[UPDATE] Update cryptography requirement

Updates the requirements on [cryptography](https://github.com/pyca/cryptography) to permit the latest version.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/45.0.3...46.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/auto_assign.yml

@@ -6,7 +6,7 @@ addAssignees: author
 
 # A list of team reviewers to be added to pull requests (GitHub team slug)
 reviewers:
-  - ae-utbm/sith-3-developers
+  - ae-utbm/developpeurs
 
 # Number of reviewers has no impact on GitHub teams
 # Set 0 to add all the reviewers (default: 0)

.github/dependabot.yml

@@ -16,7 +16,16 @@ multi-ecosystem-groups:
 
 updates:
   - package-ecosystem: "uv"
+    patterns: ["*"]
     multi-ecosystem-group: "common"
 
   - package-ecosystem: "npm"
+    patterns: ["*"]
     multi-ecosystem-group: "common"
+    groups:
+      # npm supports production and development groups, but not uv
+      # cf. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-groups
+      main-deps:
+        dependency-type: "production"
+      dev-deps:
+        dependency-type: "development"

club/migrations/0012_club_board_group_club_members_group.py

@@ -34,12 +34,10 @@ def migrate_meta_groups(apps: StateApps, schema_editor):
     clubs = list(Club.objects.all())
     for club in clubs:
         club.board_group = meta_groups.get_or_create(
-            name=club.unix_name + settings.SITH_BOARD_SUFFIX,
-            defaults={"is_meta": True},
+            name=f"{club.unix_name}-bureau", defaults={"is_meta": True}
         )[0]
         club.members_group = meta_groups.get_or_create(
-            name=club.unix_name + settings.SITH_MEMBER_SUFFIX,
-            defaults={"is_meta": True},
+            name=f"{club.unix_name}-membres", defaults={"is_meta": True}
         )[0]
         club.save()
         club.refresh_from_db()

club/models.py

@@ -42,6 +42,13 @@ from core.fields import ResizedImageField
 from core.models import Group, Notification, Page, SithFile, User
 
 
+class ClubQuerySet(models.QuerySet):
+    def having_board_member(self, user: User) -> Self:
+        """Filter all club in which the given user is a board member."""
+        active_memberships = user.memberships.board().ongoing()
+        return self.filter(Exists(active_memberships.filter(club=OuterRef("pk"))))
+
+
 class Club(models.Model):
     """The Club class, made as a tree to allow nice tidy organization."""
 
@@ -91,6 +98,8 @@ class Club(models.Model):
         Group, related_name="club_board", on_delete=models.PROTECT
     )
 
+    objects = ClubQuerySet.as_manager()
+
     class Meta:
         ordering = ["name"]
 

club/tests/test_club.py

@@ -0,0 +1,27 @@
+from datetime import timedelta
+
+import pytest
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from core.baker_recipes import subscriber_user
+
+
+@pytest.mark.django_db
+def test_club_queryset_having_board_member():
+    clubs = baker.make(Club, _quantity=5)
+    user = subscriber_user.make()
+    membership_recipe = Recipe(
+        Membership, user=user, start_date=localdate() - timedelta(days=3)
+    )
+    membership_recipe.make(club=clubs[0], role=1)
+    membership_recipe.make(club=clubs[1], role=3)
+    membership_recipe.make(club=clubs[2], role=7)
+    membership_recipe.make(
+        club=clubs[3], role=3, end_date=localdate() - timedelta(days=1)
+    )
+
+    club_ids = Club.objects.having_board_member(user).values_list("id", flat=True)
+    assert set(club_ids) == {clubs[1].id, clubs[2].id}

club/tests/test_posters.py

@@ -0,0 +1,35 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from club.models import Club
+from com.models import Poster
+from core.baker_recipes import subscriber_user
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("route_url", ["club:poster_list", "club:poster_create"])
+def test_access(client: Client, route_url):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    url = reverse(route_url, kwargs={"club_id": club.id})
+
+    client.force_login(user)
+    assert client.get(url).status_code == 403
+    club.board_group.users.add(user)
+    assert client.get(url).status_code == 200
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("route_url", ["club:poster_edit", "club:poster_delete"])
+def test_access_specific_poster(client: Client, route_url):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    poster = baker.make(Poster)
+    url = reverse(route_url, kwargs={"club_id": club.id, "poster_id": poster.id})
+
+    client.force_login(user)
+    assert client.get(url).status_code == 403
+    club.board_group.users.add(user)
+    assert client.get(url).status_code == 200

club/views.py

@@ -51,13 +51,17 @@ from club.forms import (
     SellingsForm,
 )
 from club.models import Club, Mailing, MailingSubscription, Membership
+from com.models import Poster
 from com.views import (
     PosterCreateBaseView,
     PosterDeleteBaseView,
     PosterEditBaseView,
     PosterListBaseView,
 )
-from core.auth.mixins import CanCreateMixin, CanEditMixin, CanViewMixin
+from core.auth.mixins import (
+    CanEditMixin,
+    CanViewMixin,
+)
 from core.models import PageRev
 from core.views import DetailFormView, PageEditViewBase
 from core.views.mixins import TabedViewMixin
@@ -66,9 +70,12 @@ from counter.models import Selling
 
 class ClubTabsMixin(TabedViewMixin):
     def get_tabs_title(self):
-        obj = self.get_object()
-        if isinstance(obj, PageRev):
-            self.object = obj.page.club
+        if not hasattr(self, "object") or not self.object:
+            self.object = self.get_object()
+        if isinstance(self.object, PageRev):
+            self.object = self.object.page.club
+        elif isinstance(self.object, Poster):
+            self.object = self.object.club
         return self.object.get_display_name()
 
     def get_list_of_tabs(self):
@@ -159,7 +166,7 @@ class ClubTabsMixin(TabedViewMixin):
                             "club:poster_list", kwargs={"club_id": self.object.id}
                         ),
                         "slug": "posters",
-                        "name": _("Posters list"),
+                        "name": _("Posters"),
                     },
                 ]
             )
@@ -686,48 +693,45 @@ class MailingAutoGenerationView(View):
         return redirect("club:mailing", club_id=club.id)
 
 
-class PosterListView(ClubTabsMixin, PosterListBaseView, CanViewMixin):
+class PosterListView(ClubTabsMixin, PosterListBaseView):
     """List communication posters."""
 
+    current_tab = "posters"
+    extra_context = {"app": "club"}
+
+    def get_queryset(self):
+        return super().get_queryset().filter(club=self.club.id)
+
     def get_object(self):
         return self.club
 
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "club"
-        kwargs["club"] = self.club
-        return kwargs
 
-
-class PosterCreateView(PosterCreateBaseView, CanCreateMixin):
+class PosterCreateView(ClubTabsMixin, PosterCreateBaseView):
     """Create communication poster."""
 
-    pk_url_kwarg = "club_id"
-
-    def get_object(self):
-        obj = super().get_object()
-        if not obj:
-            return self.club
-        return obj
+    current_tab = "posters"
 
     def get_success_url(self, **kwargs):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})
 
+    def get_object(self, *args, **kwargs):
+        return self.club
 
-class PosterEditView(ClubTabsMixin, PosterEditBaseView, CanEditMixin):
+
+class PosterEditView(ClubTabsMixin, PosterEditBaseView):
     """Edit communication poster."""
 
+    current_tab = "posters"
+    extra_context = {"app": "club"}
+
     def get_success_url(self):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})
 
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "club"
-        return kwargs
 
-
-class PosterDeleteView(PosterDeleteBaseView, ClubTabsMixin, CanEditMixin):
+class PosterDeleteView(ClubTabsMixin, PosterDeleteBaseView):
     """Delete communication poster."""
 
+    current_tab = "posters"
+
     def get_success_url(self):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})

com/forms.py

@@ -2,7 +2,6 @@ from datetime import date
 
 from dateutil.relativedelta import relativedelta
 from django import forms
-from django.db.models import Exists, OuterRef
 from django.forms import CheckboxInput
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -35,20 +34,18 @@ class PosterForm(forms.ModelForm):
         label=_("Start date"),
         widget=SelectDateTime,
         required=True,
-        initial=timezone.now().strftime("%Y-%m-%d %H:%M:%S"),
+        initial=timezone.now(),
     )
     date_end = forms.DateTimeField(
         label=_("End date"), widget=SelectDateTime, required=False
     )
 
-    def __init__(self, *args, **kwargs):
-        self.user = kwargs.pop("user", None)
+    def __init__(self, *args, user: User, **kwargs):
         super().__init__(*args, **kwargs)
-        if self.user and not self.user.is_com_admin:
-            self.fields["club"].queryset = Club.objects.filter(
-                id__in=self.user.clubs_with_rights
-            )
-            self.fields.pop("display_time")
+        if user.is_root or user.is_com_admin:
+            self.fields["club"].widget = AutoCompleteSelectClub()
+        else:
+            self.fields["club"].queryset = Club.objects.having_board_member(user)
 
 
 class NewsDateForm(forms.ModelForm):
@@ -161,16 +158,9 @@ class NewsForm(forms.ModelForm):
         # if the author is an admin, he/she can choose any club,
         # otherwise, only clubs for which he/she is a board member can be selected
         if author.is_root or author.is_com_admin:
-            self.fields["club"] = forms.ModelChoiceField(
-                queryset=Club.objects.all(), widget=AutoCompleteSelectClub
-            )
+            self.fields["club"].widget = AutoCompleteSelectClub()
         else:
-            active_memberships = author.memberships.board().ongoing()
-            self.fields["club"] = forms.ModelChoiceField(
-                queryset=Club.objects.filter(
-                    Exists(active_memberships.filter(club=OuterRef("pk")))
-                )
-            )
+            self.fields["club"].queryset = Club.objects.having_board_member(author)
 
     def is_valid(self):
         return super().is_valid() and self.date_form.is_valid()

com/models.py

@@ -412,17 +412,5 @@ class Poster(models.Model):
         if self.date_end and self.date_begin > self.date_end:
             raise ValidationError(_("Begin date should be before end date"))
 
-    def is_owned_by(self, user):
-        if user.is_anonymous:
-            return False
-        return user.is_com_admin or len(user.clubs_with_rights) > 0
-
-    def can_be_moderated_by(self, user):
-        return user.is_com_admin
-
     def get_display_name(self):
         return self.club.get_display_name()
-
-    @property
-    def page(self):
-        return self.club.page

com/tests/test_views.py

@@ -18,17 +18,16 @@ from unittest.mock import patch
 import pytest
 from django.conf import settings
 from django.contrib.sites.models import Site
-from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils import html
-from django.utils.timezone import localtime, now
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from model_bakery import baker
 from pytest_django.asserts import assertNumQueries, assertRedirects
 
 from club.models import Club, Membership
-from com.models import News, NewsDate, Poster, Sith, Weekmail, WeekmailArticle
+from com.models import News, NewsDate, Sith, Weekmail, WeekmailArticle
 from core.baker_recipes import subscriber_user
 from core.models import AnonymousUser, Group, User
 
@@ -207,31 +206,6 @@ class TestWeekmailArticle(TestCase):
         assert not self.article.is_owned_by(self.sli)
 
 
-class TestPoster(TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        cls.com_admin = User.objects.get(username="comunity")
-        cls.poster = Poster.objects.create(
-            name="dummy",
-            file=SimpleUploadedFile("dummy.jpg", b"azertyuiop"),
-            club=Club.objects.first(),
-            date_begin=localtime(now()),
-        )
-        cls.sli = User.objects.get(username="sli")
-        cls.sli.memberships.all().delete()
-        Membership(user=cls.sli, club=Club.objects.first(), role=5).save()
-        cls.susbcriber = User.objects.get(username="subscriber")
-        cls.anonymous = AnonymousUser()
-
-    def test_poster_owner(self):
-        """Test that poster are owned by com admins and board members in clubs."""
-        assert self.poster.is_owned_by(self.com_admin)
-        assert not self.poster.is_owned_by(self.anonymous)
-
-        assert not self.poster.is_owned_by(self.susbcriber)
-        assert self.poster.is_owned_by(self.sli)
-
-
 class TestNewsCreation(TestCase):
     @classmethod
     def setUpTestData(cls):

com/views.py

@@ -28,7 +28,9 @@ from typing import Any
 
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
-from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin,
+)
 from django.contrib.syndication.views import Feed
 from django.core.exceptions import PermissionDenied, ValidationError
 from django.db.models import Max
@@ -50,6 +52,7 @@ from core.auth.mixins import (
     CanEditPropMixin,
     CanViewMixin,
     PermissionOrAuthorRequiredMixin,
+    PermissionOrClubBoardRequiredMixin,
 )
 from core.models import User
 from core.views.mixins import QuickNotifMixin, TabedViewMixin
@@ -99,13 +102,6 @@ class ComTabsMixin(TabedViewMixin):
         ]
 
 
-class IsComAdminMixin(AccessMixin):
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_com_admin:
-            raise PermissionDenied
-        return super().dispatch(request, *args, **kwargs)
-
-
 class ComEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     model = Sith
     template_name = "core/edit.jinja"
@@ -558,161 +554,109 @@ class MailingModerateView(View):
         raise PermissionDenied
 
 
-class PosterAdminViewMixin(IsComAdminMixin, ComTabsMixin):
-    current_tab = "posters"
-
-
-class PosterListBaseView(PosterAdminViewMixin, ListView):
+class PosterListBaseView(PermissionOrClubBoardRequiredMixin, ListView):
     """List communication posters."""
 
-    current_tab = "posters"
     model = Poster
     template_name = "com/poster_list.jinja"
-
-    def dispatch(self, request, *args, **kwargs):
-        club_id = kwargs.pop("club_id", None)
-        self.club = None
-        if club_id:
-            self.club = get_object_or_404(Club, pk=club_id)
-        return super().dispatch(request, *args, **kwargs)
-
-    def get_queryset(self):
-        if self.request.user.is_com_admin:
-            return Poster.objects.all().order_by("-date_begin")
-        else:
-            return Poster.objects.filter(club=self.club.id)
+    permission_required = "com.view_poster"
+    ordering = ["-date_begin"]
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if not self.request.user.is_com_admin:
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
 
-class PosterCreateBaseView(PosterAdminViewMixin, CreateView):
+class PosterCreateBaseView(PermissionOrClubBoardRequiredMixin, CreateView):
     """Create communication poster."""
 
-    current_tab = "posters"
     form_class = PosterForm
     template_name = "core/create.jinja"
+    permission_required = "com.add_poster"
 
     def get_queryset(self):
         return Poster.objects.all()
 
-    def dispatch(self, request, *args, **kwargs):
-        if "club_id" in kwargs:
-            self.club = get_object_or_404(Club, pk=kwargs["club_id"])
-        return super().dispatch(request, *args, **kwargs)
-
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs.update({"user": self.request.user})
-        return kwargs
+        return super().get_form_kwargs() | {"user": self.request.user}
+
+    def get_initial(self):
+        return {"club": self.club}
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if not self.request.user.is_com_admin:
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
     def form_valid(self, form):
-        if self.request.user.is_com_admin:
+        if self.request.user.has_perm("com.moderate_poster"):
             form.instance.is_moderated = True
         return super().form_valid(form)
 
 
-class PosterEditBaseView(PosterAdminViewMixin, UpdateView):
+class PosterEditBaseView(PermissionOrClubBoardRequiredMixin, UpdateView):
     """Edit communication poster."""
 
     pk_url_kwarg = "poster_id"
-    current_tab = "posters"
     form_class = PosterForm
     template_name = "com/poster_edit.jinja"
-
-    def get_initial(self):
-        return {
-            "date_begin": self.object.date_begin.strftime("%Y-%m-%d %H:%M:%S")
-            if self.object.date_begin
-            else None,
-            "date_end": self.object.date_end.strftime("%Y-%m-%d %H:%M:%S")
-            if self.object.date_end
-            else None,
-        }
-
-    def dispatch(self, request, *args, **kwargs):
-        if kwargs.get("club_id"):
-            try:
-                self.club = Club.objects.get(pk=kwargs["club_id"])
-            except Club.DoesNotExist as e:
-                raise PermissionDenied from e
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.change_poster"
 
     def get_queryset(self):
         return Poster.objects.all()
 
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs.update({"user": self.request.user})
-        return kwargs
+        return super().get_form_kwargs() | {"user": self.request.user}
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if hasattr(self, "club"):
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
     def form_valid(self, form):
-        if self.request.user.is_com_admin:
+        if not self.request.user.has_perm("com.moderate_poster"):
             form.instance.is_moderated = False
         return super().form_valid(form)
 
 
-class PosterDeleteBaseView(PosterAdminViewMixin, DeleteView):
+class PosterDeleteBaseView(
+    PermissionOrClubBoardRequiredMixin, ComTabsMixin, DeleteView
+):
     """Edit communication poster."""
 
     pk_url_kwarg = "poster_id"
     current_tab = "posters"
     model = Poster
     template_name = "core/delete_confirm.jinja"
-
-    def dispatch(self, request, *args, **kwargs):
-        if kwargs.get("club_id"):
-            try:
-                self.club = Club.objects.get(pk=kwargs["club_id"])
-            except Club.DoesNotExist as e:
-                raise PermissionDenied from e
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.delete_poster"
 
 
-class PosterListView(PosterListBaseView):
+class PosterListView(ComTabsMixin, PosterListBaseView):
     """List communication posters."""
 
+    current_tab = "posters"
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+        if self.request.user.has_perm("com.view_poster"):
+            return qs
+        return qs.filter(club=self.club.id)
+
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         kwargs["app"] = "com"
         return kwargs
 
 
-class PosterCreateView(PosterCreateBaseView):
+class PosterCreateView(ComTabsMixin, PosterCreateBaseView):
     """Create communication poster."""
 
+    current_tab = "posters"
     success_url = reverse_lazy("com:poster_list")
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    extra_context = {"app": "com"}
 
 
-class PosterEditView(PosterEditBaseView):
+class PosterEditView(ComTabsMixin, PosterEditBaseView):
     """Edit communication poster."""
 
+    current_tab = "posters"
     success_url = reverse_lazy("com:poster_list")
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    extra_context = {"app": "com"}
 
 
 class PosterDeleteView(PosterDeleteBaseView):
@@ -721,44 +665,39 @@ class PosterDeleteView(PosterDeleteBaseView):
     success_url = reverse_lazy("com:poster_list")
 
 
-class PosterModerateListView(PosterAdminViewMixin, ListView):
+class PosterModerateListView(PermissionRequiredMixin, ComTabsMixin, ListView):
     """Moderate list communication poster."""
 
     current_tab = "posters"
     model = Poster
     template_name = "com/poster_moderate.jinja"
     queryset = Poster.objects.filter(is_moderated=False).all()
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    permission_required = "com.moderate_poster"
+    extra_context = {"app": "com"}
 
 
-class PosterModerateView(PosterAdminViewMixin, View):
+class PosterModerateView(PermissionRequiredMixin, ComTabsMixin, View):
     """Moderate communication poster."""
 
+    current_tab = "posters"
+    permission_required = "com.moderate_poster"
+    extra_context = {"app": "com"}
+
     def get(self, request, *args, **kwargs):
         obj = get_object_or_404(Poster, pk=kwargs["object_id"])
-        if obj.can_be_moderated_by(request.user):
-            obj.is_moderated = True
-            obj.moderator = request.user
-            obj.save()
-            return redirect("com:poster_moderate_list")
-        raise PermissionDenied
-
-    def get_context_data(self, **kwargs):
-        kwargs = super(PosterModerateListView, self).get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+        obj.is_moderated = True
+        obj.moderator = request.user
+        obj.save()
+        return redirect("com:poster_moderate_list")
 
 
-class ScreenListView(IsComAdminMixin, ComTabsMixin, ListView):
+class ScreenListView(PermissionRequiredMixin, ComTabsMixin, ListView):
     """List communication screens."""
 
     current_tab = "screens"
     model = Screen
     template_name = "com/screen_list.jinja"
+    permission_required = "com.view_screen"
 
 
 class ScreenSlideshowView(DetailView):
@@ -769,12 +708,12 @@ class ScreenSlideshowView(DetailView):
     template_name = "com/screen_slideshow.jinja"
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["posters"] = self.object.active_posters()
-        return kwargs
+        return super().get_context_data(**kwargs) | {
+            "posters": self.object.active_posters()
+        }
 
 
-class ScreenCreateView(IsComAdminMixin, ComTabsMixin, CreateView):
+class ScreenCreateView(PermissionRequiredMixin, ComTabsMixin, CreateView):
     """Create communication screen."""
 
     current_tab = "screens"
@@ -782,9 +721,10 @@ class ScreenCreateView(IsComAdminMixin, ComTabsMixin, CreateView):
     fields = ["name"]
     template_name = "core/create.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.add_screen"
 
 
-class ScreenEditView(IsComAdminMixin, ComTabsMixin, UpdateView):
+class ScreenEditView(PermissionRequiredMixin, ComTabsMixin, UpdateView):
     """Edit communication screen."""
 
     pk_url_kwarg = "screen_id"
@@ -793,9 +733,10 @@ class ScreenEditView(IsComAdminMixin, ComTabsMixin, UpdateView):
     fields = ["name"]
     template_name = "com/screen_edit.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.change_screen"
 
 
-class ScreenDeleteView(IsComAdminMixin, ComTabsMixin, DeleteView):
+class ScreenDeleteView(PermissionRequiredMixin, ComTabsMixin, DeleteView):
     """Delete communication screen."""
 
     pk_url_kwarg = "screen_id"
@@ -803,3 +744,4 @@ class ScreenDeleteView(IsComAdminMixin, ComTabsMixin, DeleteView):
     model = Screen
     template_name = "core/delete_confirm.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.delete_screen"

core/api.py

@@ -25,6 +25,7 @@ from core.schemas import (
     UserFamilySchema,
     UserFilterSchema,
     UserProfileSchema,
+    UserSchema,
 )
 from core.templatetags.renderer import markdown
 
@@ -69,16 +70,22 @@ class MailingListController(ControllerBase):
         return data
 
 
-@api_controller("/user", permissions=[CanAccessLookup])
+@api_controller("/user")
 class UserController(ControllerBase):
-    @route.get("", response=list[UserProfileSchema])
+    @route.get("", response=list[UserProfileSchema], permissions=[CanAccessLookup])
     def fetch_profiles(self, pks: Query[set[int]]):
         return User.objects.filter(pk__in=pks)
 
+    @route.get("/{int:user_id}", response=UserSchema, permissions=[CanView])
+    def fetch_user(self, user_id: int):
+        """Fetch a single user"""
+        return self.get_object_or_exception(User, id=user_id)
+
     @route.get(
         "/search",
         response=PaginatedResponseSchema[UserProfileSchema],
         url_name="search_users",
+        permissions=[CanAccessLookup],
     )
     @paginate(PageNumberPaginationExtra, page_size=20)
     def search_users(self, filters: Query[UserFilterSchema]):

core/auth/mixins.py

@@ -29,8 +29,14 @@ from typing import TYPE_CHECKING, Any, LiteralString
 
 from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
+from django.http import Http404
+from django.shortcuts import get_object_or_404
+from django.utils.functional import cached_property
+from django.utils.translation import gettext as _
 from django.views.generic.base import View
 
+from club.models import Club
+
 if TYPE_CHECKING:
     from django.db.models import Model
 
@@ -297,3 +303,50 @@ class PermissionOrAuthorRequiredMixin(PermissionRequiredMixin):
             self.author_field += "_id"
         author_id = getattr(obj, self.author_field, None)
         return author_id == self.request.user.id
+
+
+class PermissionOrClubBoardRequiredMixin(PermissionRequiredMixin):
+    """Require that the user has the required perm or is the board of the club.
+
+    This mixin can be used in any view that is called from a url
+    having a `club_id` kwarg.
+
+    Example:
+
+        In `urls.py` :
+        ```python
+        urlpatterns = [
+            path("foo/<int:club_id>/bar/", FooView.as_view())
+        ]
+        ```
+
+        In `views.py` :
+
+        ```python
+        # this view is available to users that either have the
+        # "foo.view_foo" permission or are in the board of the club
+        # which id was given in the url
+        class FooView(PermissionOrClubBoardRequiredMixin, View):
+            permission_required = "foo.view_foo"
+        ```
+    """
+
+    club_pk_url_kwarg = "club_id"
+
+    @cached_property
+    def club(self):
+        club_id: str | int = self.kwargs.pop(self.club_pk_url_kwarg, None)
+        if club_id is None:
+            return None
+        if isinstance(club_id, int) or club_id.isdigit():
+            return get_object_or_404(Club, pk=club_id)
+        raise Http404(_("No club found with id %(id)s") % {"id": club_id})
+
+    def has_permission(self):
+        if self.request.user.is_anonymous:
+            return False
+        if super().has_permission():
+            return True
+        return self.club is not None and any(
+            g.id == self.club.board_group_id for g in self.request.user.cached_groups
+        )

core/management/commands/populate_more.py

@@ -94,7 +94,11 @@ class Command(BaseCommand):
                 username=self.faker.user_name(),
                 first_name=self.faker.first_name(),
                 last_name=self.faker.last_name(),
-                date_of_birth=self.faker.date_of_birth(minimum_age=15, maximum_age=25),
+                date_of_birth=(
+                    None
+                    if random.random() < 0.2
+                    else self.faker.date_of_birth(minimum_age=15, maximum_age=25)
+                ),
                 email=self.faker.email(),
                 phone=self.faker.phone_number(),
                 address=self.faker.address(),

core/models.py

@@ -560,7 +560,7 @@ class User(AbstractUser):
         """Determine if the object is owned by the user."""
         if hasattr(obj, "is_owned_by") and obj.is_owned_by(self):
             return True
-        if hasattr(obj, "owner_group") and self.is_in_group(pk=obj.owner_group.id):
+        if hasattr(obj, "owner_group") and self.is_in_group(pk=obj.owner_group_id):
             return True
         return self.is_root
 
@@ -569,9 +569,15 @@ class User(AbstractUser):
         if hasattr(obj, "can_be_edited_by") and obj.can_be_edited_by(self):
             return True
         if hasattr(obj, "edit_groups"):
-            for pk in obj.edit_groups.values_list("pk", flat=True):
-                if self.is_in_group(pk=pk):
-                    return True
+            if (
+                hasattr(obj, "_prefetched_objects_cache")
+                and "edit_groups" in obj._prefetched_objects_cache
+            ):
+                pks = [g.id for g in obj.edit_groups.all()]
+            else:
+                pks = list(obj.edit_groups.values_list("id", flat=True))
+            if any(self.is_in_group(pk=pk) for pk in pks):
+                return True
         if isinstance(obj, User) and obj == self:
             return True
         return self.is_owner(obj)
@@ -581,9 +587,18 @@ class User(AbstractUser):
         if hasattr(obj, "can_be_viewed_by") and obj.can_be_viewed_by(self):
             return True
         if hasattr(obj, "view_groups"):
-            for pk in obj.view_groups.values_list("pk", flat=True):
-                if self.is_in_group(pk=pk):
-                    return True
+            # if "view_groups" has already been prefetched, use
+            # the prefetch cache, else fetch only the ids, to make
+            # the query lighter.
+            if (
+                hasattr(obj, "_prefetched_objects_cache")
+                and "view_groups" in obj._prefetched_objects_cache
+            ):
+                pks = [g.id for g in obj.view_groups.all()]
+            else:
+                pks = list(obj.view_groups.values_list("id", flat=True))
+            if any(self.is_in_group(pk=pk) for pk in pks):
+                return True
         return self.can_edit(obj)
 
     def can_be_edited_by(self, user):
@@ -1384,9 +1399,9 @@ class Page(models.Model):
 
     @cached_property
     def is_club_page(self):
-        club_root_page = Page.objects.filter(name=settings.SITH_CLUB_ROOT_PAGE).first()
-        return club_root_page is not None and (
-            self == club_root_page or club_root_page in self.get_parent_list()
+        return (
+            self.name == settings.SITH_CLUB_ROOT_PAGE
+            or settings.SITH_CLUB_ROOT_PAGE in [p.name for p in self.get_parent_list()]
         )
 
     @cached_property

core/schemas.py

@@ -34,6 +34,22 @@ class SimpleUserSchema(ModelSchema):
         fields = ["id", "nick_name", "first_name", "last_name"]
 
 
+class UserSchema(ModelSchema):
+    class Meta:
+        model = User
+        fields = [
+            "id",
+            "nick_name",
+            "first_name",
+            "last_name",
+            "date_of_birth",
+            "email",
+            "role",
+            "quote",
+            "promo",
+        ]
+
+
 class UserProfileSchema(ModelSchema):
     """The necessary information to show a user profile"""
 

core/static/core/style.scss

@@ -514,10 +514,6 @@ th {
   text-align: center;
   padding: 5px 10px;
 
-  >input[type="checkbox"] {
-    padding: unset;
-  }
-
   >ul {
     margin-top: 0;
   }

core/templates/core/page_list.jinja

@@ -5,16 +5,12 @@
 {% endblock %}
 
 {% block content %}
-  {% if page_list %}
-    <h3>{% trans %}Page list{% endtrans %}</h3>
-    <ul>
-      {% for p in page_list %}
-        <li><a href="{{ p.get_absolute_url() }}">{{ p.get_display_name() }}</a></li>
-      {% endfor %}
-    </ul>
-  {% else %}
-    {% trans %}There is no page in this website.{% endtrans %}
-  {% endif %}
+  <h3>{% trans %}Page list{% endtrans %}</h3>
+  <ul>
+    {% for p in page_list %}
+      <li><a href="{{ p.get_absolute_url() }}">{{ p.display_name }}</a></li>
+    {% endfor %}
+  </ul>
 {% endblock %}
 
 

core/views/page.py

@@ -12,7 +12,10 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+
 from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.db.models import F, OuterRef, Subquery
+from django.db.models.functions import Coalesce
 
 # This file contains all the views that concern the page model
 from django.forms.models import modelform_factory
@@ -43,6 +46,20 @@ class CanEditPagePropMixin(CanEditPropMixin):
 class PageListView(CanViewMixin, ListView):
     model = Page
     template_name = "core/page_list.jinja"
+    queryset = (
+        Page.objects.annotate(
+            display_name=Coalesce(
+                Subquery(
+                    PageRev.objects.filter(page=OuterRef("id"))
+                    .order_by("-date")
+                    .values("title")[:1]
+                ),
+                F("name"),
+            )
+        )
+        .prefetch_related("view_groups")
+        .select_related("parent")
+    )
 
 
 class PageView(CanViewMixin, DetailView):

counter/forms.py

@@ -5,7 +5,6 @@ from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 from phonenumber_field.widgets import RegionalPhoneNumberWidget
 
-from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
 from core.models import User
 from core.views.forms import NFCTextInput, SelectDate, SelectDateTime
@@ -20,7 +19,6 @@ from counter.models import (
     Counter,
     Customer,
     Eticket,
-    InvoiceCall,
     Product,
     Refilling,
     ReturnableProduct,
@@ -375,39 +373,3 @@ class BaseBasketForm(forms.BaseFormSet):
 BasketForm = forms.formset_factory(
     ProductForm, formset=BaseBasketForm, absolute_max=None, min_num=1
 )
-
-
-class InvoiceCallForm(forms.Form):
-    def __init__(self, *args, month, clubs: list[Club] | None = None, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.month = month
-        self.clubs = clubs
-
-        if self.clubs is None:
-            self.clubs = []
-
-        invoices = {
-            i["club_id"]: i["is_validated"]
-            for i in InvoiceCall.objects.filter(
-                club__in=self.clubs, month=self.month
-            ).values("club_id", "is_validated")
-        }
-
-        for club in self.clubs:
-            is_validated = invoices.get(club.id, False)
-
-            self.fields[f"club_{club.id}"] = forms.BooleanField(
-                required=False, initial=is_validated
-            )
-
-    def save(self):
-        for club in self.clubs:
-            field_name = f"club_{club.id}"
-            is_validated = self.cleaned_data.get(field_name, False)
-
-            InvoiceCall.objects.update_or_create(
-                month=self.month, club=club, defaults={"is_validated": is_validated}
-            )
-
-    def get_club_name(self, club_id):
-        return f"club_{club_id}"

counter/migrations/0032_invoicecall.py

@@ -1,45 +0,0 @@
-# Generated by Django 5.2.3 on 2025-09-09 10:24
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import counter.models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("club", "0014_alter_club_options_rename_unix_name_club_slug_name_and_more"),
-        ("counter", "0031_alter_counter_options"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="InvoiceCall",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "is_validated",
-                    models.BooleanField(default=False, verbose_name="is validated"),
-                ),
-                ("month", counter.models.MonthField(verbose_name="invoice date")),
-                (
-                    "club",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="club.club"
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Invoice call",
-                "verbose_name_plural": "Invoice calls",
-            },
-        ),
-    ]

counter/models.py

@@ -535,13 +535,6 @@ class Counter(models.Model):
     def __str__(self):
         return self.name
 
-    def __getattribute__(self, name: str):
-        if name == "edit_groups":
-            return Group.objects.filter(
-                name=self.club.unix_name + settings.SITH_BOARD_SUFFIX
-            ).all()
-        return object.__getattribute__(self, name)
-
     def get_absolute_url(self) -> str:
         if self.type == "EBOUTIC":
             return reverse("eboutic:main")
@@ -690,8 +683,10 @@ class Counter(models.Model):
         Prices will be annotated
         """
 
-        products = self.products.select_related("product_type").prefetch_related(
-            "buying_groups"
+        products = (
+            self.products.filter(archived=False)
+            .select_related("product_type")
+            .prefetch_related("buying_groups")
         )
 
         # Only include age appropriate products
@@ -1362,49 +1357,3 @@ class ReturnableProductBalance(models.Model):
             f"return balance of {self.customer} "
             f"for {self.returnable.product_id} : {self.balance}"
         )
-
-
-class MonthField(models.DateField):
-    description = _("Year + month field (day forced to 1)")
-    default_error_messages = {
-        "invalid": _(
-            "“%(value)s” value has an invalid date format. It must be "
-            "in YYYY-MM format."
-        ),
-        "invalid_date": _(
-            "“%(value)s” value has the correct format (YYYY-MM) "
-            "but it is an invalid date."
-        ),
-    }
-
-    def to_python(self, value):
-        if isinstance(value, date):
-            return value.replace(day=1)
-
-        if isinstance(value, str):
-            try:
-                year, month = map(int, value.split("-"))
-                return date(year, month, 1)
-            except (ValueError, TypeError) as err:
-                raise ValueError(
-                    self.error_messages["invalid"] % {"value": value}
-                ) from err
-
-        return super().to_python(value)
-
-
-class InvoiceCall(models.Model):
-    is_validated = models.BooleanField(verbose_name=_("is validated"), default=False)
-    club = models.ForeignKey(Club, on_delete=models.CASCADE)
-    month = MonthField(verbose_name=_("invoice date"))
-
-    class Meta:
-        verbose_name = _("Invoice call")
-        verbose_name_plural = _("Invoice calls")
-
-    def __str__(self):
-        return f"invoice call of {self.month} made by {self.club}"
-
-    def save(self, *args, **kwargs):
-        self.month = self._meta.get_field("month").to_python(self.month)
-        super().save(*args, **kwargs)

counter/templates/counter/invoices_call.jinja

@@ -15,32 +15,24 @@
     </select>
     <input type="submit" value="{% trans %}Go{% endtrans %}" />
   </form>
-
-  <form method="post" action="">
-    {% csrf_token %}
-    <br>
-    <p>{% trans %}CB Payments{% endtrans %} : {{ sum_cb }} €</p>
-    <br>
-
-    <table>
-      <thead>
-        <td>{% trans %}Club{% endtrans %}</td>
-        <td>{% trans %}Sum{% endtrans %}</td>
-        <td>{% trans %}Validated{% endtrans %}</td>
-      </thead>
-      <tbody>
-        {% for data in club_data %}
-          <tr>
-            <td>{{ data.club.name }}</td>
-            <td>{{"%.2f"|format(data.sum)}} €</td>
-            <td>
-              {{ form[form.get_club_name(data.club.id)] }}
-            </td>
-          </tr>
-        {% endfor %}
-      </tbody>
-    </table>
-    <input type="hidden" name="month" value="{{ start_date|date('Y-m') }}">
-    <button type="submit">{% trans %}Save validation{% endtrans %}</button>
-  </form>
+  <br>
+  <p>{% trans %}CB Payments{% endtrans %} : {{ sum_cb }} €</p>
+  <br>
+  <table>
+    <thead>
+      <td>{% trans %}Club{% endtrans %}</td>
+      <td>{% trans %}Sum{% endtrans %}</td>
+    </thead>
+    <tbody>
+      {% for i in sums %}
+        <tr>
+          <td>{{ i['club__name'] }}</td>
+          <td>{{ i['selling_sum'] }} €</td>
+        </tr>
+      {% endfor %}
+    </tbody>
+  </table>
 {% endblock %}
+
+
+

counter/tests/test_counter.py

@@ -583,6 +583,16 @@ class TestCounterClick(TestFullClickBase):
             - self.beer.selling_price
         )
 
+    def test_no_fetch_archived_product(self):
+        counter = baker.make(Counter)
+        customer = baker.make(Customer)
+        product_recipe.make(archived=True, counters=[counter])
+        unarchived_products = product_recipe.make(
+            archived=False, counters=[counter], _quantity=3
+        )
+        customer_products = counter.get_products_for(customer)
+        assert unarchived_products == customer_products
+
 
 class TestCounterStats(TestCase):
     @classmethod

counter/tests/test_invoices.py

@@ -1,33 +0,0 @@
-from datetime import date
-
-import pytest
-from model_bakery import baker
-
-from club.models import Club
-from counter.models import InvoiceCall
-
-
-@pytest.mark.django_db
-def test_invoice_date_with_date():
-    club = baker.make(Club)
-    invoice = InvoiceCall.objects.create(club=club, month=date(2025, 10, 20))
-
-    assert not invoice.is_validated
-    assert str(invoice) == f"invoice call of {invoice.month} made by {club}"
-    assert invoice.month == date(2025, 10, 1)
-
-
-@pytest.mark.django_db
-def test_invoice_date_with_string():
-    club = baker.make(Club)
-    invoice = InvoiceCall.objects.create(club=club, month="2025-10")
-
-    assert invoice.month == date(2025, 10, 1)
-
-
-@pytest.mark.django_db
-def test_invoice_call_invalid_month_string():
-    club = baker.make(Club)
-
-    with pytest.raises(ValueError):
-        InvoiceCall.objects.create(club=club, month="2025-13")

counter/views/invoice.py

@@ -12,17 +12,15 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-from datetime import date, datetime, timedelta
+from datetime import datetime, timedelta
 from datetime import timezone as tz
 
-from django.db.models import Exists, F, OuterRef
-from django.shortcuts import redirect
+from django.db.models import F
 from django.utils import timezone
 from django.views.generic import TemplateView
 
 from counter.fields import CurrencyField
-from counter.forms import InvoiceCallForm
-from counter.models import Club, InvoiceCall, Refilling, Selling
+from counter.models import Refilling, Selling
 from counter.views.mixins import CounterAdminMixin, CounterAdminTabsMixin
 
 
@@ -30,30 +28,12 @@ class InvoiceCallView(CounterAdminTabsMixin, CounterAdminMixin, TemplateView):
     template_name = "counter/invoices_call.jinja"
     current_tab = "invoices_call"
 
-    def get(self, request, *args, **kwargs):
-        month_str = request.GET.get("month")
-
-        if month_str:
-            try:
-                start_date = datetime.strptime(month_str, "%Y-%m").date()
-                today = timezone.now().date().replace(day=1)
-                if start_date > today:
-                    return redirect("counter:invoices_call")
-            except ValueError:
-                return redirect("counter:invoices_call")
-        return super().get(request, *args, **kwargs)
-
     def get_context_data(self, **kwargs):
         """Add sums to the context."""
         kwargs = super().get_context_data(**kwargs)
         kwargs["months"] = Selling.objects.datetimes("date", "month", order="DESC")
-        month_str = self.request.GET.get("month")
-
-        if month_str:
-            try:
-                start_date = datetime.strptime(self.request.GET["month"], "%Y-%m")
-            except ValueError:
-                return redirect("counter:invoices_call")
+        if "month" in self.request.GET:
+            start_date = datetime.strptime(self.request.GET["month"], "%Y-%m")
         else:
             start_date = datetime(
                 year=timezone.now().year,
@@ -66,23 +46,30 @@ class InvoiceCallView(CounterAdminTabsMixin, CounterAdminMixin, TemplateView):
         )
         from django.db.models import Case, Sum, When
 
-        kwargs["sum_cb"] = Refilling.objects.filter(
-            payment_method="CARD",
-            is_validated=True,
-            date__gte=start_date,
-            date__lte=end_date,
-        ).aggregate(amount=Sum(F("amount"), default=0))["amount"]
-
-        kwargs["sum_cb"] += Selling.objects.filter(
-            payment_method="CARD",
-            is_validated=True,
-            date__gte=start_date,
-            date__lte=end_date,
-        ).aggregate(amount=Sum(F("quantity") * F("unit_price"), default=0))["amount"]
-
+        kwargs["sum_cb"] = sum(
+            [
+                r.amount
+                for r in Refilling.objects.filter(
+                    payment_method="CARD",
+                    is_validated=True,
+                    date__gte=start_date,
+                    date__lte=end_date,
+                )
+            ]
+        )
+        kwargs["sum_cb"] += sum(
+            [
+                s.quantity * s.unit_price
+                for s in Selling.objects.filter(
+                    payment_method="CARD",
+                    is_validated=True,
+                    date__gte=start_date,
+                    date__lte=end_date,
+                )
+            ]
+        )
         kwargs["start_date"] = start_date
-
-        kwargs["sums"] = list(
+        kwargs["sums"] = (
             Selling.objects.values("club__name")
             .annotate(
                 selling_sum=Sum(
@@ -99,56 +86,4 @@ class InvoiceCallView(CounterAdminTabsMixin, CounterAdminMixin, TemplateView):
             .exclude(selling_sum=None)
             .order_by("-selling_sum")
         )
-
-        club_names = [i["club__name"] for i in kwargs["sums"]]
-        clubs = Club.objects.filter(name__in=club_names)
-
-        invoice_calls = InvoiceCall.objects.filter(month=month_str, club__in=clubs)
-        invoice_statuses = {ic.club.name: ic.is_validated for ic in invoice_calls}
-
-        kwargs["form"] = InvoiceCallForm(clubs=clubs, month=month_str)
-
-        kwargs["club_data"] = []
-        for club in clubs:
-            selling_sum = next(
-                (
-                    item["selling_sum"]
-                    for item in kwargs["sums"]
-                    if item["club__name"] == club.name
-                ),
-                0,
-            )
-            kwargs["club_data"].append(
-                {
-                    "club": club,
-                    "sum": selling_sum,
-                    "validated": invoice_statuses.get(club.name, False),
-                }
-            )
-
         return kwargs
-
-    def post(self, request, *args, **kwargs):
-        month_str = request.POST.get("month")
-        if not month_str:
-            return self.get(request, *args, **kwargs)
-        try:
-            start_date = datetime.strptime(month_str, "%Y-%m")
-            start_date = date(start_date.year, start_date.month, 1)
-        except ValueError:
-            return redirect(request.path)
-
-        selling_subquery = Selling.objects.filter(
-            club=OuterRef("pk"),
-            date__year=start_date.year,
-            date__month=start_date.month,
-        )
-
-        clubs = Club.objects.filter(Exists(selling_subquery))
-
-        form = InvoiceCallForm(request.POST, clubs=clubs, month=month_str)
-
-        if form.is_valid():
-            form.save()
-
-        return redirect(f"{request.path}?month={request.POST.get('month', '')}")

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-01 18:18+0200\n"
+"POT-Creation-Date: 2025-09-19 17:22+0200\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -514,8 +514,8 @@ msgstr "Éditer le Trombi"
 msgid "New Trombi"
 msgstr "Nouveau Trombi"
 
-#: club/templates/club/club_tools.jinja com/templates/com/poster_list.jinja
-#: core/templates/core/user_tools.jinja
+#: club/templates/club/club_tools.jinja club/views.py
+#: com/templates/com/poster_list.jinja core/templates/core/user_tools.jinja
 msgid "Posters"
 msgstr "Affiches"
 
@@ -675,10 +675,6 @@ msgstr "Vente"
 msgid "Mailing list"
 msgstr "Listes de diffusion"
 
-#: club/views.py com/views.py
-msgid "Posters list"
-msgstr "Liste d'affiches"
-
 #: com/forms.py
 msgid "Format: 16:9 | Resolution: 1920x1080"
 msgstr "Format : 16:9 | Résolution : 1920x1080"
@@ -1249,6 +1245,10 @@ msgstr "Message d'info"
 msgid "Alert message"
 msgstr "Message d'alerte"
 
+#: com/views.py
+msgid "Posters list"
+msgstr "Liste d'affiches"
+
 #: com/views.py
 msgid "Screens list"
 msgstr "Liste d'écrans"
@@ -1272,6 +1272,11 @@ msgstr ""
 "Vous devez êtres un membre du bureau du club sélectionné pour poster dans le "
 "Weekmail."
 
+#: core/auth/mixins.py
+#, python-format
+msgid "No club found with id %(id)s"
+msgstr "Pas de club avec l'id %(id)s trouvé"
+
 #: core/models.py
 msgid "Is manually manageable"
 msgstr "Est gérable manuellement"
@@ -1713,8 +1718,8 @@ msgid ""
 "AE UTBM is a voluntary organisation run by UTBM students. It organises "
 "student life at UTBM and manages its student facilities."
 msgstr ""
-"L'AE UTBM est une association bénévole gérée par les étudiants de "
-"l'UTBM. Elle organise la vie étudiante de l'UTBM et gère ses lieux de vie."
+"L'AE UTBM est une association bénévole gérée par les étudiants de l'UTBM. "
+"Elle organise la vie étudiante de l'UTBM et gère ses lieux de vie."
 
 #: core/templates/core/base/footer.jinja core/templates/core/base/navbar.jinja
 msgid "Contacts"
@@ -2157,10 +2162,6 @@ msgstr ""
 msgid "Page history"
 msgstr "Historique de la page"
 
-#: core/templates/core/page_list.jinja
-msgid "There is no page in this website."
-msgstr "Il n'y a pas de page sur ce site web."
-
 #: core/templates/core/page_prop.jinja
 msgid "Page properties"
 msgstr "Propriétés de la page"
@@ -5135,6 +5136,10 @@ msgstr "Tee-shirt AE"
 msgid "A user with that email address already exists"
 msgstr "Un utilisateur avec cette adresse email existe déjà"
 
+#: subscription/forms.py
+msgid "This user didn't fill its birthdate yet."
+msgstr "Cet utilisateur n'a pas encore renseigné sa date de naissance"
+
 #: subscription/models.py
 msgid "Bad subscription type"
 msgstr "Mauvais type de cotisation"
@@ -5174,7 +5179,7 @@ msgid ""
 "%(user)s received its new %(type)s subscription. It will be active until "
 "%(end)s included."
 msgstr ""
-"%(user)s a reçu sa nouvelle cotisaton %(type)s. Elle sert active jusqu'au "
+"%(user)s a reçu sa nouvelle cotisaton %(type)s. Elle sera active jusqu'au "
 "%(end)s inclu."
 
 #: subscription/templates/subscription/fragments/creation_success.jinja

package-lock.json

@@ -50,7 +50,7 @@
         "@types/jquery": "^3.5.31",
         "@types/js-cookie": "^3.0.6",
         "typescript": "^5.8.3",
-        "vite": "^6.2.6",
+        "vite": "^6.3.6",
         "vite-bundle-visualizer": "^1.2.1",
         "vite-plugin-static-copy": "^3.1.2"
       }
@@ -5737,9 +5737,9 @@
       }
     },
     "node_modules/vite": {
-      "version": "6.3.5",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.3.5.tgz",
-      "integrity": "sha512-cZn6NDFE7wdTpINgs++ZJ4N49W2vRp8LCKrn3Ob1kYNtOo21vfDoaV5GzBfLU4MovSAB8uNRm4jgzVQZ+mBzPQ==",
+      "version": "6.3.6",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.3.6.tgz",
+      "integrity": "sha512-0msEVHJEScQbhkbVTb/4iHZdJ6SXp/AvxL2sjwYQFfBqleHtnCqv1J3sa9zbWz/6kW1m9Tfzn92vW+kZ1WV6QA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {

package.json

@@ -35,7 +35,7 @@
     "@types/jquery": "^3.5.31",
     "@types/js-cookie": "^3.0.6",
     "typescript": "^5.8.3",
-    "vite": "^6.2.6",
+    "vite": "^6.3.6",
     "vite-bundle-visualizer": "^1.2.1",
     "vite-plugin-static-copy": "^3.1.2"
   },

pyproject.toml

@@ -25,7 +25,7 @@ dependencies = [
     "Pillow<12.0.0,>=11.1.0",
     "mistune<4.0.0,>=3.1.3",
     "django-jinja<3.0.0,>=2.11.0",
-    "cryptography>=45.0.3,<46.0.0",
+    "cryptography>=45.0.3,<47.0.0",
     "django-phonenumber-field<9.0.0,>=8.1.0",
     "phonenumbers>=9.0.2,<10.0.0",
     "reportlab<5.0.0,>=4.3.1",

sith/settings.py

@@ -405,9 +405,6 @@ SITH_FORUM_PAGE_LENGTH = 30
 SITH_SAS_ROOT_DIR_ID = env.int("SITH_SAS_ROOT_DIR_ID", default=4)
 SITH_SAS_IMAGES_PER_PAGE = 60
 
-SITH_BOARD_SUFFIX = "-bureau"
-SITH_MEMBER_SUFFIX = "-membres"
-
 SITH_PROFILE_DEPARTMENTS = [
     ("TC", _("TC")),
     ("IMSI", _("IMSI")),

subscription/forms.py

@@ -23,8 +23,8 @@ class SelectionDateForm(forms.Form):
 
 
 class SubscriptionForm(forms.ModelForm):
-    def __init__(self, *args, **kwargs):
-        initial = kwargs.pop("initial", {})
+    def __init__(self, *args, initial=None, **kwargs):
+        initial = initial or {}
         if "subscription_type" not in initial:
             initial["subscription_type"] = "deux-semestres"
         if "payment_method" not in initial:
@@ -131,8 +131,57 @@ class SubscriptionExistingUserForm(SubscriptionForm):
     """Form to add a subscription to an existing user."""
 
     template_name = "subscription/forms/create_existing_user.html"
+    required_css_class = "required"
+
+    birthdate = forms.fields_for_model(
+        User,
+        ["date_of_birth"],
+        widgets={"date_of_birth": SelectDate(attrs={"hidden": True})},
+        help_texts={"date_of_birth": _("This user didn't fill its birthdate yet.")},
+    )["date_of_birth"]
 
     class Meta:
         model = Subscription
         fields = ["member", "subscription_type", "payment_method", "location"]
         widgets = {"member": AutoCompleteSelectUser}
+
+    field_order = [
+        "member",
+        "birthdate",
+        "subscription_type",
+        "payment_method",
+        "location",
+    ]
+
+    def __init__(self, *args, initial=None, **kwargs):
+        super().__init__(*args, initial=initial, **kwargs)
+        self.fields["birthdate"].required = True
+        if not initial:
+            return
+        member: str | None = initial.get("member")
+        if member and member.isdigit():
+            member: User | None = User.objects.filter(id=int(member)).first()
+        else:
+            member = None
+        if member and member.date_of_birth:
+            # if there is an initial member with a birthdate,
+            # there is no need to ask this to the user
+            self.fields["birthdate"].initial = member.date_of_birth
+        elif member:
+            # if there is an initial member without a birthdate,
+            # then the field must be displayed
+            self.fields["birthdate"].widget.attrs.update({"hidden": False})
+        # if there is no initial member, it means that it will be
+        # dynamically selected using the AutoCompleteSelectUser widget.
+        # JS will take care of un-hiding the field if necessary
+
+    def save(self, *args, **kwargs):
+        if self.errors:
+            return super().save(*args, **kwargs)
+        if (
+            self.cleaned_data["birthdate"] is not None
+            and self.instance.member.date_of_birth is None
+        ):
+            self.instance.member.date_of_birth = self.cleaned_data["birthdate"]
+            self.instance.member.save()
+        return super().save(*args, **kwargs)

subscription/static/bundled/subscription/creation-form-existing-user-index.ts

@@ -1,3 +1,5 @@
+import { userFetchUser } from "#openapi";
+
 document.addEventListener("alpine:init", () => {
   Alpine.data("existing_user_subscription_form", () => ({
     loading: false,
@@ -12,13 +14,24 @@ document.addEventListener("alpine:init", () => {
     },
 
     async loadProfile(userId: number) {
+      const birthdayInput = document.getElementById("id_birthdate") as HTMLInputElement;
       if (!Number.isInteger(userId)) {
         this.profileFragment = "";
+        birthdayInput.hidden = true;
         return;
       }
       this.loading = true;
-      const response = await fetch(`/user/${userId}/mini/`);
-      this.profileFragment = await response.text();
+      const [miniProfile, userInfos] = await Promise.all([
+        fetch(`/user/${userId}/mini/`),
+        // biome-ignore lint/style/useNamingConvention: api is snake_case
+        userFetchUser({ path: { user_id: userId } }),
+      ]);
+      this.profileFragment = await miniProfile.text();
+      // If the user has no birthdate yet, show the form input
+      // to fill this info.
+      // Else keep the input hidden and change its value to the user birthdate
+      birthdayInput.value = userInfos.data.date_of_birth;
+      birthdayInput.hidden = userInfos.data.date_of_birth !== null;
       this.loading = false;
     },
   }));

subscription/static/subscription/css/subscription.scss

@@ -1,4 +1,14 @@
 #subscription-form form {
+  margin-top: 0;
+
+  .form-content {
+    margin-top: 0;
+  }
+
+  fieldset p:first-of-type, & > p:first-of-type {
+    margin-top: 0;
+  }
+
   .form-content.existing-user {
     max-height: 100%;
     display: flex;
@@ -13,6 +23,11 @@
      * then display the user profile right in the middle of the remaining space. */
     fieldset {
       flex: 0 1 auto;
+
+      p:has(input[hidden]) {
+        // when the input is hidden, hide the whole label+input+help text group
+        display: none;
+      }
     }
 
     #subscription-form-user-mini-profile {

subscription/tests/test_new_subscription.py

@@ -1,6 +1,6 @@
 """Tests focused on testing subscription creation"""
 
-from datetime import timedelta
+from datetime import date, timedelta
 from typing import Callable
 
 import pytest
@@ -31,6 +31,26 @@ def test_form_existing_user_valid(
 ):
     """Test `SubscriptionExistingUserForm`"""
     user = user_factory()
+    user.date_of_birth = date(year=1967, month=3, day=14)
+    user.save()
+    data = {
+        "member": user,
+        "birthdate": user.date_of_birth,
+        "subscription_type": "deux-semestres",
+        "location": settings.SITH_SUBSCRIPTION_LOCATIONS[0][0],
+        "payment_method": settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[0][0],
+    }
+    form = SubscriptionExistingUserForm(data)
+    assert form.is_valid()
+    form.save()
+    user.refresh_from_db()
+    assert user.is_subscribed
+
+
+@pytest.mark.django_db
+def test_form_existing_user_with_birthdate(settings: SettingsWrapper):
+    """Test `SubscriptionExistingUserForm`"""
+    user = baker.make(User, date_of_birth=None)
     data = {
         "member": user,
         "subscription_type": "deux-semestres",
@@ -38,11 +58,15 @@ def test_form_existing_user_valid(
         "payment_method": settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[0][0],
     }
     form = SubscriptionExistingUserForm(data)
+    assert not form.is_valid()
 
+    data |= {"birthdate": date(year=1967, month=3, day=14)}
+    form = SubscriptionExistingUserForm(data)
     assert form.is_valid()
     form.save()
     user.refresh_from_db()
     assert user.is_subscribed
+    assert user.date_of_birth == date(year=1967, month=3, day=14)
 
 
 @pytest.mark.django_db
@@ -132,6 +156,14 @@ def test_page_access(
     assert res.status_code == status_code
 
 
+@pytest.mark.django_db
+def test_page_access_with_get_data(client: Client):
+    user = old_subscriber_user.make()
+    client.force_login(baker.make(User, is_superuser=True))
+    res = client.get(reverse("subscription:subscription", query={"member": user.id}))
+    assert res.status_code == 200
+
+
 @pytest.mark.django_db
 def test_submit_form_existing_user(client: Client, settings: SettingsWrapper):
     client.force_login(
@@ -140,11 +172,12 @@ def test_submit_form_existing_user(client: Client, settings: SettingsWrapper):
             user_permissions=Permission.objects.filter(codename="add_subscription"),
         )
     )
-    user = old_subscriber_user.make()
+    user = old_subscriber_user.make(date_of_birth=date(year=1967, month=3, day=14))
     response = client.post(
         reverse("subscription:fragment-existing-user"),
         {
             "member": user.id,
+            "birthdate": user.date_of_birth,
             "subscription_type": "deux-semestres",
             "location": settings.SITH_SUBSCRIPTION_LOCATIONS[0][0],
             "payment_method": settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[0][0],