doc: third-party auth

C'est pas la branche la plus appropriée, mais ça gène mon debug de devoir scroller plus longtemps dans l'html des réponses à cause de la place que prennent les notifs.

.github/auto_assign.yml

@@ -6,7 +6,7 @@ addAssignees: author
 
 # A list of team reviewers to be added to pull requests (GitHub team slug)
 reviewers:
-  - ae-utbm/sith-3-developers
+  - ae-utbm/developpeurs
 
 # Number of reviewers has no impact on GitHub teams
 # Set 0 to add all the reviewers (default: 0)

.github/dependabot.yml

@@ -16,7 +16,16 @@ multi-ecosystem-groups:
 
 updates:
   - package-ecosystem: "uv"
+    patterns: ["*"]
     multi-ecosystem-group: "common"
 
   - package-ecosystem: "npm"
+    patterns: ["*"]
     multi-ecosystem-group: "common"
+    groups:
+      # npm supports production and development groups, but not uv
+      # cf. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-groups
+      main-deps:
+        dependency-type: "production"
+      dev-deps:
+        dependency-type: "development"

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.11.13
+    rev: v0.15.0
     hooks:
       - id: ruff-check  # just check the code, and print the errors
       - id: ruff-check  # actually fix the fixable errors, but print nothing
@@ -12,9 +12,9 @@ repos:
     rev: v0.6.1
     hooks:
       - id: biome-check
-        additional_dependencies: ["@biomejs/biome@1.9.4"]
+        additional_dependencies: ["@biomejs/biome@2.3.14"]
   - repo: https://github.com/rtts/djhtml
-    rev: 3.0.7
+    rev: 3.0.10
     hooks:
       - id: djhtml
         name: format templates

api/admin.py

@@ -17,6 +17,15 @@ class ApiClientAdmin(admin.ModelAdmin):
         "owner__nick_name",
     )
     autocomplete_fields = ("owner", "groups", "client_permissions")
+    readonly_fields = ("hmac_key",)
+    actions = ("reset_hmac_key",)
+
+    @admin.action(permissions=["change"], description=_("Reset HMAC key"))
+    def reset_hmac_key(self, _request: HttpRequest, queryset: QuerySet[ApiClient]):
+        objs = list(queryset)
+        for obj in objs:
+            obj.reset_hmac(commit=False)
+        ApiClient.objects.bulk_update(objs, fields=["hmac_key"])
 
 
 @admin.register(ApiKey)

api/api.py

@@ -0,0 +1,16 @@
+from ninja_extra import ControllerBase, api_controller, route
+
+from api.auth import ApiKeyAuth
+from api.schemas import ApiClientSchema
+
+
+@api_controller("/client")
+class ApiClientController(ControllerBase):
+    @route.get(
+        "/me",
+        auth=[ApiKeyAuth()],
+        response=ApiClientSchema,
+        url_name="api-client-infos",
+    )
+    def get_client_info(self):
+        return self.context.request.auth

api/auth.py

@@ -6,6 +6,8 @@ from api.models import ApiClient, ApiKey
 
 
 class ApiKeyAuth(APIKeyHeader):
+    """Authentication through client api keys."""
+
     param_name = "X-APIKey"
 
     def authenticate(self, request: HttpRequest, key: str | None) -> ApiClient | None:

api/forms.py

@@ -0,0 +1,35 @@
+from django import forms
+from django.forms import HiddenInput
+from django.utils.translation import gettext_lazy as _
+
+
+class ThirdPartyAuthForm(forms.Form):
+    """Form to complete to authenticate on the sith from a third-party app.
+
+    For the form to be valid, the user approve the EULA (french: CGU)
+    and give its username from the third-party app.
+    """
+
+    cgu_accepted = forms.BooleanField(
+        required=True,
+        label=_("I have read and I accept the terms and conditions of use"),
+        error_messages={
+            "required": _("You must approve the terms and conditions of use.")
+        },
+    )
+    is_username_valid = forms.BooleanField(
+        required=True,
+        error_messages={"required": _("You must confirm that this is your username.")},
+    )
+    client_id = forms.IntegerField(widget=HiddenInput())
+    third_party_app = forms.CharField(widget=HiddenInput())
+    privacy_link = forms.URLField(widget=HiddenInput())
+    username = forms.CharField(widget=HiddenInput())
+    callback_url = forms.URLField(widget=HiddenInput())
+    signature = forms.CharField(widget=HiddenInput())
+
+    def __init__(self, *args, label_suffix: str = "", initial, **kwargs):
+        super().__init__(*args, label_suffix=label_suffix, initial=initial, **kwargs)
+        self.fields["is_username_valid"].label = _(
+            "I confirm that %(username)s is my username on %(app)s"
+        ) % {"username": initial.get("username"), "app": initial.get("third_party_app")}

api/hashers.py

@@ -8,7 +8,7 @@ from django.utils.crypto import constant_time_compare
 
 class Sha512ApiKeyHasher(BasePasswordHasher):
     """
-    An API key hasher using the sha256 algorithm.
+    An API key hasher using the sha512 algorithm.
 
     This hasher shouldn't be used in Django's `PASSWORD_HASHERS` setting.
     It is insecure for use in hashing passwords, but is safe for hashing

api/migrations/0002_apiclient_hmac_key.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.3 on 2025-10-26 10:15
+
+from django.db import migrations, models
+
+import api.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("api", "0001_initial")]
+
+    operations = [
+        migrations.AddField(
+            model_name="apiclient",
+            name="hmac_key",
+            field=models.CharField(
+                default=api.models.get_hmac_key, max_length=128, verbose_name="HMAC Key"
+            ),
+        ),
+    ]

api/models.py

@@ -1,13 +1,20 @@
+import secrets
 from typing import Iterable
 
 from django.contrib.auth.models import Permission
 from django.db import models
+from django.db.models import Q
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import pgettext_lazy
 
 from core.models import Group, User
 
 
+def get_hmac_key():
+    return secrets.token_hex(64)
+
+
 class ApiClient(models.Model):
     name = models.CharField(_("name"), max_length=64)
     owner = models.ForeignKey(
@@ -26,11 +33,10 @@ class ApiClient(models.Model):
         help_text=_("Specific permissions for this api client."),
         related_name="clients",
     )
+    hmac_key = models.CharField(_("HMAC Key"), max_length=128, default=get_hmac_key)
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
-    _perm_cache: set[str] | None = None
-
     class Meta:
         verbose_name = _("api client")
         verbose_name_plural = _("api clients")
@@ -38,33 +44,38 @@ class ApiClient(models.Model):
     def __str__(self):
         return self.name
 
+    @cached_property
+    def all_permissions(self) -> set[str]:
+        permissions = (
+            Permission.objects.filter(
+                Q(group__group__in=self.groups.all()) | Q(clients=self)
+            )
+            .values_list("content_type__app_label", "codename")
+            .order_by()
+        )
+        return {f"{content_type}.{name}" for content_type, name in permissions}
+
     def has_perm(self, perm: str):
         """Return True if the client has the specified permission."""
+        return perm in self.all_permissions
 
-        if self._perm_cache is None:
-            group_permissions = (
-                Permission.objects.filter(group__group__in=self.groups.all())
-                .values_list("content_type__app_label", "codename")
-                .order_by()
-            )
-            client_permissions = self.client_permissions.values_list(
-                "content_type__app_label", "codename"
-            ).order_by()
-            self._perm_cache = {
-                f"{content_type}.{name}"
-                for content_type, name in (*group_permissions, *client_permissions)
-            }
-        return perm in self._perm_cache
-
-    def has_perms(self, perm_list):
-        """
-        Return True if the client has each of the specified permissions. If
-        object is passed, check if the client has all required perms for it.
-        """
+    def has_perms(self, perm_list: Iterable[str]) -> bool:
+        """Return True if the client has each of the specified permissions."""
         if not isinstance(perm_list, Iterable) or isinstance(perm_list, str):
             raise ValueError("perm_list must be an iterable of permissions.")
         return all(self.has_perm(perm) for perm in perm_list)
 
+    def reset_hmac(self, *, commit: bool = True) -> str:
+        """Reset and return the HMAC key for this client.
+
+        Args:
+            commit: if True (the default), persist the new hmac in db.
+        """
+        self.hmac_key = get_hmac_key()
+        if commit:
+            self.save()
+        return self.hmac_key
+
 
 class ApiKey(models.Model):
     PREFIX_LENGTH = 5

api/schemas.py

@@ -0,0 +1,23 @@
+from ninja import ModelSchema, Schema
+from pydantic import Field, HttpUrl
+
+from api.models import ApiClient
+from core.schemas import SimpleUserSchema
+
+
+class ApiClientSchema(ModelSchema):
+    class Meta:
+        model = ApiClient
+        fields = ["id", "name"]
+
+    owner: SimpleUserSchema
+    permissions: list[str] = Field(alias="all_permissions")
+
+
+class ThirdPartyAuthParamsSchema(Schema):
+    client_id: int
+    third_party_app: str
+    privacy_link: HttpUrl
+    username: str
+    callback_url: HttpUrl
+    signature: str

api/templates/api/third_party/auth.jinja

@@ -0,0 +1,32 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  <form method="post">
+    {% csrf_token %}
+    <h3>{% trans %}Confidentiality{% endtrans %}</h3>
+    <p>
+      {% trans trimmed app=third_party_app %}
+        By ticking this box and clicking on the send button, you
+        acknowledge and agree to provide {{ app }} with your
+        first name, last name, nickname and any other information
+        that was the third party app was explicitly authorized to fetch
+        and that it must have acknowledged to you, in a complete and accurate manner.
+      {% endtrans %}
+    </p>
+    <p class="margin-bottom">
+      {% trans trimmed app=third_party_app, privacy_link=third_party_cgu, sith_cgu_link=sith_cgu %}
+        The privacy policies of <a href="{{ privacy_link }}">{{ app }}</a>
+        and of <a href="{{ sith_cgu_link }}">the Students' Association</a>
+        applies as soon as the form is submitted.
+      {% endtrans %}
+    </p>
+    <div class="row">{{ form.cgu_accepted }} {{ form.cgu_accepted.label_tag() }}</div>
+    <br>
+    <h3 class="margin-bottom">{% trans %}Confirmation of identity{% endtrans %}</h3>
+    <div class="row margin-bottom">
+      {{ form.is_username_valid }} {{ form.is_username_valid.label_tag() }}
+    </div>
+    {% for field in form.hidden_fields() %}{{ field }}{% endfor %}
+    <input type="submit" class="btn btn-blue">
+  </form>
+{% endblock %}

api/tests/test_admin.py

@@ -0,0 +1,24 @@
+import pytest
+from django.contrib.admin import AdminSite
+from django.http import HttpRequest
+from model_bakery import baker
+from pytest_django.asserts import assertNumQueries
+
+from api.admin import ApiClientAdmin
+from api.models import ApiClient
+
+
+@pytest.mark.django_db
+def test_reset_hmac_action():
+    client_admin = ApiClientAdmin(ApiClient, AdminSite())
+    api_clients = baker.make(ApiClient, _quantity=4, _bulk_create=True)
+    old_hmac_keys = [c.hmac_key for c in api_clients]
+    with assertNumQueries(2):
+        qs = ApiClient.objects.filter(id__in=[c.id for c in api_clients[2:4]])
+        client_admin.reset_hmac_key(HttpRequest(), qs)
+    for c in api_clients:
+        c.refresh_from_db()
+    assert api_clients[0].hmac_key == old_hmac_keys[0]
+    assert api_clients[1].hmac_key == old_hmac_keys[1]
+    assert api_clients[2].hmac_key != old_hmac_keys[2]
+    assert api_clients[3].hmac_key != old_hmac_keys[3]

api/tests/test_api_client_controller.py

@@ -0,0 +1,18 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from api.hashers import generate_key
+from api.models import ApiClient, ApiKey
+from api.schemas import ApiClientSchema
+
+
+@pytest.mark.django_db
+def test_api_client_controller(client: Client):
+    key, hashed = generate_key()
+    api_client = baker.make(ApiClient)
+    baker.make(ApiKey, client=api_client, hashed_key=hashed)
+    res = client.get(reverse("api:api-client-infos"), headers={"X-APIKey": key})
+    assert res.status_code == 200
+    assert res.json() == ApiClientSchema.from_orm(api_client).model_dump()

api/tests/test_client.py

@@ -0,0 +1,59 @@
+import pytest
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from api.models import ApiClient
+from core.models import Group
+
+
+class TestClientPermissions(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.api_client = baker.make(ApiClient)
+        cls.perms = baker.make(Permission, _quantity=10, _bulk_create=True)
+        cls.api_client.groups.set(
+            [
+                baker.make(Group, permissions=cls.perms[0:3]),
+                baker.make(Group, permissions=cls.perms[3:5]),
+            ]
+        )
+        cls.api_client.client_permissions.set(
+            [cls.perms[3], cls.perms[5], cls.perms[6], cls.perms[7]]
+        )
+
+    def test_all_permissions(self):
+        assert self.api_client.all_permissions == {
+            f"{p.content_type.app_label}.{p.codename}" for p in self.perms[0:8]
+        }
+
+    def test_has_perm(self):
+        assert self.api_client.has_perm(
+            f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}"
+        )
+        assert not self.api_client.has_perm(
+            f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}"
+        )
+
+    def test_has_perms(self):
+        assert self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[2].content_type.app_label}.{self.perms[2].codename}",
+            ]
+        )
+        assert not self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}",
+            ],
+        )
+
+
+@pytest.mark.django_db
+def test_reset_hmac_key():
+    client = baker.make(ApiClient)
+    original_key = client.hmac_key
+    client.reset_hmac(commit=True)
+    assert len(client.hmac_key) == len(original_key)
+    assert client.hmac_key != original_key

api/tests/test_mixed_auth.py

@@ -0,0 +1,48 @@
+import pytest
+from django.test import Client
+from django.urls import path
+from model_bakery import baker
+from ninja import NinjaAPI
+from ninja.security import SessionAuth
+
+from api.auth import ApiKeyAuth
+from api.hashers import generate_key
+from api.models import ApiClient, ApiKey
+
+api = NinjaAPI()
+
+
+@api.post("", auth=[ApiKeyAuth(), SessionAuth()])
+def post_method(*args, **kwargs) -> None:
+    """Dummy POST route authenticated by either api key or session cookie."""
+    pass
+
+
+urlpatterns = [path("", api.urls)]
+
+
+@pytest.mark.django_db
+@pytest.mark.urls(__name__)
+@pytest.mark.parametrize("user_logged_in", [False, True])
+def test_csrf_token(user_logged_in):
+    """Test that CSRF check happens only when no api key is used."""
+    client = Client(enforce_csrf_checks=True)
+    key, hashed = generate_key()
+    api_client = baker.make(ApiClient)
+    baker.make(ApiKey, client=api_client, hashed_key=hashed)
+    if user_logged_in:
+        client.force_login(api_client.owner)
+
+    response = client.post("")
+    assert response.status_code == 403
+    assert response.json()["detail"] == "CSRF check Failed"
+
+    # if using a valid API key, CSRF check should not occur
+    response = client.post("", headers={"X-APIKey": key})
+    assert response.status_code == 200
+
+    # if using a wrong API key, ApiKeyAuth should fail,
+    # leading to a fallback into SessionAuth and a CSRF check
+    response = client.post("", headers={"X-APIKey": generate_key()[0]})
+    assert response.status_code == 403
+    assert response.json()["detail"] == "CSRF check Failed"

api/tests/test_third_party_auth.py

@@ -0,0 +1,114 @@
+from unittest import mock
+from unittest.mock import Mock
+
+from django.db.models import Max
+from django.test import TestCase
+from django.urls import reverse
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from api.models import ApiClient, get_hmac_key
+from core.baker_recipes import subscriber_user
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+def mocked_post(*, ok: bool):
+    class MockedResponse(Mock):
+        @property
+        def ok(self):
+            return ok
+
+    def mocked():
+        return MockedResponse()
+
+    return mocked
+
+
+class TestThirdPartyAuth(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        cls.api_client = baker.make(ApiClient)
+
+    def setUp(self):
+        self.query = {
+            "client_id": self.api_client.id,
+            "third_party_app": "app",
+            "privacy_link": "https://foobar.fr/",
+            "username": "bibou",
+            "callback_url": "https://callback.fr/",
+        }
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        self.callback_data = {
+            "user": UserProfileSchema.from_orm(self.user).model_dump()
+        }
+        self.callback_data["signature"] = hmac_hexdigest(
+            self.api_client.hmac_key, self.callback_data["user"]
+        )
+
+    def test_auth_ok(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        with mock.patch("requests.post", new_callable=mocked_post(ok=True)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "success"}),
+        )
+
+    def test_callback_error(self):
+        """Test that the user see the failure page if the callback request failed."""
+        self.client.force_login(self.user)
+        with mock.patch("requests.post", new_callable=mocked_post(ok=False)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "failure"}),
+        )
+
+    def test_wrong_signature(self):
+        """Test that a 403 is raised if the signature of the query is wrong."""
+        self.client.force_login(subscriber_user.make())
+        new_key = get_hmac_key()
+        del self.query["signature"]
+        self.query["signature"] = hmac_hexdigest(new_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_cgu_not_accepted(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        res = self.client.post(reverse("api-link:third-party-auth"), data=self.query)
+        assert res.status_code == 200  # no redirect means invalid form
+        res = self.client.post(
+            reverse("api-link:third-party-auth"),
+            data={"cgu_accepted": False, "is_username_valid": False, **self.query},
+        )
+        assert res.status_code == 200
+
+    def test_invalid_client(self):
+        self.query["client_id"] = ApiClient.objects.aggregate(res=Max("id"))["res"] + 1
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_missing_parameter(self):
+        """Test that a 403 is raised if there is a missing parameter."""
+        del self.query["username"]
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403

api/urls.py

@@ -1,10 +1,26 @@
+from django.urls import path, register_converter
+from ninja.security import SessionAuth
 from ninja_extra import NinjaExtraAPI
 
+from api.views import ThirdPartyAuthResultView, ThirdPartyAuthView
+from core.converters import ResultConverter
+
 api = NinjaExtraAPI(
     title="PICON",
     description="Portail Interactif de Communication avec les Outils Numériques",
     version="0.2.0",
     urls_namespace="api",
-    csrf=True,
+    auth=[SessionAuth()],
 )
 api.auto_discover_controllers()
+
+register_converter(ResultConverter, "res")
+
+urlpatterns = [
+    path("auth/", ThirdPartyAuthView.as_view(), name="third-party-auth"),
+    path(
+        "auth/<res:result>/",
+        ThirdPartyAuthResultView.as_view(),
+        name="third-party-auth-result",
+    ),
+]

api/views.py

@@ -0,0 +1,119 @@
+import hmac
+from urllib.parse import unquote
+
+import pydantic
+import requests
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView, TemplateView
+from ninja_extra.shortcuts import get_object_or_none
+
+from api.forms import ThirdPartyAuthForm
+from api.models import ApiClient
+from api.schemas import ThirdPartyAuthParamsSchema
+from core.models import SithFile
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+class ThirdPartyAuthView(LoginRequiredMixin, FormView):
+    form_class = ThirdPartyAuthForm
+    template_name = "api/third_party/auth.jinja"
+    success_url = reverse_lazy("core:index")
+
+    def parse_params(self) -> ThirdPartyAuthParamsSchema:
+        """Parse and check the authentication parameters.
+
+        Raises:
+            PermissionDenied: if the verification failed.
+        """
+        # This is here rather than in ThirdPartyAuthForm because
+        # the given parameters and their signature are checked during both
+        # POST (for obvious reasons) and GET (in order not to make
+        # the user fill a form just to get an error he won't understand)
+        params = self.request.GET or self.request.POST
+        params = {key: unquote(val) for key, val in params.items()}
+        try:
+            params = ThirdPartyAuthParamsSchema(**params)
+        except pydantic.ValidationError as e:
+            raise PermissionDenied("Wrong data format") from e
+        client: ApiClient = get_object_or_none(ApiClient, id=params.client_id)
+        if not client:
+            raise PermissionDenied
+        if not hmac.compare_digest(
+            hmac_hexdigest(client.hmac_key, params.model_dump(exclude={"signature"})),
+            params.signature,
+        ):
+            raise PermissionDenied("Bad signature")
+        return params
+
+    def dispatch(self, request, *args, **kwargs):
+        self.params = self.parse_params()
+        return super().dispatch(request, *args, **kwargs)
+
+    def get(self, *args, **kwargs):
+        messages.warning(
+            self.request,
+            _(
+                "You are going to link your AE account and your %(app)s account. "
+                "Continue only if this page was opened from %(app)s."
+            )
+            % {"app": self.params.third_party_app},
+        )
+        return super().get(*args, **kwargs)
+
+    def get_initial(self):
+        return self.params.model_dump()
+
+    def form_valid(self, form):
+        client = ApiClient.objects.get(id=form.cleaned_data["client_id"])
+        user = UserProfileSchema.from_orm(self.request.user).model_dump()
+        data = {"user": user, "signature": hmac_hexdigest(client.hmac_key, user)}
+        response = requests.post(form.cleaned_data["callback_url"], json=data)
+        self.success_url = reverse(
+            "api-link:third-party-auth-result",
+            kwargs={"result": "success" if response.ok else "failure"},
+        )
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "third_party_app": self.params.third_party_app,
+            "third_party_cgu": self.params.privacy_link,
+            "sith_cgu": SithFile.objects.get(id=settings.SITH_CGU_FILE_ID),
+        }
+
+
+class ThirdPartyAuthResultView(LoginRequiredMixin, TemplateView):
+    """View that the user will see if its authentication on sith was successful.
+
+    This can show either a success or a failure message :
+    - success : everything is good, the user is successfully authenticated
+      and can close the page
+    - failure : the authentication has been processed on the sith side,
+      but the request to the callback url received an error.
+      In such a case, there is nothing much we can do but to advice
+      the user to contact the developers of the third-party app.
+    """
+
+    template_name = "core/base.jinja"
+    success_message = _(
+        "You have been successfully authenticated. You can now close this page."
+    )
+    error_message = _(
+        "Your authentication on the AE website was successful, "
+        "but an error happened during the interaction "
+        "with the third-party application. "
+        "Please contact the managers of the latter."
+    )
+
+    def get(self, request, *args, **kwargs):
+        if self.kwargs.get("result") == "success":
+            messages.success(request, self.success_message)
+        else:
+            messages.error(request, self.error_message)
+        return super().get(request, *args, **kwargs)

biome.json

@@ -7,20 +7,34 @@
   },
   "files": {
     "ignoreUnknown": false,
-    "ignore": ["*.min.*", "staticfiles/generated"]
+    "includes": ["**/static/**"]
   },
   "formatter": {
     "enabled": true,
     "indentStyle": "space",
     "lineWidth": 88
   },
-  "organizeImports": {
-    "enabled": true
-  },
   "linter": {
     "enabled": true,
     "rules": {
-      "all": true
+      "recommended": true,
+      "style": {
+        "useNamingConvention": "error"
+      },
+      "performance": {
+        "noNamespaceImport": "error"
+      },
+      "suspicious": {
+        "noConsole": {
+          "level": "error",
+          "options": { "allow": ["error", "warn"] }
+        }
+      },
+      "correctness": {
+        "noUnusedVariables": "error",
+        "noUndeclaredVariables": "error",
+        "noUndeclaredDependencies": "error"
+      }
     }
   },
   "javascript": {

club/api.py

@@ -1,16 +1,20 @@
-from typing import Annotated
-
-from annotated_types import MinLen
 from django.db.models import Prefetch
+from ninja import Query
 from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.pagination import PageNumberPaginationExtra
 from ninja_extra.schemas import PaginatedResponseSchema
 
 from api.auth import ApiKeyAuth
-from api.permissions import CanAccessLookup, HasPerm
+from api.permissions import CanAccessLookup, CanView, HasPerm
 from club.models import Club, Membership
-from club.schemas import ClubSchema, SimpleClubSchema
+from club.schemas import (
+    ClubSchema,
+    ClubSearchFilterSchema,
+    SimpleClubSchema,
+    UserMembershipSchema,
+)
+from core.models import User
 
 
 @api_controller("/club")
@@ -18,18 +22,18 @@ class ClubController(ControllerBase):
     @route.get(
         "/search",
         response=PaginatedResponseSchema[SimpleClubSchema],
-        auth=[SessionAuth(), ApiKeyAuth()],
+        auth=[ApiKeyAuth(), SessionAuth()],
         permissions=[CanAccessLookup],
         url_name="search_club",
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
-    def search_club(self, search: Annotated[str, MinLen(1)]):
-        return Club.objects.filter(name__icontains=search).values()
+    def search_club(self, filters: Query[ClubSearchFilterSchema]):
+        return filters.filter(Club.objects.all())
 
     @route.get(
         "/{int:club_id}",
         response=ClubSchema,
-        auth=[SessionAuth(), ApiKeyAuth()],
+        auth=[ApiKeyAuth(), SessionAuth()],
         permissions=[HasPerm("club.view_club")],
         url_name="fetch_club",
     )
@@ -40,3 +44,22 @@ class ClubController(ControllerBase):
         return self.get_object_or_exception(
             Club.objects.prefetch_related(prefetch), id=club_id
         )
+
+
+@api_controller("/user/{int:user_id}/club")
+class UserClubController(ControllerBase):
+    @route.get(
+        "",
+        response=list[UserMembershipSchema],
+        auth=[ApiKeyAuth(), SessionAuth()],
+        permissions=[CanView],
+        url_name="fetch_user_clubs",
+    )
+    def fetch_user_clubs(self, user_id: int):
+        """Get all the active memberships of the given user."""
+        user = self.get_object_or_exception(User, id=user_id)
+        return (
+            Membership.objects.ongoing()
+            .filter(user=user)
+            .select_related("club", "user")
+        )

club/forms.py

@@ -26,13 +26,18 @@ from django import forms
 from django.conf import settings
 from django.db.models import Exists, OuterRef, Q
 from django.db.models.functions import Lower
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 
 from club.models import Club, Mailing, MailingSubscription, Membership
 from core.models import User
-from core.views.forms import SelectDate, SelectDateTime
-from core.views.widgets.ajax_select import AutoCompleteSelectMultipleUser
+from core.views.forms import SelectDateTime
+from core.views.widgets.ajax_select import (
+    AutoCompleteSelectMultipleUser,
+    AutoCompleteSelectUser,
+)
 from counter.models import Counter, Selling
+from counter.schemas import SaleFilterSchema
 
 
 class ClubEditForm(forms.ModelForm):
@@ -187,106 +192,126 @@ class SellingsForm(forms.Form):
             required=False,
         )
 
+    def to_filter_schema(self) -> SaleFilterSchema:
+        products = (
+            *self.cleaned_data["products"],
+            *self.cleaned_data["archived_products"],
+        )
+        return SaleFilterSchema(
+            after=self.cleaned_data["begin_date"],
+            before=self.cleaned_data["end_date"],
+            counters={c.id for c in self.cleaned_data["counters"]} or None,
+            products={p.id for p in products} or None,
+        )
 
-class ClubMemberForm(forms.Form):
-    """Form handling the members of a club."""
+
+class ClubOldMemberForm(forms.Form):
+    members_old = forms.ModelMultipleChoiceField(
+        Membership.objects.none(),
+        label=_("Mark as old"),
+        widget=forms.CheckboxSelectMultiple,
+        required=False,
+    )
+
+    def __init__(self, *args, user: User, club: Club, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["members_old"].queryset = (
+            Membership.objects.ongoing().filter(club=club).editable_by(user)
+        )
+
+
+class ClubMemberForm(forms.ModelForm):
+    """Form to add a member to the club, as a board member."""
 
     error_css_class = "error"
     required_css_class = "required"
 
-    users = forms.ModelMultipleChoiceField(
-        label=_("Users to add"),
-        help_text=_("Search users to add (one or more)."),
-        required=False,
-        widget=AutoCompleteSelectMultipleUser,
-        queryset=User.objects.all(),
-    )
+    class Meta:
+        model = Membership
+        fields = ["role", "description"]
 
-    def __init__(self, *args, **kwargs):
-        self.club = kwargs.pop("club")
-        self.request_user = kwargs.pop("request_user")
-        self.club_members = kwargs.pop("club_members", None)
-        if not self.club_members:
-            self.club_members = self.club.members.ongoing().order_by("-role").all()
+    def __init__(self, *args, club: Club, request_user: User, **kwargs):
+        self.club = club
+        self.request_user = request_user
         self.request_user_membership = self.club.get_membership_for(self.request_user)
         super().__init__(*args, **kwargs)
+        self.fields["role"].required = True
+        self.fields["role"].choices = [
+            (value, name)
+            for value, name in settings.SITH_CLUB_ROLES.items()
+            if value <= self.max_available_role
+        ]
+        self.instance.club = club
 
-        # Using a ModelForm binds too much the form with the model and we don't want that
-        # We want the view to process the model creation since they are multiple users
-        # We also want the form to handle bulk deletion
-        self.fields.update(
-            forms.fields_for_model(
-                Membership,
-                fields=("role", "start_date", "description"),
-                widgets={"start_date": SelectDate},
-            )
-        )
+    @property
+    def max_available_role(self):
+        """The greatest role that will be obtainable with this form."""
+        # this is unreachable, because it will be overridden by subclasses
+        return -1  # pragma: no cover
 
-        # Role is required only if users is specified
-        self.fields["role"].required = False
 
-        # Start date and description are never really required
-        self.fields["start_date"].required = False
-        self.fields["description"].required = False
+class ClubAddMemberForm(ClubMemberForm):
+    """Form to add a member to the club, as a board member."""
 
-        self.fields["users_old"] = forms.ModelMultipleChoiceField(
-            User.objects.filter(
-                id__in=[
-                    ms.user.id
-                    for ms in self.club_members
-                    if ms.can_be_edited_by(self.request_user)
-                ]
-            ).all(),
-            label=_("Mark as old"),
-            required=False,
-            widget=forms.CheckboxSelectMultiple,
-        )
-        if not self.request_user.is_root:
-            self.fields.pop("start_date")
+    class Meta(ClubMemberForm.Meta):
+        fields = ["user", *ClubMemberForm.Meta.fields]
+        widgets = {"user": AutoCompleteSelectUser}
 
-    def clean_users(self):
-        """Check that the user is not trying to add an user already in the club.
+    @cached_property
+    def max_available_role(self):
+        """The greatest role that will be obtainable with this form.
+
+        Admins and the club president can attribute any role.
+        Board members can attribute roles lower than their own.
+        Other users cannot attribute roles with this form
+        """
+        if self.request_user.has_perm("club.add_membership"):
+            return settings.SITH_CLUB_ROLES_ID["President"]
+        membership = self.request_user_membership
+        if membership is None or membership.role <= settings.SITH_MAXIMUM_FREE_ROLE:
+            return -1
+        if membership.role == settings.SITH_CLUB_ROLES_ID["President"]:
+            return membership.role
+        return membership.role - 1
+
+    def clean_user(self):
+        """Check that the user is not trying to add a user already in the club.
 
         Also check that the user is valid and has a valid subscription.
         """
-        cleaned_data = super().clean()
-        users = []
-        for user in cleaned_data["users"]:
-            if not user.is_subscribed:
-                raise forms.ValidationError(
-                    _("User must be subscriber to take part to a club"), code="invalid"
-                )
-            if self.club.get_membership_for(user):
-                raise forms.ValidationError(
-                    _("You can not add the same user twice"), code="invalid"
-                )
-            users.append(user)
-        return users
+        user = self.cleaned_data["user"]
+        if not user.is_subscribed:
+            raise forms.ValidationError(
+                _("User must be subscriber to take part to a club"), code="invalid"
+            )
+        if self.club.get_membership_for(user):
+            raise forms.ValidationError(
+                _("You can not add the same user twice"), code="invalid"
+            )
+        return user
+
+
+class JoinClubForm(ClubMemberForm):
+    """Form to join a club."""
+
+    def __init__(self, *args, club: Club, request_user: User, **kwargs):
+        super().__init__(*args, club=club, request_user=request_user, **kwargs)
+        # this form doesn't manage the user who will join the club,
+        # so we must set this here to avoid errors
+        self.instance.user = self.request_user
+
+    @cached_property
+    def max_available_role(self):
+        return settings.SITH_MAXIMUM_FREE_ROLE
 
     def clean(self):
-        """Check user rights for adding an user."""
-        cleaned_data = super().clean()
-
-        if "start_date" in cleaned_data and not cleaned_data["start_date"]:
-            # Drop start_date if allowed to edition but not specified
-            cleaned_data.pop("start_date")
-
-        if not cleaned_data.get("users"):
-            # No user to add equals no check needed
-            return cleaned_data
-
-        if cleaned_data.get("role", "") == "":
-            # Role is required if users exists
-            self.add_error("role", _("You should specify a role"))
-            return cleaned_data
-
-        request_user = self.request_user
-        membership = self.request_user_membership
-        if not (
-            cleaned_data["role"] <= settings.SITH_MAXIMUM_FREE_ROLE
-            or (membership is not None and membership.role >= cleaned_data["role"])
-            or request_user.is_board_member
-            or request_user.is_root
-        ):
-            raise forms.ValidationError(_("You do not have the permission to do that"))
-        return cleaned_data
+        """Check that the user is subscribed and isn't already in the club."""
+        if not self.request_user.is_subscribed:
+            raise forms.ValidationError(
+                _("You must be subscribed to join a club"), code="invalid"
+            )
+        if self.club.get_membership_for(self.request_user):
+            raise forms.ValidationError(
+                _("You are already a member of this club"), code="invalid"
+            )
+        return super().clean()

club/migrations/0012_club_board_group_club_members_group.py

@@ -34,12 +34,10 @@ def migrate_meta_groups(apps: StateApps, schema_editor):
     clubs = list(Club.objects.all())
     for club in clubs:
         club.board_group = meta_groups.get_or_create(
-            name=club.unix_name + settings.SITH_BOARD_SUFFIX,
-            defaults={"is_meta": True},
+            name=f"{club.unix_name}-bureau", defaults={"is_meta": True}
         )[0]
         club.members_group = meta_groups.get_or_create(
-            name=club.unix_name + settings.SITH_MEMBER_SUFFIX,
-            defaults={"is_meta": True},
+            name=f"{club.unix_name}-membres", defaults={"is_meta": True}
         )[0]
         club.save()
         club.refresh_from_db()

club/models.py

@@ -26,11 +26,11 @@ from __future__ import annotations
 from typing import Iterable, Self
 
 from django.conf import settings
-from django.core.cache import cache
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.core.validators import RegexValidator, validate_email
 from django.db import models, transaction
-from django.db.models import Exists, F, OuterRef, Q
+from django.db.models import Exists, F, OuterRef, Q, Value
+from django.db.models.functions import Greatest
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.functional import cached_property
@@ -42,6 +42,13 @@ from core.fields import ResizedImageField
 from core.models import Group, Notification, Page, SithFile, User
 
 
+class ClubQuerySet(models.QuerySet):
+    def having_board_member(self, user: User) -> Self:
+        """Filter all club in which the given user is a board member."""
+        active_memberships = user.memberships.board().ongoing()
+        return self.filter(Exists(active_memberships.filter(club=OuterRef("pk"))))
+
+
 class Club(models.Model):
     """The Club class, made as a tree to allow nice tidy organization."""
 
@@ -91,6 +98,8 @@ class Club(models.Model):
         Group, related_name="club_board", on_delete=models.PROTECT
     )
 
+    objects = ClubQuerySet.as_manager()
+
     class Meta:
         ordering = ["name"]
 
@@ -177,9 +186,6 @@ class Club(models.Model):
         self.page.save(force_lock=True)
 
     def delete(self, *args, **kwargs) -> tuple[int, dict[str, int]]:
-        # Invalidate the cache of this club and of its memberships
-        for membership in self.members.ongoing().select_related("user"):
-            cache.delete(f"membership_{self.id}_{membership.user.id}")
         self.board_group.delete()
         self.members_group.delete()
         return super().delete(*args, **kwargs)
@@ -200,28 +206,15 @@ class Club(models.Model):
         """Method to see if that object can be edited by the given user."""
         return self.has_rights_in_club(user)
 
-    def can_be_viewed_by(self, user: User) -> bool:
-        """Method to see if that object can be seen by the given user."""
-        return user.was_subscribed
+    @cached_property
+    def current_members(self) -> list[Membership]:
+        return list(self.members.ongoing().select_related("user").order_by("-role"))
 
     def get_membership_for(self, user: User) -> Membership | None:
-        """Return the current membership the given user.
-
-        Note:
-            The result is cached.
-        """
+        """Return the current membership of the given user."""
         if user.is_anonymous:
             return None
-        membership = cache.get(f"membership_{self.id}_{user.id}")
-        if membership == "not_member":
-            return None
-        if membership is None:
-            membership = self.members.filter(user=user, end_date=None).first()
-            if membership is None:
-                cache.set(f"membership_{self.id}_{user.id}", "not_member")
-            else:
-                cache.set(f"membership_{self.id}_{user.id}", membership)
-        return membership
+        return next((m for m in self.current_members if m.user_id == user.id), None)
 
     def has_rights_in_club(self, user: User) -> bool:
         return user.is_in_group(pk=self.board_group_id)
@@ -239,47 +232,72 @@ class MembershipQuerySet(models.QuerySet):
         are included, even if there are no more members.
 
         If you want to get the users who are currently in the board,
-        mind combining this with the :meth:`ongoing` queryset method
+        mind combining this with the `ongoing` queryset method
         """
         return self.filter(role__gt=settings.SITH_MAXIMUM_FREE_ROLE)
 
-    def update(self, **kwargs) -> int:
-        """Refresh the cache and edit group ownership.
+    def editable_by(self, user: User) -> Self:
+        """Filter Memberships that this user can edit.
 
-        Update the cache, when necessary, remove
-        users from club groups they are no more in
+        Users with the `club.change_membership` permission can edit all Membership.
+        The other users can edit :
+        - their own membership
+        - if they are board members, ongoing memberships with a role lower than their own
+
+        For example, let's suppose the following users :
+        - A : board member
+        - B : board member
+        - C : simple member
+        - D : curious
+        - E : old member
+
+        A will be able to edit the memberships of A, C and D ;
+        C and D will be able to edit only their own membership ;
+        nobody will be able to edit E's membership.
+        """
+        if user.has_perm("club.change_membership"):
+            return self.all()
+        return self.filter(
+            Q(user=user)
+            | Exists(
+                Membership.objects.filter(
+                    Q(
+                        role__gt=Greatest(
+                            OuterRef("role"), Value(settings.SITH_MAXIMUM_FREE_ROLE)
+                        )
+                    ),
+                    user=user,
+                    end_date=None,
+                    club=OuterRef("club"),
+                )
+            ),
+            end_date=None,
+        )
+
+    def update(self, **kwargs) -> int:
+        """Remove users from club groups they are no more in
         and add them in the club groups they should be in.
 
         Be aware that this adds three db queries :
-        one to retrieve the updated memberships,
-        one to perform group removal and one to perform
-        group attribution.
+
+        - one to retrieve the updated memberships
+        - one to perform group removal
+        - and one to perform group attribution.
         """
         nb_rows = super().update(**kwargs)
         if nb_rows == 0:
-            # if no row was affected, no need to refresh the cache
+            # if no row was affected, no need to edit club groups
             return 0
 
-        cache_memberships = {}
         memberships = set(self.select_related("club"))
         # delete all User-Group relations and recreate the necessary ones
-        # It's more concise to write and more reliable
         Membership._remove_club_groups(memberships)
         Membership._add_club_groups(memberships)
-        for member in memberships:
-            cache_key = f"membership_{member.club_id}_{member.user_id}"
-            if member.end_date is None:
-                cache_memberships[cache_key] = member
-            else:
-                cache_memberships[cache_key] = "not_member"
-        cache.set_many(cache_memberships)
         return nb_rows
 
     def delete(self) -> tuple[int, dict[str, int]]:
         """Work just like the default Django's delete() method,
-        but add a cache invalidation for the elements of the queryset
-        before the deletion,
-        and a removal of the user from the club groups.
+        but also remove the concerned users from the club groups.
 
         Be aware that this adds some db queries :
 
@@ -295,12 +313,6 @@ class MembershipQuerySet(models.QuerySet):
         nb_rows, rows_counts = super().delete()
         if nb_rows > 0:
             Membership._remove_club_groups(memberships)
-            cache.set_many(
-                {
-                    f"membership_{m.club_id}_{m.user_id}": "not_member"
-                    for m in memberships
-                }
-            )
         return nb_rows, rows_counts
 
 
@@ -319,16 +331,12 @@ class Membership(models.Model):
         User,
         verbose_name=_("user"),
         related_name="memberships",
-        null=False,
-        blank=False,
         on_delete=models.CASCADE,
     )
     club = models.ForeignKey(
         Club,
         verbose_name=_("club"),
         related_name="members",
-        null=False,
-        blank=False,
         on_delete=models.CASCADE,
     )
     start_date = models.DateField(_("start date"), default=timezone.now)
@@ -368,9 +376,6 @@ class Membership(models.Model):
         self._remove_club_groups([self])
         if self.end_date is None:
             self._add_club_groups([self])
-            cache.set(f"membership_{self.club_id}_{self.user_id}", self)
-        else:
-            cache.set(f"membership_{self.club_id}_{self.user_id}", "not_member")
 
     def get_absolute_url(self):
         return reverse("club:club_members", kwargs={"club_id": self.club_id})
@@ -391,7 +396,6 @@ class Membership(models.Model):
     def delete(self, *args, **kwargs):
         self._remove_club_groups([self])
         super().delete(*args, **kwargs)
-        cache.delete(f"membership_{self.club_id}_{self.user_id}")
 
     @staticmethod
     def _remove_club_groups(

club/schemas.py

@@ -1,7 +1,22 @@
-from ninja import ModelSchema
+from typing import Annotated
+
+from django.db.models import Q
+from ninja import FilterLookup, FilterSchema, ModelSchema
 
 from club.models import Club, Membership
-from core.schemas import SimpleUserSchema
+from core.schemas import NonEmptyStr, SimpleUserSchema
+
+
+class ClubSearchFilterSchema(FilterSchema):
+    search: Annotated[NonEmptyStr | None, FilterLookup("name__icontains")] = None
+    is_active: bool | None = None
+    parent_id: int | None = None
+    exclude_ids: set[int] | None = None
+
+    def filter_exclude_ids(self, value: set[int] | None):
+        if value is None:
+            return Q()
+        return ~Q(id__in=value)
 
 
 class SimpleClubSchema(ModelSchema):
@@ -25,6 +40,8 @@ class ClubProfileSchema(ModelSchema):
 
 
 class ClubMemberSchema(ModelSchema):
+    """A schema to represent all memberships in a club."""
+
     class Meta:
         model = Membership
         fields = ["start_date", "end_date", "role", "description"]
@@ -38,3 +55,13 @@ class ClubSchema(ModelSchema):
         fields = ["id", "name", "logo", "is_active", "short_description", "address"]
 
     members: list[ClubMemberSchema]
+
+
+class UserMembershipSchema(ModelSchema):
+    """A schema to represent the active club memberships of a user."""
+
+    class Meta:
+        model = Membership
+        fields = ["id", "start_date", "role", "description"]
+
+    club: SimpleClubSchema

club/static/bundled/club/components/ajax-select-index.ts

@@ -1,7 +1,7 @@
-import { AjaxSelect } from "#core:core/components/ajax-select-base";
-import { registerComponent } from "#core:utils/web-components";
 import type { TomOption } from "tom-select/dist/types/types";
 import type { escape_html } from "tom-select/dist/types/utils";
+import { AjaxSelect } from "#core:core/components/ajax-select-base.ts";
+import { registerComponent } from "#core:utils/web-components.ts";
 import { type ClubSchema, clubSearchClub } from "#openapi";
 
 @registerComponent("club-ajax-select")

club/static/club/members.scss

@@ -0,0 +1,24 @@
+#club_members_table {
+  tbody label {
+    margin: 0;
+    padding: 0;
+  }
+}
+
+#add_club_members_form {
+  fieldset {
+    display: flex;
+    flex-direction: row;
+    column-gap: 2em;
+    row-gap: 1em;
+    flex-wrap: wrap;
+
+    @media (max-width: 1100px) {
+      justify-content: space-evenly;
+    }
+
+    .errorlist {
+      max-width: 300px;
+    }
+  }
+}

club/templates/club/club_detail.jinja

@@ -9,6 +9,18 @@
   {{ club.short_description }}
 {%- endblock %}
 
+{% block metatags %}
+  <meta property="og:url" content="{{ request.build_absolute_uri(club.get_absolute_url()) }}" />
+  <meta property="og:type" content="website" />
+  <meta property="og:title" content="{{ club.name }}" />
+  <meta property="og:description" content="{{ club.short_description }}" />
+  {% if club.logo %}
+    <meta property="og:image" content="{{ request.build_absolute_uri(club.logo.url) }}" />
+  {% else %}
+    <meta property="og:image" content="{{ request.build_absolute_uri(static("core/img/logo_no_text.png")) }}" />
+  {% endif %}
+{% endblock %}
+
 {% block content %}
   <div id="club_detail">
     {% if club.logo %}
@@ -17,7 +29,7 @@
     {% if page_revision %}
       {{ page_revision|markdown }}
     {% else %}
-      <h3>{% trans %}Club{% endtrans %}</h3>
+      <h3>{{ club.name }}</h3>
     {% endif %}
   </div>
 {% endblock %}

club/templates/club/club_members.jinja

@@ -1,15 +1,33 @@
 {% extends "core/base.jinja" %}
 {% from 'core/macros.jinja' import user_profile_link, select_all_checkbox %}
 
+{% block additional_js %}
+  <script type="module" src="{{ static("bundled/core/components/ajax-select-index.ts") }}"></script>
+{% endblock %}
+{% block additional_css %}
+  <link rel="stylesheet" href="{{ static("bundled/core/components/ajax-select-index.css") }}">
+  <link rel="stylesheet" href="{{ static("club/members.scss") }}">
+{% endblock %}
+
 {% block content %}
+  {% block notifications %}
+    {# Notifications are moved a little bit below #}
+  {% endblock %}
+
   <h2>{% trans %}Club members{% endtrans %}</h2>
+
+  {% if add_member_fragment %}
+    <br />
+    {{ add_member_fragment }}
+    <br />
+  {% endif %}
+  {% include "core/base/notifications.jinja" %}
   {% if members %}
-    <form action="{{ url('club:club_members', club_id=club.id) }}" id="users_old" method="post">
+    <form action="{{ url('club:club_members', club_id=club.id) }}" id="members_old" method="post">
       {% csrf_token %}
-      {% set users_old = dict(form.users_old | groupby("choice_label")) %}
-      {% if users_old %}
-        {{ select_all_checkbox("users_old") }}
-        <p></p>
+      {% if can_end_membership %}
+        {{ select_all_checkbox("members_old") }}
+        <br />
       {% endif %}
       <table id="club_members_table">
         <thead>
@@ -18,7 +36,7 @@
             <td>{% trans %}Role{% endtrans %}</td>
             <td>{% trans %}Description{% endtrans %}</td>
             <td>{% trans %}Since{% endtrans %}</td>
-            {% if users_old %}
+            {% if can_end_membership %}
               <td>{% trans %}Mark as old{% endtrans %}</td>
             {% endif %}
           </tr>
@@ -30,20 +48,24 @@
               <td>{{ settings.SITH_CLUB_ROLES[m.role] }}</td>
               <td>{{ m.description }}</td>
               <td>{{ m.start_date }}</td>
-              {% if users_old %}
+              {%- if can_end_membership -%}
                 <td>
-                  {% set user_old = users_old[m.user.get_display_name()] %}
-                  {% if user_old %}
-                    {{ user_old[0].tag() }}
-                  {% endif %}
+                  {%- if m.is_editable -%}
+                    <label for="id_members_old_{{ loop.index }}"></label>
+                    <input
+                      type="checkbox"
+                      name="members_old"
+                      value="{{ m.id }}"
+                      id="id_members_old_{{ loop.index }}"
+                    >
+                  {%- endif -%}
                 </td>
-              {% endif %}
+              {%- endif -%}
             </tr>
           {% endfor %}
         </tbody>
       </table>
-      {{ form.users_old.errors }}
-      {% if users_old %}
+      {% if can_end_membership %}
         <p></p>
         <input type="submit" name="submit" value="{% trans %}Mark as old{% endtrans %}">
       {% endif %}
@@ -51,32 +73,4 @@
   {% else %}
     <p>{% trans %}There are no members in this club.{% endtrans %}</p>
   {% endif %}
-  <form action="{{ url('club:club_members', club_id=club.id) }}" id="add_users" method="post">
-    {% csrf_token %}
-    {{ form.non_field_errors() }}
-    <p>
-      {{ form.users.errors }}
-      <label for="{{ form.users.id_for_label }}">{{ form.users.label }} :</label>
-      {{ form.users }}
-      <span class="helptext">{{ form.users.help_text }}</span>
-    </p>
-    <p>
-      {{ form.role.errors }}
-      <label for="{{ form.role.id_for_label }}">{{ form.role.label }} :</label>
-      {{ form.role }}
-    </p>
-    {% if form.start_date %}
-      <p>
-        {{ form.start_date.errors }}
-        <label for="{{ form.start_date.id_for_label }}">{{ form.start_date.label }} :</label>
-        {{ form.start_date }}
-      </p>
-    {% endif %}
-    <p>
-      {{ form.description.errors }}
-      <label for="{{ form.description.id_for_label }}">{{ form.description.label }} :</label>
-      {{ form.description }}
-    </p>
-    <p><input type="submit" value="{% trans %}Add{% endtrans %}" /></p>
-  </form>
 {% endblock %}

club/templates/club/club_old_members.jinja

@@ -5,20 +5,22 @@
   <h2>{% trans %}Club old members{% endtrans %}</h2>
   <table>
     <thead>
-      <td>{% trans %}User{% endtrans %}</td>
-      <td>{% trans %}Role{% endtrans %}</td>
-      <td>{% trans %}Description{% endtrans %}</td>
-      <td>{% trans %}From{% endtrans %}</td>
-      <td>{% trans %}To{% endtrans %}</td>
+      <tr>
+        <td>{% trans %}User{% endtrans %}</td>
+        <td>{% trans %}Role{% endtrans %}</td>
+        <td>{% trans %}Description{% endtrans %}</td>
+        <td>{% trans %}From{% endtrans %}</td>
+        <td>{% trans %}To{% endtrans %}</td>
+      </tr>
     </thead>
     <tbody>
-      {% for m in club.members.exclude(end_date=None).order_by('-role', 'description', '-end_date').all() %}
+      {% for member in old_members %}
         <tr>
-          <td>{{ user_profile_link(m.user) }}</td>
-          <td>{{ settings.SITH_CLUB_ROLES[m.role] }}</td>
-          <td>{{ m.description }}</td>
-          <td>{{ m.start_date }}</td>
-          <td>{{ m.end_date }}</td>
+          <td>{{ user_profile_link(member.user) }}</td>
+          <td>{{ settings.SITH_CLUB_ROLES[member.role] }}</td>
+          <td>{{ member.description }}</td>
+          <td>{{ member.start_date }}</td>
+          <td>{{ member.end_date }}</td>
         </tr>
       {% endfor %}
     </tbody>

club/templates/club/club_sellings.jinja

@@ -6,11 +6,11 @@ because it works with a somewhat dynamic form,
 but was written before Alpine was introduced in the project.
 TODO : rewrite the pagination used in this template an Alpine one
 #}
-{% macro paginate(page_obj, paginator, js_action) %}
-  {% set js = js_action|default('') %}
+{% macro paginate(page_obj, paginator) %}
+  {% set js = "formPagination(this)" %}
   {% if page_obj.has_previous() or page_obj.has_next() %}
     {% if page_obj.has_previous() %}
-      <a {% if js %} type="submit" onclick="{{ js }}" {% endif %} href="?page={{ page_obj.previous_page_number() }}">{% trans %}Previous{% endtrans %}</a>
+      <a type="submit" onclick="{{ js }}" href="?page={{ page_obj.previous_page_number() }}">{% trans %}Previous{% endtrans %}</a>
     {% else %}
       <span class="disabled">{% trans %}Previous{% endtrans %}</span>
     {% endif %}
@@ -18,11 +18,11 @@ TODO : rewrite the pagination used in this template an Alpine one
       {% if page_obj.number == i %}
         <span class="active">{{ i }} <span class="sr-only">({% trans %}current{% endtrans %})</span></span>
       {% else %}
-        <a {% if js %} type="submit" onclick="{{ js }}" {% endif %} href="?page={{ i }}">{{ i }}</a>
+        <a type="submit" onclick="{{ js }}" href="?page={{ i }}">{{ i }}</a>
       {% endif %}
     {% endfor %}
     {% if page_obj.has_next() %}
-      <a {% if js %} type="submit" onclick="{{ js }}" {% endif %} href="?page={{ page_obj.next_page_number() }}">{% trans %}Next{% endtrans %}</a>
+      <a type="submit" onclick="{{ js }}" href="?page={{ page_obj.next_page_number() }}">{% trans %}Next{% endtrans %}</a>
     {% else %}
       <span class="disabled">{% trans %}Next{% endtrans %}</span>
     {% endif %}
@@ -35,7 +35,7 @@ TODO : rewrite the pagination used in this template an Alpine one
     {% csrf_token %}
     {{ form }}
     <p><input type="submit" value="{% trans %}Show{% endtrans %}" /></p>
-    <p><input type="submit" value="{% trans %}Download as cvs{% endtrans %}" formaction="{{ url('club:sellings_csv', club_id=object.id) }}"/></p>
+    <p><input type="submit" value="{% trans %}Download as CSV{% endtrans %}" formaction="{{ url('club:sellings_csv', club_id=object.id) }}"/></p>
   </form>
   <p>
     {% trans %}Quantity: {% endtrans %}{{ total_quantity }} {% trans %}units{% endtrans %}<br/>
@@ -81,14 +81,18 @@ TODO : rewrite the pagination used in this template an Alpine one
       {% endfor %}
     </tbody>
   </table>
+  {{ paginate(paginated_result, paginator) }}
+{% endblock %}
+
+{% block script %}
   <script type="text/javascript">
     function formPagination(link){
-      $("form").attr("action", link.href);
+      const form = document.getElementById("form")
+      form.action = link.href;
       link.href = "javascript:void(0)"; // block link action
-      $("form").submit();
+      form.submit();
     }
   </script>
-  {{ paginate(paginated_result, paginator, "formPagination(this)") }}
 {% endblock %}
 
 

club/templates/club/fragments/add_member.jinja

@@ -0,0 +1,46 @@
+<section id="member-fragment-container">
+  {% if form.user %}
+    <h4>{% trans %}Add a new member{% endtrans %}</h4>
+  {% else %}
+    <h4>{% trans %}Join club{% endtrans %}</h4>
+  {% endif %}
+
+  <form
+    hx-post="{{ url('club:club_new_members', club_id=club.id) }}"
+    hx-disabled-elt="find input[type='submit']"
+    hx-swap="outerHTML"
+    hx-target="#member-fragment-container"
+    id="add_club_members_form"
+  >
+    {% csrf_token %}
+    {{ form.non_field_errors() }}
+    <fieldset>
+      {% if form.user %}
+        <div>
+          {{ form.user.label_tag() }}
+          <span class="helptext">{{ form.user.help_text }}</span>
+          {{ form.user }}
+          {{ form.user.errors }}
+        </div>
+      {% endif %}
+      <div>
+        {{ form.role.label_tag() }}
+        {{ form.role }}
+        {{ form.role.errors }}
+      </div>
+      <div>
+        {{ form.description.label_tag() }}
+        {{ form.description }}
+        {{ form.description.errors }}
+      </div>
+    </fieldset>
+    <button type="submit" class="btn btn-blue">
+      <i class="fa fa-user-plus"></i>
+      {%- if form.user -%}
+        {% trans %}Add{% endtrans %}
+      {%- else -%}
+        {% trans %}Join{% endtrans %}
+      {%- endif -%}
+    </button>
+  </form>
+</section>

club/templates/club/page_history.jinja

@@ -1,12 +1,8 @@
 {% extends "core/base.jinja" %}
-{% from 'core/macros_pages.jinja' import page_history %}
+{% from 'core/page/macros.jinja' import page_history %}
 
 {% block content %}
-  {% if club.page %}
-    {{ page_history(club.page) }}
-  {% else %}
-    {% trans %}No page existing for this club{% endtrans %}
-  {% endif %}
+  {{ page_history(club.page) }}
 {% endblock %}
 
 

club/templates/club/pagerev_edit.jinja

@@ -1,8 +1,12 @@
 {% extends "core/base.jinja" %}
-{% from 'core/macros_pages.jinja' import page_edit_form %}
 
 {% block content %}
-  {{ page_edit_form(page, form, url('club:club_edit_page', club_id=page.club.id), csrf_token) }}
+  <h2>{% trans %}Edit page{% endtrans %}</h2>
+  <form action="{{ url('club:club_edit_page', club_id=page.club.id) }}" method="post">
+    {% csrf_token %}
+    {{ form.as_p() }}
+    <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
+  </form>
 {% endblock %}
 
 

club/tests/base.py

@@ -43,6 +43,9 @@ class TestClub(TestCase):
 
         cls.ae = Club.objects.get(pk=settings.SITH_MAIN_CLUB_ID)
         cls.club = baker.make(Club)
+        cls.new_members_url = reverse(
+            "club:club_new_members", kwargs={"club_id": cls.club.id}
+        )
         cls.members_url = reverse("club:club_members", kwargs={"club_id": cls.club.id})
         a_month_ago = now() - timedelta(days=30)
         yesterday = now() - timedelta(days=1)

club/tests/test_club.py

@@ -0,0 +1,27 @@
+from datetime import timedelta
+
+import pytest
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from core.baker_recipes import subscriber_user
+
+
+@pytest.mark.django_db
+def test_club_queryset_having_board_member():
+    clubs = baker.make(Club, _quantity=5)
+    user = subscriber_user.make()
+    membership_recipe = Recipe(
+        Membership, user=user, start_date=localdate() - timedelta(days=3)
+    )
+    membership_recipe.make(club=clubs[0], role=1)
+    membership_recipe.make(club=clubs[1], role=3)
+    membership_recipe.make(club=clubs[2], role=7)
+    membership_recipe.make(
+        club=clubs[3], role=3, end_date=localdate() - timedelta(days=1)
+    )
+
+    club_ids = Club.objects.having_board_member(user).values_list("id", flat=True)
+    assert set(club_ids) == {clubs[1].id, clubs[2].id}

club/tests/test_club_controller.py

@@ -1,7 +1,8 @@
 from datetime import date, timedelta
 
 import pytest
-from django.test import Client
+from django.contrib.auth.models import Permission
+from django.test import Client, TestCase
 from django.urls import reverse
 from model_bakery import baker
 from model_bakery.recipe import Recipe
@@ -9,6 +10,54 @@ from pytest_django.asserts import assertNumQueries
 
 from club.models import Club, Membership
 from core.baker_recipes import subscriber_user
+from core.models import Group, Page, User
+
+
+class TestClubSearch(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.url = reverse("api:search_club")
+        cls.user = baker.make(
+            User, user_permissions=[Permission.objects.get(codename="access_lookup")]
+        )
+        # delete existing clubs to avoid side effect
+        groups = list(
+            Group.objects.exclude(club=None, club_board=None).values_list(
+                "id", flat=True
+            )
+        )
+        Page.objects.exclude(club=None).delete()
+        Club.objects.all().delete()
+        Group.objects.filter(id__in=groups).delete()
+
+        cls.clubs = baker.make(
+            Club,
+            _quantity=5,
+            name=iter(["AE", "ae 1", "Troll", "Dev AE", "pdf"]),
+            is_active=True,
+        )
+
+    def test_inactive_club(self):
+        self.client.force_login(self.user)
+        inactive_ids = {self.clubs[0].id, self.clubs[2].id}
+        Club.objects.filter(id__in=inactive_ids).update(is_active=False)
+        response = self.client.get(self.url, {"is_active": False})
+        assert response.status_code == 200
+        assert {d["id"] for d in response.json()["results"]} == inactive_ids
+
+    def test_excluded_id(self):
+        self.client.force_login(self.user)
+        response = self.client.get(self.url, {"exclude_ids": [self.clubs[1].id]})
+        assert response.status_code == 200
+        ids = {d["id"] for d in response.json()["results"]}
+        assert ids == {c.id for c in [self.clubs[0], *self.clubs[2:]]}
+
+    def test_club_search(self):
+        self.client.force_login(self.user)
+        response = self.client.get(self.url, {"search": "AE"})
+        assert response.status_code == 200
+        ids = {d["id"] for d in response.json()["results"]}
+        assert ids == {c.id for c in [self.clubs[0], self.clubs[1], self.clubs[3]]}
 
 
 @pytest.mark.django_db

club/tests/test_membership.py

@@ -1,13 +1,20 @@
+from collections.abc import Callable
+from datetime import timedelta
+
+import pytest
 from bs4 import BeautifulSoup
 from django.conf import settings
+from django.contrib.auth.models import Permission
 from django.core.cache import cache
 from django.db.models import Max
+from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.timezone import localdate, localtime, now
 from model_bakery import baker
+from pytest_django.asserts import assertRedirects
 
-from club.forms import ClubMemberForm
-from club.models import Membership
+from club.forms import ClubAddMemberForm, JoinClubForm
+from club.models import Club, Membership
 from club.tests.base import TestClub
 from core.baker_recipes import subscriber_user
 from core.models import AnonymousUser, User
@@ -65,25 +72,6 @@ class TestMembershipQuerySet(TestClub):
         expected.sort(key=lambda i: i.id)
         assert members == expected
 
-    def test_update_invalidate_cache(self):
-        """Test that the `update` queryset method properly invalidate cache."""
-        mem_skia = self.simple_board_member.memberships.get(club=self.club)
-        cache.set(f"membership_{mem_skia.club_id}_{mem_skia.user_id}", mem_skia)
-        self.simple_board_member.memberships.update(end_date=localtime(now()).date())
-        assert (
-            cache.get(f"membership_{mem_skia.club_id}_{mem_skia.user_id}")
-            == "not_member"
-        )
-
-        mem_richard = self.richard.memberships.get(club=self.club)
-        cache.set(
-            f"membership_{mem_richard.club_id}_{mem_richard.user_id}", mem_richard
-        )
-        self.richard.memberships.update(role=5)
-        new_mem = self.richard.memberships.get(club=self.club)
-        assert new_mem != "not_member"
-        assert new_mem.role == 5
-
     def test_update_change_club_groups(self):
         """Test that `update` set the user groups accordingly."""
         user = baker.make(User)
@@ -105,24 +93,6 @@ class TestMembershipQuerySet(TestClub):
         assert not user.groups.contains(members_group)
         assert not user.groups.contains(board_group)
 
-    def test_delete_invalidate_cache(self):
-        """Test that the `delete` queryset properly invalidate cache."""
-        mem_skia = self.simple_board_member.memberships.get(club=self.club)
-        mem_comptable = self.president.memberships.get(club=self.club)
-        cache.set(f"membership_{mem_skia.club_id}_{mem_skia.user_id}", mem_skia)
-        cache.set(
-            f"membership_{mem_comptable.club_id}_{mem_comptable.user_id}", mem_comptable
-        )
-
-        # should delete the subscriptions of simple_board_member and president
-        self.club.members.ongoing().board().delete()
-
-        for membership in (mem_skia, mem_comptable):
-            cached_mem = cache.get(
-                f"membership_{membership.club_id}_{membership.user_id}"
-            )
-            assert cached_mem == "not_member"
-
     def test_delete_remove_from_groups(self):
         """Test that `delete` removes from club groups"""
         user = baker.make(User)
@@ -137,6 +107,38 @@ class TestMembershipQuerySet(TestClub):
         assert set(user.groups.all()).isdisjoint(club_groups)
 
 
+class TestMembershipEditableBy(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        Membership.objects.all().delete()
+        cls.club_a, cls.club_b = baker.make(Club, _quantity=2)
+        cls.memberships = [
+            *baker.make(
+                Membership, role=iter([7, 3, 3, 1]), club=cls.club_a, _quantity=4
+            ),
+            *baker.make(
+                Membership, role=iter([7, 3, 3, 1]), club=cls.club_b, _quantity=4
+            ),
+        ]
+
+    def test_admin_user(self):
+        perm = Permission.objects.get(codename="change_membership")
+        user = baker.make(User, user_permissions=[perm])
+        qs = Membership.objects.editable_by(user).values_list("id", flat=True)
+        assert set(qs) == set(Membership.objects.values_list("id", flat=True))
+
+    def test_simple_subscriber_user(self):
+        user = subscriber_user.make()
+        assert not Membership.objects.editable_by(user).exists()
+
+    def test_board_member(self):
+        # a board member can end lower memberships and its own one
+        user = self.memberships[2].user
+        qs = Membership.objects.editable_by(user).values_list("id", flat=True)
+        expected = {self.memberships[2].id, self.memberships[3].id}
+        assert set(qs) == expected
+
+
 class TestMembership(TestClub):
     def assert_membership_started_today(self, user: User, role: int):
         """Assert that the given membership is active and started today."""
@@ -151,7 +153,7 @@ class TestMembership(TestClub):
 
     def assert_membership_ended_today(self, user: User):
         """Assert that the given user have a membership which ended today."""
-        today = localtime(now()).date()
+        today = localdate()
         assert user.memberships.filter(club=self.club, end_date=today).exists()
         assert self.club.get_membership_for(user) is None
 
@@ -160,7 +162,9 @@ class TestMembership(TestClub):
         cannot see the page.
         """
         response = self.client.post(self.members_url)
-        assert response.status_code == 403
+        assertRedirects(
+            response, reverse("core:login", query={"next": self.members_url})
+        )
 
         self.client.force_login(self.public)
         response = self.client.post(self.members_url)
@@ -171,7 +175,9 @@ class TestMembership(TestClub):
         information are displayed.
         """
         self.client.force_login(self.simple_board_member)
-        response = self.client.get(self.members_url)
+        response = self.client.get(
+            reverse("club:club_members", kwargs={"club_id": self.club.id})
+        )
         assert response.status_code == 200
         soup = BeautifulSoup(response.text, "lxml")
         table = soup.find("table", id="club_members_table")
@@ -197,59 +203,45 @@ class TestMembership(TestClub):
             assert cols[2].text == membership.description
             assert cols[3].text == str(membership.start_date)
 
-            if membership.role <= 3:  # 3 is the role of simple_board_member
+            if membership.role < 3 or membership.user_id == self.simple_board_member.id:
+                # 3 is the role of simple_board_member
                 form_input = cols[4].find("input")
                 expected_attrs = {
                     "type": "checkbox",
-                    "name": "users_old",
-                    "value": str(user.id),
+                    "name": "members_old",
+                    "value": str(membership.id),
                 }
                 assert form_input.attrs.items() >= expected_attrs.items()
             else:
                 assert cols[4].find_all() == []
 
     def test_root_add_one_club_member(self):
-        """Test that root users can add members to clubs, one at a time."""
+        """Test that root users can add members to clubs"""
         self.client.force_login(self.root)
         response = self.client.post(
-            self.members_url,
-            {"users": [self.subscriber.id], "role": 3},
+            self.new_members_url, {"user": self.subscriber.id, "role": 3}
+        )
+        assert response.status_code == 200
+        assert response.headers.get("HX-Redirect", "") == reverse(
+            "club:club_members", kwargs={"club_id": self.club.id}
         )
-        self.assertRedirects(response, self.members_url)
         self.subscriber.refresh_from_db()
         self.assert_membership_started_today(self.subscriber, role=3)
 
-    def test_root_add_multiple_club_member(self):
-        """Test that root users can add multiple members at once to clubs."""
-        self.client.force_login(self.root)
-        response = self.client.post(
-            self.members_url,
-            {
-                "users": (self.subscriber.id, self.krophil.id),
-                "role": 3,
-            },
-        )
-        self.assertRedirects(response, self.members_url)
-        self.subscriber.refresh_from_db()
-        self.assert_membership_started_today(self.subscriber, role=3)
-        self.assert_membership_started_today(self.krophil, role=3)
-
     def test_add_unauthorized_members(self):
         """Test that users who are not currently subscribed
         cannot be members of clubs.
         """
         for user in self.public, self.old_subscriber:
-            form = ClubMemberForm(
-                data={"users": [user.id], "role": 1},
+            form = ClubAddMemberForm(
+                data={"user": user.id, "role": 1},
                 request_user=self.root,
                 club=self.club,
             )
 
             assert not form.is_valid()
             assert form.errors == {
-                "users": [
-                    "L'utilisateur doit être cotisant pour faire partie d'un club"
-                ]
+                "user": ["L'utilisateur doit être cotisant pour faire partie d'un club"]
             }
 
     def test_add_members_already_members(self):
@@ -281,16 +273,16 @@ class TestMembership(TestClub):
         nb_memberships = self.club.members.count()
         max_id = User.objects.aggregate(id=Max("id"))["id"]
         for members in [max_id + 1], [max_id + 1, self.subscriber.id]:
-            form = ClubMemberForm(
-                data={"users": members, "role": 1},
+            form = ClubAddMemberForm(
+                data={"user": members, "role": 1},
                 request_user=self.root,
                 club=self.club,
             )
             assert not form.is_valid()
             assert form.errors == {
-                "users": [
+                "user": [
                     "Sélectionnez un choix valide. "
-                    f"{max_id + 1} n\u2019en fait pas partie."
+                    "Ce choix ne fait pas partie de ceux disponibles."
                 ]
             }
         self.club.refresh_from_db()
@@ -303,10 +295,12 @@ class TestMembership(TestClub):
         nb_subscriber_memberships = self.subscriber.memberships.count()
         self.client.force_login(president)
         response = self.client.post(
-            self.members_url,
-            {"users": self.subscriber.id, "role": 9},
+            self.new_members_url, {"user": self.subscriber.id, "role": 9}
+        )
+        assert response.status_code == 200
+        assert response.headers.get("HX-Redirect", "") == reverse(
+            "club:club_members", kwargs={"club_id": self.club.id}
         )
-        self.assertRedirects(response, self.members_url)
         self.club.refresh_from_db()
         self.subscriber.refresh_from_db()
         assert self.club.members.count() == nb_club_membership + 1
@@ -317,8 +311,8 @@ class TestMembership(TestClub):
         """Test that a member of the club member cannot create
         a membership with a greater role than its own.
         """
-        form = ClubMemberForm(
-            data={"users": [self.subscriber.id], "role": 10},
+        form = ClubAddMemberForm(
+            data={"user": self.subscriber.id, "role": 10},
             request_user=self.simple_board_member,
             club=self.club,
         )
@@ -326,7 +320,7 @@ class TestMembership(TestClub):
 
         assert not form.is_valid()
         assert form.errors == {
-            "__all__": ["Vous n'avez pas la permission de faire cela"]
+            "role": ["Sélectionnez un choix valide. 10 n\u2019en fait pas partie."]
         }
         self.club.refresh_from_db()
         assert nb_memberships == self.club.members.count()
@@ -334,23 +328,53 @@ class TestMembership(TestClub):
 
     def test_add_member_without_role(self):
         """Test that trying to add members without specifying their role fails."""
-        self.client.force_login(self.root)
-        form = ClubMemberForm(
-            data={"users": [self.subscriber.id]},
-            request_user=self.simple_board_member,
-            club=self.club,
+        form = ClubAddMemberForm(
+            data={"user": self.subscriber.id}, request_user=self.root, club=self.club
         )
 
         assert not form.is_valid()
-        assert form.errors == {"role": ["Vous devez choisir un rôle"]}
+        assert form.errors == {"role": ["Ce champ est obligatoire."]}
+
+    def test_add_member_already_there(self):
+        form = ClubAddMemberForm(
+            data={"user": self.simple_board_member, "role": 3},
+            request_user=self.root,
+            club=self.club,
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "user": ["Vous ne pouvez pas ajouter deux fois le même utilisateur"]
+        }
+
+    def test_add_other_member_forbidden(self):
+        non_member = subscriber_user.make()
+        simple_member = baker.make(Membership, club=self.club, role=1).user
+        for user in non_member, simple_member:
+            form = ClubAddMemberForm(
+                data={"user": subscriber_user.make(), "role": 1},
+                request_user=user,
+                club=self.club,
+            )
+            assert not form.is_valid()
+            assert form.errors == {
+                "role": ["Sélectionnez un choix valide. 1 n\u2019en fait pas partie."]
+            }
+
+    def test_simple_members_dont_see_form_anymore(self):
+        """Test that simple club members don't see the form to add members"""
+        user = subscriber_user.make()
+        baker.make(Membership, club=self.club, user=user, role=1)
+        self.client.force_login(user)
+        res = self.client.get(self.members_url)
+        assert res.status_code == 200
+        soup = BeautifulSoup(res.text, "lxml")
+        assert not soup.find(id="add_club_members_form")
 
     def test_end_membership_self(self):
         """Test that a member can end its own membership."""
         self.client.force_login(self.simple_board_member)
-        self.client.post(
-            self.members_url,
-            {"users_old": self.simple_board_member.id},
-        )
+        membership = self.club.members.get(end_date=None, user=self.simple_board_member)
+        self.client.post(self.members_url, {"members_old": [membership.id]})
         self.simple_board_member.refresh_from_db()
         self.assert_membership_ended_today(self.simple_board_member)
 
@@ -358,15 +382,13 @@ class TestMembership(TestClub):
         """Test that board members of the club can end memberships
         of users with lower roles.
         """
-        # remainder : simple_board_member has role 3, president has role 10, richard has role 1
+        # reminder : simple_board_member has role 3
         self.client.force_login(self.simple_board_member)
-        response = self.client.post(
-            self.members_url,
-            {"users_old": self.richard.id},
-        )
+        membership = baker.make(Membership, club=self.club, role=2, end_date=None)
+        response = self.client.post(self.members_url, {"members_old": [membership.id]})
         self.assertRedirects(response, self.members_url)
         self.club.refresh_from_db()
-        self.assert_membership_ended_today(self.richard)
+        self.assert_membership_ended_today(membership.user)
 
     def test_end_membership_higher_role(self):
         """Test that board members of the club cannot end memberships
@@ -374,46 +396,30 @@ class TestMembership(TestClub):
         """
         membership = self.president.memberships.filter(club=self.club).first()
         self.client.force_login(self.simple_board_member)
-        self.client.post(
-            self.members_url,
-            {"users_old": self.president.id},
-        )
+        self.client.post(self.members_url, {"members_old": [membership.id]})
         self.club.refresh_from_db()
         new_membership = self.club.get_membership_for(self.president)
         assert new_membership is not None
         assert new_membership == membership
 
-        membership = self.president.memberships.filter(club=self.club).first()
+        membership.refresh_from_db()
         assert membership.end_date is None
 
-    def test_end_membership_as_main_club_board(self):
-        """Test that board members of the main club can end the membership
-        of anyone.
-        """
+    def test_end_membership_with_permission(self):
+        """Test that users with permission can end any membership."""
         # make subscriber a board member
-        subscriber = subscriber_user.make()
-        Membership.objects.create(club=self.ae, user=subscriber, role=3)
-
         nb_memberships = self.club.members.ongoing().count()
-        self.client.force_login(subscriber)
+        self.client.force_login(
+            subscriber_user.make(
+                user_permissions=[Permission.objects.get(codename="change_membership")]
+            )
+        )
+        president_membership = self.club.president
         response = self.client.post(
-            self.members_url,
-            {"users_old": self.president.id},
+            self.members_url, {"members_old": [president_membership.id]}
         )
         self.assertRedirects(response, self.members_url)
-        self.assert_membership_ended_today(self.president)
-        assert self.club.members.ongoing().count() == nb_memberships - 1
-
-    def test_end_membership_as_root(self):
-        """Test that root users can end the membership of anyone."""
-        nb_memberships = self.club.members.ongoing().count()
-        self.client.force_login(self.root)
-        response = self.client.post(
-            self.members_url,
-            {"users_old": [self.president.id]},
-        )
-        self.assertRedirects(response, self.members_url)
-        self.assert_membership_ended_today(self.president)
+        self.assert_membership_ended_today(president_membership.user)
         assert self.club.members.ongoing().count() == nb_memberships - 1
 
     def test_end_membership_as_foreigner(self):
@@ -421,14 +427,11 @@ class TestMembership(TestClub):
         nb_memberships = self.club.members.count()
         membership = self.richard.memberships.filter(club=self.club).first()
         self.client.force_login(self.subscriber)
-        self.client.post(
-            self.members_url,
-            {"users_old": [self.richard.id]},
-        )
+        self.client.post(self.members_url, {"members_old": [self.richard.id]})
         # nothing should have changed
-        new_mem = self.club.get_membership_for(self.richard)
+        membership.refresh_from_db()
         assert self.club.members.count() == nb_memberships
-        assert membership == new_mem
+        assert membership.end_date is None
 
     def test_remove_from_club_group(self):
         """Test that when a membership ends, the user is removed from club groups."""
@@ -490,3 +493,114 @@ class TestMembership(TestClub):
         new_board = set(self.club.board_group.users.values_list("id", flat=True))
         assert new_members == initial_members
         assert new_board == initial_board
+
+
+@pytest.mark.django_db
+def test_membership_set_old(client: Client):
+    membership = baker.make(Membership, end_date=None, user=(subscriber_user.make()))
+    client.force_login(membership.user)
+    response = client.post(
+        reverse("club:membership_set_old", kwargs={"membership_id": membership.id})
+    )
+    assertRedirects(
+        response, reverse("core:user_clubs", kwargs={"user_id": membership.user_id})
+    )
+    membership.refresh_from_db()
+    assert membership.end_date == localdate()
+
+
+@pytest.mark.django_db
+def test_membership_delete(client: Client):
+    user = baker.make(User, is_superuser=True)
+    membership = baker.make(Membership)
+    client.force_login(user)
+    url = reverse("club:membership_delete", kwargs={"membership_id": membership.id})
+    response = client.get(url)
+    assert response.status_code == 200
+    response = client.post(url)
+    assertRedirects(
+        response, reverse("core:user_clubs", kwargs={"user_id": membership.user_id})
+    )
+    assert not Membership.objects.filter(id=membership.id).exists()
+
+
+@pytest.mark.django_db
+class TestJoinClub:
+    @pytest.fixture(autouse=True)
+    def clear_cache(self):
+        cache.clear()
+
+    @pytest.mark.parametrize(
+        ("user_factory", "role", "errors"),
+        [
+            (
+                subscriber_user.make,
+                2,
+                {
+                    "role": [
+                        "Sélectionnez un choix valide. 2 n\u2019en fait pas partie."
+                    ]
+                },
+            ),
+            (
+                lambda: baker.make(User),
+                1,
+                {"__all__": ["Vous devez être cotisant pour faire partie d'un club"]},
+            ),
+        ],
+    )
+    def test_join_club_errors(
+        self, user_factory: Callable[[], User], role: int, errors: dict
+    ):
+        club = baker.make(Club)
+        user = user_factory()
+        form = JoinClubForm(club=club, request_user=user, data={"role": role})
+        assert not form.is_valid()
+        assert form.errors == errors
+
+    def test_user_already_in_club(self):
+        club = baker.make(Club)
+        user = subscriber_user.make()
+        baker.make(Membership, user=user, club=club)
+        form = JoinClubForm(club=club, request_user=user, data={"role": 1})
+        assert not form.is_valid()
+        assert form.errors == {"__all__": ["Vous êtes déjà membre de ce club."]}
+
+    def test_ok(self):
+        club = baker.make(Club)
+        user = subscriber_user.make()
+        form = JoinClubForm(club=club, request_user=user, data={"role": 1})
+        assert form.is_valid()
+        form.save()
+        assert Membership.objects.ongoing().filter(user=user, club=club).exists()
+
+
+class TestOldMembersView(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        club = baker.make(Club)
+        roles = [1, 1, 1, 2, 2, 4, 4, 5, 7, 9, 10]
+        cls.memberships = baker.make(
+            Membership,
+            role=iter(roles),
+            club=club,
+            start_date=now() - timedelta(days=14),
+            end_date=now() - timedelta(days=7),
+            _quantity=len(roles),
+            _bulk_create=True,
+        )
+        cls.url = reverse("club:club_old_members", kwargs={"club_id": club.id})
+
+    def test_ok(self):
+        user = subscriber_user.make()
+        self.client.force_login(user)
+        res = self.client.get(self.url)
+        assert res.status_code == 200
+
+    def test_access_forbidden(self):
+        res = self.client.get(self.url)
+        assertRedirects(res, reverse("core:login", query={"next": self.url}))
+
+        self.client.force_login(baker.make(User))
+        res = self.client.get(self.url)
+        assert res.status_code == 403

club/tests/test_page.py

@@ -3,9 +3,10 @@ from bs4 import BeautifulSoup
 from django.test import Client
 from django.urls import reverse
 from model_bakery import baker
-from pytest_django.asserts import assertHTMLEqual
+from pytest_django.asserts import assertHTMLEqual, assertRedirects
 
-from club.models import Club
+from club.models import Club, Membership
+from core.baker_recipes import subscriber_user
 from core.markdown import markdown
 from core.models import PageRev, User
 
@@ -16,7 +17,6 @@ def test_page_display_on_club_main_page(client: Client):
     club = baker.make(Club)
     content = "# foo\nLorem ipsum dolor sit amet"
     baker.make(PageRev, page=club.page, revision=1, content=content)
-    client.force_login(baker.make(User))
     res = client.get(reverse("club:club_view", kwargs={"club_id": club.id}))
 
     assert res.status_code == 200
@@ -30,10 +30,42 @@ def test_club_main_page_without_content(client: Client):
     """Test the club view works, even if the club page is empty"""
     club = baker.make(Club)
     club.page.revisions.all().delete()
-    client.force_login(baker.make(User))
     res = client.get(reverse("club:club_view", kwargs={"club_id": club.id}))
 
     assert res.status_code == 200
     soup = BeautifulSoup(res.text, "lxml")
     detail_html = soup.find(id="club_detail")
     assert detail_html.find_all("markdown") == []
+
+
+@pytest.mark.django_db
+def test_page_revision(client: Client):
+    club = baker.make(Club)
+    revisions = baker.make(
+        PageRev, page=club.page, _quantity=3, content=iter(["foo", "bar", "baz"])
+    )
+    client.force_login(baker.make(User))
+    url = reverse(
+        "club:club_view_rev", kwargs={"club_id": club.id, "rev_id": revisions[1].id}
+    )
+    res = client.get(url)
+    assert res.status_code == 200
+    soup = BeautifulSoup(res.text, "lxml")
+    detail_html = soup.find(class_="markdown")
+    assertHTMLEqual(detail_html.decode_contents(), markdown(revisions[1].content))
+
+
+@pytest.mark.django_db
+def test_edit_page(client: Client):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    baker.make(Membership, user=user, club=club, role=3)
+    client.force_login(user)
+    url = reverse("club:club_edit_page", kwargs={"club_id": club.id})
+    content = "# foo\nLorem ipsum dolor sit amet"
+
+    res = client.get(url)
+    assert res.status_code == 200
+    res = client.post(url, data={"content": content})
+    assertRedirects(res, reverse("club:club_view", kwargs={"club_id": club.id}))
+    assert club.page.revisions.last().content == content

club/tests/test_posters.py

@@ -0,0 +1,35 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from club.models import Club
+from com.models import Poster
+from core.baker_recipes import subscriber_user
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("route_url", ["club:poster_list", "club:poster_create"])
+def test_access(client: Client, route_url):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    url = reverse(route_url, kwargs={"club_id": club.id})
+
+    client.force_login(user)
+    assert client.get(url).status_code == 403
+    club.board_group.users.add(user)
+    assert client.get(url).status_code == 200
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("route_url", ["club:poster_edit", "club:poster_delete"])
+def test_access_specific_poster(client: Client, route_url):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    poster = baker.make(Poster)
+    url = reverse(route_url, kwargs={"club_id": club.id, "poster_id": poster.id})
+
+    client.force_login(user)
+    assert client.get(url).status_code == 403
+    club.board_group.users.add(user)
+    assert client.get(url).status_code == 200

club/tests/test_sales.py

@@ -1,3 +1,6 @@
+import csv
+import itertools
+
 import pytest
 from django.test import Client
 from django.urls import reverse
@@ -7,16 +10,20 @@ from club.forms import SellingsForm
 from club.models import Club
 from core.models import User
 from counter.baker_recipes import product_recipe, sale_recipe
-from counter.models import Counter, Customer
+from counter.models import Counter, Customer, Product, Selling
 
 
 @pytest.mark.django_db
 def test_sales_page_doesnt_crash(client: Client):
+    """Basic crashtest on club sales view."""
     club = baker.make(Club)
+    product = baker.make(Product, club=club)
     admin = baker.make(User, is_superuser=True)
     client.force_login(admin)
-    response = client.get(reverse("club:club_sellings", kwargs={"club_id": club.id}))
-    assert response.status_code == 200
+    url = reverse("club:club_sellings", kwargs={"club_id": club.id})
+    assert client.get(url).status_code == 200
+    assert client.post(url).status_code == 200
+    assert client.post(url, data={"products": [product.id]}).status_code == 200
 
 
 @pytest.mark.django_db
@@ -36,3 +43,62 @@ def test_sales_form_counter_filter():
     form = SellingsForm(club)
     form_counters = list(form.fields["counters"].queryset)
     assert form_counters == [counters[1], counters[2], counters[0]]
+
+
+@pytest.mark.django_db
+def test_club_sales_csv(client: Client):
+    client.force_login(baker.make(User, is_superuser=True))
+    club = baker.make(Club)
+    counter = baker.make(Counter, club=club)
+    product = product_recipe.make(club=club, counters=[counter], purchase_price=0.5)
+    customers = baker.make(Customer, amount=100, _quantity=2, _bulk_create=True)
+    sales: list[Selling] = sale_recipe.make(
+        club=club,
+        counter=counter,
+        quantity=2,
+        unit_price=1.5,
+        product=iter([product, product, None]),
+        customer=itertools.cycle(customers),
+        _quantity=3,
+    )
+    url = reverse("club:sellings_csv", kwargs={"club_id": club.id})
+    response = client.post(url, data={"counters": [counter.id]})
+    assert response.status_code == 200
+    reader = csv.reader(s.decode() for s in response.streaming_content)
+    data = list(reader)
+    sale_rows = [
+        [
+            str(s.date),
+            str(counter),
+            str(s.seller),
+            s.customer.user.get_display_name(),
+            s.label,
+            "2",
+            "1.50",
+            "3.00",
+            "Compte utilisateur",
+        ]
+        for s in sales[::-1]
+    ]
+    sale_rows[2].extend(["0.50", "1.00"])
+    sale_rows[1].extend(["0.50", "1.00"])
+    sale_rows[0].extend(["", ""])
+    assert data == [
+        ["Quantité", "6"],
+        ["Total", "9"],
+        ["Bénéfice", "1"],
+        [
+            "Date",
+            "Comptoir",
+            "Barman",
+            "Client",
+            "Étiquette",
+            "Quantité",
+            "Prix unitaire",
+            "Total",
+            "Méthode de paiement",
+            "Prix d'achat",
+            "Bénéfice",
+        ],
+        *sale_rows,
+    ]

club/tests/test_user_club_controller.py

@@ -0,0 +1,50 @@
+from datetime import timedelta
+
+from django.test import TestCase
+from django.urls import reverse
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from club.schemas import UserMembershipSchema
+from core.baker_recipes import subscriber_user
+from core.models import Page
+
+
+class TestFetchClub(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        pages = baker.make(Page, _quantity=3, _bulk_create=True)
+        clubs = baker.make(Club, page=iter(pages), _quantity=3, _bulk_create=True)
+        recipe = Recipe(
+            Membership, user=cls.user, start_date=localdate() - timedelta(days=2)
+        )
+        cls.members = Membership.objects.bulk_create(
+            [
+                recipe.prepare(club=clubs[0]),
+                recipe.prepare(club=clubs[1], end_date=localdate() - timedelta(days=1)),
+                recipe.prepare(club=clubs[1]),
+            ]
+        )
+
+    def test_fetch_memberships(self):
+        self.client.force_login(subscriber_user.make())
+        res = self.client.get(
+            reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+        )
+        assert res.status_code == 200
+        assert [UserMembershipSchema.model_validate(m) for m in res.json()] == [
+            UserMembershipSchema.from_orm(m) for m in (self.members[0], self.members[2])
+        ]
+
+    def test_fetch_club_nb_queries(self):
+        self.client.force_login(subscriber_user.make())
+        with self.assertNumQueries(6):
+            # - 5 queries for authentication
+            # - 1 query for the actual data
+            res = self.client.get(
+                reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+            )
+            assert res.status_code == 200

club/urls.py

@@ -25,6 +25,7 @@
 from django.urls import path
 
 from club.views import (
+    ClubAddMembersFragment,
     ClubCreateView,
     ClubEditView,
     ClubListView,
@@ -60,6 +61,11 @@ urlpatterns = [
     path("<int:club_id>/edit/", ClubEditView.as_view(), name="club_edit"),
     path("<int:club_id>/edit/page/", ClubPageEditView.as_view(), name="club_edit_page"),
     path("<int:club_id>/members/", ClubMembersView.as_view(), name="club_members"),
+    path(
+        "fragment/<int:club_id>/members/",
+        ClubAddMembersFragment.as_view(),
+        name="club_new_members",
+    ),
     path(
         "<int:club_id>/elderlies/",
         ClubOldMembersView.as_view(),

club/views.py

@@ -22,53 +22,67 @@
 #
 #
 
+from __future__ import annotations
+
 import csv
+import itertools
+from typing import TYPE_CHECKING, Any
 
 from django.conf import settings
-from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import NON_FIELD_ERRORS, PermissionDenied, ValidationError
 from django.core.paginator import InvalidPage, Paginator
-from django.db.models import Sum
-from django.http import (
-    Http404,
-    HttpResponseRedirect,
-    StreamingHttpResponse,
-)
+from django.db.models import F, Q, Sum
+from django.http import Http404, StreamingHttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone
 from django.utils.functional import cached_property
-from django.utils.translation import gettext as _t
+from django.utils.timezone import now
+from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, ListView, View
+from django.views.generic.detail import SingleObjectMixin
 from django.views.generic.edit import CreateView, DeleteView, UpdateView
 
 from club.forms import (
+    ClubAddMemberForm,
     ClubAdminEditForm,
     ClubEditForm,
-    ClubMemberForm,
+    ClubOldMemberForm,
+    JoinClubForm,
     MailingForm,
     SellingsForm,
 )
 from club.models import Club, Mailing, MailingSubscription, Membership
+from com.models import Poster
 from com.views import (
     PosterCreateBaseView,
     PosterDeleteBaseView,
     PosterEditBaseView,
     PosterListBaseView,
 )
-from core.auth.mixins import CanCreateMixin, CanEditMixin, CanViewMixin
-from core.models import PageRev
-from core.views import DetailFormView, PageEditViewBase
-from core.views.mixins import TabedViewMixin
+from core.auth.mixins import CanEditMixin, PermissionOrClubBoardRequiredMixin
+from core.models import Page, PageRev
+from core.views import BasePageEditView, DetailFormView, UseFragmentsMixin
+from core.views.mixins import FragmentMixin, FragmentRenderer, TabedViewMixin
 from counter.models import Selling
 
+if TYPE_CHECKING:
+    from django.utils.safestring import SafeString
+
 
 class ClubTabsMixin(TabedViewMixin):
     def get_tabs_title(self):
-        obj = self.get_object()
-        if isinstance(obj, PageRev):
-            self.object = obj.page.club
+        if not hasattr(self, "object") or not self.object:
+            self.object = self.get_object()
+        if isinstance(self.object, PageRev):
+            self.object = self.object.page.club
+        elif isinstance(self.object, Poster):
+            self.object = self.object.club
+        elif hasattr(self, "club"):
+            self.object = self.club
         return self.object.get_display_name()
 
     def get_list_of_tabs(self):
@@ -79,7 +93,7 @@ class ClubTabsMixin(TabedViewMixin):
                 "name": _("Infos"),
             }
         ]
-        if self.request.user.can_view(self.object):
+        if self.request.user.has_perm("club.view_club"):
             tab_list.extend(
                 [
                     {
@@ -98,16 +112,16 @@ class ClubTabsMixin(TabedViewMixin):
                     },
                 ]
             )
-        if self.object.page:
-            tab_list.append(
-                {
-                    "url": reverse(
-                        "club:club_hist", kwargs={"club_id": self.object.id}
-                    ),
-                    "slug": "history",
-                    "name": _("History"),
-                }
-            )
+            if self.object.page:
+                tab_list.append(
+                    {
+                        "url": reverse(
+                            "club:club_hist", kwargs={"club_id": self.object.id}
+                        ),
+                        "slug": "history",
+                        "name": _("History"),
+                    }
+                )
         if self.request.user.can_edit(self.object):
             tab_list.extend(
                 [
@@ -159,7 +173,7 @@ class ClubTabsMixin(TabedViewMixin):
                             "club:poster_list", kwargs={"club_id": self.object.id}
                         ),
                         "slug": "posters",
-                        "name": _("Posters list"),
+                        "name": _("Posters"),
                     },
                 ]
             )
@@ -196,7 +210,7 @@ class ClubView(ClubTabsMixin, DetailView):
         return kwargs
 
 
-class ClubRevView(ClubView):
+class ClubRevView(LoginRequiredMixin, ClubView):
     """Display a specific page revision."""
 
     def dispatch(self, request, *args, **kwargs):
@@ -210,31 +224,32 @@ class ClubRevView(ClubView):
         return kwargs
 
 
-class ClubPageEditView(ClubTabsMixin, PageEditViewBase):
+class ClubPageEditView(ClubTabsMixin, BasePageEditView):
     template_name = "club/pagerev_edit.jinja"
     current_tab = "page_edit"
 
-    def dispatch(self, request, *args, **kwargs):
-        self.club = get_object_or_404(Club, pk=kwargs["club_id"])
-        if not self.club.page:
-            raise Http404
-        return super().dispatch(request, *args, **kwargs)
+    @cached_property
+    def club(self):
+        return get_object_or_404(Club, pk=self.kwargs["club_id"])
 
-    def get_object(self):
-        self.page = self.club.page
-        return self._get_revision()
+    @cached_property
+    def page(self) -> Page:
+        page = self.club.page
+        page.set_lock(self.request.user)
+        return page
 
     def get_success_url(self, **kwargs):
         return reverse_lazy("club:club_view", kwargs={"club_id": self.club.id})
 
 
-class ClubPageHistView(ClubTabsMixin, CanViewMixin, DetailView):
-    """Modification hostory of the page."""
+class ClubPageHistView(ClubTabsMixin, PermissionRequiredMixin, DetailView):
+    """Modification history of the page."""
 
     model = Club
     pk_url_kwarg = "club_id"
     template_name = "club/page_history.jinja"
     current_tab = "history"
+    permission_required = "club.view_club"
 
 
 class ClubToolsView(ClubTabsMixin, CanEditMixin, DetailView):
@@ -246,61 +261,125 @@ class ClubToolsView(ClubTabsMixin, CanEditMixin, DetailView):
     current_tab = "tools"
 
 
-class ClubMembersView(ClubTabsMixin, CanViewMixin, DetailFormView):
+class ClubAddMembersFragment(
+    FragmentMixin, PermissionRequiredMixin, SuccessMessageMixin, CreateView
+):
+    template_name = "club/fragments/add_member.jinja"
+    model = Membership
+    object = None
+    reload_on_redirect = True
+    permission_required = "club.view_club"
+
+    def dispatch(self, *args, **kwargs):
+        self.club = get_object_or_404(Club, pk=kwargs.get("club_id"))
+        return super().dispatch(*args, **kwargs)
+
+    def get_form_class(self):
+        user = self.request.user
+        if user.has_perm("club.add_membership") or self.club.get_membership_for(user):
+            return ClubAddMemberForm
+        return JoinClubForm
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {
+            "request_user": self.request.user,
+            "club": self.club,
+        }
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.club = kwargs.get("club")
+        return super().render_fragment(request, **kwargs)
+
+    def get_success_url(self):
+        return reverse("club:club_members", kwargs={"club_id": self.club.id})
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {"club": self.club}
+
+    def get_success_message(self, cleaned_data):
+        if "user" not in cleaned_data or cleaned_data["user"] == self.request.user:
+            return _("You are now a member of this club.")
+        return _("%(user)s has been added to club.") % cleaned_data
+
+
+class ClubMembersView(
+    ClubTabsMixin, UseFragmentsMixin, PermissionRequiredMixin, DetailFormView
+):
     """View of a club's members."""
 
     model = Club
     pk_url_kwarg = "club_id"
-    form_class = ClubMemberForm
+    form_class = ClubOldMemberForm
     template_name = "club/club_members.jinja"
     current_tab = "members"
+    permission_required = "club.view_club"
 
-    @cached_property
-    def members(self) -> list[Membership]:
-        return list(self.object.members.ongoing().order_by("-role"))
+    def get_fragments(self) -> dict[str, type[FragmentMixin] | FragmentRenderer]:
+        membership = self.object.get_membership_for(self.request.user)
+        if (
+            membership
+            and membership.role <= settings.SITH_MAXIMUM_FREE_ROLE
+            and not self.request.user.has_perm("club.add_membership")
+        ):
+            # Simple club members won't see the form anymore.
+            # Even if they saw it, they couldn't add anyone to the club anyway
+            return {}
+        return {"add_member_fragment": ClubAddMembersFragment}
+
+    def get_fragment_data(self) -> dict[str, Any]:
+        return {"add_member_fragment": {"club": self.object}}
 
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["request_user"] = self.request.user
-        kwargs["club"] = self.object
-        kwargs["club_members"] = self.members
-        return kwargs
+        return super().get_form_kwargs() | {
+            "user": self.request.user,
+            "club": self.object,
+        }
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
-        kwargs["members"] = self.members
+        editable = list(
+            kwargs["form"].fields["members_old"].queryset.values_list("id", flat=True)
+        )
+        kwargs["members"] = list(
+            self.object.members.ongoing()
+            .annotate(is_editable=Q(id__in=editable))
+            .order_by("-role")
+            .select_related("user")
+        )
+        kwargs["can_end_membership"] = len(editable) > 0
         return kwargs
 
     def form_valid(self, form):
-        """Check user rights."""
-        resp = super().form_valid(form)
-
-        data = form.clean()
-        users = data.pop("users", [])
-        users_old = data.pop("users_old", [])
-        for user in users:
-            Membership(club=self.object, user=user, **data).save()
-        for user in users_old:
-            membership = self.object.get_membership_for(user)
-            membership.end_date = timezone.now()
+        for membership in form.cleaned_data.get("members_old"):
+            membership.end_date = now()
             membership.save()
-        return resp
+        return super().form_valid(form)
 
     def get_success_url(self, **kwargs):
         return self.request.path
 
 
-class ClubOldMembersView(ClubTabsMixin, CanViewMixin, DetailView):
+class ClubOldMembersView(ClubTabsMixin, PermissionRequiredMixin, DetailView):
     """Old members of a club."""
 
     model = Club
     pk_url_kwarg = "club_id"
     template_name = "club/club_old_members.jinja"
     current_tab = "elderlies"
+    permission_required = "club.view_club"
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "old_members": (
+                self.object.members.exclude(end_date=None)
+                .order_by("-role", "description", "-end_date")
+                .select_related("user")
+            )
+        }
 
 
 class ClubSellingView(ClubTabsMixin, CanEditMixin, DetailFormView):
-    """Sellings of a club."""
+    """Sales of a club."""
 
     model = Club
     pk_url_kwarg = "club_id"
@@ -326,45 +405,28 @@ class ClubSellingView(ClubTabsMixin, CanEditMixin, DetailFormView):
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
-        qs = Selling.objects.filter(club=self.object)
 
-        kwargs["result"] = qs[:0]
-        kwargs["paginated_result"] = kwargs["result"]
+        kwargs["result"] = Selling.objects.none()
         kwargs["total"] = 0
         kwargs["total_quantity"] = 0
         kwargs["benefit"] = 0
 
-        form = self.get_form()
-        if form.is_valid():
-            if not len([v for v in form.cleaned_data.values() if v is not None]):
-                qs = Selling.objects.filter(id=-1)
-            if form.cleaned_data["begin_date"]:
-                qs = qs.filter(date__gte=form.cleaned_data["begin_date"])
-            if form.cleaned_data["end_date"]:
-                qs = qs.filter(date__lte=form.cleaned_data["end_date"])
-
-            if form.cleaned_data["counters"]:
-                qs = qs.filter(counter__in=form.cleaned_data["counters"])
-
-            selected_products = []
-            if form.cleaned_data["products"]:
-                selected_products.extend(form.cleaned_data["products"])
-            if form.cleaned_data["archived_products"]:
-                selected_products.extend(form.cleaned_data["archived_products"])
-
-            if len(selected_products) > 0:
-                qs = qs.filter(product__in=selected_products)
-
-            kwargs["result"] = qs.all().order_by("-id")
-            kwargs["total"] = sum([s.quantity * s.unit_price for s in kwargs["result"]])
-            total_quantity = qs.all().aggregate(Sum("quantity"))
-            if total_quantity["quantity__sum"]:
-                kwargs["total_quantity"] = total_quantity["quantity__sum"]
-            benefit = (
-                qs.exclude(product=None).all().aggregate(Sum("product__purchase_price"))
-            )
-            if benefit["product__purchase_price__sum"]:
-                kwargs["benefit"] = benefit["product__purchase_price__sum"]
+        form: SellingsForm = self.get_form()
+        if form.is_valid() and any(v for v in form.cleaned_data.values()):
+            filters = form.to_filter_schema()
+            qs = filters.filter(Selling.objects.filter(club=self.object))
+            kwargs["total"] = qs.annotate(
+                price=F("quantity") * F("unit_price")
+            ).aggregate(total=Sum("price", default=0))["total"]
+            kwargs["result"] = qs.select_related(
+                "counter", "counter__club", "customer", "customer__user", "seller"
+            ).order_by("-id")
+            kwargs["total_quantity"] = qs.aggregate(total=Sum("quantity", default=0))[
+                "total"
+            ]
+            kwargs["benefit"] = qs.exclude(product=None).aggregate(
+                res=Sum("product__purchase_price", default=0)
+            )["res"]
 
         kwargs["paginator"] = Paginator(kwargs["result"], self.paginate_by)
         try:
@@ -399,15 +461,15 @@ class ClubSellingCSVView(ClubSellingView):
             *row,
             selling.label,
             selling.quantity,
+            selling.unit_price,
             selling.quantity * selling.unit_price,
             selling.get_payment_method_display(),
         ]
         if selling.product:
-            row.append(selling.product.selling_price)
             row.append(selling.product.purchase_price)
-            row.append(selling.product.selling_price - selling.product.purchase_price)
+            row.append(selling.unit_price - selling.product.purchase_price)
         else:
-            row = [*row, "", "", ""]
+            row = [*row, "", ""]
         return row
 
     def get(self, request, *args, **kwargs):
@@ -415,40 +477,40 @@ class ClubSellingCSVView(ClubSellingView):
         kwargs = self.get_context_data(**kwargs)
 
         # Use the StreamWriter class instead of request for streaming
-        pseudo_buffer = self.StreamWriter()
-        writer = csv.writer(
-            pseudo_buffer, delimiter=";", lineterminator="\n", quoting=csv.QUOTE_ALL
-        )
+        writer = csv.writer(self.StreamWriter())
 
-        writer.writerow([_t("Quantity"), kwargs["total_quantity"]])
-        writer.writerow([_t("Total"), kwargs["total"]])
-        writer.writerow([_t("Benefit"), kwargs["benefit"]])
-        writer.writerow(
+        first_rows = [
+            [gettext("Quantity"), kwargs["total_quantity"]],
+            [gettext("Total"), kwargs["total"]],
+            [gettext("Benefit"), kwargs["benefit"]],
             [
-                _t("Date"),
-                _t("Counter"),
-                _t("Barman"),
-                _t("Customer"),
-                _t("Label"),
-                _t("Quantity"),
-                _t("Total"),
-                _t("Payment method"),
-                _t("Selling price"),
-                _t("Purchase price"),
-                _t("Benefit"),
-            ]
-        )
+                gettext("Date"),
+                gettext("Counter"),
+                gettext("Barman"),
+                gettext("Customer"),
+                gettext("Label"),
+                gettext("Quantity"),
+                gettext("Unit price"),
+                gettext("Total"),
+                gettext("Payment method"),
+                gettext("Purchase price"),
+                gettext("Benefit"),
+            ],
+        ]
 
         # Stream response
         response = StreamingHttpResponse(
-            (
-                writer.writerow(self.write_selling(selling))
-                for selling in kwargs["result"]
+            itertools.chain(
+                (writer.writerow(r) for r in first_rows),
+                (
+                    writer.writerow(self.write_selling(selling))
+                    for selling in kwargs["result"]
+                ),
             ),
             content_type="text/csv",
         )
-        name = _("Sellings") + "_" + self.object.name + ".csv"
-        response["Content-Disposition"] = "filename=" + name
+        name = f"{gettext('Sellings')}_{self.object.name}.csv"
+        response["Content-Disposition"] = f"attachment; filename={name}"
 
         return response
 
@@ -483,33 +545,17 @@ class ClubCreateView(PermissionRequiredMixin, CreateView):
     permission_required = "club.add_club"
 
 
-class MembershipSetOldView(CanEditMixin, DetailView):
-    """Set a membership as beeing old."""
+class MembershipSetOldView(CanEditMixin, SingleObjectMixin, View):
+    """Set a membership as being old."""
 
     model = Membership
     pk_url_kwarg = "membership_id"
 
-    def get(self, request, *args, **kwargs):
+    def post(self, *_args, **_kwargs):
         self.object = self.get_object()
         self.object.end_date = timezone.now()
         self.object.save()
-        return HttpResponseRedirect(
-            reverse(
-                "club:club_members",
-                args=self.args,
-                kwargs={"club_id": self.object.club.id},
-            )
-        )
-
-    def post(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        return HttpResponseRedirect(
-            reverse(
-                "club:club_members",
-                args=self.args,
-                kwargs={"club_id": self.object.club.id},
-            )
-        )
+        return redirect("core:user_clubs", user_id=self.object.user_id)
 
 
 class MembershipDeleteView(PermissionRequiredMixin, DeleteView):
@@ -521,7 +567,7 @@ class MembershipDeleteView(PermissionRequiredMixin, DeleteView):
     permission_required = "club.delete_membership"
 
     def get_success_url(self):
-        return reverse_lazy("core:user_clubs", kwargs={"user_id": self.object.user.id})
+        return reverse_lazy("core:user_clubs", kwargs={"user_id": self.object.user_id})
 
 
 class ClubMailingView(ClubTabsMixin, CanEditMixin, DetailFormView):
@@ -686,48 +732,58 @@ class MailingAutoGenerationView(View):
         return redirect("club:mailing", club_id=club.id)
 
 
-class PosterListView(ClubTabsMixin, PosterListBaseView, CanViewMixin):
+class PosterListView(
+    PermissionOrClubBoardRequiredMixin, ClubTabsMixin, PosterListBaseView
+):
     """List communication posters."""
 
+    current_tab = "posters"
+    permission_required = "com.view_poster"
+
+    def get_queryset(self):
+        return super().get_queryset().filter(club=self.club.id)
+
     def get_object(self):
         return self.club
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "club"
-        kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {
+            "create_url": reverse_lazy(
+                "club:poster_create", kwargs={"club_id": self.club.id}
+            ),
+            "get_edit_url": lambda poster: reverse(
+                "club:poster_edit",
+                kwargs={"club_id": self.club.id, "poster_id": poster.id},
+            ),
+        }
 
 
-class PosterCreateView(PosterCreateBaseView, CanCreateMixin):
+class PosterCreateView(ClubTabsMixin, PosterCreateBaseView):
     """Create communication poster."""
 
-    pk_url_kwarg = "club_id"
-
-    def get_object(self):
-        obj = super().get_object()
-        if not obj:
-            return self.club
-        return obj
+    current_tab = "posters"
 
     def get_success_url(self, **kwargs):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})
 
+    def get_object(self, *args, **kwargs):
+        return self.club
 
-class PosterEditView(ClubTabsMixin, PosterEditBaseView, CanEditMixin):
+
+class PosterEditView(ClubTabsMixin, PosterEditBaseView):
     """Edit communication poster."""
 
+    current_tab = "posters"
+    extra_context = {"app": "club"}
+
     def get_success_url(self):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})
 
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "club"
-        return kwargs
 
-
-class PosterDeleteView(PosterDeleteBaseView, ClubTabsMixin, CanEditMixin):
+class PosterDeleteView(ClubTabsMixin, PosterDeleteBaseView):
     """Delete communication poster."""
 
+    current_tab = "posters"
+
     def get_success_url(self):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})

com/api.py

@@ -5,7 +5,6 @@ from django.utils.cache import add_never_cache_headers
 from ninja import Query
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.pagination import PageNumberPaginationExtra
-from ninja_extra.permissions import IsAuthenticated
 from ninja_extra.schemas import PaginatedResponseSchema
 
 from api.permissions import HasPerm
@@ -17,17 +16,13 @@ from core.views.files import send_raw_file
 
 @api_controller("/calendar")
 class CalendarController(ControllerBase):
-    @route.get("/internal.ics", url_name="calendar_internal")
+    @route.get("/internal.ics", auth=None, url_name="calendar_internal")
     def calendar_internal(self):
         response = send_raw_file(IcsCalendar.get_internal())
         add_never_cache_headers(response)
         return response
 
-    @route.get(
-        "/unpublished.ics",
-        permissions=[IsAuthenticated],
-        url_name="calendar_unpublished",
-    )
+    @route.get("/unpublished.ics", url_name="calendar_unpublished")
     def calendar_unpublished(self):
         response = HttpResponse(
             IcsCalendar.get_unpublished(self.context.request.user),
@@ -74,6 +69,7 @@ class NewsController(ControllerBase):
 
     @route.get(
         "/date",
+        auth=None,
         url_name="fetch_news_dates",
         response=PaginatedResponseSchema[NewsDateSchema],
     )

com/forms.py

@@ -2,7 +2,6 @@ from datetime import date
 
 from dateutil.relativedelta import relativedelta
 from django import forms
-from django.db.models import Exists, OuterRef
 from django.forms import CheckboxInput
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -35,20 +34,18 @@ class PosterForm(forms.ModelForm):
         label=_("Start date"),
         widget=SelectDateTime,
         required=True,
-        initial=timezone.now().strftime("%Y-%m-%d %H:%M:%S"),
+        initial=timezone.now(),
     )
     date_end = forms.DateTimeField(
         label=_("End date"), widget=SelectDateTime, required=False
     )
 
-    def __init__(self, *args, **kwargs):
-        self.user = kwargs.pop("user", None)
+    def __init__(self, *args, user: User, **kwargs):
         super().__init__(*args, **kwargs)
-        if self.user and not self.user.is_com_admin:
-            self.fields["club"].queryset = Club.objects.filter(
-                id__in=self.user.clubs_with_rights
-            )
-            self.fields.pop("display_time")
+        if user.is_root or user.is_com_admin:
+            self.fields["club"].widget = AutoCompleteSelectClub()
+        else:
+            self.fields["club"].queryset = Club.objects.having_board_member(user)
 
 
 class NewsDateForm(forms.ModelForm):
@@ -161,16 +158,9 @@ class NewsForm(forms.ModelForm):
         # if the author is an admin, he/she can choose any club,
         # otherwise, only clubs for which he/she is a board member can be selected
         if author.is_root or author.is_com_admin:
-            self.fields["club"] = forms.ModelChoiceField(
-                queryset=Club.objects.all(), widget=AutoCompleteSelectClub
-            )
+            self.fields["club"].widget = AutoCompleteSelectClub()
         else:
-            active_memberships = author.memberships.board().ongoing()
-            self.fields["club"] = forms.ModelChoiceField(
-                queryset=Club.objects.filter(
-                    Exists(active_memberships.filter(club=OuterRef("pk")))
-                )
-            )
+            self.fields["club"].queryset = Club.objects.having_board_member(author)
 
     def is_valid(self):
         return super().is_valid() and self.date_form.is_valid()

com/ics_calendar.py

@@ -4,15 +4,16 @@ from dateutil.relativedelta import relativedelta
 from django.conf import settings
 from django.contrib.sites.models import Site
 from django.contrib.syndication.views import add_domain
-from django.db.models import F, QuerySet
+from django.db.models import Count, OuterRef, QuerySet, Subquery
 from django.http import HttpRequest
 from django.urls import reverse
 from django.utils import timezone
 from ical.calendar import Calendar
 from ical.calendar_stream import IcsCalendarStream
 from ical.event import Event
+from ical.types import Frequency, Recur
 
-from com.models import NewsDate
+from com.models import News, NewsDate
 from core.models import User
 
 
@@ -42,9 +43,9 @@ class IcsCalendar:
         with open(cls._INTERNAL_CALENDAR, "wb") as f:
             _ = f.write(
                 cls.ics_from_queryset(
-                    NewsDate.objects.filter(
-                        news__is_published=True,
-                        end_date__gte=timezone.now() - (relativedelta(months=6)),
+                    News.objects.filter(
+                        is_published=True,
+                        dates__end_date__gte=timezone.now() - relativedelta(months=6),
                     )
                 )
             )
@@ -53,24 +54,35 @@ class IcsCalendar:
     @classmethod
     def get_unpublished(cls, user: User) -> bytes:
         return cls.ics_from_queryset(
-            NewsDate.objects.viewable_by(user).filter(
-                news__is_published=False,
-                end_date__gte=timezone.now() - (relativedelta(months=6)),
-            ),
+            News.objects.viewable_by(user).filter(
+                is_published=False,
+                dates__end_date__gte=timezone.now() - relativedelta(months=6),
+            )
         )
 
     @classmethod
-    def ics_from_queryset(cls, queryset: QuerySet[NewsDate]) -> bytes:
+    def ics_from_queryset(cls, queryset: QuerySet[News]) -> bytes:
         calendar = Calendar()
-        for news_date in queryset.annotate(news_title=F("news__title")):
+        date_subquery = NewsDate.objects.filter(news=OuterRef("pk")).order_by(
+            "start_date"
+        )
+        queryset = queryset.annotate(
+            start=Subquery(date_subquery.values("start_date")[:1]),
+            end=Subquery(date_subquery.values("end_date")[:1]),
+            nb_dates=Count("dates"),
+        )
+        for news in queryset:
             event = Event(
-                summary=news_date.news_title,
-                start=news_date.start_date,
-                end=news_date.end_date,
+                summary=news.title,
+                description=news.summary,
+                dtstart=news.start,
+                dtend=news.end,
                 url=as_absolute_url(
-                    reverse("com:news_detail", kwargs={"news_id": news_date.news_id})
+                    reverse("com:news_detail", kwargs={"news_id": news.id})
                 ),
             )
+            if news.nb_dates > 1:
+                event.rrule = Recur(freq=Frequency.WEEKLY, count=news.nb_dates)
             calendar.events.append(event)
 
         return IcsCalendarStream.calendar_to_ics(calendar).encode("utf-8")

com/models.py

@@ -144,7 +144,7 @@ class News(models.Model):
                 ),
                 groups__id=settings.SITH_GROUP_COM_ADMIN_ID,
             )
-            notif_url = reverse("com:news_admin_list")
+            notif_url = reverse("com:news_admin_list", fragment="moderation")
             new_notifs = [
                 Notification(user=user, url=notif_url, type="NEWS_MODERATION")
                 for user in admins_without_notif
@@ -402,9 +402,7 @@ class Poster(models.Model):
                 groups__id__in=[settings.SITH_GROUP_COM_ADMIN_ID]
             ):
                 Notification.objects.create(
-                    user=user,
-                    url=reverse("com:poster_moderate_list"),
-                    type="POSTER_MODERATION",
+                    user=user, url=reverse("com:poster_list"), type="POSTER_MODERATION"
                 )
         return super().save(*args, **kwargs)
 
@@ -412,17 +410,5 @@ class Poster(models.Model):
         if self.date_end and self.date_begin > self.date_end:
             raise ValidationError(_("Begin date should be before end date"))
 
-    def is_owned_by(self, user):
-        if user.is_anonymous:
-            return False
-        return user.is_com_admin or len(user.clubs_with_rights) > 0
-
-    def can_be_moderated_by(self, user):
-        return user.is_com_admin
-
     def get_display_name(self):
         return self.club.get_display_name()
-
-    @property
-    def page(self):
-        return self.club.page

com/schemas.py

@@ -1,9 +1,9 @@
 from datetime import datetime
+from typing import Annotated
 
-from ninja import FilterSchema, ModelSchema
+from ninja import FilterLookup, FilterSchema, ModelSchema
 from ninja_extra import service_resolver
 from ninja_extra.context import RouteContext
-from pydantic import Field
 
 from club.schemas import ClubProfileSchema
 from com.models import News, NewsDate
@@ -11,12 +11,12 @@ from core.markdown import markdown
 
 
 class NewsDateFilterSchema(FilterSchema):
-    before: datetime | None = Field(None, q="end_date__lt")
-    after: datetime | None = Field(None, q="start_date__gt")
-    club_id: int | None = Field(None, q="news__club_id")
+    before: Annotated[datetime | None, FilterLookup("end_date__lt")] = None
+    after: Annotated[datetime | None, FilterLookup("start_date__gt")] = None
+    club_id: Annotated[int | None, FilterLookup("news__club_id")] = None
     news_id: int | None = None
-    is_published: bool | None = Field(None, q="news__is_published")
-    title: str | None = Field(None, q="news__title__icontains")
+    is_published: Annotated[bool | None, FilterLookup("news__is_published")] = None
+    title: Annotated[str | None, FilterLookup("news__title__icontains")] = None
 
 
 class NewsSchema(ModelSchema):

com/static/bundled/com/components/ics-calendar-index.ts

@@ -1,6 +1,4 @@
-import { makeUrl } from "#core:utils/api";
-import { inheritHtmlElement, registerComponent } from "#core:utils/web-components";
-import { Calendar, type EventClickArg } from "@fullcalendar/core";
+import { Calendar, type EventClickArg, type EventContentArg } from "@fullcalendar/core";
 import type { EventImpl } from "@fullcalendar/core/internal";
 import enLocale from "@fullcalendar/core/locales/en-gb";
 import frLocale from "@fullcalendar/core/locales/fr";
@@ -8,6 +6,8 @@ import dayGridPlugin from "@fullcalendar/daygrid";
 import iCalendarPlugin from "@fullcalendar/icalendar";
 import listPlugin from "@fullcalendar/list";
 import { type HTMLTemplateResult, html, render } from "lit-html";
+import { makeUrl } from "#core:utils/api.ts";
+import { inheritHtmlElement, registerComponent } from "#core:utils/web-components.ts";
 import {
   calendarCalendarInternal,
   calendarCalendarUnpublished,
@@ -25,6 +25,11 @@ export class IcsCalendar extends inheritHtmlElement("div") {
   private canDelete = false;
   private helpUrl = "";
 
+  // Hack variable to detect recurring events
+  // The underlying ics library doesn't include any info about rrules
+  // That's why we have to detect those events ourselves
+  private recurrenceMap: Map<string, EventImpl> = new Map();
+
   attributeChangedCallback(name: string, _oldValue?: string, newValue?: string) {
     if (name === "locale") {
       this.locale = newValue;
@@ -90,11 +95,13 @@ export class IcsCalendar extends inheritHtmlElement("div") {
         .split("/")
         .filter((s) => s) // Remove blank characters
         .pop(),
+      10,
     );
   }
 
   refreshEvents() {
     this.click(); // Remove focus from popup
+    this.recurrenceMap.clear(); // Avoid double detection of the same non recurring event
     this.calendar.refetchEvents();
   }
 
@@ -153,12 +160,24 @@ export class IcsCalendar extends inheritHtmlElement("div") {
   }
 
   async getEventSources() {
+    const tagRecurringEvents = (eventData: EventImpl) => {
+      // This functions tags events with a similar event url
+      // We rely on the fact that the event url is always the same
+      // for recurring events and always different for single events
+      const firstEvent = this.recurrenceMap.get(eventData.url);
+      if (firstEvent !== undefined) {
+        eventData.extendedProps.isRecurring = true;
+        firstEvent.extendedProps.isRecurring = true; // Don't forget the first event
+      }
+      this.recurrenceMap.set(eventData.url, eventData);
+    };
     return [
       {
         url: `${await makeUrl(calendarCalendarInternal)}`,
         format: "ics",
         className: "internal",
         cache: false,
+        eventDataTransform: tagRecurringEvents,
       },
       {
         url: `${await makeUrl(calendarCalendarUnpublished)}`,
@@ -166,6 +185,7 @@ export class IcsCalendar extends inheritHtmlElement("div") {
         color: "red",
         className: "unpublished",
         cache: false,
+        eventDataTransform: tagRecurringEvents,
       },
     ];
   }
@@ -361,6 +381,14 @@ export class IcsCalendar extends inheritHtmlElement("div") {
         event.jsEvent.preventDefault();
         this.createEventDetailPopup(event);
       },
+      eventClassNames: (classNamesEvent: EventContentArg) => {
+        const classes: string[] = [];
+        if (classNamesEvent.event.extendedProps?.isRecurring) {
+          classes.push("recurring");
+        }
+
+        return classes;
+      },
     });
     this.calendar.render();
 

com/static/bundled/com/moderation-alert-index.ts

@@ -1,4 +1,4 @@
-import { exportToHtml } from "#core:utils/globals";
+import { exportToHtml } from "#core:utils/globals.ts";
 import { newsDeleteNews, newsFetchNewsDates, newsPublishNews } from "#openapi";
 
 // This will be used in jinja templates,

com/static/bundled/com/slideshow-index.ts

@@ -0,0 +1,49 @@
+const INTERVAL = 10;
+
+interface Poster {
+  url: string; // URL of the poster
+  displayTime: number; // Number of seconds to display that poster
+}
+
+document.addEventListener("alpine:init", () => {
+  Alpine.data("slideshow", (posters: Poster[]) => ({
+    posters: posters,
+    progress: 0,
+    elapsed: 0,
+
+    current: 0,
+    previous: 0,
+
+    init() {
+      this.$watch("elapsed", () => {
+        const displayTime = this.posters[this.current].displayTime * 1000;
+        if (this.elapsed > displayTime) {
+          this.previous = this.current;
+          this.current = this.getNext();
+          this.elapsed = 0;
+        }
+        if (displayTime === 0) {
+          this.progress = 100;
+        } else {
+          this.progress = (100 * this.elapsed) / displayTime;
+        }
+      });
+      setInterval(() => {
+        this.elapsed += INTERVAL;
+      }, INTERVAL);
+    },
+
+    getNext() {
+      return (this.current + 1) % this.posters.length;
+    },
+
+    async toggleFullScreen(event: Event) {
+      if (document.fullscreenElement) {
+        await document.exitFullscreen();
+        return;
+      }
+      const target = event.target as HTMLElement;
+      await target.requestFullscreen();
+    },
+  }));
+});

com/static/com/components/ics-calendar.scss

@@ -18,6 +18,8 @@
   --event-details-border-radius: 4px;
   --event-details-box-shadow: 0px 6px 20px 4px rgb(0 0 0 / 16%);
   --event-details-max-width: 600px;
+  --event-recurring-internal-color: #6f69cd;
+  --event-recurring-unpublished-color: orange;
 }
 
 ics-calendar {
@@ -146,4 +148,29 @@ ics-calendar {
 .tooltip.calendar-copy-tooltip.text-copied {
   opacity: 0;
   transition: opacity 500ms ease-out;
-}
+}
+
+// We have to override the color set by the lib in the html
+// Hence the !important tag everywhere
+.internal.recurring {
+  .fc-daygrid-event-dot {
+    border-color: var(--event-recurring-internal-color) !important;
+  }
+
+  &.fc-daygrid-block-event {
+    background-color: var(--event-recurring-internal-color) !important;
+    border-color: var(--event-recurring-internal-color) !important;
+  }
+
+}
+
+.unpublished.recurring {
+  .fc-daygrid-event-dot {
+    border-color: var(--event-recurring-unpublished-color) !important;
+  }
+
+  &.fc-daygrid-block-event {
+    background-color: var(--event-recurring-unpublished-color) !important;
+    border-color: var(--event-recurring-unpublished-color) !important;
+  }
+}

com/static/com/css/news-list.scss

@@ -83,7 +83,8 @@
     #links_content {
       overflow: auto;
       box-shadow: $shadow-color 1px 1px 1px;
-      height: 20em;
+      min-height: 20em;
+      padding-bottom: 1em;
 
       h4 {
         margin-left: 5px;

com/static/com/css/posters.scss

@@ -20,33 +20,7 @@
       position: absolute;
       display: flex;
       bottom: 5px;
-
-      &.left {
-        left: 0;
-      }
-
-      &.right {
-        right: 0;
-      }
-
-      .link {
-        padding: 5px;
-        padding-left: 20px;
-        padding-right: 20px;
-        margin-left: 5px;
-        border-radius: 20px;
-        background-color: hsl(40, 100%, 50%);
-        color: black;
-
-        &:hover {
-          color: black;
-          background-color: hsl(40, 58%, 50%);
-        }
-
-        &.delete {
-          background-color: hsl(0, 100%, 40%);
-        }
-      }
+      left: 0;
     }
   }
 
@@ -111,7 +85,7 @@
             top: 0;
             left: 0;
             z-index: 10;
-            content: "Click to expand";
+            content: attr(hover);
             color: white;
             background-color: rgba(black, 0.5);
           }
@@ -143,43 +117,15 @@
         }
       }
 
-      .edit,
-      .moderate,
-      .slideshow {
-        padding: 5px;
-        border-radius: 20px;
-        background-color: hsl(40, 100%, 50%);
-        color: black;
-
-        &:hover {
-          color: black;
-          background-color: hsl(40, 58%, 50%);
-        }
-
-        &:nth-child(2n) {
-          margin-top: 5px;
-          margin-bottom: 5px;
-        }
-      }
-
-      .tooltip {
-        visibility: hidden;
-        width: 120px;
-        background-color: hsl(210, 20%, 98%);
-        color: hsl(0, 0%, 0%);
-        text-align: center;
-        padding: 5px 0;
-        border-radius: 6px;
-        position: absolute;
-        z-index: 10;
-
-        ul {
-          margin-left: 0;
-          display: inline-block;
-
-          li {
-            display: list-item;
-            list-style-type: none;
+      .actions {
+        display: flex;
+        flex-direction: column;
+        align-items: stretch;
+        form {
+          margin: unset;
+          padding: unset;
+          button {
+            width: 100%;
           }
         }
       }

com/static/com/js/poster_list.js

@@ -1,23 +0,0 @@
-$(document).ready(() => {
-  $("#poster_list #view").click(() => {
-    $("#view").removeClass("active");
-  });
-
-  $("#poster_list .poster .image").click((e) => {
-    let el = $(e.target);
-    if (el.hasClass("image")) {
-      el = el.find("img");
-    }
-    $("#poster_list #view #placeholder").html(el.clone());
-
-    $("#view").addClass("active");
-  });
-
-  $(document).keyup((e) => {
-    if (e.keyCode === 27) {
-      // escape key maps to keycode `27`
-      e.preventDefault();
-      $("#view").removeClass("active");
-    }
-  });
-});

com/static/com/js/slideshow.js

@@ -1,98 +0,0 @@
-$(document).ready(() => {
-  const transitionTime = 1000;
-
-  let i = 0;
-  const max = $("#slideshow .slide").length;
-
-  function enterFullscreen() {
-    const element = document.getElementById("slideshow");
-    $(element).addClass("fullscreen");
-    if (element.requestFullscreen) {
-      element.requestFullscreen();
-    } else if (element.mozRequestFullScreen) {
-      element.mozRequestFullScreen();
-    } else if (element.webkitRequestFullscreen) {
-      element.webkitRequestFullscreen();
-    } else if (element.msRequestFullscreen) {
-      element.msRequestFullscreen();
-    }
-  }
-
-  function exitFullscreen() {
-    const element = document.getElementById("slideshow");
-    $(element).removeClass("fullscreen");
-    if (document.exitFullscreen) {
-      document.exitFullscreen();
-    } else if (document.webkitExitFullscreen) {
-      document.webkitExitFullscreen();
-    } else if (document.mozCancelFullScreen) {
-      document.mozCancelFullScreen();
-    } else if (document.msExitFullscreen) {
-      document.msExitFullscreen();
-    }
-  }
-
-  function initProgressBar() {
-    $("#slideshow #progress_bar").css("transition", "none");
-    $("#slideshow #progress_bar").removeClass("progress");
-    $("#slideshow #progress_bar").addClass("init");
-  }
-
-  function startProgressBar(displayTime) {
-    $("#slideshow #progress_bar").removeClass("init");
-    $("#slideshow #progress_bar").addClass("progress");
-    $("#slideshow #progress_bar").css("transition", `width ${displayTime}s linear`);
-  }
-
-  function next() {
-    initProgressBar();
-    const slide = $($("#slideshow .slide").get(i % max));
-    slide.removeClass("center");
-    slide.addClass("left");
-
-    const nextSlide = $($("#slideshow .slide").get((i + 1) % max));
-    nextSlide.removeClass("right");
-    nextSlide.addClass("center");
-    const displayTime = nextSlide.attr("display_time") || 2;
-
-    $("#slideshow .bullet").removeClass("active");
-    const bullet = $("#slideshow .bullet")[(i + 1) % max];
-    $(bullet).addClass("active");
-
-    i = (i + 1) % max;
-
-    setTimeout(() => {
-      const othersLeft = $("#slideshow .slide.left");
-      othersLeft.removeClass("left");
-      othersLeft.addClass("right");
-
-      startProgressBar(displayTime);
-      setTimeout(next, displayTime * 1000);
-    }, transitionTime);
-  }
-
-  const displayTime = $("#slideshow .center").attr("display_time");
-  initProgressBar();
-  setTimeout(() => {
-    if (max > 1) {
-      startProgressBar(displayTime);
-      setTimeout(next, displayTime * 1000);
-    }
-  }, 10);
-
-  $("#slideshow").click(() => {
-    if ($("#slideshow").hasClass("fullscreen")) {
-      exitFullscreen();
-    } else {
-      enterFullscreen();
-    }
-  });
-
-  $(document).keyup((e) => {
-    if (e.keyCode === 27) {
-      // escape key maps to keycode `27`
-      e.preventDefault();
-      exitFullscreen();
-    }
-  });
-});

com/static/css/slideshow.scss

@@ -1,4 +1,4 @@
-body{
+body {
   position: absolute;
   width: 100vw;
   height: 100vh;
@@ -7,22 +7,22 @@ body{
   margin: 0;
 }
 
-#slideshow{
+#slideshow {
   position: relative;
   background-color: lightgrey;
 
   height: 100%;
 
-  *{
+  * {
     -webkit-user-select: none;
     -moz-user-select: none;
     -ms-user-select: none;
     user-select: none;
   }
 
-  &:hover{
+  &:hover {
 
-    &::before{
+    &::before {
 
       position: absolute;
       width: 100%;
@@ -34,7 +34,7 @@ body{
 
       z-index: 10;
 
-      content: "Click to expand";
+      content: attr(hover);
 
       color: white;
       background-color: rgba(black, 0.5);
@@ -43,7 +43,7 @@ body{
 
   }
 
-  &.fullscreen{
+  &:fullscreen {
     position: fixed;
     width: 100%;
     height: 100%;
@@ -51,57 +51,78 @@ body{
     left: 0;
     background: none;
 
-    &:before{
-      display:none;
+    &:before {
+      display: none;
     }
 
-    #slides{
+    #slides {
       height: 100vh;
     }
 
   }
 
-  #slides{
+  #slides {
     position: relative;
     height: 100%;
     overflow: hidden;
+    background-color: grey;
 
-    .slide{
+    .slide {
       position: absolute;
       width: 100%;
       height: 100%;
 
-      display: inline-flex;
+      display: none;
       justify-content: center;
 
       top: 0px;
+      left: 0%;
 
-      background-color: grey;
-      transition: left 1s ease-out;
-
-      img{
+      img {
         max-width: 100%;
         max-height: 100%;
         object-fit: contain;
       }
-    }
 
-    .slide.left{
-      left: -100%;
-    }
+      &.current {
+        display: inline-flex;
+        left: 0%;
+        animation: scrolling-in 1s linear;
+      }
 
-    .slide.center{
-      left: 0px;
-    }
+      &.previous {
+        display: inline-flex;
+        animation: scrolling-out 1s linear;
+        opacity: 0;
+        transition: opacity 0.1s;
+        transition-delay: 0.9s;
+      }
+
+      @keyframes scrolling-in {
+        0% {
+          transform: translateX(100%);
+        }
+
+        100% {
+          transform: translateX(0%);
+        }
+      }
+
+      @keyframes scrolling-out {
+        0% {
+          transform: translateX(0%);
+        }
+
+        100% {
+          transform: translateX(-100%);
+        }
+      }
 
-    .slide.right{
-      left: 100%;
-      transition: none;
     }
   }
 
 
-  #progress_bullets{
+  #progress_bullets {
     position: absolute;
     bottom: 10px;
     width: 100%;
@@ -112,7 +133,7 @@ body{
 
     margin-bottom: 10px;
 
-    .bullet{
+    .bullet {
       height: 10px;
       width: 10px;
 
@@ -123,27 +144,33 @@ body{
 
       background-color: grey;
 
-      &.active{
+      &.active {
         background-color: #c99836;
       }
     }
   }
 
-  #progress_bar{
+  progress {
+    --color: #304c83;
+
     position: absolute;
     bottom: 0px;
     height: 10px;
-    background-color: #304c83;
+    color: var(--color);
+    width: 100%;
+    margin-bottom: 0px;
+    border: none;
 
-    &.init{
-      width: 0px;
-      transition: none;
+    &::-moz-progress-bar {
+      background: var(--color);
     }
 
-    &.progress{
-      width: 100%;
-      transition: width 10s linear;
+    &::-webkit-progress-value {
+      background: var(--color);
+    }
+
+    &[value] {
+      background-color: transparent;
     }
   }
-}
-
+}

com/templates/com/macros.jinja

@@ -76,18 +76,20 @@
               It will stay hidden for other users until it has been published.
             {% endtrans %}
           </p>
-          {% if user.has_perm("com.moderate_news") %}
+          {%- if user.has_perm("com.moderate_news") -%}
             {# This is an additional query for each non-moderated news,
             but it will be executed only for admin users, and only one time
-            (if they do their job and moderated news as soon as they see them),
+            (if they do their job and moderate news as soon as they see them),
             so it's still reasonable #}
             <div
-              {% if news is integer or news is string %}
+              {% if news is integer or news is string -%}
                 x-data="{ nbEvents: 0 }"
                 x-init="nbEvents = await nbToPublish()"
-              {% else %}
+              {%- elif news.is_published -%}
+                x-data="{ nbEvents: 0 }"
+              {%- else -%}
                 x-data="{ nbEvents: {{ news.dates.count() }} }"
-              {% endif %}
+              {%- endif -%}
             >
               <template x-if="nbEvents > 1">
                 <div>

com/templates/com/news_admin_list.jinja

@@ -131,7 +131,7 @@
       {% endfor %}
     </tbody>
   </table>
-  <h5>{% trans %}Events to moderate{% endtrans %}</h5>
+  <h5 id="moderation">{% trans %}Events to moderate{% endtrans %}</h5>
   <table>
     <thead>
       <tr>
@@ -165,6 +165,3 @@
     </tbody>
   </table>
 {% endblock %}
-
-
-

com/templates/com/news_detail.jinja

@@ -1,15 +1,20 @@
 {% extends "core/base.jinja" %}
-{% from 'core/macros.jinja' import user_profile_link, facebook_share, tweet, link_news_logo, gen_news_metatags %}
+{% from 'core/macros.jinja' import user_profile_link, link_news_logo %}
 {% from "com/macros.jinja" import news_moderation_alert %}
 
 {% block title %}
-  {% trans %}News{% endtrans %} -
-  {{ object.title }}
+  {% trans %}News{% endtrans %} - {{ object.title }}
 {% endblock %}
 
-{% block head %}
-  {{ super() }}
-  {{ gen_news_metatags(news) }}
+{% block description %}{{ news.summary }}{% endblock %}
+
+{% block metatags %}
+  <meta property="og:url" content="{{ news.get_full_url() }}" />
+  <meta property="og:type" content="article" />
+  <meta property="article:section" content="{% trans %}News{% endtrans %}" />
+  <meta property="og:title" content="{{ news.title }}" />
+  <meta property="og:description" content="{{ news.summary }}" />
+  <meta property="og:image" content="{{ request.build_absolute_uri(link_news_logo(news)) }}" />
 {% endblock %}
 
 
@@ -44,8 +49,14 @@
         <div><em>{{ news.summary|markdown }}</em></div>
         <br/>
         <div>{{ news.content|markdown }}</div>
-        {{ facebook_share(news) }}
-        {{ tweet(news) }}
+        <a
+          rel="nofollow"
+          target="#"
+          class="share_button facebook"
+          href="https://www.facebook.com/sharer/sharer.php?u={{ news.get_full_url() }}"
+        >
+          {% trans %}Share on Facebook{% endtrans %}
+        </a>
         <div class="news_meta">
           <p>{% trans %}Author: {% endtrans %}{{ user_profile_link(news.author) }}</p>
           {% if news.moderator %}

com/templates/com/news_list.jinja

@@ -203,11 +203,15 @@
           <ul>
             <li>
               <i class="fa-solid fa-graduation-cap fa-xl"></i>
-              <a href="{{ url("pedagogy:guide") }}">{% trans %}UV Guide{% endtrans %}</a>
+              <a href="{{ url("pedagogy:guide") }}">{% trans %}UE Guide{% endtrans %}</a>
+            </li>
+            <li>
+              <i class="fa-solid fa-calendar-days fa-xl"></i>
+              <a href="{{ url("timetable:generator") }}">{% trans %}Timetable{% endtrans %}</a>
             </li>
             <li>
               <i class="fa-solid fa-magnifying-glass fa-xl"></i>
-              <a href="{{ url("matmat:search_clear") }}">{% trans %}Matmatronch{% endtrans %}</a>
+              <a href="{{ url("matmat:search") }}">{% trans %}Matmatronch{% endtrans %}</a>
             </li>
             <li>
               <i class="fa-solid fa-check-to-slot fa-xl"></i>

com/templates/com/poster_list.jinja

@@ -1,11 +1,5 @@
 {% extends "core/base.jinja" %}
 
-{% block script %}
-  {{ super() }}
-  <script src="{{ static('com/js/poster_list.js') }}"></script>
-{% endblock %}
-
-
 {% block title %}
   {% trans %}Poster{% endtrans %}
 {% endblock %}
@@ -15,54 +9,69 @@
 {% endblock %}
 
 {% block content %}
-  <div id="poster_list">
+  <div id="poster_list" x-data="{ active: null }">
 
     <div id="title">
       <h3>{% trans %}Posters{% endtrans %}</h3>
-      <div id="links" class="right">
-        {% if app == "com" %}
-          <a id="create" class="link" href="{{ url(app + ":poster_create") }}">{% trans %}Create{% endtrans %}</a>
-          <a id="moderation" class="link" href="{{ url("com:poster_moderate_list") }}">{% trans %}Moderation{% endtrans %}</a>
-        {% elif app == "club" %}
-          <a id="create" class="link" href="{{ url(app + ":poster_create", club.id) }}">{% trans %}Create{% endtrans %}</a>
-        {% endif %}
+      <div id="links">
+        <a id="create" class="btn btn-blue" href="{{ create_url }}">
+          <i class="fa fa-plus"></i>
+          {% trans %}Create{% endtrans %}
+        </a>
       </div>
     </div>
 
     <div id="posters">
-
-      {% if poster_list.count() == 0 %}
-        <div id="no-posters">{% trans %}No posters{% endtrans %}</div>
-      {% else %}
-
-        {% for poster in poster_list %}
-          <div class="poster{% if not poster.is_moderated %} not_moderated{% endif %}">
-            <div class="name">{{ poster.name }}</div>
-            <div class="image"><img src="{{ poster.file.url }}"></img></div>
-            <div class="dates">
-              <div class="begin">{{ poster.date_begin | localtime | date("d/M/Y H:m") }}</div>
-              <div class="end">{{ poster.date_end | localtime | date("d/M/Y H:m") }}</div>
-            </div>
-            {% if app == "com" %}
-              <a class="edit" href="{{ url(app + ":poster_edit", poster.id) }}">{% trans %}Edit{% endtrans %}</a>
-            {% elif app == "club" %}
-              <a class="edit" href="{{ url(app + ":poster_edit", club.id, poster.id) }}">{% trans %}Edit{% endtrans %}</a>
-            {% endif %}
-            <div class="tooltip">
-              <ul>
-                {% for screen in poster.screens.all() %}
-                  <li>{{ screen }}</li>
-                {% endfor %}
-              </ul>
-            </div>
+      {% for poster in poster_list %}
+        <div class="poster{% if not poster.is_moderated %} not_moderated{% endif %}">
+          <div class="name">{{ poster.name }}</div>
+          <div
+            class="image"
+            hover="{% trans %}Click to expand{% endtrans %}"
+            @click="active = $el.firstElementChild"
+            tooltip="{%- for screen in poster.screens.all() -%}
+                       {{ screen }}
+                     {% endfor %}"
+          >
+            <img src="{{ poster.file.url }}" alt="{{ poster.name }}">
           </div>
-        {% endfor %}
-
-      {% endif %}
-
+          <div class="dates">
+            <div class="begin">{{ poster.date_begin | localtime | date("d/M/Y H:m") }}</div>
+            <div class="end">{{ poster.date_end | localtime | date("d/M/Y H:m") }}</div>
+          </div>
+          <div class="actions">
+            {% if poster.is_editable %}
+              <a class="btn btn-blue" href="{{ get_edit_url(poster) }}">
+                <i class="fa fa-pen-to-square"></i>
+                {% trans %}Edit{% endtrans %}
+              </a>
+            {% endif %}
+            {% if not poster.is_moderated and user.has_perm("com.moderate_poster") %}
+              <form action="{{ url("com:poster_moderate", object_id=poster.id) }}" method="post">
+                {% csrf_token %}
+                <button type="submit" class="btn btn-green">
+                  <i class="fa fa-check"></i>
+                  {% trans %}Moderate{% endtrans %}
+                </button>
+              </form>
+            {% endif %}
+          </div>
+        </div>
+      {% else %}
+        <div id="no-posters">{% trans %}No posters{% endtrans %}</div>
+      {% endfor %}
     </div>
 
-    <div id="view"><div id="placeholder"></div></div>
+    <div
+      id="view"
+      @keyup.escape.window="active = null"
+      @click="active = null"
+      :class="{active: active !== null}"
+    >
+      <div id="placeholder">
+        <img :src="active?.src" :alt="active?.name">
+      </div>
+    </div>
 
   </div>
 {% endblock %}

com/templates/com/poster_moderate.jinja

@@ -1,43 +0,0 @@
-{% extends "core/base.jinja" %}
-
-{% block script %}
-  {{ super() }}
-  <script src="{{ static('com/js/poster_list.js') }}"></script>
-{% endblock %}
-
-{% block additional_css %}
-  <link rel="stylesheet" href="{{ static('com/css/posters.scss') }}">
-{% endblock %}
-
-{% block content %}
-  <div id="poster_list">
-
-    <div id="title">
-      <div id="links" class="left">
-        <a id="list" class="link" href="{{ url("com:poster_list") }}">{% trans %}List{% endtrans %}</a>
-      </div>
-      <h3>{% trans %}Posters - moderation{% endtrans %}</h3>
-    </div>
-
-    <div id="posters">
-
-      {% if object_list.count == 0 %}
-        <div id="no-posters">{% trans %}No objects{% endtrans %}</div>
-      {% else %}
-
-        {% for poster in object_list %}
-          <div class="poster{% if not poster.is_moderated %} not_moderated{% endif %}">
-            <div class="name"> {{ poster.name }} </div>
-            <div class="image"> <img src="{{ poster.file.url }}"></img> </div>
-            <a class="moderate" href="{{ url("com:poster_moderate", object_id=poster.id) }}">Moderate</a>
-          </div>
-        {% endfor %}
-
-      {% endif %}
-
-    </div>
-
-    <div id="view"><div id="placeholder"></div></div>
-
-  </div>
-{% endblock %}

com/templates/com/screen_slideshow.jinja

@@ -2,28 +2,44 @@
 <html lang="fr">
   <head>
     <title>{% trans %}Slideshow{% endtrans %}</title>
+    <link rel="shortcut icon" href="{{ static('core/img/favicon.ico') }}">
     <link href="{{ static('css/slideshow.scss') }}" rel="stylesheet" type="text/css" />
-    <script src="{{ static('bundled/vendored/jquery.min.js') }}"></script>
-    <script src="{{ static('com/js/slideshow.js') }}"></script>
+    <script type="module" src="{{ static('bundled/alpine-index.js') }}"></script>
+    <script type="module" src="{{ static('bundled/com/slideshow-index.ts') }}"></script>
   </head>
-  <body>
-    <div id="slideshow">
+  <body x-data="slideshow([
+                {% for poster in posters %}
+                  {
+                  url: '{{ poster.file.url }}',
+                  displayTime: {{ poster.display_time }}
+                  },
+                {% endfor %}
+                ])">
+    <div
+      id="slideshow"
+      @click="toggleFullScreen"
+      hover="{% trans %}Click to expand{% endtrans %}"
+      @keyup.f.window="toggleFullScreen"
+    >
 
       <div id="slides">
-        {% for poster in posters %}
-          <div class="slide {% if loop.first %}center{% else %}right{% endif %}" display_time="{{ poster.display_time }}">
-            <img src="{{ poster.file.url }}">
+        <template x-for="(poster, index) in posters">
+          <div class="slide" :class="{
+                                     current: index === current,
+                                     previous: index !== current && index === previous,
+                                     }">
+            <img :src="poster.url">
           </div>
-        {% endfor %}
+        </template>
       </div>
 
       <div id="progress_bullets">
-        {% for poster in posters %}
-          <div class="bullet {% if loop.first %}active{% endif %}"></div>
-        {% endfor %}
+        <template x-for="(poster, index) in posters">
+          <div class="bullet" :class="{active: current === index}"></div>
+        </template>
       </div>
 
-      <div id="progress_bar"></div>
+      <progress :value="progress" max="100" x-show="posters.length > 1 && progress > 0"></progress>
 
     </div>
   </body>

com/templates/com/weekmail.jinja

@@ -31,9 +31,7 @@
           <td>
             <a href="{{ url('com:weekmail_article_edit', article_id=a.id) }}">{% trans %}Edit{% endtrans %}</a> |
             <a href="{{ url('com:weekmail_article_delete', article_id=a.id) }}">{% trans %}Delete{% endtrans %}</a> |
-            <a href="?add_article={{ a.id }}">{% trans %}Add to weekmail{% endtrans %}</a> |
-            <a href="?up_article={{ a.id }}">{% trans %}Up{% endtrans %}</a> |
-            <a href="?down_article={{ a.id }}">{% trans %}Down{% endtrans %}</a>
+            <a href="?add_article={{ a.id }}">{% trans %}Add to weekmail{% endtrans %}</a>
           </td>
         </tr>
       {% endfor %}

com/tests/test_api.py

@@ -1,4 +1,3 @@
-from dataclasses import dataclass
 from datetime import timedelta
 from pathlib import Path
 
@@ -18,16 +17,6 @@ from core.markdown import markdown
 from core.models import User
 
 
-@dataclass
-class MockResponse:
-    ok: bool
-    value: str
-
-    @property
-    def content(self):
-        return self.value.encode("utf8")
-
-
 def accel_redirect_to_file(response: HttpResponse) -> Path | None:
     redirect = Path(response.headers.get("X-Accel-Redirect", ""))
     if not redirect.is_relative_to(Path("/") / settings.MEDIA_ROOT.stem):

com/tests/test_views.py

@@ -17,12 +17,13 @@ from unittest.mock import patch
 
 import pytest
 from django.conf import settings
+from django.contrib.auth.models import Permission
 from django.contrib.sites.models import Site
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils import html
-from django.utils.timezone import localtime, now
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from model_bakery import baker
 from pytest_django.asserts import assertNumQueries, assertRedirects
@@ -31,6 +32,7 @@ from club.models import Club, Membership
 from com.models import News, NewsDate, Poster, Sith, Weekmail, WeekmailArticle
 from core.baker_recipes import subscriber_user
 from core.models import AnonymousUser, Group, User
+from core.utils import RED_PIXEL_PNG
 
 
 @pytest.fixture()
@@ -207,31 +209,6 @@ class TestWeekmailArticle(TestCase):
         assert not self.article.is_owned_by(self.sli)
 
 
-class TestPoster(TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        cls.com_admin = User.objects.get(username="comunity")
-        cls.poster = Poster.objects.create(
-            name="dummy",
-            file=SimpleUploadedFile("dummy.jpg", b"azertyuiop"),
-            club=Club.objects.first(),
-            date_begin=localtime(now()),
-        )
-        cls.sli = User.objects.get(username="sli")
-        cls.sli.memberships.all().delete()
-        Membership(user=cls.sli, club=Club.objects.first(), role=5).save()
-        cls.susbcriber = User.objects.get(username="subscriber")
-        cls.anonymous = AnonymousUser()
-
-    def test_poster_owner(self):
-        """Test that poster are owned by com admins and board members in clubs."""
-        assert self.poster.is_owned_by(self.com_admin)
-        assert not self.poster.is_owned_by(self.anonymous)
-
-        assert not self.poster.is_owned_by(self.susbcriber)
-        assert self.poster.is_owned_by(self.sli)
-
-
 class TestNewsCreation(TestCase):
     @classmethod
     def setUpTestData(cls):
@@ -340,7 +317,6 @@ def test_feed(client: Client):
     [
         reverse("com:poster_list"),
         reverse("com:poster_create"),
-        reverse("com:poster_moderate_list"),
     ],
 )
 def test_poster_management_views_crash_test(client: Client, url: str):
@@ -351,3 +327,37 @@ def test_poster_management_views_crash_test(client: Client, url: str):
     client.force_login(user)
     res = client.get(url)
     assert res.status_code == 200
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "referer",
+    [
+        None,
+        reverse("com:poster_list"),
+        reverse("club:poster_list", kwargs={"club_id": settings.SITH_MAIN_CLUB_ID}),
+    ],
+)
+def test_moderate_poster(client: Client, referer: str | None):
+    poster = baker.make(
+        Poster,
+        is_moderated=False,
+        file=SimpleUploadedFile("test.png", content=RED_PIXEL_PNG),
+        club_id=settings.SITH_MAIN_CLUB_ID,
+    )
+    user = baker.make(
+        User,
+        user_permissions=Permission.objects.filter(
+            codename__in=["view_poster", "moderate_poster"]
+        ),
+    )
+    client.force_login(user)
+    headers = {"REFERER": f"https://{settings.SITH_URL}{referer}"} if referer else {}
+    response = client.post(
+        reverse("com:poster_moderate", kwargs={"object_id": poster.id}), headers=headers
+    )
+    result_url = referer or reverse("com:poster_list")
+    assertRedirects(response, result_url)
+    poster.refresh_from_db()
+    assert poster.is_moderated
+    assert poster.moderator == user

com/urls.py

@@ -33,7 +33,6 @@ from com.views import (
     PosterDeleteView,
     PosterEditView,
     PosterListView,
-    PosterModerateListView,
     PosterModerateView,
     ScreenCreateView,
     ScreenDeleteView,
@@ -102,11 +101,6 @@ urlpatterns = [
         PosterDeleteView.as_view(),
         name="poster_delete",
     ),
-    path(
-        "poster/moderate/",
-        PosterModerateListView.as_view(),
-        name="poster_moderate_list",
-    ),
     path(
         "poster/<int:object_id>/moderate/",
         PosterModerateView.as_view(),

com/views.py

@@ -25,13 +25,17 @@ import itertools
 from datetime import date, timedelta
 from smtplib import SMTPRecipientsRefused
 from typing import Any
+from urllib.parse import urlparse
 
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
-from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
+from django.contrib import messages
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin,
+)
 from django.contrib.syndication.views import Feed
 from django.core.exceptions import PermissionDenied, ValidationError
-from django.db.models import Max
+from django.db.models import Exists, Max, OuterRef, Value
 from django.forms.models import modelform_factory
 from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect
@@ -42,7 +46,7 @@ from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, ListView, TemplateView, View
 from django.views.generic.edit import CreateView, DeleteView, UpdateView
 
-from club.models import Club, Mailing
+from club.models import Club, Mailing, Membership
 from com.forms import NewsDateForm, NewsForm, PosterForm
 from com.ics_calendar import IcsCalendar
 from com.models import News, NewsDate, Poster, Screen, Sith, Weekmail, WeekmailArticle
@@ -50,9 +54,10 @@ from core.auth.mixins import (
     CanEditPropMixin,
     CanViewMixin,
     PermissionOrAuthorRequiredMixin,
+    PermissionOrClubBoardRequiredMixin,
 )
 from core.models import User
-from core.views.mixins import QuickNotifMixin, TabedViewMixin
+from core.views.mixins import TabedViewMixin
 from core.views.widgets.markdown import MarkdownInput
 
 # Sith object
@@ -99,13 +104,6 @@ class ComTabsMixin(TabedViewMixin):
         ]
 
 
-class IsComAdminMixin(AccessMixin):
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_com_admin:
-            raise PermissionDenied
-        return super().dispatch(request, *args, **kwargs)
-
-
 class ComEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     model = Sith
     template_name = "core/edit.jinja"
@@ -242,10 +240,11 @@ class NewsListView(TemplateView):
         if not self.request.user.has_perm("core.view_user"):
             return []
         return itertools.groupby(
-            User.objects.filter(
+            User.objects.viewable_by(self.request.user)
+            .filter(
                 date_of_birth__month=localdate().month,
                 date_of_birth__day=localdate().day,
-                is_subscriber_viewable=True,
+                is_viewable=True,
             )
             .filter(role__in=["STUDENT", "FORMER STUDENT"])
             .order_by("-date_of_birth"),
@@ -337,7 +336,7 @@ class NewsFeed(Feed):
 # Weekmail
 
 
-class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, DetailView):
+class WeekmailPreviewView(ComTabsMixin, CanEditPropMixin, DetailView):
     model = Weekmail
     template_name = "com/weekmail_preview.jinja"
     success_url = reverse_lazy("com:weekmail")
@@ -349,12 +348,11 @@ class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, Detai
 
     def post(self, request, *args, **kwargs):
         self.object = self.get_object()
+        messages.success(self.request, _("Weekmail sent successfully"))
         if request.POST["send"] == "validate":
             try:
                 self.object.send()
-                return HttpResponseRedirect(
-                    reverse("com:weekmail") + "?qn_weekmail_send_success"
-                )
+                return HttpResponseRedirect(reverse("com:weekmail"))
             except SMTPRecipientsRefused as e:
                 self.bad_recipients = e.recipients
         elif request.POST["send"] == "clean":
@@ -365,7 +363,6 @@ class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, Detai
                 for u in users:
                     u.preferences.receive_weekmail = False
                     u.preferences.save()
-                self.quick_notif_list += ["qn_success"]
         return super().get(request, *args, **kwargs)
 
     def get_object(self, queryset=None):
@@ -379,7 +376,7 @@ class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, Detai
         return kwargs
 
 
-class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateView):
+class WeekmailEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     model = Weekmail
     template_name = "com/weekmail.jinja"
     form_class = modelform_factory(
@@ -419,7 +416,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
                 art.rank, prev_art.rank = prev_art.rank, art.rank
                 art.save()
                 prev_art.save()
-                self.quick_notif_list += ["qn_success"]
+                messages.success(
+                    self.request,
+                    _("%(title)s moved up in the Weekmail") % {"title": art.title},
+                )
         if "down_article" in request.GET:
             art = get_object_or_404(
                 WeekmailArticle, id=request.GET["down_article"], weekmail=self.object
@@ -431,7 +431,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
                 art.rank, next_art.rank = next_art.rank, art.rank
                 art.save()
                 next_art.save()
-                self.quick_notif_list += ["qn_success"]
+                messages.success(
+                    self.request,
+                    _("%(title)s moved down in the Weekmail") % {"title": art.title},
+                )
         if "add_article" in request.GET:
             art = get_object_or_404(
                 WeekmailArticle, id=request.GET["add_article"], weekmail=None
@@ -440,7 +443,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
             art.rank = self.object.articles.aggregate(Max("rank"))["rank__max"] or 0
             art.rank += 1
             art.save()
-            self.quick_notif_list += ["qn_success"]
+            messages.success(
+                self.request,
+                _("%(title)s added to the Weekmail") % {"title": art.title},
+            )
         if "del_article" in request.GET:
             art = get_object_or_404(
                 WeekmailArticle, id=request.GET["del_article"], weekmail=self.object
@@ -448,7 +454,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
             art.weekmail = None
             art.rank = -1
             art.save()
-            self.quick_notif_list += ["qn_success"]
+            messages.success(
+                self.request,
+                _("%(title)s removed from the Weekmail") % {"title": art.title},
+            )
         return super().get(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):
@@ -458,9 +467,7 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
         return kwargs
 
 
-class WeekmailArticleEditView(
-    ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateView
-):
+class WeekmailArticleEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     """Edit an article."""
 
     model = WeekmailArticle
@@ -472,11 +479,10 @@ class WeekmailArticleEditView(
     pk_url_kwarg = "article_id"
     template_name = "core/edit.jinja"
     success_url = reverse_lazy("com:weekmail")
-    quick_notif_url_arg = "qn_weekmail_article_edit"
     current_tab = "weekmail"
 
 
-class WeekmailArticleCreateView(QuickNotifMixin, CreateView):
+class WeekmailArticleCreateView(CreateView):
     """Post an article."""
 
     model = WeekmailArticle
@@ -487,7 +493,6 @@ class WeekmailArticleCreateView(QuickNotifMixin, CreateView):
     )
     template_name = "core/create.jinja"
     success_url = reverse_lazy("core:user_tools")
-    quick_notif_url_arg = "qn_weekmail_new_article"
 
     def get_initial(self):
         if "club" not in self.request.GET:
@@ -558,161 +563,115 @@ class MailingModerateView(View):
         raise PermissionDenied
 
 
-class PosterAdminViewMixin(IsComAdminMixin, ComTabsMixin):
-    current_tab = "posters"
-
-
-class PosterListBaseView(PosterAdminViewMixin, ListView):
+class PosterListBaseView(ListView):
     """List communication posters."""
 
-    current_tab = "posters"
     model = Poster
     template_name = "com/poster_list.jinja"
-
-    def dispatch(self, request, *args, **kwargs):
-        club_id = kwargs.pop("club_id", None)
-        self.club = None
-        if club_id:
-            self.club = get_object_or_404(Club, pk=club_id)
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.view_poster"
 
     def get_queryset(self):
-        if self.request.user.is_com_admin:
-            return Poster.objects.all().order_by("-date_begin")
+        qs = Poster.objects.prefetch_related("screens")
+        if self.request.user.has_perm("com.edit_poster"):
+            qs = qs.annotate(is_editable=Value(value=True))
         else:
-            return Poster.objects.filter(club=self.club.id)
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if not self.request.user.is_com_admin:
-            kwargs["club"] = self.club
-        return kwargs
+            qs = qs.annotate(
+                is_editable=Exists(
+                    Membership.objects.ongoing()
+                    .board()
+                    .filter(user=self.request.user, club=OuterRef("club_id"))
+                )
+            )
+        return qs.order_by("-date_begin")
 
 
-class PosterCreateBaseView(PosterAdminViewMixin, CreateView):
+class PosterCreateBaseView(PermissionOrClubBoardRequiredMixin, CreateView):
     """Create communication poster."""
 
-    current_tab = "posters"
     form_class = PosterForm
     template_name = "core/create.jinja"
+    permission_required = "com.add_poster"
 
     def get_queryset(self):
         return Poster.objects.all()
 
-    def dispatch(self, request, *args, **kwargs):
-        if "club_id" in kwargs:
-            self.club = get_object_or_404(Club, pk=kwargs["club_id"])
-        return super().dispatch(request, *args, **kwargs)
-
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs.update({"user": self.request.user})
-        return kwargs
+        return super().get_form_kwargs() | {"user": self.request.user}
+
+    def get_initial(self):
+        return {"club": self.club}
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if not self.request.user.is_com_admin:
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
     def form_valid(self, form):
-        if self.request.user.is_com_admin:
+        if self.request.user.has_perm("com.moderate_poster"):
             form.instance.is_moderated = True
         return super().form_valid(form)
 
 
-class PosterEditBaseView(PosterAdminViewMixin, UpdateView):
+class PosterEditBaseView(PermissionOrClubBoardRequiredMixin, UpdateView):
     """Edit communication poster."""
 
     pk_url_kwarg = "poster_id"
-    current_tab = "posters"
     form_class = PosterForm
     template_name = "com/poster_edit.jinja"
-
-    def get_initial(self):
-        return {
-            "date_begin": self.object.date_begin.strftime("%Y-%m-%d %H:%M:%S")
-            if self.object.date_begin
-            else None,
-            "date_end": self.object.date_end.strftime("%Y-%m-%d %H:%M:%S")
-            if self.object.date_end
-            else None,
-        }
-
-    def dispatch(self, request, *args, **kwargs):
-        if kwargs.get("club_id"):
-            try:
-                self.club = Club.objects.get(pk=kwargs["club_id"])
-            except Club.DoesNotExist as e:
-                raise PermissionDenied from e
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.change_poster"
 
     def get_queryset(self):
         return Poster.objects.all()
 
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs.update({"user": self.request.user})
-        return kwargs
+        return super().get_form_kwargs() | {"user": self.request.user}
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if hasattr(self, "club"):
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
     def form_valid(self, form):
-        if self.request.user.is_com_admin:
+        if not self.request.user.has_perm("com.moderate_poster"):
             form.instance.is_moderated = False
         return super().form_valid(form)
 
 
-class PosterDeleteBaseView(PosterAdminViewMixin, DeleteView):
+class PosterDeleteBaseView(
+    PermissionOrClubBoardRequiredMixin, ComTabsMixin, DeleteView
+):
     """Edit communication poster."""
 
     pk_url_kwarg = "poster_id"
     current_tab = "posters"
     model = Poster
     template_name = "core/delete_confirm.jinja"
-
-    def dispatch(self, request, *args, **kwargs):
-        if kwargs.get("club_id"):
-            try:
-                self.club = Club.objects.get(pk=kwargs["club_id"])
-            except Club.DoesNotExist as e:
-                raise PermissionDenied from e
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.delete_poster"
 
 
-class PosterListView(PosterListBaseView):
+class PosterListView(PermissionRequiredMixin, ComTabsMixin, PosterListBaseView):
     """List communication posters."""
 
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    current_tab = "posters"
+    extra_context = {
+        "create_url": reverse_lazy("com:poster_create"),
+        "get_edit_url": lambda poster: reverse(
+            "com:poster_edit", kwargs={"poster_id": poster.id}
+        ),
+    }
+    permission_required = "com.view_poster"
 
 
-class PosterCreateView(PosterCreateBaseView):
+class PosterCreateView(ComTabsMixin, PosterCreateBaseView):
     """Create communication poster."""
 
+    current_tab = "posters"
     success_url = reverse_lazy("com:poster_list")
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    extra_context = {"app": "com"}
 
 
-class PosterEditView(PosterEditBaseView):
+class PosterEditView(ComTabsMixin, PosterEditBaseView):
     """Edit communication poster."""
 
+    current_tab = "posters"
     success_url = reverse_lazy("com:poster_list")
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    extra_context = {"app": "com"}
 
 
 class PosterDeleteView(PosterDeleteBaseView):
@@ -721,44 +680,37 @@ class PosterDeleteView(PosterDeleteBaseView):
     success_url = reverse_lazy("com:poster_list")
 
 
-class PosterModerateListView(PosterAdminViewMixin, ListView):
-    """Moderate list communication poster."""
-
-    current_tab = "posters"
-    model = Poster
-    template_name = "com/poster_moderate.jinja"
-    queryset = Poster.objects.filter(is_moderated=False).all()
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
-
-
-class PosterModerateView(PosterAdminViewMixin, View):
+class PosterModerateView(PermissionRequiredMixin, ComTabsMixin, View):
     """Moderate communication poster."""
 
-    def get(self, request, *args, **kwargs):
+    current_tab = "posters"
+    permission_required = "com.moderate_poster"
+    extra_context = {"app": "com"}
+
+    def post(self, request, *args, **kwargs):
         obj = get_object_or_404(Poster, pk=kwargs["object_id"])
-        if obj.can_be_moderated_by(request.user):
-            obj.is_moderated = True
-            obj.moderator = request.user
-            obj.save()
-            return redirect("com:poster_moderate_list")
-        raise PermissionDenied
-
-    def get_context_data(self, **kwargs):
-        kwargs = super(PosterModerateListView, self).get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+        obj.is_moderated = True
+        obj.moderator = request.user
+        obj.save()
+        # The moderation request may be originated from a club context (/club/poster)
+        # or a global context (/com/poster),
+        # so the redirection URL will be the URL of the page that called this view,
+        # as long as the latter belongs to the sith.
+        referer = self.request.META.get("HTTP_REFERER")
+        if referer:
+            parsed = urlparse(referer)
+            if parsed.netloc == settings.SITH_URL:
+                return redirect(parsed.path)
+        return redirect("com:poster_list")
 
 
-class ScreenListView(IsComAdminMixin, ComTabsMixin, ListView):
+class ScreenListView(PermissionRequiredMixin, ComTabsMixin, ListView):
     """List communication screens."""
 
     current_tab = "screens"
     model = Screen
     template_name = "com/screen_list.jinja"
+    permission_required = "com.view_screen"
 
 
 class ScreenSlideshowView(DetailView):
@@ -769,12 +721,12 @@ class ScreenSlideshowView(DetailView):
     template_name = "com/screen_slideshow.jinja"
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["posters"] = self.object.active_posters()
-        return kwargs
+        return super().get_context_data(**kwargs) | {
+            "posters": self.object.active_posters()
+        }
 
 
-class ScreenCreateView(IsComAdminMixin, ComTabsMixin, CreateView):
+class ScreenCreateView(PermissionRequiredMixin, ComTabsMixin, CreateView):
     """Create communication screen."""
 
     current_tab = "screens"
@@ -782,9 +734,10 @@ class ScreenCreateView(IsComAdminMixin, ComTabsMixin, CreateView):
     fields = ["name"]
     template_name = "core/create.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.add_screen"
 
 
-class ScreenEditView(IsComAdminMixin, ComTabsMixin, UpdateView):
+class ScreenEditView(PermissionRequiredMixin, ComTabsMixin, UpdateView):
     """Edit communication screen."""
 
     pk_url_kwarg = "screen_id"
@@ -793,9 +746,10 @@ class ScreenEditView(IsComAdminMixin, ComTabsMixin, UpdateView):
     fields = ["name"]
     template_name = "com/screen_edit.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.change_screen"
 
 
-class ScreenDeleteView(IsComAdminMixin, ComTabsMixin, DeleteView):
+class ScreenDeleteView(PermissionRequiredMixin, ComTabsMixin, DeleteView):
     """Delete communication screen."""
 
     pk_url_kwarg = "screen_id"
@@ -803,3 +757,4 @@ class ScreenDeleteView(IsComAdminMixin, ComTabsMixin, DeleteView):
     model = Screen
     template_name = "core/delete_confirm.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.delete_screen"

core/admin.py

@@ -74,9 +74,19 @@ class UserBanAdmin(admin.ModelAdmin):
     autocomplete_fields = ("user", "ban_group")
 
 
+class GroupInline(admin.TabularInline):
+    model = Group.permissions.through
+    readonly_fields = ("group",)
+    extra = 0
+
+    def has_add_permission(self, request, obj):
+        return False
+
+
 @admin.register(Permission)
 class PermissionAdmin(admin.ModelAdmin):
     search_fields = ("codename",)
+    inlines = (GroupInline,)
 
 
 @admin.register(Page)

core/api.py

@@ -1,6 +1,6 @@
 from typing import Annotated, Any, Literal
 
-import annotated_types
+from annotated_types import Ge, Le, MinLen
 from django.conf import settings
 from django.db.models import F
 from django.http import HttpResponse
@@ -25,8 +25,10 @@ from core.schemas import (
     UserFamilySchema,
     UserFilterSchema,
     UserProfileSchema,
+    UserSchema,
 )
 from core.templatetags.renderer import markdown
+from counter.utils import is_logged_in_counter
 
 
 @api_controller("/markdown")
@@ -69,22 +71,33 @@ class MailingListController(ControllerBase):
         return data
 
 
-@api_controller("/user", permissions=[CanAccessLookup])
+@api_controller("/user")
 class UserController(ControllerBase):
     @route.get("", response=list[UserProfileSchema])
     def fetch_profiles(self, pks: Query[set[int]]):
-        return User.objects.filter(pk__in=pks)
+        return User.objects.viewable_by(self.context.request.user).filter(pk__in=pks)
+
+    @route.get("/{int:user_id}", response=UserSchema, permissions=[CanView])
+    def fetch_user(self, user_id: int):
+        """Fetch a single user"""
+        return self.get_object_or_exception(User, id=user_id)
 
     @route.get(
         "/search",
         response=PaginatedResponseSchema[UserProfileSchema],
         url_name="search_users",
+        # logged in barmen aren't authenticated stricto sensu, so no auth here
+        auth=None,
     )
     @paginate(PageNumberPaginationExtra, page_size=20)
     def search_users(self, filters: Query[UserFilterSchema]):
-        return filters.filter(
-            User.objects.order_by(F("last_login").desc(nulls_last=True))
-        )
+        qs = User.objects
+        # the logged in barmen can see all users (even the hidden one),
+        # because they have a temporary administrative function during
+        # which they may have to deal with hidden users
+        if not is_logged_in_counter(self.context.request):
+            qs = qs.viewable_by(self.context.request.user)
+        return filters.filter(qs.order_by(F("last_login").desc(nulls_last=True)))
 
 
 @api_controller("/file")
@@ -92,11 +105,11 @@ class SithFileController(ControllerBase):
     @route.get(
         "/search",
         response=PaginatedResponseSchema[SithFileSchema],
-        auth=[SessionAuth(), ApiKeyAuth()],
+        auth=[ApiKeyAuth(), SessionAuth()],
         permissions=[CanAccessLookup],
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
-    def search_files(self, search: Annotated[str, annotated_types.MinLen(1)]):
+    def search_files(self, search: Annotated[str, MinLen(1)]):
         return SithFile.objects.filter(is_in_sas=False).filter(name__icontains=search)
 
 
@@ -105,15 +118,15 @@ class GroupController(ControllerBase):
     @route.get(
         "/search",
         response=PaginatedResponseSchema[GroupSchema],
-        auth=[SessionAuth(), ApiKeyAuth()],
+        auth=[ApiKeyAuth(), SessionAuth()],
         permissions=[CanAccessLookup],
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
-    def search_group(self, search: Annotated[str, annotated_types.MinLen(1)]):
+    def search_group(self, search: Annotated[str, MinLen(1)]):
         return Group.objects.filter(name__icontains=search).values()
 
 
-DepthValue = Annotated[int, annotated_types.Ge(0), annotated_types.Le(10)]
+DepthValue = Annotated[int, Ge(0), Le(10)]
 DEFAULT_DEPTH = 4
 
 

core/auth/mixins.py

@@ -24,13 +24,18 @@
 from __future__ import annotations
 
 import types
-import warnings
 from typing import TYPE_CHECKING, Any, LiteralString
 
 from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
+from django.http import Http404
+from django.shortcuts import get_object_or_404
+from django.utils.functional import cached_property
+from django.utils.translation import gettext as _
 from django.views.generic.base import View
 
+from club.models import Club
+
 if TYPE_CHECKING:
     from django.db.models import Model
 
@@ -141,45 +146,6 @@ class GenericContentPermissionMixinBuilder(View):
         return super().dispatch(request, *arg, **kwargs)
 
 
-class CanCreateMixin(View):
-    """Protect any child view that would create an object.
-
-    Raises:
-        PermissionDenied:
-            If the user has not the necessary permission
-            to create the object of the view.
-    """
-
-    def __init_subclass__(cls, **kwargs):
-        warnings.warn(
-            f"{cls.__name__} is deprecated and should be replaced "
-            "by other permission verification mecanism.",
-            DeprecationWarning,
-            stacklevel=2,
-        )
-        super().__init_subclass__(**kwargs)
-
-    def __init__(self, *args, **kwargs):
-        warnings.warn(
-            f"{self.__class__.__name__} is deprecated and should be replaced "
-            "by other permission verification mecanism.",
-            DeprecationWarning,
-            stacklevel=2,
-        )
-        super().__init__(*args, **kwargs)
-
-    def dispatch(self, request, *arg, **kwargs):
-        if not request.user.is_authenticated:
-            raise PermissionDenied
-        return super().dispatch(request, *arg, **kwargs)
-
-    def form_valid(self, form):
-        obj = form.instance
-        if can_edit_prop(obj, self.request.user):
-            return super().form_valid(form)
-        raise PermissionDenied
-
-
 class CanEditPropMixin(GenericContentPermissionMixinBuilder):
     """Ensure the user has owner permissions on the child view object.
 
@@ -297,3 +263,51 @@ class PermissionOrAuthorRequiredMixin(PermissionRequiredMixin):
             self.author_field += "_id"
         author_id = getattr(obj, self.author_field, None)
         return author_id == self.request.user.id
+
+
+class PermissionOrClubBoardRequiredMixin(PermissionRequiredMixin):
+    """Require that the user has the required perm or is the board of the club.
+
+    This mixin can be used in any view that is called from a url
+    having a `club_id` kwarg.
+
+    Example:
+
+        In `urls.py` :
+        ```python
+        urlpatterns = [
+            path("foo/<int:club_id>/bar/", FooView.as_view())
+        ]
+        ```
+
+        In `views.py` :
+
+        ```python
+        # this view is available to users that either have the
+        # "foo.view_foo" permission or are in the board of the club
+        # which id was given in the url
+        class FooView(PermissionOrClubBoardRequiredMixin, View):
+            permission_required = "foo.view_foo"
+        ```
+    """
+
+    club_pk_url_kwarg = "club_id"
+
+    @cached_property
+    def club(self):
+        club_id: str | int = self.kwargs.pop(self.club_pk_url_kwarg, None)
+        if club_id is None:
+            return None
+        if isinstance(club_id, int) or club_id.isdigit():
+            return get_object_or_404(Club, pk=club_id)
+        raise Http404(_("No club found with id %(id)s") % {"id": club_id})
+
+    def has_permission(self):
+        if self.request.user.is_anonymous:
+            return False
+        if super().has_permission():
+            return True
+        return (
+            self.club is not None
+            and self.club.board_group_id in self.request.user.all_groups
+        )

core/converters.py

@@ -1,19 +1,16 @@
-class FourDigitYearConverter:
-    regex = "[0-9]{4}"
+from django.urls.converters import IntConverter, StringConverter
 
-    def to_python(self, value):
-        return int(value)
+
+class FourDigitYearConverter(IntConverter):
+    regex = "[0-9]{4}"
 
     def to_url(self, value):
         return str(value).zfill(4)
 
 
-class TwoDigitMonthConverter:
+class TwoDigitMonthConverter(IntConverter):
     regex = "[0-9]{2}"
 
-    def to_python(self, value):
-        return int(value)
-
     def to_url(self, value):
         return str(value).zfill(2)
 
@@ -28,3 +25,9 @@ class BooleanStringConverter:
 
     def to_url(self, value):
         return str(value)
+
+
+class ResultConverter(StringConverter):
+    """Converter whose regex match either "success" or "failure"."""
+
+    regex = "(success|failure)"

core/management/commands/check_fs.py

@@ -1,40 +0,0 @@
-#
-# Copyright 2018
-# - Skia <skia@libskia.so>
-#
-# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
-# http://ae.utbm.fr.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License a published by the Free Software
-# Foundation; either version 3 of the License, or (at your option) any later
-# version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
-# details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
-# Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-#
-
-from django.core.management.base import BaseCommand
-
-from core.models import SithFile
-
-
-class Command(BaseCommand):
-    help = "Recursively check the file system with respect to the DB"
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            "ids", metavar="ID", type=int, nargs="+", help="The file IDs to process"
-        )
-
-    def handle(self, *args, **options):
-        files = SithFile.objects.filter(id__in=options["ids"]).all()
-        for f in files:
-            f._check_fs()

core/management/commands/populate.py

@@ -28,6 +28,7 @@ from typing import ClassVar, NamedTuple
 from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.contrib.sites.models import Site
+from django.core.files.base import ContentFile
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
 from django.db import connection
@@ -44,7 +45,7 @@ from core.utils import resize_image
 from counter.models import Counter, Product, ProductType, ReturnableProduct, StudentCard
 from election.models import Candidature, Election, ElectionList, Role
 from forum.models import Forum
-from pedagogy.models import UV
+from pedagogy.models import UE
 from sas.models import Album, PeoplePictureRelation, Picture
 from subscription.models import Subscription
 
@@ -104,13 +105,21 @@ class Command(BaseCommand):
         )
         self.profiles_root = SithFile.objects.create(name="profiles", owner=root)
         home_root = SithFile.objects.create(name="users", owner=root)
+        club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root)
+        SithFile.objects.create(
+            name="CGU",
+            is_folder=False,
+            file=ContentFile(
+                content="Conditions générales d'utilisation", name="cgu.txt"
+            ),
+            owner=root,
+        )
 
         # Page needed for club creation
         p = Page(name=settings.SITH_CLUB_ROOT_PAGE)
         p.save(force_lock=True)
 
-        club_root = SithFile.objects.create(name="clubs", owner=root)
-        sas = SithFile.objects.create(name="SAS", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )
@@ -150,7 +159,8 @@ class Command(BaseCommand):
 
         Weekmail().save()
 
-        # Here we add a lot of test datas, that are not necessary for the Sith, but that provide a basic development environment
+        # Here we add a lot of test datas, that are not necessary for the Sith,
+        # but that provide a basic development environment
         self.now = timezone.now().replace(hour=12, second=0)
 
         skia = User.objects.create_user(
@@ -660,20 +670,20 @@ class Command(BaseCommand):
 
         # Create some data for pedagogy
 
-        UV(
+        UE(
             code="PA00",
             author=User.objects.get(id=0),
-            credit_type=settings.SITH_PEDAGOGY_UV_TYPE[3][0],
+            credit_type=settings.SITH_PEDAGOGY_UE_TYPE[3][0],
             manager="Laurent HEYBERGER",
-            semester=settings.SITH_PEDAGOGY_UV_SEMESTER[3][0],
-            language=settings.SITH_PEDAGOGY_UV_LANGUAGE[0][0],
+            semester=settings.SITH_PEDAGOGY_UE_SEMESTER[3][0],
+            language=settings.SITH_PEDAGOGY_UE_LANGUAGE[0][0],
             department=settings.SITH_PROFILE_DEPARTMENTS[-2][0],
             credits=5,
             title="Participation dans une association étudiante",
             objectives="* Permettre aux étudiants de réaliser, pendant un semestre, un projet culturel ou associatif et de le valoriser.",
             program="""* Semestre précédent proposition d'un projet et d'un cahier des charges
 * Evaluation par un jury de six membres
-* Si accord réalisation dans le cadre de l'UV
+* Si accord réalisation dans le cadre de l'UE
 * Compte-rendu de l'expérience
 * Présentation""",
             skills="""* Gérer un projet associatif ou une action éducative en autonomie:
@@ -768,7 +778,7 @@ class Command(BaseCommand):
         s = Subscription(
             member=user,
             subscription_type=subscription_type,
-            payment_method=settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[0][0],
+            payment_method=settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[1][0],
         )
         s.subscription_start = s.compute_start(start)
         s.subscription_end = s.compute_end(
@@ -789,16 +799,16 @@ class Command(BaseCommand):
 
         subscribers = Group.objects.create(name="Cotisants")
         subscribers.permissions.add(
-            *list(perms.filter(codename__in=["add_news", "add_uvcomment"]))
+            *list(perms.filter(codename__in=["add_news", "add_uecomment"]))
         )
         old_subscribers = Group.objects.create(name="Anciens cotisants")
         old_subscribers.permissions.add(
             *list(
                 perms.filter(
                     codename__in=[
-                        "view_uv",
-                        "view_uvcomment",
-                        "add_uvcommentreport",
+                        "view_ue",
+                        "view_uecomment",
+                        "add_uecommentreport",
                         "view_user",
                         "view_picture",
                         "view_album",
@@ -874,7 +884,7 @@ class Command(BaseCommand):
         pedagogy_admin.permissions.add(
             *list(
                 perms.filter(content_type__app_label="pedagogy")
-                .exclude(codename__in=["change_uvcomment"])
+                .exclude(codename__in=["change_uecomment"])
                 .values_list("pk", flat=True)
             )
         )

core/management/commands/populate_more.py

@@ -1,3 +1,4 @@
+import math
 import random
 from datetime import date, timedelta
 from datetime import timezone as tz
@@ -12,7 +13,7 @@ from django.utils.timezone import localdate, make_aware, now
 from faker import Faker
 
 from club.models import Club, Membership
-from core.models import Group, User
+from core.models import Group, User, UserBan
 from counter.models import (
     Counter,
     Customer,
@@ -23,7 +24,7 @@ from counter.models import (
     Selling,
 )
 from forum.models import Forum, ForumMessage, ForumTopic
-from pedagogy.models import UV
+from pedagogy.models import UE
 from subscription.models import Subscription
 
 
@@ -34,12 +35,18 @@ class Command(BaseCommand):
         super().__init__(*args, **kwargs)
         self.faker = Faker("fr_FR")
 
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-n", "--nb-users", help="Number of users to create", type=int, default=600
+        )
+
     def handle(self, *args, **options):
         if not settings.DEBUG:
             raise Exception("Never call this command in prod. Never.")
 
         self.stdout.write("Creating users...")
-        users = self.create_users()
+        users = self.create_users(options["nb_users"])
+        self.create_bans(random.sample(users, k=len(users) // 200))  # 0.5% of users
         subscribers = random.sample(users, k=int(0.8 * len(users)))
         self.stdout.write("Creating subscriptions...")
         self.create_subscriptions(subscribers)
@@ -74,11 +81,11 @@ class Command(BaseCommand):
             random.sample(old_subscribers, k=min(80, len(old_subscribers))),
         )
         self.stdout.write("Creating uvs...")
-        self.create_uvs()
+        self.create_ues()
         self.stdout.write("Creating products...")
         self.create_products()
         self.stdout.write("Creating sales and refills...")
-        sellers = random.sample(list(User.objects.all()), 100)
+        sellers = random.sample(users, len(users) // 10)
         self.create_sales(sellers)
         self.stdout.write("Creating permanences...")
         self.create_permanences(sellers)
@@ -87,20 +94,26 @@ class Command(BaseCommand):
 
         self.stdout.write("Done")
 
-    def create_users(self) -> list[User]:
+    def create_users(self, nb_users: int = 600) -> list[User]:
+        # Create a single password hash for all users to make it faster.
+        # It's insecure as hell, but it's ok since it's only for dev purposes.
         password = make_password("plop")
         users = [
             User(
                 username=self.faker.user_name(),
                 first_name=self.faker.first_name(),
                 last_name=self.faker.last_name(),
-                date_of_birth=self.faker.date_of_birth(minimum_age=15, maximum_age=25),
+                date_of_birth=(
+                    None
+                    if random.random() < 0.2
+                    else self.faker.date_of_birth(minimum_age=15, maximum_age=25)
+                ),
                 email=self.faker.email(),
                 phone=self.faker.phone_number(),
                 address=self.faker.address(),
                 password=password,
             )
-            for _ in range(600)
+            for _ in range(nb_users)
         ]
         # there may a duplicate or two
         # Not a problem, we will just have 599 users instead of 600
@@ -110,14 +123,33 @@ class Command(BaseCommand):
         public_group.users.add(*users)
         return users
 
+    def create_bans(self, users: list[User]):
+        ban_groups = [
+            settings.SITH_GROUP_BANNED_COUNTER_ID,
+            settings.SITH_GROUP_BANNED_SUBSCRIPTION_ID,
+            settings.SITH_GROUP_BANNED_ALCOHOL_ID,
+        ]
+        UserBan.objects.bulk_create(
+            [
+                UserBan(
+                    user=user,
+                    ban_group_id=i,
+                    reason=self.faker.sentence(),
+                    expires_at=make_aware(self.faker.future_datetime("+1y")),
+                )
+                for user in users
+                for i in random.sample(ban_groups, k=random.randint(1, len(ban_groups)))
+            ]
+        )
+
     def create_subscriptions(self, users: list[User]):
         def prepare_subscription(_user: User, start_date: date) -> Subscription:
             payment_method = random.choice(settings.SITH_SUBSCRIPTION_PAYMENT_METHOD)[0]
             duration = random.randint(1, 4)
-            sub = Subscription(member=_user, payment_method=payment_method)
-            sub.subscription_start = sub.compute_start(d=start_date, duration=duration)
-            sub.subscription_end = sub.compute_end(duration)
-            return sub
+            s = Subscription(member=_user, payment_method=payment_method)
+            s.subscription_start = s.compute_start(d=start_date, duration=duration)
+            s.subscription_end = s.compute_end(duration)
+            return s
 
         subscriptions = []
         customers = []
@@ -188,7 +220,7 @@ class Command(BaseCommand):
         memberships = Membership.objects.bulk_create(memberships)
         Membership._add_club_groups(memberships)
 
-    def create_uvs(self):
+    def create_ues(self):
         root = User.objects.get(username="root")
         categories = ["CS", "TM", "OM", "QC", "EC"]
         branches = ["TC", "GMC", "GI", "EDIM", "E", "IMSI", "HUMA"]
@@ -203,7 +235,7 @@ class Command(BaseCommand):
                 + str(random.randint(10, 90))
             )
             uvs.append(
-                UV(
+                UE(
                     code=code,
                     author=root,
                     manager=random.choice(teachers),
@@ -225,7 +257,7 @@ class Command(BaseCommand):
                     hours_TE=random.randint(15, 40),
                 )
             )
-        UV.objects.bulk_create(uvs, ignore_conflicts=True)
+        UE.objects.bulk_create(uvs, ignore_conflicts=True)
 
     def create_products(self):
         categories = [
@@ -346,7 +378,6 @@ class Command(BaseCommand):
                         date=make_aware(
                             self.faker.date_time_between(customer.since, localdate())
                         ),
-                        is_validated=True,
                     )
                 )
             sales.extend(this_customer_sales)
@@ -385,8 +416,9 @@ class Command(BaseCommand):
         Permanency.objects.bulk_create(perms)
 
     def create_forums(self):
-        forumers = random.sample(list(User.objects.all()), 100)
-        most_actives = random.sample(forumers, 10)
+        users = list(User.objects.all())
+        forumers = random.sample(users, math.ceil(len(users) / 10))
+        most_actives = random.sample(forumers, math.ceil(len(forumers) / 6))
         categories = list(Forum.objects.filter(is_category=True))
         new_forums = [
             Forum(name=self.faker.text(20), parent=random.choice(categories))

core/management/commands/repair_fs.py

@@ -1,41 +0,0 @@
-#
-# Copyright 2018
-# - Skia <skia@libskia.so>
-#
-# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
-# http://ae.utbm.fr.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License a published by the Free Software
-# Foundation; either version 3 of the License, or (at your option) any later
-# version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
-# details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
-# Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-#
-
-
-from django.core.management.base import BaseCommand
-
-from core.models import SithFile
-
-
-class Command(BaseCommand):
-    help = "Recursively repair the file system with respect to the DB"
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            "ids", metavar="ID", type=int, nargs="+", help="The file IDs to process"
-        )
-
-    def handle(self, *args, **options):
-        files = SithFile.objects.filter(id__in=options["ids"]).all()
-        for f in files:
-            f._repair_fs()

core/migrations/0048_alter_user_options.py

@@ -0,0 +1,33 @@
+# Generated by Django 5.2.8 on 2025-11-09 15:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0047_alter_notification_date_alter_notification_type")]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="user",
+            options={
+                "permissions": [("view_hidden_user", "Can view hidden users")],
+                "verbose_name": "user",
+                "verbose_name_plural": "users",
+            },
+        ),
+        migrations.RenameField(
+            model_name="user", old_name="is_subscriber_viewable", new_name="is_viewable"
+        ),
+        migrations.AlterField(
+            model_name="user",
+            name="is_viewable",
+            field=models.BooleanField(
+                default=True,
+                verbose_name="Profile visible by subscribers",
+                help_text=(
+                    "If you disable this option, only admin users "
+                    "will be able to see your profile."
+                ),
+            ),
+        ),
+    ]

core/models.py

@@ -23,14 +23,13 @@
 #
 from __future__ import annotations
 
-import logging
-import os
+import difflib
 import string
 import unicodedata
 from datetime import timedelta
 from io import BytesIO
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional, Self
+from typing import TYPE_CHECKING, Final, Self
 from uuid import uuid4
 
 from django.conf import settings
@@ -39,7 +38,6 @@ from django.contrib.auth.models import AnonymousUser as AuthAnonymousUser
 from django.contrib.auth.models import Group as AuthGroup
 from django.contrib.staticfiles.storage import staticfiles_storage
 from django.core import validators
-from django.core.cache import cache
 from django.core.exceptions import PermissionDenied, ValidationError
 from django.core.files import File
 from django.core.files.base import ContentFile
@@ -56,6 +54,8 @@ from django.utils.translation import gettext_lazy as _
 from phonenumber_field.modelfields import PhoneNumberField
 from PIL import Image, ImageOps
 
+from core.utils import get_last_promo
+
 if TYPE_CHECKING:
     from django.core.files.uploadedfile import UploadedFile
     from pydantic import NonNegativeInt
@@ -76,69 +76,16 @@ class Group(AuthGroup):
     def get_absolute_url(self) -> str:
         return reverse("core:group_list")
 
-    def save(self, *args, **kwargs) -> None:
-        super().save(*args, **kwargs)
-        cache.set(f"sith_group_{self.id}", self)
-        cache.set(f"sith_group_{self.name.replace(' ', '_')}", self)
-
-    def delete(self, *args, **kwargs) -> None:
-        super().delete(*args, **kwargs)
-        cache.delete(f"sith_group_{self.id}")
-        cache.delete(f"sith_group_{self.name.replace(' ', '_')}")
-
 
 def validate_promo(value: int) -> None:
-    start_year = settings.SITH_SCHOOL_START_YEAR
-    delta = (localdate() + timedelta(days=180)).year - start_year
-    if value < 0 or delta < value:
+    last_promo = get_last_promo()
+    if not 0 < value <= last_promo:
         raise ValidationError(
             _("%(value)s is not a valid promo (between 0 and %(end)s)"),
-            params={"value": value, "end": delta},
+            params={"value": value, "end": last_promo},
         )
 
 
-def get_group(*, pk: int | None = None, name: str | None = None) -> Group | None:
-    """Search for a group by its primary key or its name.
-    Either one of the two must be set.
-
-    The result is cached for the default duration (should be 5 minutes).
-
-    Args:
-        pk: The primary key of the group
-        name: The name of the group
-
-    Returns:
-        The group if it exists, else None
-
-    Raises:
-        ValueError: If no group matches the criteria
-    """
-    if pk is None and name is None:
-        raise ValueError("Either pk or name must be set")
-
-    # replace space characters to hide warnings with memcached backend
-    pk_or_name: str | int = pk if pk is not None else name.replace(" ", "_")
-    group = cache.get(f"sith_group_{pk_or_name}")
-
-    if group == "not_found":
-        # Using None as a cache value is a little bit tricky,
-        # so we use a special string to represent None
-        return None
-    elif group is not None:
-        return group
-    # if this point is reached, the group is not in cache
-    if pk is not None:
-        group = Group.objects.filter(pk=pk).first()
-    else:
-        group = Group.objects.filter(name=name).first()
-    if group is not None:
-        name = group.name.replace(" ", "_")
-        cache.set_many({f"sith_group_{group.id}": group, f"sith_group_{name}": group})
-    else:
-        cache.set(f"sith_group_{pk_or_name}", "not_found")
-    return group
-
-
 class BanGroup(AuthGroup):
     """An anti-group, that removes permissions instead of giving them.
 
@@ -180,6 +127,15 @@ class UserQuerySet(models.QuerySet):
             Q(Exists(subscriptions)) | Q(Exists(refills)) | Q(Exists(purchases))
         )
 
+    def viewable_by(self, user: User) -> Self:
+        if user.has_perm("core.view_hidden_user"):
+            return self
+        if user.has_perm("core.view_user"):
+            return self.filter(is_viewable=True)
+        if user.is_anonymous:
+            return self.none()
+        return self.filter(id=user.id)
+
 
 class CustomUserManager(UserManager.from_queryset(UserQuerySet)):
     # see https://docs.djangoproject.com/fr/stable/topics/migrations/#model-managers
@@ -315,13 +271,24 @@ class User(AbstractUser):
     parent_address = models.CharField(
         _("parent address"), max_length=128, blank=True, default=""
     )
-    is_subscriber_viewable = models.BooleanField(
-        _("is subscriber viewable"), default=True
+    is_viewable = models.BooleanField(
+        _("Profile visible by subscribers"),
+        help_text=_(
+            "If you disable this option, only admin users "
+            "will be able to see your profile."
+        ),
+        default=True,
     )
     godfathers = models.ManyToManyField("User", related_name="godchildren", blank=True)
 
     objects = CustomUserManager()
 
+    class Meta(AbstractUser.Meta):
+        abstract = False
+        permissions = [
+            ("view_hidden_user", "Can view hidden users"),
+        ]
+
     def __str__(self):
         return self.get_display_name()
 
@@ -382,31 +349,34 @@ class User(AbstractUser):
         Returns:
              True if the user is the group, else False
         """
-        if pk is not None:
-            group: Optional[Group] = get_group(pk=pk)
-        elif name is not None:
-            group: Optional[Group] = get_group(name=name)
-        else:
+        if not pk and not name:
             raise ValueError("You must either provide the id or the name of the group")
-        if group is None:
+        group_id: int | None = (
+            pk or Group.objects.filter(name=name).values_list("id", flat=True).first()
+        )
+        if group_id is None:
             return False
-        if group.id == settings.SITH_GROUP_SUBSCRIBERS_ID:
-            return self.is_subscribed
-        if group.id == settings.SITH_GROUP_ROOT_ID:
-            return self.is_root
-        return group in self.cached_groups
+        return group_id in self.all_groups
 
     @cached_property
-    def cached_groups(self) -> list[Group]:
+    def all_groups(self) -> dict[int, Group]:
         """Get the list of groups this user is in."""
-        return list(self.groups.all())
+        additional_groups = []
+        if self.is_subscribed:
+            additional_groups.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
+        if self.is_superuser:
+            additional_groups.append(settings.SITH_GROUP_ROOT_ID)
+        qs = self.groups.all()
+        if additional_groups:
+            # This is somewhat counter-intuitive, but this query runs way faster with
+            # a UNION rather than a OR (in average, 0.25ms vs 14ms).
+            # For the why, cf. https://dba.stackexchange.com/questions/293836/why-is-an-or-statement-slower-than-union
+            qs = qs.union(Group.objects.filter(id__in=additional_groups))
+        return {g.id: g for g in qs}
 
     @cached_property
     def is_root(self) -> bool:
-        if self.is_superuser:
-            return True
-        root_id = settings.SITH_GROUP_ROOT_ID
-        return any(g.id == root_id for g in self.cached_groups)
+        return self.is_superuser or settings.SITH_GROUP_ROOT_ID in self.all_groups
 
     @cached_property
     def is_board_member(self) -> bool:
@@ -454,14 +424,6 @@ class User(AbstractUser):
         else:
             raise ValidationError(_("A user with that username already exists"))
 
-    def get_profile(self):
-        return {
-            "last_name": self.last_name,
-            "first_name": self.first_name,
-            "nick_name": self.nick_name,
-            "date_of_birth": self.date_of_birth,
-        }
-
     def get_short_name(self):
         """Returns the short name for the user."""
         if self.nick_name:
@@ -604,8 +566,12 @@ class User(AbstractUser):
     def can_be_edited_by(self, user):
         return user.is_root or user.is_board_member
 
-    def can_be_viewed_by(self, user):
-        return (user.was_subscribed and self.is_subscriber_viewable) or user.is_root
+    def can_be_viewed_by(self, user: User) -> bool:
+        return (
+            user.id == self.id
+            or user.has_perm("core.view_hidden_user")
+            or (user.has_perm("core.view_user") and self.is_viewable)
+        )
 
     def get_mini_item(self):
         return """
@@ -651,9 +617,6 @@ class User(AbstractUser):
 
 
 class AnonymousUser(AuthAnonymousUser):
-    def __init__(self):
-        super().__init__()
-
     @property
     def was_subscribed(self):
         return False
@@ -662,10 +625,6 @@ class AnonymousUser(AuthAnonymousUser):
     def is_subscribed(self):
         return False
 
-    @property
-    def subscribed(self):
-        return False
-
     @property
     def is_root(self):
         return False
@@ -696,8 +655,8 @@ class AnonymousUser(AuthAnonymousUser):
         if pk is not None:
             return pk == allowed_id
         elif name is not None:
-            group = get_group(name=name)
-            return group is not None and group.id == allowed_id
+            group = Group.objects.get(id=allowed_id)
+            return group.name == name
         else:
             raise ValueError("You must either provide the id or the name of the group")
 
@@ -1023,63 +982,6 @@ class SithFile(models.Model):
         self.clean()
         self.save()
 
-    def _repair_fs(self):
-        """Rebuilds recursively the filesystem as it should be regarding the DB tree."""
-        if self.is_folder:
-            for c in self.children.all():
-                c._repair_fs()
-            return
-        elif not self._check_path_consistence():
-            # First get future parent path and the old file name
-            # Prepend "." so that we match all relative handling of Django's
-            # file storage
-            parent_path = "." + self.parent.get_full_path()
-            parent_full_path = settings.MEDIA_ROOT + parent_path
-            os.makedirs(parent_full_path, exist_ok=True)
-            old_path = self.file.name  # Should be relative: "./users/skia/bleh.jpg"
-            new_path = "." + self.get_full_path()
-            try:
-                # Make this atomic, so that a FS problem rolls back the DB change
-                with transaction.atomic():
-                    # Set the new filesystem path
-                    self.file.name = new_path
-                    self.save()
-                    # Really move at the FS level
-                    if os.path.exists(parent_full_path):
-                        os.rename(
-                            settings.MEDIA_ROOT + old_path,
-                            settings.MEDIA_ROOT + new_path,
-                        )
-                        # Empty directories may remain, but that's not really a
-                        # problem, and that can be solved with a simple shell
-                        # command: `find . -type d -empty -delete`
-            except Exception as e:
-                logging.error(e)
-
-    def _check_path_consistence(self):
-        file_path = str(self.file)
-        file_full_path = settings.MEDIA_ROOT + file_path
-        db_path = ".%s" % self.get_full_path()
-        if not os.path.exists(file_full_path):
-            print("%s: WARNING: real file does not exists!" % self.id)  # noqa T201
-            print("file path: %s" % file_path, end="")  # noqa T201
-            print("  db path: %s" % db_path)  # noqa T201
-            return False
-        if file_path != db_path:
-            print("%s: " % self.id, end="")  # noqa T201
-            print("file path: %s" % file_path, end="")  # noqa T201
-            print("  db path: %s" % db_path)  # noqa T201
-            return False
-        return True
-
-    def _check_fs(self):
-        if self.is_folder:
-            for c in self.children.all():
-                c._check_fs()
-            return
-        else:
-            self._check_path_consistence()
-
     @property
     def is_file(self):
         return not self.is_folder
@@ -1164,8 +1066,6 @@ class QuickUploadImage(models.Model):
         identifier = str(uuid4())
         name = Path(image.name).stem[: cls.IMAGE_NAME_SIZE - 1]
         file = File(convert_image(image), name=f"{identifier}.webp")
-        width, height = Image.open(file).size
-
         return cls.objects.create(
             uuid=identifier,
             name=name,
@@ -1197,6 +1097,15 @@ class NotLocked(LockError):
     pass
 
 
+class PageQuerySet(models.QuerySet):
+    def viewable_by(self, user: User) -> Self:
+        if user.is_anonymous:
+            return self.filter(view_groups=settings.SITH_GROUP_PUBLIC_ID)
+        if user.has_perm("core.view_page"):
+            return self.all()
+        return self.filter(view_groups__in=user.all_groups)
+
+
 # This function prevents generating migration upon settings change
 def get_default_owner_group():
     return settings.SITH_GROUP_ROOT_ID
@@ -1266,6 +1175,8 @@ class Page(models.Model):
         _("lock_timeout"), null=True, blank=True, default=None
     )
 
+    objects = PageQuerySet.as_manager()
+
     class Meta:
         unique_together = ("name", "parent")
         permissions = (
@@ -1275,12 +1186,9 @@ class Page(models.Model):
     def __str__(self):
         return self.get_full_name()
 
-    def save(self, *args, **kwargs):
+    def save(self, *args, force_lock: bool = False, **kwargs):
         """Performs some needed actions before and after saving a page in database."""
-        locked = kwargs.pop("force_lock", False)
-        if not locked:
-            locked = self.is_locked()
-        if not locked:
+        if not force_lock and not self.is_locked():
             raise NotLocked("The page is not locked and thus can not be saved")
         self.full_clean()
         if not self.id:
@@ -1292,7 +1200,7 @@ class Page(models.Model):
         # It also update all the children to maintain correct names
         self._full_name = self.get_full_name()
         for c in self.children.all():
-            c.save()
+            c.save(force_lock=force_lock)
         super().save(*args, **kwargs)
         self.unset_lock()
 
@@ -1408,14 +1316,14 @@ class Page(models.Model):
     def need_club_redirection(self):
         return self.is_club_page and self.name != settings.SITH_CLUB_ROOT_PAGE
 
-    def delete(self):
+    def delete(self, *args, **kwargs):
         self.unset_lock_recursive()
         self.set_lock_recursive(User.objects.get(id=0))
         for child in self.children.all():
             child.parent = self.parent
             child.save()
             child.unset_lock_recursive()
-        super().delete()
+        return super().delete(*args, **kwargs)
 
 
 class PageRev(models.Model):
@@ -1427,6 +1335,9 @@ class PageRev(models.Model):
     The content is in PageRev.title and PageRev.content .
     """
 
+    MERGE_TIME_THRESHOLD: Final[timedelta] = timedelta(minutes=20)
+    MERGE_DIFF_THRESHOLD: Final[float] = 0.2
+
     revision = models.IntegerField(_("revision"))
     title = models.CharField(_("page title"), max_length=255, blank=True)
     content = models.TextField(_("page content"), blank=True)
@@ -1462,9 +1373,38 @@ class PageRev(models.Model):
     def get_absolute_url(self):
         return reverse("core:page", kwargs={"page_name": self.page._full_name})
 
-    def can_be_edited_by(self, user):
+    def can_be_edited_by(self, user: User) -> bool:
         return self.page.can_be_edited_by(user)
 
+    def is_owned_by(self, user: User) -> bool:
+        return self.page.owner_group_id in user.all_groups
+
+    def similarity_ratio(self, text: str) -> float:
+        """Similarity ratio between this revision's content and the given text.
+
+        The result is a float in [0; 1], 0 meaning the contents are entirely different,
+        and 1 they are strictly the same.
+        """
+        # cf. https://docs.python.org/3/library/difflib.html#difflib.SequenceMatcher.ratio
+        return difflib.SequenceMatcher(None, self.content, text).quick_ratio()
+
+    def should_merge(self, other: Self) -> bool:
+        """Return True if `other` should be merged into `self`, else False.
+
+        It's considered the other revision should be merged into this one if :
+
+        - it was made less than 20 minutes after
+        - by the same author
+        - with a similarity ratio higher than 80%
+        """
+        return (
+            not self._state.adding  # cannot merge if the original rev doesn't exist
+            and self.author == other.author
+            and (other.date - self.date) < self.MERGE_TIME_THRESHOLD
+            and (not other._state.adding or other.revision == self.revision + 1)
+            and self.similarity_ratio(other.content) >= (1 - other.MERGE_DIFF_THRESHOLD)
+        )
+
 
 def get_notification_types():
     return settings.SITH_NOTIFICATIONS

core/schemas.py

@@ -1,3 +1,4 @@
+from datetime import datetime
 from pathlib import Path
 from typing import Annotated, Any
 
@@ -8,12 +9,14 @@ from django.urls import reverse
 from django.utils.text import slugify
 from django.utils.translation import gettext as _
 from haystack.query import SearchQuerySet
-from ninja import FilterSchema, ModelSchema, Schema, UploadedFile
-from pydantic import AliasChoices, Field
+from ninja import FilterLookup, FilterSchema, ModelSchema, Schema, UploadedFile
+from pydantic import AliasChoices, Field, field_validator
 from pydantic_core.core_schema import ValidationInfo
 
 from core.models import Group, QuickUploadImage, SithFile, User
-from core.utils import is_image
+from core.utils import get_last_promo, is_image
+
+NonEmptyStr = Annotated[str, MinLen(1)]
 
 
 class UploadedImage(UploadedFile):
@@ -34,6 +37,22 @@ class SimpleUserSchema(ModelSchema):
         fields = ["id", "nick_name", "first_name", "last_name"]
 
 
+class UserSchema(ModelSchema):
+    class Meta:
+        model = User
+        fields = [
+            "id",
+            "nick_name",
+            "first_name",
+            "last_name",
+            "date_of_birth",
+            "email",
+            "role",
+            "quote",
+            "promo",
+        ]
+
+
 class UserProfileSchema(ModelSchema):
     """The necessary information to show a user profile"""
 
@@ -91,7 +110,11 @@ class GroupSchema(ModelSchema):
 
 
 class UserFilterSchema(FilterSchema):
-    search: Annotated[str, MinLen(1)]
+    search: Annotated[str, MinLen(1)] | None = None
+    role: Annotated[str, FilterLookup("role__icontains")] | None = None
+    department: str | None = None
+    promo: int | None = None
+    date_of_birth: datetime | None = None
     exclude: list[int] | None = Field(
         None, validation_alias=AliasChoices("exclude", "exclude[]")
     )
@@ -120,6 +143,13 @@ class UserFilterSchema(FilterSchema):
             return Q()
         return ~Q(id__in=value)
 
+    @field_validator("promo", mode="after")
+    @classmethod
+    def validate_promo(cls, value: int) -> int:
+        if not 0 < value <= get_last_promo():
+            raise ValueError(f"{value} is not a valid promo")
+        return value
+
 
 class MarkdownSchema(Schema):
     text: str

core/static/bundled/alpine-index.js

@@ -1,7 +1,10 @@
 import sort from "@alpinejs/sort";
 import Alpine from "alpinejs";
+import { limitedChoices } from "#core:alpine/limited-choices.ts";
+import { alpinePlugin as notificationPlugin } from "#core:utils/notifications.ts";
 
-Alpine.plugin(sort);
+Alpine.plugin([sort, limitedChoices]);
+Alpine.magic("notifications", notificationPlugin);
 window.Alpine = Alpine;
 
 window.addEventListener("DOMContentLoaded", () => {

core/static/bundled/alpine/limited-choices.ts

@@ -0,0 +1,69 @@
+import type { Alpine as AlpineType } from "alpinejs";
+
+export function limitedChoices(Alpine: AlpineType) {
+  /**
+   * Directive to limit the number of elements
+   * that can be selected in a group of checkboxes.
+   *
+   * When the max numbers of selectable elements is reached,
+   * new elements will still be inserted, but oldest ones will be deselected.
+   * For example, if checkboxes A, B and C have been selected and the max
+   * number of selections is 3, then selecting D will result in having
+   * B, C and D selected.
+   *
+   * # Example in template
+   * ```html
+   * <div x-data="{nbMax: 2}", x-limited-choices="nbMax">
+   *   <button @click="nbMax += 1">Click me to increase the limit</button>
+   *   <input type="checkbox" value="A" name="foo">
+   *   <input type="checkbox" value="B" name="foo">
+   *   <input type="checkbox" value="C" name="foo">
+   *   <input type="checkbox" value="D" name="foo">
+   * </div>
+   * ```
+   */
+  Alpine.directive(
+    "limited-choices",
+    (el, { expression }, { evaluateLater, effect }) => {
+      const getMaxChoices = evaluateLater(expression);
+      let maxChoices: number;
+      const inputs: HTMLInputElement[] = Array.from(
+        el.querySelectorAll("input[type='checkbox']"),
+      );
+      const checked = [] as HTMLInputElement[];
+
+      const manageDequeue = () => {
+        if (checked.length <= maxChoices) {
+          // There isn't too many checkboxes selected. Nothing to do
+          return;
+        }
+        const popped = checked.splice(0, checked.length - maxChoices);
+        for (const p of popped) {
+          p.checked = false;
+        }
+      };
+
+      for (const input of inputs) {
+        input.addEventListener("change", (_e) => {
+          if (input.checked) {
+            checked.push(input);
+          } else {
+            checked.splice(checked.indexOf(input), 1);
+          }
+          manageDequeue();
+        });
+      }
+      effect(() => {
+        getMaxChoices((value: string) => {
+          const previousValue = maxChoices;
+          maxChoices = Number.parseInt(value, 10);
+          if (maxChoices < previousValue) {
+            // The maximum number of selectable items has been lowered.
+            // Some currently selected elements may need to be removed
+            manageDequeue();
+          }
+        });
+      });
+    },
+  );
+}

core/static/bundled/core/components/ajax-select-base.ts

@@ -1,4 +1,3 @@
-import { inheritHtmlElement } from "#core:utils/web-components";
 import TomSelect from "tom-select";
 import type {
   RecursivePartial,
@@ -7,6 +6,7 @@ import type {
   TomSettings,
 } from "tom-select/dist/types/types";
 import type { escape_html } from "tom-select/dist/types/utils";
+import { inheritHtmlElement } from "#core:utils/web-components.ts";
 
 export class AutoCompleteSelectBase extends inheritHtmlElement("select") {
   static observedAttributes = [
@@ -29,7 +29,7 @@ export class AutoCompleteSelectBase extends inheritHtmlElement("select") {
   ) {
     switch (name) {
       case "delay": {
-        this.delay = Number.parseInt(newValue) ?? null;
+        this.delay = Number.parseInt(newValue, 10) ?? null;
         break;
       }
       case "placeholder": {
@@ -37,11 +37,11 @@ export class AutoCompleteSelectBase extends inheritHtmlElement("select") {
         break;
       }
       case "max": {
-        this.max = Number.parseInt(newValue) ?? null;
+        this.max = Number.parseInt(newValue, 10) ?? null;
         break;
       }
       case "min-characters-for-search": {
-        this.minCharNumberForSearch = Number.parseInt(newValue) ?? 0;
+        this.minCharNumberForSearch = Number.parseInt(newValue, 10) ?? 0;
         break;
       }
       default: {

core/static/bundled/core/components/ajax-select-index.ts

@@ -1,20 +1,19 @@
 import "tom-select/dist/css/tom-select.default.css";
-import { registerComponent } from "#core:utils/web-components";
 import type { TomOption } from "tom-select/dist/types/types";
 import type { escape_html } from "tom-select/dist/types/utils";
-import {
-  type GroupSchema,
-  type SithFileSchema,
-  type UserProfileSchema,
-  groupSearchGroup,
-  sithfileSearchFiles,
-  userSearchUsers,
-} from "#openapi";
-
 import {
   AjaxSelect,
   AutoCompleteSelectBase,
-} from "#core:core/components/ajax-select-base";
+} from "#core:core/components/ajax-select-base.ts";
+import { registerComponent } from "#core:utils/web-components.ts";
+import {
+  type GroupSchema,
+  groupSearchGroup,
+  type SithFileSchema,
+  sithfileSearchFiles,
+  type UserProfileSchema,
+  userSearchUsers,
+} from "#openapi";
 
 @registerComponent("autocomplete-select")
 export class AutoCompleteSelect extends AutoCompleteSelectBase {}

core/static/bundled/core/components/easymde-index.ts

@@ -1,14 +1,14 @@
 // biome-ignore lint/correctness/noUndeclaredDependencies: shipped by easymde
 import "codemirror/lib/codemirror.css";
 import "easymde/src/css/easymde.css";
-import { inheritHtmlElement, registerComponent } from "#core:utils/web-components";
 // biome-ignore lint/correctness/noUndeclaredDependencies: Imported by EasyMDE
 import type CodeMirror from "codemirror";
 // biome-ignore lint/style/useNamingConvention: This is how they called their namespace
 import EasyMDE from "easymde";
+import { inheritHtmlElement, registerComponent } from "#core:utils/web-components.ts";
 import {
-  type UploadUploadImageErrors,
   markdownRenderMarkdown,
+  type UploadUploadImageErrors,
   uploadUploadImage,
 } from "#openapi";
 

core/static/bundled/core/components/include-index.ts

@@ -1,4 +1,4 @@
-import { inheritHtmlElement, registerComponent } from "#core:utils/web-components";
+import { inheritHtmlElement, registerComponent } from "#core:utils/web-components.ts";
 
 /**
  * Web component used to import css files only once

core/static/bundled/core/components/nfc-input-index.ts

@@ -1,4 +1,4 @@
-import { inheritHtmlElement, registerComponent } from "#core:utils/web-components";
+import { inheritHtmlElement, registerComponent } from "#core:utils/web-components.ts";
 
 @registerComponent("nfc-input")
 export class NfcInput extends inheritHtmlElement("input") {

core/static/bundled/core/components/tabs-index.ts

@@ -1,6 +1,6 @@
-import { registerComponent } from "#core:utils/web-components";
 import { html, render } from "lit-html";
 import { unsafeHTML } from "lit-html/directives/unsafe-html.js";
+import { registerComponent } from "#core:utils/web-components.ts";
 
 @registerComponent("ui-tab")
 export class Tab extends HTMLElement {

core/static/bundled/core/dynamic-formset-index.ts

@@ -0,0 +1,77 @@
+interface Config {
+  /**
+   * The prefix of the formset, in case it has been changed.
+   * See https://docs.djangoproject.com/fr/stable/topics/forms/formsets/#customizing-a-formset-s-prefix
+   */
+  prefix?: string;
+}
+
+// biome-ignore lint/style/useNamingConvention: It's the DOM API naming
+type HTMLFormInputElement = HTMLInputElement | HTMLSelectElement | HTMLTextAreaElement;
+
+document.addEventListener("alpine:init", () => {
+  /**
+   * Alpine data element to allow the dynamic addition of forms to a formset.
+   *
+   * To use this, you need :
+   * - an HTML element containing the existing forms, noted by `x-ref="formContainer"`
+   * - a template containing the empty form
+   *   (that you can obtain jinja-side with `{{ formset.empty_form }}`),
+   *   noted by `x-ref="formTemplate"`
+   * - a button with `@click="addForm"`
+   * - you may also have one or more buttons with `@click="removeForm(element)"`,
+   *   where `element` is the HTML element containing the form.
+   *
+   * For an example of how this is used, you can have a look to
+   * `counter/templates/counter/product_form.jinja`
+   */
+  Alpine.data("dynamicFormSet", (config?: Config) => ({
+    init() {
+      this.formContainer = this.$refs.formContainer as HTMLElement;
+      this.nbForms = this.formContainer.children.length as number;
+      this.template = this.$refs.formTemplate as HTMLTemplateElement;
+      const prefix = config?.prefix ?? "form";
+      this.$root
+        .querySelector(`#id_${prefix}-TOTAL_FORMS`)
+        .setAttribute(":value", "nbForms");
+    },
+
+    addForm() {
+      this.formContainer.appendChild(document.importNode(this.template.content, true));
+      const newForm = this.formContainer.lastElementChild;
+      const inputs: NodeListOf<HTMLFormInputElement> = newForm.querySelectorAll(
+        "input, select, textarea",
+      );
+      for (const el of inputs) {
+        el.name = el.name.replace("__prefix__", this.nbForms.toString());
+        el.id = el.id.replace("__prefix__", this.nbForms.toString());
+      }
+      const labels: NodeListOf<HTMLLabelElement> = newForm.querySelectorAll("label");
+      for (const el of labels) {
+        el.htmlFor = el.htmlFor.replace("__prefix__", this.nbForms.toString());
+      }
+      inputs[0].focus();
+      this.nbForms += 1;
+    },
+
+    removeForm(container: HTMLDivElement) {
+      container.remove();
+      this.nbForms -= 1;
+      // adjust the id of remaining forms
+      for (let i = 0; i < this.nbForms; i++) {
+        const form: HTMLDivElement = this.formContainer.children[i];
+        const inputs: NodeListOf<HTMLFormInputElement> = form.querySelectorAll(
+          "input, select, textarea",
+        );
+        for (const el of inputs) {
+          el.name = el.name.replace(/\d+/, i.toString());
+          el.id = el.id.replace(/\d+/, i.toString());
+        }
+        const labels: NodeListOf<HTMLLabelElement> = form.querySelectorAll("label");
+        for (const el of labels) {
+          el.htmlFor = el.htmlFor.replace(/\d+/, i.toString());
+        }
+      }
+    },
+  }));
+});

core/static/bundled/core/navbar-index.ts

@@ -1,4 +1,4 @@
-import { exportToHtml } from "#core:utils/globals";
+import { exportToHtml } from "#core:utils/globals.ts";
 
 exportToHtml("showMenu", () => {
   const navbar = document.getElementById("navbar-content");

core/static/bundled/core/read-more-index.ts

@@ -26,7 +26,7 @@ function showMore(element: HTMLElement) {
   const fullContent = element.innerHTML;
   const clippedContent = clip(
     element.innerHTML,
-    Number.parseInt(element.getAttribute("show-more") as string),
+    Number.parseInt(element.getAttribute("show-more") as string, 10),
     {
       html: true,
     },

core/static/bundled/core/tooltips-index.ts

@@ -1,9 +1,9 @@
 import {
-  type Placement,
   autoPlacement,
   computePosition,
   flip,
   offset,
+  type Placement,
   size,
 } from "@floating-ui/dom";
 

core/static/bundled/htmx-index.js

@@ -1,11 +1,11 @@
 import htmx from "htmx.org";
 
 document.body.addEventListener("htmx:beforeRequest", (event) => {
-  event.target.ariaBusy = true;
+  event.detail.target.ariaBusy = true;
 });
 
-document.body.addEventListener("htmx:afterRequest", (event) => {
-  event.originalTarget.ariaBusy = null;
+document.body.addEventListener("htmx:beforeSwap", (event) => {
+  event.detail.target.ariaBusy = null;
 });
 
 Object.assign(window, { htmx });

core/static/bundled/sentry-popup-index.ts

@@ -1,6 +1,6 @@
-import { exportToHtml } from "#core:utils/globals";
-// biome-ignore lint/style/noNamespaceImport: this is the recommended way from the documentation
+// biome-ignore lint/performance/noNamespaceImport: this is the recommended way from the documentation
 import * as Sentry from "@sentry/browser";
+import { exportToHtml } from "#core:utils/globals.ts";
 
 interface LoggedUser {
   name: string;

core/static/bundled/types/web-nfc.d.ts

@@ -8,7 +8,6 @@
 
 // This has been modified to not trigger biome linting
 
-// biome-ignore lint/correctness/noUnusedVariables: this is the official definition
 interface Window {
   // biome-ignore lint/style/useNamingConvention: this is the official API name
   NDEFMessage: NDEFMessage;
@@ -28,7 +27,6 @@ declare interface NDEFMessageInit {
 // biome-ignore lint/style/useNamingConvention: this is the official API name
 declare type NDEFRecordDataSource = string | BufferSource | NDEFMessageInit;
 
-// biome-ignore lint/correctness/noUnusedVariables: this is the official definition
 interface Window {
   // biome-ignore lint/style/useNamingConvention: this is the official API name
   NDEFRecord: NDEFRecord;
@@ -74,7 +72,6 @@ declare class NDEFReader extends EventTarget {
   makeReadOnly: (options?: NDEFMakeReadOnlyOptions) => Promise<void>;
 }
 
-// biome-ignore lint/correctness/noUnusedVariables: this is the official definition
 interface Window {
   // biome-ignore lint/style/useNamingConvention: this is the official API name
   NDEFReadingEvent: NDEFReadingEvent;

core/static/bundled/user/family-graph-index.ts

@@ -1,4 +1,3 @@
-import { History, initialUrlParams, updateQueryString } from "#core:utils/history";
 import cytoscape, {
   type ElementDefinition,
   type NodeSingular,
@@ -6,7 +5,8 @@ import cytoscape, {
 } from "cytoscape";
 import cxtmenu from "cytoscape-cxtmenu";
 import klay, { type KlayLayoutOptions } from "cytoscape-klay";
-import { type UserProfileSchema, familyGetFamilyGraph } from "#openapi";
+import { History, initialUrlParams, updateQueryString } from "#core:utils/history.ts";
+import { familyGetFamilyGraph, type UserProfileSchema } from "#openapi";
 
 cytoscape.use(klay);
 cytoscape.use(cxtmenu);
@@ -200,7 +200,7 @@ document.addEventListener("alpine:init", () => {
     isZoomEnabled: !isMobile(),
 
     getInitialDepth(prop: string) {
-      const value = Number.parseInt(initialUrlParams.get(prop));
+      const value = Number.parseInt(initialUrlParams.get(prop), 10);
       if (Number.isNaN(value) || value < config.depthMin || value > config.depthMax) {
         return defaultDepth;
       }

core/static/bundled/utils/api.ts

@@ -1,5 +1,5 @@
+import { client, type Options } from "#openapi";
 import type { Client, RequestResult, TDataShape } from "#openapi:client";
-import { type Options, client } from "#openapi";
 
 export interface PaginatedResponse<T> {
   count: number;

core/static/bundled/utils/csv.ts

@@ -1,4 +1,4 @@
-import type { NestedKeyOf } from "#core:utils/types";
+import type { NestedKeyOf } from "#core:utils/types.ts";
 
 interface StringifyOptions<T extends object> {
   /** The columns to include in the resulting CSV. */

core/static/bundled/utils/notifications.ts

@@ -0,0 +1,36 @@
+export enum NotificationLevel {
+  Error = "error",
+  Warning = "warning",
+  Success = "success",
+}
+
+export function createNotification(message: string, level: NotificationLevel) {
+  const element = document.getElementById("quick-notifications");
+  if (element === null) {
+    return false;
+  }
+  return element.dispatchEvent(
+    new CustomEvent("quick-notification-add", {
+      detail: { text: message, tag: level },
+    }),
+  );
+}
+
+export function deleteNotifications() {
+  const element = document.getElementById("quick-notifications");
+  if (element === null) {
+    return false;
+  }
+  return element.dispatchEvent(new CustomEvent("quick-notification-delete"));
+}
+
+export function alpinePlugin() {
+  return {
+    error: (message: string) => createNotification(message, NotificationLevel.Error),
+    warning: (message: string) =>
+      createNotification(message, NotificationLevel.Warning),
+    success: (message: string) =>
+      createNotification(message, NotificationLevel.Success),
+    clear: () => deleteNotifications(),
+  };
+}