11:54+0200\n"
 "Last-Translator: Sli <antoine@bartuccio.fr>\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -263,6 +263,10 @@ msgstr "Types de produits réordonnés !"
 msgid "Product type reorganisation failed with status code : %d"
 msgstr "La réorganisation des types de produit a échoué avec le code : %d"

+#: eboutic/static/bundled/eboutic/checkout-index.ts
+msgid "Basket expired"
+msgstr "Panier expiré"
+
 #: sas/static/bundled/sas/pictures-download-index.ts
 msgid "pictures.%(extension)s"
 msgstr "photos.%(extension)s"
@@ -34,6 +34,7 @@ https://docs.djangoproject.com/en/1.8/ref/settings/
 """

 import binascii
+import contextlib
 import os
 import sys
 from datetime import timedelta
@@ -41,6 +42,7 @@ from pathlib import Path

 import sentry_sdk
 from dateutil.relativedelta import relativedelta
+from django.utils.deprecation import RemovedInDjango60Warning
 from django.utils.translation import gettext_lazy as _
 from environs import Env
 from sentry_sdk.integrations.django import DjangoIntegration
@@ -91,7 +93,8 @@ ALLOWED_HOSTS = ["*"]
 # RemovedInDjango60Warning: It's a transitional setting helpful in early
 # adoption of "https" as the new default value of forms.URLField.assume_scheme.
 # Remove this after upgrading to Django 6.x
-FORMS_URLFIELD_ASSUME_HTTPS = True
+with contextlib.suppress(RemovedInDjango60Warning):
+    FORMS_URLFIELD_ASSUME_HTTPS = True

 # Application definition

@@ -112,6 +115,7 @@ INSTALLED_APPS = (
    "django_jinja",
    "ninja_extra",
    "haystack",
+    "django_countries",
    "django_celery_results",
    "django_celery_beat",
    "captcha",
@@ -138,13 +142,13 @@ MIDDLEWARE = (
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "core.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "django.middleware.security.SecurityMiddleware",
-    "core.middleware.AuthenticationMiddleware",
    "core.middleware.SignalRequestMiddleware",
+    "counter.middleware.BarmenMiddleware",
 )

 ROOT_URLCONF = "sith.urls"
@@ -291,7 +295,11 @@ USE_TZ = True

 LOCALE_PATHS = [BASE_DIR / "locale"]

+# for PhoneNumberField
 PHONENUMBER_DEFAULT_REGION = "FR"
+# for CountryField
+COUNTRIES_FIRST = ["FR", "CH", "DE"]
+COUNTRIES_FIRST_BREAK = "───────────"

 # Medias
 MEDIA_URL = "/data/"
@@ -571,6 +579,11 @@ SITH_BARMAN_TIMEOUT = 30
 # Minutes to delete the last operations
 SITH_LAST_OPERATIONS_LIMIT = 10

+# time before a basket is considered expired
+SITH_EBOUTIC_BASKET_TIMEOUT = timedelta(minutes=10)
+# time that a user can spend on the CB payment page before it to timeout
+SITH_EBOUTIC_ETRANSACTION_TIMEOUT = timedelta(minutes=10)
+
 # ET variables
 SITH_EBOUTIC_CB_ENABLED = env.bool("SITH_EBOUTIC_CB_ENABLED", default=True)
 SITH_EBOUTIC_ET_URL = env.str(
Author	SHA1	Message	Date
imperosol	177002b8b8	tweak django-countries settings	2026-06-05 00:43:56 +02:00
imperosol	e629b36465	make BillingInfo.phone_number non-nullable	2026-06-05 00:43:56 +02:00
thomas girod	30a3911fa1	Merge pull request #1422 from ae-utbm/fix-login-button fix: login button background-color	2026-06-05 00:31:36 +02:00
thomas girod	7c9ba29db1	Merge pull request #1413 from ae-utbm/counter-barmen feat: `request.barmen`	2026-06-05 00:31:19 +02:00
imperosol	cf31182429	fix: login button background-color	2026-06-04 18:04:52 +02:00
imperosol	29cacf8efc	add tests	2026-06-03 23:51:40 +02:00
imperosol	1e592e657f	update translations	2026-06-03 23:51:40 +02:00
imperosol	fb1790020b	remove `Counter.token` Ce paramètre n'est plus utilisé, maintenant que la gestion de la session du comptoir se fait avec `request.barmen`	2026-06-03 23:51:40 +02:00
imperosol	3cf142f3f1	show barmen logged on current device in counter	2026-06-03 23:43:19 +02:00
imperosol	222b0d16a7	feat: `request.barmen`	2026-06-03 23:43:19 +02:00
imperosol	074ebcb011	use fragment for counter login	2026-06-03 23:43:19 +02:00
thomas girod	a26e06216e	Merge pull request #1421 from ae-utbm/clic-limit fix etransaction after clic limit changes	2026-06-02 14:22:54 +02:00
imperosol	78c541dd36	fix etransaction after clic limit changes	2026-06-02 14:21:58 +02:00
thomas girod	b4d76c4f85	Merge pull request #1407 from ae-utbm/clic-limit Clic limit	2026-06-02 13:12:28 +02:00
imperosol	b5a2ec78df	add translations	2026-06-01 10:46:28 +02:00
imperosol	8022589902	add doc	2026-06-01 10:46:28 +02:00
imperosol	6ae73a28b4	test sold out items in eboutic	2026-06-01 10:46:28 +02:00
imperosol	7f415c6a6c	clean invalid items from eboutic baskets	2026-06-01 10:46:28 +02:00
imperosol	dd4887ead4	exclude products over clic limit from eboutic	2026-06-01 10:46:28 +02:00
imperosol	a8b6a2e43b	add clic limit to product form	2026-06-01 10:46:28 +02:00
imperosol	f90cb5b91c	add field `Product.clic_limit`	2026-06-01 10:46:28 +02:00
imperosol	d604147a93	remove `Product.buying_groups` Savoir quel groupe a le droit d'acheter quel produit est maintenant déterminé avec le modèle `Price`. `Product.buying_groups` avait juste été laissé temporairement pour permettre un rollback si le déploiement des prix ne se passait pas bien. Comme il n'y a pas eu de problème, on peut maintenant le retirer.	2026-06-01 10:46:28 +02:00
imperosol	3f2908eb8d	feat: basket timeout	2026-06-01 10:46:28 +02:00
thomas girod	e811aeaecd	Merge pull request #1412 from ae-utbm/improve-mobile-counter Improve counter click on smartphones	2026-05-31 11:48:07 +02:00
thomas girod	549a778be0	Merge pull request #1411 from ae-utbm/fix-club-role fix: forgotten group assignation on club role update	2026-05-31 11:47:40 +02:00
thomas girod	5c42da273b	Merge pull request #1392 from ae-utbm/basket-timeout Basket timeout	2026-05-30 12:56:35 +02:00
thomas girod	b8e0294df6	Merge pull request #1410 from ae-utbm/fix-payment-method fix: wrong payment method for refills with eboutic	2026-05-30 12:41:44 +02:00
imperosol	78b24dc1e7	fix: product research with code	2026-05-28 18:10:56 +02:00
imperosol	ebf0196bef	improve counter basket item style	2026-05-27 18:22:07 +02:00
imperosol	362b9eea06	automatically add item to basket on counter product search	2026-05-27 18:22:07 +02:00
imperosol	3b3e33ed80	fix: forgotten group assignation on club role update	2026-05-27 12:24:27 +02:00
imperosol	649190debe	fix: wrong payment method for refills with eboutic	2026-05-26 23:46:38 +02:00
imperosol	50c880719a	feat: basket timeout	2026-05-22 11:38:03 +02:00