filter using schema

Automatic product actions

.github/auto_assign.yml

@@ -6,7 +6,7 @@ addAssignees: author
 
 # A list of team reviewers to be added to pull requests (GitHub team slug)
 reviewers:
-  - ae-utbm/sith-3-developers
+  - ae-utbm/developpeurs
 
 # Number of reviewers has no impact on GitHub teams
 # Set 0 to add all the reviewers (default: 0)

.github/dependabot.yml

@@ -4,11 +4,28 @@
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
 version: 2
-updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+
+multi-ecosystem-groups:
+  common:
+    directory: "/"
     schedule:
       interval: "weekly"
     target-branch: "taiste"
     commit-message:
-      prefix: "[UPDATE] "
+      prefix: "[UPDATE] "
+
+updates:
+  - package-ecosystem: "uv"
+    patterns: ["*"]
+    multi-ecosystem-group: "common"
+
+  - package-ecosystem: "npm"
+    patterns: ["*"]
+    multi-ecosystem-group: "common"
+    groups:
+      # npm supports production and development groups, but not uv
+      # cf. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-groups
+      main-deps:
+        dependency-type: "production"
+      dev-deps:
+        dependency-type: "development"

club/api.py

@@ -1,7 +1,5 @@
-from typing import Annotated
-
-from annotated_types import MinLen
 from django.db.models import Prefetch
+from ninja import Query
 from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.pagination import PageNumberPaginationExtra
@@ -10,7 +8,7 @@ from ninja_extra.schemas import PaginatedResponseSchema
 from api.auth import ApiKeyAuth
 from api.permissions import CanAccessLookup, HasPerm
 from club.models import Club, Membership
-from club.schemas import ClubSchema, SimpleClubSchema
+from club.schemas import ClubSchema, ClubSearchFilterSchema, SimpleClubSchema
 
 
 @api_controller("/club")
@@ -23,8 +21,12 @@ class ClubController(ControllerBase):
         url_name="search_club",
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
-    def search_club(self, search: Annotated[str, MinLen(1)]):
-        return Club.objects.filter(name__icontains=search).values()
+    def search_club(
+        self,
+        filters: Query[ClubSearchFilterSchema],
+    ):
+        clubs = Club.objects.all()
+        return filters.filter(clubs)
 
     @route.get(
         "/{int:club_id}",

club/forms.py

@@ -26,12 +26,16 @@ from django import forms
 from django.conf import settings
 from django.db.models import Exists, OuterRef, Q
 from django.db.models.functions import Lower
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 
 from club.models import Club, Mailing, MailingSubscription, Membership
 from core.models import User
-from core.views.forms import SelectDate, SelectDateTime
-from core.views.widgets.ajax_select import AutoCompleteSelectMultipleUser
+from core.views.forms import SelectDateTime
+from core.views.widgets.ajax_select import (
+    AutoCompleteSelectMultipleUser,
+    AutoCompleteSelectUser,
+)
 from counter.models import Counter, Selling
 
 
@@ -188,105 +192,113 @@ class SellingsForm(forms.Form):
         )
 
 
-class ClubMemberForm(forms.Form):
-    """Form handling the members of a club."""
+class ClubOldMemberForm(forms.Form):
+    members_old = forms.ModelMultipleChoiceField(
+        Membership.objects.none(),
+        label=_("Mark as old"),
+        widget=forms.CheckboxSelectMultiple,
+        required=False,
+    )
+
+    def __init__(self, *args, user: User, club: Club, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["members_old"].queryset = (
+            Membership.objects.ongoing().filter(club=club).editable_by(user)
+        )
+
+
+class ClubMemberForm(forms.ModelForm):
+    """Form to add a member to the club, as a board member."""
 
     error_css_class = "error"
     required_css_class = "required"
 
-    users = forms.ModelMultipleChoiceField(
-        label=_("Users to add"),
-        help_text=_("Search users to add (one or more)."),
-        required=False,
-        widget=AutoCompleteSelectMultipleUser,
-        queryset=User.objects.all(),
-    )
+    class Meta:
+        model = Membership
+        fields = ["role", "description"]
 
-    def __init__(self, *args, **kwargs):
-        self.club = kwargs.pop("club")
-        self.request_user = kwargs.pop("request_user")
-        self.club_members = kwargs.pop("club_members", None)
-        if not self.club_members:
-            self.club_members = self.club.members.ongoing().order_by("-role").all()
+    def __init__(self, *args, club: Club, request_user: User, **kwargs):
+        self.club = club
+        self.request_user = request_user
         self.request_user_membership = self.club.get_membership_for(self.request_user)
         super().__init__(*args, **kwargs)
+        self.fields["role"].required = True
+        self.fields["role"].choices = [
+            (value, name)
+            for value, name in settings.SITH_CLUB_ROLES.items()
+            if value <= self.max_available_role
+        ]
+        self.instance.club = club
 
-        # Using a ModelForm binds too much the form with the model and we don't want that
-        # We want the view to process the model creation since they are multiple users
-        # We also want the form to handle bulk deletion
-        self.fields.update(
-            forms.fields_for_model(
-                Membership,
-                fields=("role", "start_date", "description"),
-                widgets={"start_date": SelectDate},
-            )
-        )
+    @property
+    def max_available_role(self):
+        """The greatest role that will be obtainable with this form."""
+        # this is unreachable, because it will be overridden by subclasses
+        return -1  # pragma: no cover
 
-        # Role is required only if users is specified
-        self.fields["role"].required = False
 
-        # Start date and description are never really required
-        self.fields["start_date"].required = False
-        self.fields["description"].required = False
+class ClubAddMemberForm(ClubMemberForm):
+    """Form to add a member to the club, as a board member."""
 
-        self.fields["users_old"] = forms.ModelMultipleChoiceField(
-            User.objects.filter(
-                id__in=[
-                    ms.user.id
-                    for ms in self.club_members
-                    if ms.can_be_edited_by(self.request_user)
-                ]
-            ).all(),
-            label=_("Mark as old"),
-            required=False,
-            widget=forms.CheckboxSelectMultiple,
-        )
-        if not self.request_user.is_root:
-            self.fields.pop("start_date")
+    class Meta(ClubMemberForm.Meta):
+        fields = ["user", *ClubMemberForm.Meta.fields]
+        widgets = {"user": AutoCompleteSelectUser}
 
-    def clean_users(self):
-        """Check that the user is not trying to add an user already in the club.
+    @cached_property
+    def max_available_role(self):
+        """The greatest role that will be obtainable with this form.
+
+        Admins and the club president can attribute any role.
+        Board members can attribute roles lower than their own.
+        Other users cannot attribute roles with this form
+        """
+        if self.request_user.has_perm("club.add_membership"):
+            return settings.SITH_CLUB_ROLES_ID["President"]
+        membership = self.request_user_membership
+        if membership is None or membership.role <= settings.SITH_MAXIMUM_FREE_ROLE:
+            return -1
+        if membership.role == settings.SITH_CLUB_ROLES_ID["President"]:
+            return membership.role
+        return membership.role - 1
+
+    def clean_user(self):
+        """Check that the user is not trying to add a user already in the club.
 
         Also check that the user is valid and has a valid subscription.
         """
-        cleaned_data = super().clean()
-        users = []
-        for user in cleaned_data["users"]:
-            if not user.is_subscribed:
-                raise forms.ValidationError(
-                    _("User must be subscriber to take part to a club"), code="invalid"
-                )
-            if self.club.get_membership_for(user):
-                raise forms.ValidationError(
-                    _("You can not add the same user twice"), code="invalid"
-                )
-            users.append(user)
-        return users
+        user = self.cleaned_data["user"]
+        if not user.is_subscribed:
+            raise forms.ValidationError(
+                _("User must be subscriber to take part to a club"), code="invalid"
+            )
+        if self.club.get_membership_for(user):
+            raise forms.ValidationError(
+                _("You can not add the same user twice"), code="invalid"
+            )
+        return user
+
+
+class JoinClubForm(ClubMemberForm):
+    """Form to join a club."""
+
+    def __init__(self, *args, club: Club, request_user: User, **kwargs):
+        super().__init__(*args, club=club, request_user=request_user, **kwargs)
+        # this form doesn't manage the user who will join the club,
+        # so we must set this here to avoid errors
+        self.instance.user = self.request_user
+
+    @cached_property
+    def max_available_role(self):
+        return settings.SITH_MAXIMUM_FREE_ROLE
 
     def clean(self):
-        """Check user rights for adding an user."""
-        cleaned_data = super().clean()
-
-        if "start_date" in cleaned_data and not cleaned_data["start_date"]:
-            # Drop start_date if allowed to edition but not specified
-            cleaned_data.pop("start_date")
-
-        if not cleaned_data.get("users"):
-            # No user to add equals no check needed
-            return cleaned_data
-
-        if cleaned_data.get("role", "") == "":
-            # Role is required if users exists
-            self.add_error("role", _("You should specify a role"))
-            return cleaned_data
-
-        request_user = self.request_user
-        membership = self.request_user_membership
-        if not (
-            cleaned_data["role"] <= settings.SITH_MAXIMUM_FREE_ROLE
-            or (membership is not None and membership.role >= cleaned_data["role"])
-            or request_user.is_board_member
-            or request_user.is_root
-        ):
-            raise forms.ValidationError(_("You do not have the permission to do that"))
-        return cleaned_data
+        """Check that the user is subscribed and isn't already in the club."""
+        if not self.request_user.is_subscribed:
+            raise forms.ValidationError(
+                _("You must be subscribed to join a club"), code="invalid"
+            )
+        if self.club.get_membership_for(self.request_user):
+            raise forms.ValidationError(
+                _("You are already a member of this club"), code="invalid"
+            )
+        return super().clean()

club/migrations/0012_club_board_group_club_members_group.py

@@ -34,12 +34,10 @@ def migrate_meta_groups(apps: StateApps, schema_editor):
     clubs = list(Club.objects.all())
     for club in clubs:
         club.board_group = meta_groups.get_or_create(
-            name=club.unix_name + settings.SITH_BOARD_SUFFIX,
-            defaults={"is_meta": True},
+            name=f"{club.unix_name}-bureau", defaults={"is_meta": True}
         )[0]
         club.members_group = meta_groups.get_or_create(
-            name=club.unix_name + settings.SITH_MEMBER_SUFFIX,
-            defaults={"is_meta": True},
+            name=f"{club.unix_name}-membres", defaults={"is_meta": True}
         )[0]
         club.save()
         club.refresh_from_db()

club/migrations/0013_alter_club_board_group_alter_club_members_group_and_more.py

@@ -29,7 +29,7 @@ class Migration(migrations.Migration):
         migrations.AddConstraint(
             model_name="membership",
             constraint=models.CheckConstraint(
-                check=models.Q(("end_date__gte", models.F("start_date"))),
+                condition=models.Q(("end_date__gte", models.F("start_date"))),
                 name="end_after_start",
             ),
         ),

club/models.py

@@ -30,7 +30,8 @@ from django.core.cache import cache
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.core.validators import RegexValidator, validate_email
 from django.db import models, transaction
-from django.db.models import Exists, F, OuterRef, Q
+from django.db.models import Exists, F, OuterRef, Q, Value
+from django.db.models.functions import Greatest
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.functional import cached_property
@@ -42,6 +43,13 @@ from core.fields import ResizedImageField
 from core.models import Group, Notification, Page, SithFile, User
 
 
+class ClubQuerySet(models.QuerySet):
+    def having_board_member(self, user: User) -> Self:
+        """Filter all club in which the given user is a board member."""
+        active_memberships = user.memberships.board().ongoing()
+        return self.filter(Exists(active_memberships.filter(club=OuterRef("pk"))))
+
+
 class Club(models.Model):
     """The Club class, made as a tree to allow nice tidy organization."""
 
@@ -91,6 +99,8 @@ class Club(models.Model):
         Group, related_name="club_board", on_delete=models.PROTECT
     )
 
+    objects = ClubQuerySet.as_manager()
+
     class Meta:
         ordering = ["name"]
 
@@ -200,10 +210,6 @@ class Club(models.Model):
         """Method to see if that object can be edited by the given user."""
         return self.has_rights_in_club(user)
 
-    def can_be_viewed_by(self, user: User) -> bool:
-        """Method to see if that object can be seen by the given user."""
-        return user.was_subscribed
-
     def get_membership_for(self, user: User) -> Membership | None:
         """Return the current membership the given user.
 
@@ -243,6 +249,44 @@ class MembershipQuerySet(models.QuerySet):
         """
         return self.filter(role__gt=settings.SITH_MAXIMUM_FREE_ROLE)
 
+    def editable_by(self, user: User) -> Self:
+        """Filter Memberships that this user can edit.
+
+        Users with the `club.change_membership` permission can edit all Membership.
+        The other users can edit :
+        - their own membership
+        - if they are board members, ongoing memberships with a role lower than their own
+
+        For example, let's suppose the following users :
+        - A : board member
+        - B : board member
+        - C : simple member
+        - D : curious
+        - E : old member
+
+        A will be able to edit the memberships of A, C and D ;
+        C and D will be able to edit only their own membership ;
+        nobody will be able to edit E's membership.
+        """
+        if user.has_perm("club.change_membership"):
+            return self.all()
+        return self.filter(
+            Q(user=user)
+            | Exists(
+                Membership.objects.filter(
+                    Q(
+                        role__gt=Greatest(
+                            OuterRef("role"), Value(settings.SITH_MAXIMUM_FREE_ROLE)
+                        )
+                    ),
+                    user=user,
+                    end_date=None,
+                    club=OuterRef("club"),
+                )
+            ),
+            end_date=None,
+        )
+
     def update(self, **kwargs) -> int:
         """Refresh the cache and edit group ownership.
 
@@ -319,16 +363,12 @@ class Membership(models.Model):
         User,
         verbose_name=_("user"),
         related_name="memberships",
-        null=False,
-        blank=False,
         on_delete=models.CASCADE,
     )
     club = models.ForeignKey(
         Club,
         verbose_name=_("club"),
         related_name="members",
-        null=False,
-        blank=False,
         on_delete=models.CASCADE,
     )
     start_date = models.DateField(_("start date"), default=timezone.now)
@@ -347,7 +387,7 @@ class Membership(models.Model):
     class Meta:
         constraints = [
             models.CheckConstraint(
-                check=Q(end_date__gte=F("start_date")), name="end_after_start"
+                condition=Q(end_date__gte=F("start_date")), name="end_after_start"
             ),
         ]
 

club/schemas.py

@@ -1,9 +1,24 @@
-from ninja import ModelSchema
+from typing import Optional
+
+from django.db.models import Q
+from ninja import Field, FilterSchema, ModelSchema
 
 from club.models import Club, Membership
 from core.schemas import SimpleUserSchema
 
 
+class ClubSearchFilterSchema(FilterSchema):
+    search: Optional[str] = Field(None, q="name__icontains")
+    club_id: Optional[int] = Field(None, q="id")
+    is_active: Optional[bool] = None
+    parent_id: Optional[int] = None
+    parent_name: Optional[str] = Field(None, q="parent__name__icontains")
+    exclude_ids: Optional[list[int]] = None
+
+    def filter_exclude_ids(self, value: list[int]):
+        return ~Q(id__in=value)
+
+
 class SimpleClubSchema(ModelSchema):
     class Meta:
         model = Club

club/static/club/members.scss

@@ -0,0 +1,24 @@
+#club_members_table {
+  tbody label {
+    margin: 0;
+    padding: 0;
+  }
+}
+
+#add_club_members_form {
+  fieldset {
+    display: flex;
+    flex-direction: row;
+    column-gap: 2em;
+    row-gap: 1em;
+    flex-wrap: wrap;
+
+    @media (max-width: 1100px) {
+      justify-content: space-evenly;
+    }
+
+    .errorlist {
+      max-width: 300px;
+    }
+  }
+}

club/templates/club/club_detail.jinja

@@ -1,6 +1,14 @@
 {% extends "core/base.jinja" %}
 {% from 'core/macros.jinja' import user_profile_link %}
 
+{% block title -%}
+  {{ club.name }}
+{%- endblock %}
+
+{% block description -%}
+  {{ club.short_description }}
+{%- endblock %}
+
 {% block content %}
   <div id="club_detail">
     {% if club.logo %}

club/templates/club/club_list.jinja

@@ -1,8 +1,12 @@
 {% extends "core/base.jinja" %}
 
-{% block title %}
+{% block title -%}
   {% trans %}Club list{% endtrans %}
-{% endblock %}
+{%- endblock %}
+
+{% block description -%}
+  {% trans %}The list of all clubs existing at UTBM.{% endtrans %}
+{%- endblock %}
 
 {% macro display_club(club) -%}
 
@@ -21,7 +25,7 @@
 
   {%- if club.children.all()|length != 0 %}
     <ul>
-      {%- for c in club.children.order_by('name') %}
+      {%- for c in club.children.order_by('name').prefetch_related("children") %}
         {{ display_club(c) }}
       {%- endfor %}
     </ul>
@@ -36,8 +40,8 @@
   {% if club_list %}
     <h3>{% trans %}Club list{% endtrans %}</h3>
     <ul>
-      {%- for c in club_list.all().order_by('name') if c.parent is none %}
-        {{ display_club(c) }}
+      {%- for club in club_list %}
+        {{ display_club(club) }}
       {%- endfor %}
     </ul>
   {% else %}

club/templates/club/club_members.jinja

@@ -1,15 +1,33 @@
 {% extends "core/base.jinja" %}
 {% from 'core/macros.jinja' import user_profile_link, select_all_checkbox %}
 
+{% block additional_js %}
+  <script type="module" src="{{ static("bundled/core/components/ajax-select-index.ts") }}"></script>
+{% endblock %}
+{% block additional_css %}
+  <link rel="stylesheet" href="{{ static("bundled/core/components/ajax-select-index.css") }}">
+  <link rel="stylesheet" href="{{ static("club/members.scss") }}">
+{% endblock %}
+
 {% block content %}
+  {% block notifications %}
+    {# Notifications are moved a little bit below #}
+  {% endblock %}
+
   <h2>{% trans %}Club members{% endtrans %}</h2>
+
+  {% if add_member_fragment %}
+    <br />
+    {{ add_member_fragment }}
+    <br />
+  {% endif %}
+  {% include "core/base/notifications.jinja" %}
   {% if members %}
-    <form action="{{ url('club:club_members', club_id=club.id) }}" id="users_old" method="post">
+    <form action="{{ url('club:club_members', club_id=club.id) }}" id="members_old" method="post">
       {% csrf_token %}
-      {% set users_old = dict(form.users_old | groupby("choice_label")) %}
-      {% if users_old %}
-        {{ select_all_checkbox("users_old") }}
-        <p></p>
+      {% if can_end_membership %}
+        {{ select_all_checkbox("members_old") }}
+        <br />
       {% endif %}
       <table id="club_members_table">
         <thead>
@@ -18,7 +36,7 @@
             <td>{% trans %}Role{% endtrans %}</td>
             <td>{% trans %}Description{% endtrans %}</td>
             <td>{% trans %}Since{% endtrans %}</td>
-            {% if users_old %}
+            {% if can_end_membership %}
               <td>{% trans %}Mark as old{% endtrans %}</td>
             {% endif %}
           </tr>
@@ -30,20 +48,24 @@
               <td>{{ settings.SITH_CLUB_ROLES[m.role] }}</td>
               <td>{{ m.description }}</td>
               <td>{{ m.start_date }}</td>
-              {% if users_old %}
+              {%- if can_end_membership -%}
                 <td>
-                  {% set user_old = users_old[m.user.get_display_name()] %}
-                  {% if user_old %}
-                    {{ user_old[0].tag() }}
-                  {% endif %}
+                  {%- if m.is_editable -%}
+                    <label for="id_members_old_{{ loop.index }}"></label>
+                    <input
+                      type="checkbox"
+                      name="members_old"
+                      value="{{ m.id }}"
+                      id="id_members_old_{{ loop.index }}"
+                    >
+                  {%- endif -%}
                 </td>
-              {% endif %}
+              {%- endif -%}
             </tr>
           {% endfor %}
         </tbody>
       </table>
-      {{ form.users_old.errors }}
-      {% if users_old %}
+      {% if can_end_membership %}
         <p></p>
         <input type="submit" name="submit" value="{% trans %}Mark as old{% endtrans %}">
       {% endif %}
@@ -51,32 +73,4 @@
   {% else %}
     <p>{% trans %}There are no members in this club.{% endtrans %}</p>
   {% endif %}
-  <form action="{{ url('club:club_members', club_id=club.id) }}" id="add_users" method="post">
-    {% csrf_token %}
-    {{ form.non_field_errors() }}
-    <p>
-      {{ form.users.errors }}
-      <label for="{{ form.users.id_for_label }}">{{ form.users.label }} :</label>
-      {{ form.users }}
-      <span class="helptext">{{ form.users.help_text }}</span>
-    </p>
-    <p>
-      {{ form.role.errors }}
-      <label for="{{ form.role.id_for_label }}">{{ form.role.label }} :</label>
-      {{ form.role }}
-    </p>
-    {% if form.start_date %}
-      <p>
-        {{ form.start_date.errors }}
-        <label for="{{ form.start_date.id_for_label }}">{{ form.start_date.label }} :</label>
-        {{ form.start_date }}
-      </p>
-    {% endif %}
-    <p>
-      {{ form.description.errors }}
-      <label for="{{ form.description.id_for_label }}">{{ form.description.label }} :</label>
-      {{ form.description }}
-    </p>
-    <p><input type="submit" value="{% trans %}Add{% endtrans %}" /></p>
-  </form>
 {% endblock %}

club/templates/club/club_old_members.jinja

@@ -5,20 +5,22 @@
   <h2>{% trans %}Club old members{% endtrans %}</h2>
   <table>
     <thead>
-      <td>{% trans %}User{% endtrans %}</td>
-      <td>{% trans %}Role{% endtrans %}</td>
-      <td>{% trans %}Description{% endtrans %}</td>
-      <td>{% trans %}From{% endtrans %}</td>
-      <td>{% trans %}To{% endtrans %}</td>
+      <tr>
+        <td>{% trans %}User{% endtrans %}</td>
+        <td>{% trans %}Role{% endtrans %}</td>
+        <td>{% trans %}Description{% endtrans %}</td>
+        <td>{% trans %}From{% endtrans %}</td>
+        <td>{% trans %}To{% endtrans %}</td>
+      </tr>
     </thead>
     <tbody>
-      {% for m in club.members.exclude(end_date=None).order_by('-role', 'description', '-end_date').all() %}
+      {% for member in old_members %}
         <tr>
-          <td>{{ user_profile_link(m.user) }}</td>
-          <td>{{ settings.SITH_CLUB_ROLES[m.role] }}</td>
-          <td>{{ m.description }}</td>
-          <td>{{ m.start_date }}</td>
-          <td>{{ m.end_date }}</td>
+          <td>{{ user_profile_link(member.user) }}</td>
+          <td>{{ settings.SITH_CLUB_ROLES[member.role] }}</td>
+          <td>{{ member.description }}</td>
+          <td>{{ member.start_date }}</td>
+          <td>{{ member.end_date }}</td>
         </tr>
       {% endfor %}
     </tbody>

club/templates/club/club_sellings.jinja

@@ -83,9 +83,10 @@ TODO : rewrite the pagination used in this template an Alpine one
   </table>
   <script type="text/javascript">
     function formPagination(link){
-      $("form").attr("action", link.href);
+      const form = document.getElementById("form")
+      form.action = link.href;
       link.href = "javascript:void(0)"; // block link action
-      $("form").submit();
+      form.submit();
     }
   </script>
   {{ paginate(paginated_result, paginator, "formPagination(this)") }}

club/templates/club/fragments/add_member.jinja

@@ -0,0 +1,46 @@
+<section id="member-fragment-container">
+  {% if form.user %}
+    <h4>{% trans %}Add a new member{% endtrans %}</h4>
+  {% else %}
+    <h4>{% trans %}Join club{% endtrans %}</h4>
+  {% endif %}
+
+  <form
+    hx-post="{{ url('club:club_new_members', club_id=club.id) }}"
+    hx-disabled-elt="find input[type='submit']"
+    hx-swap="outerHTML"
+    hx-target="#member-fragment-container"
+    id="add_club_members_form"
+  >
+    {% csrf_token %}
+    {{ form.non_field_errors() }}
+    <fieldset>
+      {% if form.user %}
+        <div>
+          {{ form.user.label_tag() }}
+          <span class="helptext">{{ form.user.help_text }}</span>
+          {{ form.user }}
+          {{ form.user.errors }}
+        </div>
+      {% endif %}
+      <div>
+        {{ form.role.label_tag() }}
+        {{ form.role }}
+        {{ form.role.errors }}
+      </div>
+      <div>
+        {{ form.description.label_tag() }}
+        {{ form.description }}
+        {{ form.description.errors }}
+      </div>
+    </fieldset>
+    <button type="submit" class="btn btn-blue">
+      <i class="fa fa-user-plus"></i>
+      {%- if form.user -%}
+        {% trans %}Add{% endtrans %}
+      {%- else -%}
+        {% trans %}Join{% endtrans %}
+      {%- endif -%}
+    </button>
+  </form>
+</section>

club/tests/base.py

@@ -43,6 +43,9 @@ class TestClub(TestCase):
 
         cls.ae = Club.objects.get(pk=settings.SITH_MAIN_CLUB_ID)
         cls.club = baker.make(Club)
+        cls.new_members_url = reverse(
+            "club:club_new_members", kwargs={"club_id": cls.club.id}
+        )
         cls.members_url = reverse("club:club_members", kwargs={"club_id": cls.club.id})
         a_month_ago = now() - timedelta(days=30)
         yesterday = now() - timedelta(days=1)

club/tests/test_club.py

@@ -0,0 +1,27 @@
+from datetime import timedelta
+
+import pytest
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from core.baker_recipes import subscriber_user
+
+
+@pytest.mark.django_db
+def test_club_queryset_having_board_member():
+    clubs = baker.make(Club, _quantity=5)
+    user = subscriber_user.make()
+    membership_recipe = Recipe(
+        Membership, user=user, start_date=localdate() - timedelta(days=3)
+    )
+    membership_recipe.make(club=clubs[0], role=1)
+    membership_recipe.make(club=clubs[1], role=3)
+    membership_recipe.make(club=clubs[2], role=7)
+    membership_recipe.make(
+        club=clubs[3], role=3, end_date=localdate() - timedelta(days=1)
+    )
+
+    club_ids = Club.objects.having_board_member(user).values_list("id", flat=True)
+    assert set(club_ids) == {clubs[1].id, clubs[2].id}

club/tests/test_membership.py

@@ -1,13 +1,20 @@
+from collections.abc import Callable
+from datetime import timedelta
+
+import pytest
 from bs4 import BeautifulSoup
 from django.conf import settings
+from django.contrib.auth.models import Permission
 from django.core.cache import cache
 from django.db.models import Max
+from django.test import TestCase
 from django.urls import reverse
 from django.utils.timezone import localdate, localtime, now
 from model_bakery import baker
+from pytest_django.asserts import assertRedirects
 
-from club.forms import ClubMemberForm
-from club.models import Membership
+from club.forms import ClubAddMemberForm, JoinClubForm
+from club.models import Club, Membership
 from club.tests.base import TestClub
 from core.baker_recipes import subscriber_user
 from core.models import AnonymousUser, User
@@ -137,6 +144,38 @@ class TestMembershipQuerySet(TestClub):
         assert set(user.groups.all()).isdisjoint(club_groups)
 
 
+class TestMembershipEditableBy(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        Membership.objects.all().delete()
+        cls.club_a, cls.club_b = baker.make(Club, _quantity=2)
+        cls.memberships = [
+            *baker.make(
+                Membership, role=iter([7, 3, 3, 1]), club=cls.club_a, _quantity=4
+            ),
+            *baker.make(
+                Membership, role=iter([7, 3, 3, 1]), club=cls.club_b, _quantity=4
+            ),
+        ]
+
+    def test_admin_user(self):
+        perm = Permission.objects.get(codename="change_membership")
+        user = baker.make(User, user_permissions=[perm])
+        qs = Membership.objects.editable_by(user).values_list("id", flat=True)
+        assert set(qs) == set(Membership.objects.values_list("id", flat=True))
+
+    def test_simple_subscriber_user(self):
+        user = subscriber_user.make()
+        assert not Membership.objects.editable_by(user).exists()
+
+    def test_board_member(self):
+        # a board member can end lower memberships and its own one
+        user = self.memberships[2].user
+        qs = Membership.objects.editable_by(user).values_list("id", flat=True)
+        expected = {self.memberships[2].id, self.memberships[3].id}
+        assert set(qs) == expected
+
+
 class TestMembership(TestClub):
     def assert_membership_started_today(self, user: User, role: int):
         """Assert that the given membership is active and started today."""
@@ -151,7 +190,7 @@ class TestMembership(TestClub):
 
     def assert_membership_ended_today(self, user: User):
         """Assert that the given user have a membership which ended today."""
-        today = localtime(now()).date()
+        today = localdate()
         assert user.memberships.filter(club=self.club, end_date=today).exists()
         assert self.club.get_membership_for(user) is None
 
@@ -160,7 +199,9 @@ class TestMembership(TestClub):
         cannot see the page.
         """
         response = self.client.post(self.members_url)
-        assert response.status_code == 403
+        assertRedirects(
+            response, reverse("core:login", query={"next": self.members_url})
+        )
 
         self.client.force_login(self.public)
         response = self.client.post(self.members_url)
@@ -171,7 +212,9 @@ class TestMembership(TestClub):
         information are displayed.
         """
         self.client.force_login(self.simple_board_member)
-        response = self.client.get(self.members_url)
+        response = self.client.get(
+            reverse("club:club_members", kwargs={"club_id": self.club.id})
+        )
         assert response.status_code == 200
         soup = BeautifulSoup(response.text, "lxml")
         table = soup.find("table", id="club_members_table")
@@ -197,59 +240,45 @@ class TestMembership(TestClub):
             assert cols[2].text == membership.description
             assert cols[3].text == str(membership.start_date)
 
-            if membership.role <= 3:  # 3 is the role of simple_board_member
+            if membership.role < 3 or membership.user_id == self.simple_board_member.id:
+                # 3 is the role of simple_board_member
                 form_input = cols[4].find("input")
                 expected_attrs = {
                     "type": "checkbox",
-                    "name": "users_old",
-                    "value": str(user.id),
+                    "name": "members_old",
+                    "value": str(membership.id),
                 }
                 assert form_input.attrs.items() >= expected_attrs.items()
             else:
                 assert cols[4].find_all() == []
 
     def test_root_add_one_club_member(self):
-        """Test that root users can add members to clubs, one at a time."""
+        """Test that root users can add members to clubs"""
         self.client.force_login(self.root)
         response = self.client.post(
-            self.members_url,
-            {"users": [self.subscriber.id], "role": 3},
+            self.new_members_url, {"user": self.subscriber.id, "role": 3}
+        )
+        assert response.status_code == 200
+        assert response.headers.get("HX-Redirect", "") == reverse(
+            "club:club_members", kwargs={"club_id": self.club.id}
         )
-        self.assertRedirects(response, self.members_url)
         self.subscriber.refresh_from_db()
         self.assert_membership_started_today(self.subscriber, role=3)
 
-    def test_root_add_multiple_club_member(self):
-        """Test that root users can add multiple members at once to clubs."""
-        self.client.force_login(self.root)
-        response = self.client.post(
-            self.members_url,
-            {
-                "users": (self.subscriber.id, self.krophil.id),
-                "role": 3,
-            },
-        )
-        self.assertRedirects(response, self.members_url)
-        self.subscriber.refresh_from_db()
-        self.assert_membership_started_today(self.subscriber, role=3)
-        self.assert_membership_started_today(self.krophil, role=3)
-
     def test_add_unauthorized_members(self):
         """Test that users who are not currently subscribed
         cannot be members of clubs.
         """
         for user in self.public, self.old_subscriber:
-            form = ClubMemberForm(
-                data={"users": [user.id], "role": 1},
+            form = ClubAddMemberForm(
+                data={"user": user.id, "role": 1},
                 request_user=self.root,
                 club=self.club,
             )
 
             assert not form.is_valid()
             assert form.errors == {
-                "users": [
-                    "L'utilisateur doit être cotisant pour faire partie d'un club"
-                ]
+                "user": ["L'utilisateur doit être cotisant pour faire partie d'un club"]
             }
 
     def test_add_members_already_members(self):
@@ -281,16 +310,16 @@ class TestMembership(TestClub):
         nb_memberships = self.club.members.count()
         max_id = User.objects.aggregate(id=Max("id"))["id"]
         for members in [max_id + 1], [max_id + 1, self.subscriber.id]:
-            form = ClubMemberForm(
-                data={"users": members, "role": 1},
+            form = ClubAddMemberForm(
+                data={"user": members, "role": 1},
                 request_user=self.root,
                 club=self.club,
             )
             assert not form.is_valid()
             assert form.errors == {
-                "users": [
+                "user": [
                     "Sélectionnez un choix valide. "
-                    f"{max_id + 1} n\u2019en fait pas partie."
+                    "Ce choix ne fait pas partie de ceux disponibles."
                 ]
             }
         self.club.refresh_from_db()
@@ -303,10 +332,12 @@ class TestMembership(TestClub):
         nb_subscriber_memberships = self.subscriber.memberships.count()
         self.client.force_login(president)
         response = self.client.post(
-            self.members_url,
-            {"users": self.subscriber.id, "role": 9},
+            self.new_members_url, {"user": self.subscriber.id, "role": 9}
+        )
+        assert response.status_code == 200
+        assert response.headers.get("HX-Redirect", "") == reverse(
+            "club:club_members", kwargs={"club_id": self.club.id}
         )
-        self.assertRedirects(response, self.members_url)
         self.club.refresh_from_db()
         self.subscriber.refresh_from_db()
         assert self.club.members.count() == nb_club_membership + 1
@@ -317,8 +348,8 @@ class TestMembership(TestClub):
         """Test that a member of the club member cannot create
         a membership with a greater role than its own.
         """
-        form = ClubMemberForm(
-            data={"users": [self.subscriber.id], "role": 10},
+        form = ClubAddMemberForm(
+            data={"user": self.subscriber.id, "role": 10},
             request_user=self.simple_board_member,
             club=self.club,
         )
@@ -326,7 +357,7 @@ class TestMembership(TestClub):
 
         assert not form.is_valid()
         assert form.errors == {
-            "__all__": ["Vous n'avez pas la permission de faire cela"]
+            "role": ["Sélectionnez un choix valide. 10 n\u2019en fait pas partie."]
         }
         self.club.refresh_from_db()
         assert nb_memberships == self.club.members.count()
@@ -334,23 +365,53 @@ class TestMembership(TestClub):
 
     def test_add_member_without_role(self):
         """Test that trying to add members without specifying their role fails."""
-        self.client.force_login(self.root)
-        form = ClubMemberForm(
-            data={"users": [self.subscriber.id]},
-            request_user=self.simple_board_member,
-            club=self.club,
+        form = ClubAddMemberForm(
+            data={"user": self.subscriber.id}, request_user=self.root, club=self.club
         )
 
         assert not form.is_valid()
-        assert form.errors == {"role": ["Vous devez choisir un rôle"]}
+        assert form.errors == {"role": ["Ce champ est obligatoire."]}
+
+    def test_add_member_already_there(self):
+        form = ClubAddMemberForm(
+            data={"user": self.simple_board_member, "role": 3},
+            request_user=self.root,
+            club=self.club,
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "user": ["Vous ne pouvez pas ajouter deux fois le même utilisateur"]
+        }
+
+    def test_add_other_member_forbidden(self):
+        non_member = subscriber_user.make()
+        simple_member = baker.make(Membership, club=self.club, role=1).user
+        for user in non_member, simple_member:
+            form = ClubAddMemberForm(
+                data={"user": subscriber_user.make(), "role": 1},
+                request_user=user,
+                club=self.club,
+            )
+            assert not form.is_valid()
+            assert form.errors == {
+                "role": ["Sélectionnez un choix valide. 1 n\u2019en fait pas partie."]
+            }
+
+    def test_simple_members_dont_see_form_anymore(self):
+        """Test that simple club members don't see the form to add members"""
+        user = subscriber_user.make()
+        baker.make(Membership, club=self.club, user=user, role=1)
+        self.client.force_login(user)
+        res = self.client.get(self.members_url)
+        assert res.status_code == 200
+        soup = BeautifulSoup(res.text, "lxml")
+        assert not soup.find(id="add_club_members_form")
 
     def test_end_membership_self(self):
         """Test that a member can end its own membership."""
         self.client.force_login(self.simple_board_member)
-        self.client.post(
-            self.members_url,
-            {"users_old": self.simple_board_member.id},
-        )
+        membership = self.club.members.get(end_date=None, user=self.simple_board_member)
+        self.client.post(self.members_url, {"members_old": [membership.id]})
         self.simple_board_member.refresh_from_db()
         self.assert_membership_ended_today(self.simple_board_member)
 
@@ -358,15 +419,13 @@ class TestMembership(TestClub):
         """Test that board members of the club can end memberships
         of users with lower roles.
         """
-        # remainder : simple_board_member has role 3, president has role 10, richard has role 1
+        # reminder : simple_board_member has role 3
         self.client.force_login(self.simple_board_member)
-        response = self.client.post(
-            self.members_url,
-            {"users_old": self.richard.id},
-        )
+        membership = baker.make(Membership, club=self.club, role=2, end_date=None)
+        response = self.client.post(self.members_url, {"members_old": [membership.id]})
         self.assertRedirects(response, self.members_url)
         self.club.refresh_from_db()
-        self.assert_membership_ended_today(self.richard)
+        self.assert_membership_ended_today(membership.user)
 
     def test_end_membership_higher_role(self):
         """Test that board members of the club cannot end memberships
@@ -374,46 +433,30 @@ class TestMembership(TestClub):
         """
         membership = self.president.memberships.filter(club=self.club).first()
         self.client.force_login(self.simple_board_member)
-        self.client.post(
-            self.members_url,
-            {"users_old": self.president.id},
-        )
+        self.client.post(self.members_url, {"members_old": [membership.id]})
         self.club.refresh_from_db()
         new_membership = self.club.get_membership_for(self.president)
         assert new_membership is not None
         assert new_membership == membership
 
-        membership = self.president.memberships.filter(club=self.club).first()
+        membership.refresh_from_db()
         assert membership.end_date is None
 
-    def test_end_membership_as_main_club_board(self):
-        """Test that board members of the main club can end the membership
-        of anyone.
-        """
+    def test_end_membership_with_permission(self):
+        """Test that users with permission can end any membership."""
         # make subscriber a board member
-        subscriber = subscriber_user.make()
-        Membership.objects.create(club=self.ae, user=subscriber, role=3)
-
         nb_memberships = self.club.members.ongoing().count()
-        self.client.force_login(subscriber)
+        self.client.force_login(
+            subscriber_user.make(
+                user_permissions=[Permission.objects.get(codename="change_membership")]
+            )
+        )
+        president_membership = self.club.president
         response = self.client.post(
-            self.members_url,
-            {"users_old": self.president.id},
+            self.members_url, {"members_old": [president_membership.id]}
         )
         self.assertRedirects(response, self.members_url)
-        self.assert_membership_ended_today(self.president)
-        assert self.club.members.ongoing().count() == nb_memberships - 1
-
-    def test_end_membership_as_root(self):
-        """Test that root users can end the membership of anyone."""
-        nb_memberships = self.club.members.ongoing().count()
-        self.client.force_login(self.root)
-        response = self.client.post(
-            self.members_url,
-            {"users_old": [self.president.id]},
-        )
-        self.assertRedirects(response, self.members_url)
-        self.assert_membership_ended_today(self.president)
+        self.assert_membership_ended_today(president_membership.user)
         assert self.club.members.ongoing().count() == nb_memberships - 1
 
     def test_end_membership_as_foreigner(self):
@@ -421,14 +464,11 @@ class TestMembership(TestClub):
         nb_memberships = self.club.members.count()
         membership = self.richard.memberships.filter(club=self.club).first()
         self.client.force_login(self.subscriber)
-        self.client.post(
-            self.members_url,
-            {"users_old": [self.richard.id]},
-        )
+        self.client.post(self.members_url, {"members_old": [self.richard.id]})
         # nothing should have changed
-        new_mem = self.club.get_membership_for(self.richard)
+        membership.refresh_from_db()
         assert self.club.members.count() == nb_memberships
-        assert membership == new_mem
+        assert membership.end_date is None
 
     def test_remove_from_club_group(self):
         """Test that when a membership ends, the user is removed from club groups."""
@@ -490,3 +530,85 @@ class TestMembership(TestClub):
         new_board = set(self.club.board_group.users.values_list("id", flat=True))
         assert new_members == initial_members
         assert new_board == initial_board
+
+
+@pytest.mark.django_db
+class TestJoinClub:
+    @pytest.fixture(autouse=True)
+    def clear_cache(self):
+        cache.clear()
+
+    @pytest.mark.parametrize(
+        ("user_factory", "role", "errors"),
+        [
+            (
+                subscriber_user.make,
+                2,
+                {
+                    "role": [
+                        "Sélectionnez un choix valide. 2 n\u2019en fait pas partie."
+                    ]
+                },
+            ),
+            (
+                lambda: baker.make(User),
+                1,
+                {"__all__": ["Vous devez être cotisant pour faire partie d'un club"]},
+            ),
+        ],
+    )
+    def test_join_club_errors(
+        self, user_factory: Callable[[], User], role: int, errors: dict
+    ):
+        club = baker.make(Club)
+        user = user_factory()
+        form = JoinClubForm(club=club, request_user=user, data={"role": role})
+        assert not form.is_valid()
+        assert form.errors == errors
+
+    def test_user_already_in_club(self):
+        club = baker.make(Club)
+        user = subscriber_user.make()
+        baker.make(Membership, user=user, club=club)
+        form = JoinClubForm(club=club, request_user=user, data={"role": 1})
+        assert not form.is_valid()
+        assert form.errors == {"__all__": ["Vous êtes déjà membre de ce club."]}
+
+    def test_ok(self):
+        club = baker.make(Club)
+        user = subscriber_user.make()
+        form = JoinClubForm(club=club, request_user=user, data={"role": 1})
+        assert form.is_valid()
+        form.save()
+        assert Membership.objects.ongoing().filter(user=user, club=club).exists()
+
+
+class TestOldMembersView(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        club = baker.make(Club)
+        roles = [1, 1, 1, 2, 2, 4, 4, 5, 7, 9, 10]
+        cls.memberships = baker.make(
+            Membership,
+            role=iter(roles),
+            club=club,
+            start_date=now() - timedelta(days=14),
+            end_date=now() - timedelta(days=7),
+            _quantity=len(roles),
+            _bulk_create=True,
+        )
+        cls.url = reverse("club:club_old_members", kwargs={"club_id": club.id})
+
+    def test_ok(self):
+        user = subscriber_user.make()
+        self.client.force_login(user)
+        res = self.client.get(self.url)
+        assert res.status_code == 200
+
+    def test_access_forbidden(self):
+        res = self.client.get(self.url)
+        assertRedirects(res, reverse("core:login", query={"next": self.url}))
+
+        self.client.force_login(baker.make(User))
+        res = self.client.get(self.url)
+        assert res.status_code == 403

club/tests/test_posters.py

@@ -0,0 +1,35 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from club.models import Club
+from com.models import Poster
+from core.baker_recipes import subscriber_user
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("route_url", ["club:poster_list", "club:poster_create"])
+def test_access(client: Client, route_url):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    url = reverse(route_url, kwargs={"club_id": club.id})
+
+    client.force_login(user)
+    assert client.get(url).status_code == 403
+    club.board_group.users.add(user)
+    assert client.get(url).status_code == 200
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("route_url", ["club:poster_edit", "club:poster_delete"])
+def test_access_specific_poster(client: Client, route_url):
+    club = baker.make(Club)
+    user = subscriber_user.make()
+    poster = baker.make(Poster)
+    url = reverse(route_url, kwargs={"club_id": club.id, "poster_id": poster.id})
+
+    client.force_login(user)
+    assert client.get(url).status_code == 403
+    club.board_group.users.add(user)
+    assert client.get(url).status_code == 200

club/urls.py

@@ -25,6 +25,7 @@
 from django.urls import path
 
 from club.views import (
+    ClubAddMembersFragment,
     ClubCreateView,
     ClubEditView,
     ClubListView,
@@ -60,6 +61,11 @@ urlpatterns = [
     path("<int:club_id>/edit/", ClubEditView.as_view(), name="club_edit"),
     path("<int:club_id>/edit/page/", ClubPageEditView.as_view(), name="club_edit_page"),
     path("<int:club_id>/members/", ClubMembersView.as_view(), name="club_members"),
+    path(
+        "fragment/<int:club_id>/members/",
+        ClubAddMembersFragment.as_view(),
+        name="club_new_members",
+    ),
     path(
         "<int:club_id>/elderlies/",
         ClubOldMembersView.as_view(),

club/views.py

@@ -23,52 +23,57 @@
 #
 
 import csv
+from typing import Any
 
 from django.conf import settings
 from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import NON_FIELD_ERRORS, PermissionDenied, ValidationError
 from django.core.paginator import InvalidPage, Paginator
-from django.db.models import Sum
-from django.http import (
-    Http404,
-    HttpResponseRedirect,
-    StreamingHttpResponse,
-)
+from django.db.models import Q, Sum
+from django.http import Http404, HttpResponseRedirect, StreamingHttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone
-from django.utils.functional import cached_property
+from django.utils.safestring import SafeString
+from django.utils.timezone import now
 from django.utils.translation import gettext as _t
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, ListView, View
 from django.views.generic.edit import CreateView, DeleteView, UpdateView
 
 from club.forms import (
+    ClubAddMemberForm,
     ClubAdminEditForm,
     ClubEditForm,
-    ClubMemberForm,
+    ClubOldMemberForm,
+    JoinClubForm,
     MailingForm,
     SellingsForm,
 )
 from club.models import Club, Mailing, MailingSubscription, Membership
+from com.models import Poster
 from com.views import (
     PosterCreateBaseView,
     PosterDeleteBaseView,
     PosterEditBaseView,
     PosterListBaseView,
 )
-from core.auth.mixins import CanCreateMixin, CanEditMixin, CanViewMixin
+from core.auth.mixins import CanEditMixin
 from core.models import PageRev
-from core.views import DetailFormView, PageEditViewBase
-from core.views.mixins import TabedViewMixin
+from core.views import DetailFormView, PageEditViewBase, UseFragmentsMixin
+from core.views.mixins import FragmentMixin, FragmentRenderer, TabedViewMixin
 from counter.models import Selling
 
 
 class ClubTabsMixin(TabedViewMixin):
     def get_tabs_title(self):
-        obj = self.get_object()
-        if isinstance(obj, PageRev):
-            self.object = obj.page.club
+        if not hasattr(self, "object") or not self.object:
+            self.object = self.get_object()
+        if isinstance(self.object, PageRev):
+            self.object = self.object.page.club
+        elif isinstance(self.object, Poster):
+            self.object = self.object.club
         return self.object.get_display_name()
 
     def get_list_of_tabs(self):
@@ -79,7 +84,7 @@ class ClubTabsMixin(TabedViewMixin):
                 "name": _("Infos"),
             }
         ]
-        if self.request.user.can_view(self.object):
+        if self.request.user.has_perm("club.view_club"):
             tab_list.extend(
                 [
                     {
@@ -98,16 +103,16 @@ class ClubTabsMixin(TabedViewMixin):
                     },
                 ]
             )
-        if self.object.page:
-            tab_list.append(
-                {
-                    "url": reverse(
-                        "club:club_hist", kwargs={"club_id": self.object.id}
-                    ),
-                    "slug": "history",
-                    "name": _("History"),
-                }
-            )
+            if self.object.page:
+                tab_list.append(
+                    {
+                        "url": reverse(
+                            "club:club_hist", kwargs={"club_id": self.object.id}
+                        ),
+                        "slug": "history",
+                        "name": _("History"),
+                    }
+                )
         if self.request.user.can_edit(self.object):
             tab_list.extend(
                 [
@@ -159,7 +164,7 @@ class ClubTabsMixin(TabedViewMixin):
                             "club:poster_list", kwargs={"club_id": self.object.id}
                         ),
                         "slug": "posters",
-                        "name": _("Posters list"),
+                        "name": _("Posters"),
                     },
                 ]
             )
@@ -171,6 +176,10 @@ class ClubListView(ListView):
 
     model = Club
     template_name = "club/club_list.jinja"
+    queryset = (
+        Club.objects.filter(parent=None).order_by("name").prefetch_related("children")
+    )
+    context_object_name = "club_list"
 
 
 class ClubView(ClubTabsMixin, DetailView):
@@ -224,13 +233,14 @@ class ClubPageEditView(ClubTabsMixin, PageEditViewBase):
         return reverse_lazy("club:club_view", kwargs={"club_id": self.club.id})
 
 
-class ClubPageHistView(ClubTabsMixin, CanViewMixin, DetailView):
+class ClubPageHistView(ClubTabsMixin, PermissionRequiredMixin, DetailView):
     """Modification hostory of the page."""
 
     model = Club
     pk_url_kwarg = "club_id"
     template_name = "club/page_history.jinja"
     current_tab = "history"
+    permission_required = "club.view_club"
 
 
 class ClubToolsView(ClubTabsMixin, CanEditMixin, DetailView):
@@ -242,57 +252,121 @@ class ClubToolsView(ClubTabsMixin, CanEditMixin, DetailView):
     current_tab = "tools"
 
 
-class ClubMembersView(ClubTabsMixin, CanViewMixin, DetailFormView):
+class ClubAddMembersFragment(
+    FragmentMixin, PermissionRequiredMixin, SuccessMessageMixin, CreateView
+):
+    template_name = "club/fragments/add_member.jinja"
+    model = Membership
+    object = None
+    reload_on_redirect = True
+    permission_required = "club.view_club"
+
+    def dispatch(self, *args, **kwargs):
+        self.club = get_object_or_404(Club, pk=kwargs.get("club_id"))
+        return super().dispatch(*args, **kwargs)
+
+    def get_form_class(self):
+        user = self.request.user
+        if user.has_perm("club.add_membership") or self.club.get_membership_for(user):
+            return ClubAddMemberForm
+        return JoinClubForm
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {
+            "request_user": self.request.user,
+            "club": self.club,
+        }
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.club = kwargs.get("club")
+        return super().render_fragment(request, **kwargs)
+
+    def get_success_url(self):
+        return reverse("club:club_members", kwargs={"club_id": self.club.id})
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {"club": self.club}
+
+    def get_success_message(self, cleaned_data):
+        if "user" not in cleaned_data or cleaned_data["user"] == self.request.user:
+            return _("You are now a member of this club.")
+        return _("%(user)s has been added to club.") % cleaned_data
+
+
+class ClubMembersView(
+    ClubTabsMixin, UseFragmentsMixin, PermissionRequiredMixin, DetailFormView
+):
     """View of a club's members."""
 
     model = Club
     pk_url_kwarg = "club_id"
-    form_class = ClubMemberForm
+    form_class = ClubOldMemberForm
     template_name = "club/club_members.jinja"
     current_tab = "members"
+    permission_required = "club.view_club"
 
-    @cached_property
-    def members(self) -> list[Membership]:
-        return list(self.object.members.ongoing().order_by("-role"))
+    def get_fragments(self) -> dict[str, type[FragmentMixin] | FragmentRenderer]:
+        membership = self.object.get_membership_for(self.request.user)
+        if (
+            membership
+            and membership.role <= settings.SITH_MAXIMUM_FREE_ROLE
+            and not self.request.user.has_perm("club.add_membership")
+        ):
+            # Simple club members won't see the form anymore.
+            # Even if they saw it, they couldn't add anyone to the club anyway
+            return {}
+        return {"add_member_fragment": ClubAddMembersFragment}
+
+    def get_fragment_data(self) -> dict[str, Any]:
+        return {"add_member_fragment": {"club": self.object}}
 
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["request_user"] = self.request.user
-        kwargs["club"] = self.object
-        kwargs["club_members"] = self.members
-        return kwargs
+        return super().get_form_kwargs() | {
+            "user": self.request.user,
+            "club": self.object,
+        }
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
-        kwargs["members"] = self.members
+        editable = list(
+            kwargs["form"].fields["members_old"].queryset.values_list("id", flat=True)
+        )
+        kwargs["members"] = list(
+            self.object.members.ongoing()
+            .annotate(is_editable=Q(id__in=editable))
+            .order_by("-role")
+            .select_related("user")
+        )
+        kwargs["can_end_membership"] = len(editable) > 0
         return kwargs
 
     def form_valid(self, form):
-        """Check user rights."""
-        resp = super().form_valid(form)
-
-        data = form.clean()
-        users = data.pop("users", [])
-        users_old = data.pop("users_old", [])
-        for user in users:
-            Membership(club=self.object, user=user, **data).save()
-        for user in users_old:
-            membership = self.object.get_membership_for(user)
-            membership.end_date = timezone.now()
+        for membership in form.cleaned_data.get("members_old"):
+            membership.end_date = now()
             membership.save()
-        return resp
+        return super().form_valid(form)
 
     def get_success_url(self, **kwargs):
         return self.request.path
 
 
-class ClubOldMembersView(ClubTabsMixin, CanViewMixin, DetailView):
+class ClubOldMembersView(ClubTabsMixin, PermissionRequiredMixin, DetailView):
     """Old members of a club."""
 
     model = Club
     pk_url_kwarg = "club_id"
     template_name = "club/club_old_members.jinja"
     current_tab = "elderlies"
+    permission_required = "club.view_club"
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "old_members": (
+                self.object.members.exclude(end_date=None)
+                .order_by("-role", "description", "-end_date")
+                .select_related("user")
+            )
+        }
 
 
 class ClubSellingView(ClubTabsMixin, CanEditMixin, DetailFormView):
@@ -333,7 +407,7 @@ class ClubSellingView(ClubTabsMixin, CanEditMixin, DetailFormView):
         form = self.get_form()
         if form.is_valid():
             if not len([v for v in form.cleaned_data.values() if v is not None]):
-                qs = Selling.objects.filter(id=-1)
+                qs = Selling.objects.none()
             if form.cleaned_data["begin_date"]:
                 qs = qs.filter(date__gte=form.cleaned_data["begin_date"])
             if form.cleaned_data["end_date"]:
@@ -351,7 +425,9 @@ class ClubSellingView(ClubTabsMixin, CanEditMixin, DetailFormView):
             if len(selected_products) > 0:
                 qs = qs.filter(product__in=selected_products)
 
-            kwargs["result"] = qs.all().order_by("-id")
+            kwargs["result"] = qs.select_related(
+                "counter", "counter__club", "customer", "customer__user", "seller"
+            ).order_by("-id")
             kwargs["total"] = sum([s.quantity * s.unit_price for s in kwargs["result"]])
             total_quantity = qs.all().aggregate(Sum("quantity"))
             if total_quantity["quantity__sum"]:
@@ -682,48 +758,45 @@ class MailingAutoGenerationView(View):
         return redirect("club:mailing", club_id=club.id)
 
 
-class PosterListView(ClubTabsMixin, PosterListBaseView, CanViewMixin):
+class PosterListView(ClubTabsMixin, PosterListBaseView):
     """List communication posters."""
 
+    current_tab = "posters"
+    extra_context = {"app": "club"}
+
+    def get_queryset(self):
+        return super().get_queryset().filter(club=self.club.id)
+
     def get_object(self):
         return self.club
 
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "club"
-        kwargs["club"] = self.club
-        return kwargs
 
-
-class PosterCreateView(PosterCreateBaseView, CanCreateMixin):
+class PosterCreateView(ClubTabsMixin, PosterCreateBaseView):
     """Create communication poster."""
 
-    pk_url_kwarg = "club_id"
-
-    def get_object(self):
-        obj = super().get_object()
-        if not obj:
-            return self.club
-        return obj
+    current_tab = "posters"
 
     def get_success_url(self, **kwargs):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})
 
+    def get_object(self, *args, **kwargs):
+        return self.club
 
-class PosterEditView(ClubTabsMixin, PosterEditBaseView, CanEditMixin):
+
+class PosterEditView(ClubTabsMixin, PosterEditBaseView):
     """Edit communication poster."""
 
+    current_tab = "posters"
+    extra_context = {"app": "club"}
+
     def get_success_url(self):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})
 
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "club"
-        return kwargs
 
-
-class PosterDeleteView(PosterDeleteBaseView, ClubTabsMixin, CanEditMixin):
+class PosterDeleteView(ClubTabsMixin, PosterDeleteBaseView):
     """Delete communication poster."""
 
+    current_tab = "posters"
+
     def get_success_url(self):
         return reverse_lazy("club:poster_list", kwargs={"club_id": self.club.id})

com/forms.py

@@ -2,7 +2,6 @@ from datetime import date
 
 from dateutil.relativedelta import relativedelta
 from django import forms
-from django.db.models import Exists, OuterRef
 from django.forms import CheckboxInput
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -35,20 +34,18 @@ class PosterForm(forms.ModelForm):
         label=_("Start date"),
         widget=SelectDateTime,
         required=True,
-        initial=timezone.now().strftime("%Y-%m-%d %H:%M:%S"),
+        initial=timezone.now(),
     )
     date_end = forms.DateTimeField(
         label=_("End date"), widget=SelectDateTime, required=False
     )
 
-    def __init__(self, *args, **kwargs):
-        self.user = kwargs.pop("user", None)
+    def __init__(self, *args, user: User, **kwargs):
         super().__init__(*args, **kwargs)
-        if self.user and not self.user.is_com_admin:
-            self.fields["club"].queryset = Club.objects.filter(
-                id__in=self.user.clubs_with_rights
-            )
-            self.fields.pop("display_time")
+        if user.is_root or user.is_com_admin:
+            self.fields["club"].widget = AutoCompleteSelectClub()
+        else:
+            self.fields["club"].queryset = Club.objects.having_board_member(user)
 
 
 class NewsDateForm(forms.ModelForm):
@@ -161,16 +158,9 @@ class NewsForm(forms.ModelForm):
         # if the author is an admin, he/she can choose any club,
         # otherwise, only clubs for which he/she is a board member can be selected
         if author.is_root or author.is_com_admin:
-            self.fields["club"] = forms.ModelChoiceField(
-                queryset=Club.objects.all(), widget=AutoCompleteSelectClub
-            )
+            self.fields["club"].widget = AutoCompleteSelectClub()
         else:
-            active_memberships = author.memberships.board().ongoing()
-            self.fields["club"] = forms.ModelChoiceField(
-                queryset=Club.objects.filter(
-                    Exists(active_memberships.filter(club=OuterRef("pk")))
-                )
-            )
+            self.fields["club"].queryset = Club.objects.having_board_member(author)
 
     def is_valid(self):
         return super().is_valid() and self.date_form.is_valid()

com/ics_calendar.py

@@ -68,7 +68,7 @@ class IcsCalendar:
                 start=news_date.start_date,
                 end=news_date.end_date,
                 url=as_absolute_url(
-                    reverse("com:news_detail", kwargs={"news_id": news_date.news.id})
+                    reverse("com:news_detail", kwargs={"news_id": news_date.news_id})
                 ),
             )
             calendar.events.append(event)

com/migrations/0008_alter_news_options_alter_newsdate_options_and_more.py

@@ -54,7 +54,7 @@ class Migration(migrations.Migration):
         migrations.AddConstraint(
             model_name="newsdate",
             constraint=models.CheckConstraint(
-                check=models.Q(("end_date__gte", models.F("start_date"))),
+                condition=models.Q(("end_date__gte", models.F("start_date"))),
                 name="news_date_end_date_after_start_date",
             ),
         ),

com/models.py

@@ -27,7 +27,7 @@ from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.mail import EmailMultiAlternatives
 from django.db import models, transaction
-from django.db.models import F, Q
+from django.db.models import Exists, F, OuterRef, Q
 from django.shortcuts import render
 from django.templatetags.static import static
 from django.urls import reverse
@@ -55,9 +55,17 @@ class Sith(models.Model):
 
 
 class NewsQuerySet(models.QuerySet):
-    def moderated(self) -> Self:
+    def published(self) -> Self:
         return self.filter(is_published=True)
 
+    def waiting_moderation(self) -> Self:
+        """Filter all non-finished non-published news"""
+        # Because of the way News and NewsDates are created,
+        # there may be some cases where this method is called before
+        # the NewsDates linked to a Date are actually persisted in db.
+        # Thus, it's important to filter by "not past date" rather than by "future date"
+        return self.filter(~Q(dates__start_date__lt=timezone.now()), is_published=False)
+
     def viewable_by(self, user: User) -> Self:
         """Filter news that the given user can view.
 
@@ -127,20 +135,28 @@ class News(models.Model):
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
-        if self.is_published:
-            return
-        for user in User.objects.filter(
-            groups__id__in=[settings.SITH_GROUP_COM_ADMIN_ID]
-        ):
-            Notification.objects.create(
-                user=user, url=reverse("com:news_admin_list"), type="NEWS_MODERATION"
+        if not self.is_published:
+            admins_without_notif = User.objects.filter(
+                ~Exists(
+                    Notification.objects.filter(
+                        user=OuterRef("pk"), type="NEWS_MODERATION"
+                    )
+                ),
+                groups__id=settings.SITH_GROUP_COM_ADMIN_ID,
             )
+            notif_url = reverse("com:news_admin_list")
+            new_notifs = [
+                Notification(user=user, url=notif_url, type="NEWS_MODERATION")
+                for user in admins_without_notif
+            ]
+            Notification.objects.bulk_create(new_notifs)
+        self.update_moderation_notifs()
 
     def get_absolute_url(self):
         return reverse("com:news_detail", kwargs={"news_id": self.id})
 
     def get_full_url(self):
-        return "https://%s%s" % (settings.SITH_URL, self.get_absolute_url())
+        return f"https://{settings.SITH_URL}{self.get_absolute_url()}"
 
     def is_owned_by(self, user):
         if user.is_anonymous:
@@ -159,19 +175,16 @@ class News(models.Model):
             or (user.is_authenticated and self.author_id == user.id)
         )
 
-
-def news_notification_callback(notif: Notification):
-    # the NewsDate linked to the News
-    # which creation triggered this callback may not exist yet,
-    # so it's important to filter by "not past date" rather than by "future date"
-    count = News.objects.filter(
-        ~Q(dates__start_date__gt=timezone.now()), is_published=False
-    ).count()
-    if count:
-        notif.viewed = False
-        notif.param = str(count)
-    else:
-        notif.viewed = True
+    @staticmethod
+    def update_moderation_notifs():
+        count = News.objects.waiting_moderation().count()
+        notifs_qs = Notification.objects.filter(
+            type="NEWS_MODERATION", user__groups__id=settings.SITH_GROUP_COM_ADMIN_ID
+        )
+        if count:
+            notifs_qs.update(viewed=False, param=str(count))
+        else:
+            notifs_qs.update(viewed=True)
 
 
 class NewsDateQuerySet(models.QuerySet):
@@ -212,7 +225,7 @@ class NewsDate(models.Model):
         verbose_name_plural = _("news dates")
         constraints = [
             models.CheckConstraint(
-                check=Q(end_date__gte=F("start_date")),
+                condition=Q(end_date__gte=F("start_date")),
                 name="news_date_end_date_after_start_date",
             )
         ]
@@ -399,17 +412,5 @@ class Poster(models.Model):
         if self.date_end and self.date_begin > self.date_end:
             raise ValidationError(_("Begin date should be before end date"))
 
-    def is_owned_by(self, user):
-        if user.is_anonymous:
-            return False
-        return user.is_com_admin or len(user.clubs_with_rights) > 0
-
-    def can_be_moderated_by(self, user):
-        return user.is_com_admin
-
     def get_display_name(self):
         return self.club.get_display_name()
-
-    @property
-    def page(self):
-        return self.club.page

com/static/bundled/com/slideshow-index.ts

@@ -0,0 +1,49 @@
+const INTERVAL = 10;
+
+interface Poster {
+  url: string; // URL of the poster
+  displayTime: number; // Number of seconds to display that poster
+}
+
+document.addEventListener("alpine:init", () => {
+  Alpine.data("slideshow", (posters: Poster[]) => ({
+    posters: posters,
+    progress: 0,
+    elapsed: 0,
+
+    current: 0,
+    previous: 0,
+
+    init() {
+      this.$watch("elapsed", () => {
+        const displayTime = this.posters[this.current].displayTime * 1000;
+        if (this.elapsed > displayTime) {
+          this.previous = this.current;
+          this.current = this.getNext();
+          this.elapsed = 0;
+        }
+        if (displayTime === 0) {
+          this.progress = 100;
+        } else {
+          this.progress = (100 * this.elapsed) / displayTime;
+        }
+      });
+      setInterval(() => {
+        this.elapsed += INTERVAL;
+      }, INTERVAL);
+    },
+
+    getNext() {
+      return (this.current + 1) % this.posters.length;
+    },
+
+    async toggleFullScreen(event: Event) {
+      if (document.fullscreenElement) {
+        await document.exitFullscreen();
+        return;
+      }
+      const target = event.target as HTMLElement;
+      await target.requestFullscreen();
+    },
+  }));
+});

com/static/com/css/news-list.scss

@@ -83,7 +83,8 @@
     #links_content {
       overflow: auto;
       box-shadow: $shadow-color 1px 1px 1px;
-      height: 20em;
+      min-height: 20em;
+      padding-bottom: 1em;
 
       h4 {
         margin-left: 5px;

com/static/com/css/posters.scss

@@ -111,7 +111,7 @@
             top: 0;
             left: 0;
             z-index: 10;
-            content: "Click to expand";
+            content: attr(hover);
             color: white;
             background-color: rgba(black, 0.5);
           }

com/static/com/js/poster_list.js

@@ -1,23 +0,0 @@
-$(document).ready(() => {
-  $("#poster_list #view").click(() => {
-    $("#view").removeClass("active");
-  });
-
-  $("#poster_list .poster .image").click((e) => {
-    let el = $(e.target);
-    if (el.hasClass("image")) {
-      el = el.find("img");
-    }
-    $("#poster_list #view #placeholder").html(el.clone());
-
-    $("#view").addClass("active");
-  });
-
-  $(document).keyup((e) => {
-    if (e.keyCode === 27) {
-      // escape key maps to keycode `27`
-      e.preventDefault();
-      $("#view").removeClass("active");
-    }
-  });
-});

com/static/com/js/slideshow.js

@@ -1,98 +0,0 @@
-$(document).ready(() => {
-  const transitionTime = 1000;
-
-  let i = 0;
-  const max = $("#slideshow .slide").length;
-
-  function enterFullscreen() {
-    const element = document.getElementById("slideshow");
-    $(element).addClass("fullscreen");
-    if (element.requestFullscreen) {
-      element.requestFullscreen();
-    } else if (element.mozRequestFullScreen) {
-      element.mozRequestFullScreen();
-    } else if (element.webkitRequestFullscreen) {
-      element.webkitRequestFullscreen();
-    } else if (element.msRequestFullscreen) {
-      element.msRequestFullscreen();
-    }
-  }
-
-  function exitFullscreen() {
-    const element = document.getElementById("slideshow");
-    $(element).removeClass("fullscreen");
-    if (document.exitFullscreen) {
-      document.exitFullscreen();
-    } else if (document.webkitExitFullscreen) {
-      document.webkitExitFullscreen();
-    } else if (document.mozCancelFullScreen) {
-      document.mozCancelFullScreen();
-    } else if (document.msExitFullscreen) {
-      document.msExitFullscreen();
-    }
-  }
-
-  function initProgressBar() {
-    $("#slideshow #progress_bar").css("transition", "none");
-    $("#slideshow #progress_bar").removeClass("progress");
-    $("#slideshow #progress_bar").addClass("init");
-  }
-
-  function startProgressBar(displayTime) {
-    $("#slideshow #progress_bar").removeClass("init");
-    $("#slideshow #progress_bar").addClass("progress");
-    $("#slideshow #progress_bar").css("transition", `width ${displayTime}s linear`);
-  }
-
-  function next() {
-    initProgressBar();
-    const slide = $($("#slideshow .slide").get(i % max));
-    slide.removeClass("center");
-    slide.addClass("left");
-
-    const nextSlide = $($("#slideshow .slide").get((i + 1) % max));
-    nextSlide.removeClass("right");
-    nextSlide.addClass("center");
-    const displayTime = nextSlide.attr("display_time") || 2;
-
-    $("#slideshow .bullet").removeClass("active");
-    const bullet = $("#slideshow .bullet")[(i + 1) % max];
-    $(bullet).addClass("active");
-
-    i = (i + 1) % max;
-
-    setTimeout(() => {
-      const othersLeft = $("#slideshow .slide.left");
-      othersLeft.removeClass("left");
-      othersLeft.addClass("right");
-
-      startProgressBar(displayTime);
-      setTimeout(next, displayTime * 1000);
-    }, transitionTime);
-  }
-
-  const displayTime = $("#slideshow .center").attr("display_time");
-  initProgressBar();
-  setTimeout(() => {
-    if (max > 1) {
-      startProgressBar(displayTime);
-      setTimeout(next, displayTime * 1000);
-    }
-  }, 10);
-
-  $("#slideshow").click(() => {
-    if ($("#slideshow").hasClass("fullscreen")) {
-      exitFullscreen();
-    } else {
-      enterFullscreen();
-    }
-  });
-
-  $(document).keyup((e) => {
-    if (e.keyCode === 27) {
-      // escape key maps to keycode `27`
-      e.preventDefault();
-      exitFullscreen();
-    }
-  });
-});

com/static/css/slideshow.scss

@@ -1,4 +1,4 @@
-body{
+body {
   position: absolute;
   width: 100vw;
   height: 100vh;
@@ -7,22 +7,22 @@ body{
   margin: 0;
 }
 
-#slideshow{
+#slideshow {
   position: relative;
   background-color: lightgrey;
 
   height: 100%;
 
-  *{
+  * {
     -webkit-user-select: none;
     -moz-user-select: none;
     -ms-user-select: none;
     user-select: none;
   }
 
-  &:hover{
+  &:hover {
 
-    &::before{
+    &::before {
 
       position: absolute;
       width: 100%;
@@ -34,7 +34,7 @@ body{
 
       z-index: 10;
 
-      content: "Click to expand";
+      content: attr(hover);
 
       color: white;
       background-color: rgba(black, 0.5);
@@ -43,7 +43,7 @@ body{
 
   }
 
-  &.fullscreen{
+  &:fullscreen {
     position: fixed;
     width: 100%;
     height: 100%;
@@ -51,57 +51,78 @@ body{
     left: 0;
     background: none;
 
-    &:before{
-      display:none;
+    &:before {
+      display: none;
     }
 
-    #slides{
+    #slides {
       height: 100vh;
     }
 
   }
 
-  #slides{
+  #slides {
     position: relative;
     height: 100%;
     overflow: hidden;
+    background-color: grey;
 
-    .slide{
+    .slide {
       position: absolute;
       width: 100%;
       height: 100%;
 
-      display: inline-flex;
+      display: none;
       justify-content: center;
 
       top: 0px;
+      left: 0%;
 
-      background-color: grey;
-      transition: left 1s ease-out;
-
-      img{
+      img {
         max-width: 100%;
         max-height: 100%;
         object-fit: contain;
       }
-    }
 
-    .slide.left{
-      left: -100%;
-    }
+      &.current {
+        display: inline-flex;
+        left: 0%;
+        animation: scrolling-in 1s linear;
+      }
 
-    .slide.center{
-      left: 0px;
-    }
+      &.previous {
+        display: inline-flex;
+        animation: scrolling-out 1s linear;
+        opacity: 0;
+        transition: opacity 0.1s;
+        transition-delay: 0.9s;
+      }
+
+      @keyframes scrolling-in {
+        0% {
+          transform: translateX(100%);
+        }
+
+        100% {
+          transform: translateX(0%);
+        }
+      }
+
+      @keyframes scrolling-out {
+        0% {
+          transform: translateX(0%);
+        }
+
+        100% {
+          transform: translateX(-100%);
+        }
+      }
 
-    .slide.right{
-      left: 100%;
-      transition: none;
     }
   }
 
 
-  #progress_bullets{
+  #progress_bullets {
     position: absolute;
     bottom: 10px;
     width: 100%;
@@ -112,7 +133,7 @@ body{
 
     margin-bottom: 10px;
 
-    .bullet{
+    .bullet {
       height: 10px;
       width: 10px;
 
@@ -123,27 +144,33 @@ body{
 
       background-color: grey;
 
-      &.active{
+      &.active {
         background-color: #c99836;
       }
     }
   }
 
-  #progress_bar{
+  progress {
+    --color: #304c83;
+
     position: absolute;
     bottom: 0px;
     height: 10px;
-    background-color: #304c83;
+    color: var(--color);
+    width: 100%;
+    margin-bottom: 0px;
+    border: none;
 
-    &.init{
-      width: 0px;
-      transition: none;
+    &::-moz-progress-bar {
+      background: var(--color);
     }
 
-    &.progress{
-      width: 100%;
-      transition: width 10s linear;
+    &::-webkit-progress-value {
+      background: var(--color);
+    }
+
+    &[value] {
+      background-color: transparent;
     }
   }
-}
-
+}

com/templates/com/macros.jinja

@@ -76,18 +76,20 @@
               It will stay hidden for other users until it has been published.
             {% endtrans %}
           </p>
-          {% if user.has_perm("com.moderate_news") %}
+          {%- if user.has_perm("com.moderate_news") -%}
             {# This is an additional query for each non-moderated news,
             but it will be executed only for admin users, and only one time
-            (if they do their job and moderated news as soon as they see them),
+            (if they do their job and moderate news as soon as they see them),
             so it's still reasonable #}
             <div
-              {% if news is integer or news is string %}
+              {% if news is integer or news is string -%}
                 x-data="{ nbEvents: 0 }"
                 x-init="nbEvents = await nbToPublish()"
-              {% else %}
+              {%- elif news.is_published -%}
+                x-data="{ nbEvents: 0 }"
+              {%- else -%}
                 x-data="{ nbEvents: {{ news.dates.count() }} }"
-              {% endif %}
+              {%- endif -%}
             >
               <template x-if="nbEvents > 1">
                 <div>

com/templates/com/news_list.jinja

@@ -1,10 +1,6 @@
 {% extends "core/base.jinja" %}
 {% from "com/macros.jinja" import news_moderation_alert %}
 
-{% block title %}
-  {% trans %}News{% endtrans %}
-{% endblock %}
-
 {% block additional_css %}
   <link rel="stylesheet" href="{{ static('com/css/news-list.scss') }}">
   <link rel="stylesheet" href="{{ static('com/components/ics-calendar.scss') }}">
@@ -209,6 +205,10 @@
               <i class="fa-solid fa-graduation-cap fa-xl"></i>
               <a href="{{ url("pedagogy:guide") }}">{% trans %}UV Guide{% endtrans %}</a>
             </li>
+            <li>
+              <i class="fa-solid fa-calendar-days fa-xl"></i>
+              <a href="{{ url("timetable:generator") }}">{% trans %}Timetable{% endtrans %}</a>
+            </li>
             <li>
               <i class="fa-solid fa-magnifying-glass fa-xl"></i>
               <a href="{{ url("matmat:search_clear") }}">{% trans %}Matmatronch{% endtrans %}</a>

com/templates/com/poster_list.jinja

@@ -1,11 +1,5 @@
 {% extends "core/base.jinja" %}
 
-{% block script %}
-  {{ super() }}
-  <script src="{{ static('com/js/poster_list.js') }}"></script>
-{% endblock %}
-
-
 {% block title %}
   {% trans %}Poster{% endtrans %}
 {% endblock %}
@@ -15,7 +9,7 @@
 {% endblock %}
 
 {% block content %}
-  <div id="poster_list">
+  <div id="poster_list" x-data="{ active: null }">
 
     <div id="title">
       <h3>{% trans %}Posters{% endtrans %}</h3>
@@ -38,7 +32,13 @@
         {% for poster in poster_list %}
           <div class="poster{% if not poster.is_moderated %} not_moderated{% endif %}">
             <div class="name">{{ poster.name }}</div>
-            <div class="image"><img src="{{ poster.file.url }}"></img></div>
+            <div
+              class="image"
+              hover="{% trans %}Click to expand{% endtrans %}"
+              @click="active = $el.firstElementChild"
+            >
+              <img src="{{ poster.file.url }}"></img>
+            </div>
             <div class="dates">
               <div class="begin">{{ poster.date_begin | localtime | date("d/M/Y H:m") }}</div>
               <div class="end">{{ poster.date_end | localtime | date("d/M/Y H:m") }}</div>
@@ -62,7 +62,14 @@
 
     </div>
 
-    <div id="view"><div id="placeholder"></div></div>
+    <div
+      id="view"
+      @keyup.escape.window="active = null"
+      @click="active = null"
+      :class="{active: active !== null}"
+    >
+      <div id="placeholder"><img :src="active?.src"></div>
+    </div>
 
   </div>
 {% endblock %}

com/templates/com/screen_slideshow.jinja

@@ -2,28 +2,44 @@
 <html lang="fr">
   <head>
     <title>{% trans %}Slideshow{% endtrans %}</title>
+    <link rel="shortcut icon" href="{{ static('core/img/favicon.ico') }}">
     <link href="{{ static('css/slideshow.scss') }}" rel="stylesheet" type="text/css" />
-    <script src="{{ static('bundled/vendored/jquery.min.js') }}"></script>
-    <script src="{{ static('com/js/slideshow.js') }}"></script>
+    <script type="module" src="{{ static('bundled/alpine-index.js') }}"></script>
+    <script type="module" src="{{ static('bundled/com/slideshow-index.ts') }}"></script>
   </head>
-  <body>
-    <div id="slideshow">
+  <body x-data="slideshow([
+                {% for poster in posters %}
+                  {
+                  url: '{{ poster.file.url }}',
+                  displayTime: {{ poster.display_time }}
+                  },
+                {% endfor %}
+                ])">
+    <div
+      id="slideshow"
+      @click="toggleFullScreen"
+      hover="{% trans %}Click to expand{% endtrans %}"
+      @keyup.f.window="toggleFullScreen"
+    >
 
       <div id="slides">
-        {% for poster in posters %}
-          <div class="slide {% if loop.first %}center{% else %}right{% endif %}" display_time="{{ poster.display_time }}">
-            <img src="{{ poster.file.url }}">
+        <template x-for="(poster, index) in posters">
+          <div class="slide" :class="{
+                                     current: index === current,
+                                     previous: index !== current && index === previous,
+                                     }">
+            <img :src="poster.url">
           </div>
-        {% endfor %}
+        </template>
       </div>
 
       <div id="progress_bullets">
-        {% for poster in posters %}
-          <div class="bullet {% if loop.first %}active{% endif %}"></div>
-        {% endfor %}
+        <template x-for="(poster, index) in posters">
+          <div class="bullet" :class="{active: current === index}"></div>
+        </template>
       </div>
 
-      <div id="progress_bar"></div>
+      <progress :value="progress" max="100" x-show="posters.length > 1 && progress > 0"></progress>
 
     </div>
   </body>

com/templates/com/weekmail.jinja

@@ -31,9 +31,7 @@
           <td>
             <a href="{{ url('com:weekmail_article_edit', article_id=a.id) }}">{% trans %}Edit{% endtrans %}</a> |
             <a href="{{ url('com:weekmail_article_delete', article_id=a.id) }}">{% trans %}Delete{% endtrans %}</a> |
-            <a href="?add_article={{ a.id }}">{% trans %}Add to weekmail{% endtrans %}</a> |
-            <a href="?up_article={{ a.id }}">{% trans %}Up{% endtrans %}</a> |
-            <a href="?down_article={{ a.id }}">{% trans %}Down{% endtrans %}</a>
+            <a href="?add_article={{ a.id }}">{% trans %}Add to weekmail{% endtrans %}</a>
           </td>
         </tr>
       {% endfor %}

com/tests/test_notifications.py

@@ -1,13 +1,22 @@
+from datetime import timedelta
+
 import pytest
 from django.conf import settings
+from django.utils.timezone import now
 from model_bakery import baker
 
-from com.models import News
+from com.models import News, NewsDate
+from core.baker_recipes import subscriber_user
 from core.models import Group, Notification, User
 
 
 @pytest.mark.django_db
 def test_notification_created():
+    # this news is unpublished, but is set in the past
+    # it shouldn't be taken into account when counting the number
+    # of news that are to be moderated
+    past_news = baker.make(News, is_published=False)
+    baker.make(NewsDate, news=past_news, start_date=now() - timedelta(days=1))
     com_admin_group = Group.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)
     com_admin_group.users.all().delete()
     Notification.objects.all().delete()
@@ -15,9 +24,28 @@ def test_notification_created():
     for i in range(2):
         # news notifications are permanent, so the notification created
         # during the first iteration should be reused during the second one.
-        baker.make(News)
+        baker.make(News, is_published=False)
         notifications = list(Notification.objects.all())
         assert len(notifications) == 1
         assert notifications[0].user == com_admin
         assert notifications[0].type == "NEWS_MODERATION"
         assert notifications[0].param == str(i + 1)
+
+
+@pytest.mark.django_db
+def test_notification_edited_when_moderating_news():
+    com_admin_group = Group.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)
+    com_admins = subscriber_user.make(_quantity=3)
+    com_admin_group.users.set(com_admins)
+    Notification.objects.all().delete()
+    news = baker.make(News, is_published=False)
+    assert Notification.objects.count() == 3
+    assert Notification.objects.filter(viewed=False).count() == 3
+
+    news.is_published = True
+    news.moderator = com_admins[0]
+    news.save()
+    # when the news is moderated, the notification should be marked as read
+    # for all admins
+    assert Notification.objects.count() == 3
+    assert Notification.objects.filter(viewed=False).count() == 0

com/tests/test_views.py

@@ -18,17 +18,16 @@ from unittest.mock import patch
 import pytest
 from django.conf import settings
 from django.contrib.sites.models import Site
-from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils import html
-from django.utils.timezone import localtime, now
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from model_bakery import baker
 from pytest_django.asserts import assertNumQueries, assertRedirects
 
 from club.models import Club, Membership
-from com.models import News, NewsDate, Poster, Sith, Weekmail, WeekmailArticle
+from com.models import News, NewsDate, Sith, Weekmail, WeekmailArticle
 from core.baker_recipes import subscriber_user
 from core.models import AnonymousUser, Group, User
 
@@ -207,31 +206,6 @@ class TestWeekmailArticle(TestCase):
         assert not self.article.is_owned_by(self.sli)
 
 
-class TestPoster(TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        cls.com_admin = User.objects.get(username="comunity")
-        cls.poster = Poster.objects.create(
-            name="dummy",
-            file=SimpleUploadedFile("dummy.jpg", b"azertyuiop"),
-            club=Club.objects.first(),
-            date_begin=localtime(now()),
-        )
-        cls.sli = User.objects.get(username="sli")
-        cls.sli.memberships.all().delete()
-        Membership(user=cls.sli, club=Club.objects.first(), role=5).save()
-        cls.susbcriber = User.objects.get(username="subscriber")
-        cls.anonymous = AnonymousUser()
-
-    def test_poster_owner(self):
-        """Test that poster are owned by com admins and board members in clubs."""
-        assert self.poster.is_owned_by(self.com_admin)
-        assert not self.poster.is_owned_by(self.anonymous)
-
-        assert not self.poster.is_owned_by(self.susbcriber)
-        assert self.poster.is_owned_by(self.sli)
-
-
 class TestNewsCreation(TestCase):
     @classmethod
     def setUpTestData(cls):

com/views.py

@@ -28,7 +28,10 @@ from typing import Any
 
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
-from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
+from django.contrib import messages
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin,
+)
 from django.contrib.syndication.views import Feed
 from django.core.exceptions import PermissionDenied, ValidationError
 from django.db.models import Max
@@ -50,9 +53,10 @@ from core.auth.mixins import (
     CanEditPropMixin,
     CanViewMixin,
     PermissionOrAuthorRequiredMixin,
+    PermissionOrClubBoardRequiredMixin,
 )
 from core.models import User
-from core.views.mixins import QuickNotifMixin, TabedViewMixin
+from core.views.mixins import TabedViewMixin
 from core.views.widgets.markdown import MarkdownInput
 
 # Sith object
@@ -99,13 +103,6 @@ class ComTabsMixin(TabedViewMixin):
         ]
 
 
-class IsComAdminMixin(AccessMixin):
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_com_admin:
-            raise PermissionDenied
-        return super().dispatch(request, *args, **kwargs)
-
-
 class ComEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     model = Sith
     template_name = "core/edit.jinja"
@@ -337,7 +334,7 @@ class NewsFeed(Feed):
 # Weekmail
 
 
-class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, DetailView):
+class WeekmailPreviewView(ComTabsMixin, CanEditPropMixin, DetailView):
     model = Weekmail
     template_name = "com/weekmail_preview.jinja"
     success_url = reverse_lazy("com:weekmail")
@@ -349,12 +346,11 @@ class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, Detai
 
     def post(self, request, *args, **kwargs):
         self.object = self.get_object()
+        messages.success(self.request, _("Weekmail sent successfully"))
         if request.POST["send"] == "validate":
             try:
                 self.object.send()
-                return HttpResponseRedirect(
-                    reverse("com:weekmail") + "?qn_weekmail_send_success"
-                )
+                return HttpResponseRedirect(reverse("com:weekmail"))
             except SMTPRecipientsRefused as e:
                 self.bad_recipients = e.recipients
         elif request.POST["send"] == "clean":
@@ -365,7 +361,6 @@ class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, Detai
                 for u in users:
                     u.preferences.receive_weekmail = False
                     u.preferences.save()
-                self.quick_notif_list += ["qn_success"]
         return super().get(request, *args, **kwargs)
 
     def get_object(self, queryset=None):
@@ -379,7 +374,7 @@ class WeekmailPreviewView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, Detai
         return kwargs
 
 
-class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateView):
+class WeekmailEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     model = Weekmail
     template_name = "com/weekmail.jinja"
     form_class = modelform_factory(
@@ -419,7 +414,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
                 art.rank, prev_art.rank = prev_art.rank, art.rank
                 art.save()
                 prev_art.save()
-                self.quick_notif_list += ["qn_success"]
+                messages.success(
+                    self.request,
+                    _("%(title)s moved up in the Weekmail") % {"title": art.title},
+                )
         if "down_article" in request.GET:
             art = get_object_or_404(
                 WeekmailArticle, id=request.GET["down_article"], weekmail=self.object
@@ -431,7 +429,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
                 art.rank, next_art.rank = next_art.rank, art.rank
                 art.save()
                 next_art.save()
-                self.quick_notif_list += ["qn_success"]
+                messages.success(
+                    self.request,
+                    _("%(title)s moved down in the Weekmail") % {"title": art.title},
+                )
         if "add_article" in request.GET:
             art = get_object_or_404(
                 WeekmailArticle, id=request.GET["add_article"], weekmail=None
@@ -440,7 +441,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
             art.rank = self.object.articles.aggregate(Max("rank"))["rank__max"] or 0
             art.rank += 1
             art.save()
-            self.quick_notif_list += ["qn_success"]
+            messages.success(
+                self.request,
+                _("%(title)s added to the Weekmail") % {"title": art.title},
+            )
         if "del_article" in request.GET:
             art = get_object_or_404(
                 WeekmailArticle, id=request.GET["del_article"], weekmail=self.object
@@ -448,7 +452,10 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
             art.weekmail = None
             art.rank = -1
             art.save()
-            self.quick_notif_list += ["qn_success"]
+            messages.success(
+                self.request,
+                _("%(title)s removed from the Weekmail") % {"title": art.title},
+            )
         return super().get(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):
@@ -458,9 +465,7 @@ class WeekmailEditView(ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateVi
         return kwargs
 
 
-class WeekmailArticleEditView(
-    ComTabsMixin, QuickNotifMixin, CanEditPropMixin, UpdateView
-):
+class WeekmailArticleEditView(ComTabsMixin, CanEditPropMixin, UpdateView):
     """Edit an article."""
 
     model = WeekmailArticle
@@ -472,11 +477,10 @@ class WeekmailArticleEditView(
     pk_url_kwarg = "article_id"
     template_name = "core/edit.jinja"
     success_url = reverse_lazy("com:weekmail")
-    quick_notif_url_arg = "qn_weekmail_article_edit"
     current_tab = "weekmail"
 
 
-class WeekmailArticleCreateView(QuickNotifMixin, CreateView):
+class WeekmailArticleCreateView(CreateView):
     """Post an article."""
 
     model = WeekmailArticle
@@ -487,7 +491,6 @@ class WeekmailArticleCreateView(QuickNotifMixin, CreateView):
     )
     template_name = "core/create.jinja"
     success_url = reverse_lazy("core:user_tools")
-    quick_notif_url_arg = "qn_weekmail_new_article"
 
     def get_initial(self):
         if "club" not in self.request.GET:
@@ -558,161 +561,109 @@ class MailingModerateView(View):
         raise PermissionDenied
 
 
-class PosterAdminViewMixin(IsComAdminMixin, ComTabsMixin):
-    current_tab = "posters"
-
-
-class PosterListBaseView(PosterAdminViewMixin, ListView):
+class PosterListBaseView(PermissionOrClubBoardRequiredMixin, ListView):
     """List communication posters."""
 
-    current_tab = "posters"
     model = Poster
     template_name = "com/poster_list.jinja"
-
-    def dispatch(self, request, *args, **kwargs):
-        club_id = kwargs.pop("club_id", None)
-        self.club = None
-        if club_id:
-            self.club = get_object_or_404(Club, pk=club_id)
-        return super().dispatch(request, *args, **kwargs)
-
-    def get_queryset(self):
-        if self.request.user.is_com_admin:
-            return Poster.objects.all().order_by("-date_begin")
-        else:
-            return Poster.objects.filter(club=self.club.id)
+    permission_required = "com.view_poster"
+    ordering = ["-date_begin"]
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if not self.request.user.is_com_admin:
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
 
-class PosterCreateBaseView(PosterAdminViewMixin, CreateView):
+class PosterCreateBaseView(PermissionOrClubBoardRequiredMixin, CreateView):
     """Create communication poster."""
 
-    current_tab = "posters"
     form_class = PosterForm
     template_name = "core/create.jinja"
+    permission_required = "com.add_poster"
 
     def get_queryset(self):
         return Poster.objects.all()
 
-    def dispatch(self, request, *args, **kwargs):
-        if "club_id" in kwargs:
-            self.club = get_object_or_404(Club, pk=kwargs["club_id"])
-        return super().dispatch(request, *args, **kwargs)
-
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs.update({"user": self.request.user})
-        return kwargs
+        return super().get_form_kwargs() | {"user": self.request.user}
+
+    def get_initial(self):
+        return {"club": self.club}
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if not self.request.user.is_com_admin:
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
     def form_valid(self, form):
-        if self.request.user.is_com_admin:
+        if self.request.user.has_perm("com.moderate_poster"):
             form.instance.is_moderated = True
         return super().form_valid(form)
 
 
-class PosterEditBaseView(PosterAdminViewMixin, UpdateView):
+class PosterEditBaseView(PermissionOrClubBoardRequiredMixin, UpdateView):
     """Edit communication poster."""
 
     pk_url_kwarg = "poster_id"
-    current_tab = "posters"
     form_class = PosterForm
     template_name = "com/poster_edit.jinja"
-
-    def get_initial(self):
-        return {
-            "date_begin": self.object.date_begin.strftime("%Y-%m-%d %H:%M:%S")
-            if self.object.date_begin
-            else None,
-            "date_end": self.object.date_end.strftime("%Y-%m-%d %H:%M:%S")
-            if self.object.date_end
-            else None,
-        }
-
-    def dispatch(self, request, *args, **kwargs):
-        if kwargs.get("club_id"):
-            try:
-                self.club = Club.objects.get(pk=kwargs["club_id"])
-            except Club.DoesNotExist as e:
-                raise PermissionDenied from e
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.change_poster"
 
     def get_queryset(self):
         return Poster.objects.all()
 
     def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs.update({"user": self.request.user})
-        return kwargs
+        return super().get_form_kwargs() | {"user": self.request.user}
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        if hasattr(self, "club"):
-            kwargs["club"] = self.club
-        return kwargs
+        return super().get_context_data(**kwargs) | {"club": self.club}
 
     def form_valid(self, form):
-        if self.request.user.is_com_admin:
+        if not self.request.user.has_perm("com.moderate_poster"):
             form.instance.is_moderated = False
         return super().form_valid(form)
 
 
-class PosterDeleteBaseView(PosterAdminViewMixin, DeleteView):
+class PosterDeleteBaseView(
+    PermissionOrClubBoardRequiredMixin, ComTabsMixin, DeleteView
+):
     """Edit communication poster."""
 
     pk_url_kwarg = "poster_id"
     current_tab = "posters"
     model = Poster
     template_name = "core/delete_confirm.jinja"
-
-    def dispatch(self, request, *args, **kwargs):
-        if kwargs.get("club_id"):
-            try:
-                self.club = Club.objects.get(pk=kwargs["club_id"])
-            except Club.DoesNotExist as e:
-                raise PermissionDenied from e
-        return super().dispatch(request, *args, **kwargs)
+    permission_required = "com.delete_poster"
 
 
-class PosterListView(PosterListBaseView):
+class PosterListView(ComTabsMixin, PosterListBaseView):
     """List communication posters."""
 
+    current_tab = "posters"
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+        if self.request.user.has_perm("com.view_poster"):
+            return qs
+        return qs.filter(club=self.club.id)
+
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         kwargs["app"] = "com"
         return kwargs
 
 
-class PosterCreateView(PosterCreateBaseView):
+class PosterCreateView(ComTabsMixin, PosterCreateBaseView):
     """Create communication poster."""
 
+    current_tab = "posters"
     success_url = reverse_lazy("com:poster_list")
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    extra_context = {"app": "com"}
 
 
-class PosterEditView(PosterEditBaseView):
+class PosterEditView(ComTabsMixin, PosterEditBaseView):
     """Edit communication poster."""
 
+    current_tab = "posters"
     success_url = reverse_lazy("com:poster_list")
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    extra_context = {"app": "com"}
 
 
 class PosterDeleteView(PosterDeleteBaseView):
@@ -721,44 +672,39 @@ class PosterDeleteView(PosterDeleteBaseView):
     success_url = reverse_lazy("com:poster_list")
 
 
-class PosterModerateListView(PosterAdminViewMixin, ListView):
+class PosterModerateListView(PermissionRequiredMixin, ComTabsMixin, ListView):
     """Moderate list communication poster."""
 
     current_tab = "posters"
     model = Poster
     template_name = "com/poster_moderate.jinja"
     queryset = Poster.objects.filter(is_moderated=False).all()
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+    permission_required = "com.moderate_poster"
+    extra_context = {"app": "com"}
 
 
-class PosterModerateView(PosterAdminViewMixin, View):
+class PosterModerateView(PermissionRequiredMixin, ComTabsMixin, View):
     """Moderate communication poster."""
 
+    current_tab = "posters"
+    permission_required = "com.moderate_poster"
+    extra_context = {"app": "com"}
+
     def get(self, request, *args, **kwargs):
         obj = get_object_or_404(Poster, pk=kwargs["object_id"])
-        if obj.can_be_moderated_by(request.user):
-            obj.is_moderated = True
-            obj.moderator = request.user
-            obj.save()
-            return redirect("com:poster_moderate_list")
-        raise PermissionDenied
-
-    def get_context_data(self, **kwargs):
-        kwargs = super(PosterModerateListView, self).get_context_data(**kwargs)
-        kwargs["app"] = "com"
-        return kwargs
+        obj.is_moderated = True
+        obj.moderator = request.user
+        obj.save()
+        return redirect("com:poster_moderate_list")
 
 
-class ScreenListView(IsComAdminMixin, ComTabsMixin, ListView):
+class ScreenListView(PermissionRequiredMixin, ComTabsMixin, ListView):
     """List communication screens."""
 
     current_tab = "screens"
     model = Screen
     template_name = "com/screen_list.jinja"
+    permission_required = "com.view_screen"
 
 
 class ScreenSlideshowView(DetailView):
@@ -769,12 +715,12 @@ class ScreenSlideshowView(DetailView):
     template_name = "com/screen_slideshow.jinja"
 
     def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["posters"] = self.object.active_posters()
-        return kwargs
+        return super().get_context_data(**kwargs) | {
+            "posters": self.object.active_posters()
+        }
 
 
-class ScreenCreateView(IsComAdminMixin, ComTabsMixin, CreateView):
+class ScreenCreateView(PermissionRequiredMixin, ComTabsMixin, CreateView):
     """Create communication screen."""
 
     current_tab = "screens"
@@ -782,9 +728,10 @@ class ScreenCreateView(IsComAdminMixin, ComTabsMixin, CreateView):
     fields = ["name"]
     template_name = "core/create.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.add_screen"
 
 
-class ScreenEditView(IsComAdminMixin, ComTabsMixin, UpdateView):
+class ScreenEditView(PermissionRequiredMixin, ComTabsMixin, UpdateView):
     """Edit communication screen."""
 
     pk_url_kwarg = "screen_id"
@@ -793,9 +740,10 @@ class ScreenEditView(IsComAdminMixin, ComTabsMixin, UpdateView):
     fields = ["name"]
     template_name = "com/screen_edit.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.change_screen"
 
 
-class ScreenDeleteView(IsComAdminMixin, ComTabsMixin, DeleteView):
+class ScreenDeleteView(PermissionRequiredMixin, ComTabsMixin, DeleteView):
     """Delete communication screen."""
 
     pk_url_kwarg = "screen_id"
@@ -803,3 +751,4 @@ class ScreenDeleteView(IsComAdminMixin, ComTabsMixin, DeleteView):
     model = Screen
     template_name = "core/delete_confirm.jinja"
     success_url = reverse_lazy("com:screen_list")
+    permission_required = "com.delete_screen"

core/admin.py

@@ -88,9 +88,9 @@ class PageAdmin(admin.ModelAdmin):
 
 @admin.register(SithFile)
 class SithFileAdmin(admin.ModelAdmin):
-    list_display = ("name", "owner", "size", "date")
+    list_display = ("name", "owner", "size", "date", "is_in_sas")
     autocomplete_fields = ("parent", "owner", "moderator")
-    search_fields = ("name",)
+    search_fields = ("name", "parent__name")
 
 
 @admin.register(OperationLog)

core/api.py

@@ -25,6 +25,7 @@ from core.schemas import (
     UserFamilySchema,
     UserFilterSchema,
     UserProfileSchema,
+    UserSchema,
 )
 from core.templatetags.renderer import markdown
 
@@ -69,16 +70,22 @@ class MailingListController(ControllerBase):
         return data
 
 
-@api_controller("/user", permissions=[CanAccessLookup])
+@api_controller("/user")
 class UserController(ControllerBase):
-    @route.get("", response=list[UserProfileSchema])
+    @route.get("", response=list[UserProfileSchema], permissions=[CanAccessLookup])
     def fetch_profiles(self, pks: Query[set[int]]):
         return User.objects.filter(pk__in=pks)
 
+    @route.get("/{int:user_id}", response=UserSchema, permissions=[CanView])
+    def fetch_user(self, user_id: int):
+        """Fetch a single user"""
+        return self.get_object_or_exception(User, id=user_id)
+
     @route.get(
         "/search",
         response=PaginatedResponseSchema[UserProfileSchema],
         url_name="search_users",
+        permissions=[CanAccessLookup],
     )
     @paginate(PageNumberPaginationExtra, page_size=20)
     def search_users(self, filters: Query[UserFilterSchema]):
@@ -97,7 +104,7 @@ class SithFileController(ControllerBase):
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
     def search_files(self, search: Annotated[str, annotated_types.MinLen(1)]):
-        return SithFile.objects.filter(name__icontains=search)
+        return SithFile.objects.filter(is_in_sas=False).filter(name__icontains=search)
 
 
 @api_controller("/group")

core/auth/mixins.py

@@ -29,8 +29,14 @@ from typing import TYPE_CHECKING, Any, LiteralString
 
 from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
+from django.http import Http404
+from django.shortcuts import get_object_or_404
+from django.utils.functional import cached_property
+from django.utils.translation import gettext as _
 from django.views.generic.base import View
 
+from club.models import Club
+
 if TYPE_CHECKING:
     from django.db.models import Model
 
@@ -297,3 +303,50 @@ class PermissionOrAuthorRequiredMixin(PermissionRequiredMixin):
             self.author_field += "_id"
         author_id = getattr(obj, self.author_field, None)
         return author_id == self.request.user.id
+
+
+class PermissionOrClubBoardRequiredMixin(PermissionRequiredMixin):
+    """Require that the user has the required perm or is the board of the club.
+
+    This mixin can be used in any view that is called from a url
+    having a `club_id` kwarg.
+
+    Example:
+
+        In `urls.py` :
+        ```python
+        urlpatterns = [
+            path("foo/<int:club_id>/bar/", FooView.as_view())
+        ]
+        ```
+
+        In `views.py` :
+
+        ```python
+        # this view is available to users that either have the
+        # "foo.view_foo" permission or are in the board of the club
+        # which id was given in the url
+        class FooView(PermissionOrClubBoardRequiredMixin, View):
+            permission_required = "foo.view_foo"
+        ```
+    """
+
+    club_pk_url_kwarg = "club_id"
+
+    @cached_property
+    def club(self):
+        club_id: str | int = self.kwargs.pop(self.club_pk_url_kwarg, None)
+        if club_id is None:
+            return None
+        if isinstance(club_id, int) or club_id.isdigit():
+            return get_object_or_404(Club, pk=club_id)
+        raise Http404(_("No club found with id %(id)s") % {"id": club_id})
+
+    def has_permission(self):
+        if self.request.user.is_anonymous:
+            return False
+        if super().has_permission():
+            return True
+        return self.club is not None and any(
+            g.id == self.club.board_group_id for g in self.request.user.cached_groups
+        )

core/management/commands/add_promo_logo.py

@@ -0,0 +1,41 @@
+import pathlib
+
+from django.apps import apps
+from django.core.management.base import BaseCommand
+from PIL import Image, UnidentifiedImageError
+
+
+class Command(BaseCommand):
+    def add_arguments(self, parser):
+        parser.add_argument("number", type=int)
+        parser.add_argument("path", type=pathlib.Path)
+        parser.add_argument("-f", "--force", action="store_true")
+
+    def handle(self, number: int, path: pathlib.Path, force: int, *args, **options):
+        if not path.exists() or path.is_dir():
+            self.stderr.write(f"{path} is not a file or does not exist")
+            return
+
+        dest_path = (
+            pathlib.Path(apps.get_app_config("core").path)
+            / "static"
+            / "core"
+            / "img"
+            / f"promo_{number}.png"
+        )
+
+        if dest_path.exists() and not force:
+            over = input("File already exists, do you want to overwrite it? (y/N):")
+            if over.lower() != "y":
+                self.stdout.write("exiting")
+                return
+        try:
+            im = Image.open(path)
+            im.resize((120, 120), resample=Image.Resampling.LANCZOS).save(
+                dest_path, format="PNG"
+            )
+            self.stdout.write(
+                f"Promo logo moved and resized successfully at {dest_path}"
+            )
+        except UnidentifiedImageError:
+            self.stderr.write("image cannot be opened and identified.")

core/management/commands/populate.py

@@ -110,6 +110,7 @@ class Command(BaseCommand):
         p.save(force_lock=True)
 
         club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )
@@ -692,21 +693,33 @@ class Command(BaseCommand):
         # SAS
         for f in self.SAS_FIXTURE_PATH.glob("*"):
             if f.is_dir():
-                album = Album.objects.create(name=f.name, is_moderated=True)
+                album = Album(
+                    parent=sas,
+                    name=f.name,
+                    owner=root,
+                    is_folder=True,
+                    is_in_sas=True,
+                    is_moderated=True,
+                )
+                album.clean()
+                album.save()
                 for p in f.iterdir():
                     file = resize_image(Image.open(p), 1000, "WEBP")
                     pict = Picture(
                         parent=album,
                         name=p.name,
-                        original=file,
+                        file=file,
                         owner=root,
+                        is_folder=False,
+                        is_in_sas=True,
                         is_moderated=True,
+                        mime_type="image/webp",
+                        size=file.size,
                     )
-                    pict.original.name = pict.name
-                    pict.generate_thumbnails()
+                    pict.file.name = p.name
                     pict.full_clean()
+                    pict.generate_thumbnails()
                     pict.save()
-                album.generate_thumbnail()
 
         img_skia = Picture.objects.get(name="skia.jpg")
         img_sli = Picture.objects.get(name="sli.jpg")
@@ -755,7 +768,7 @@ class Command(BaseCommand):
         s = Subscription(
             member=user,
             subscription_type=subscription_type,
-            payment_method=settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[0][0],
+            payment_method=settings.SITH_SUBSCRIPTION_PAYMENT_METHOD[1][0],
         )
         s.subscription_start = s.compute_start(start)
         s.subscription_end = s.compute_end(

core/management/commands/populate_more.py

@@ -94,7 +94,11 @@ class Command(BaseCommand):
                 username=self.faker.user_name(),
                 first_name=self.faker.first_name(),
                 last_name=self.faker.last_name(),
-                date_of_birth=self.faker.date_of_birth(minimum_age=15, maximum_age=25),
+                date_of_birth=(
+                    None
+                    if random.random() < 0.2
+                    else self.faker.date_of_birth(minimum_age=15, maximum_age=25)
+                ),
                 email=self.faker.email(),
                 phone=self.faker.phone_number(),
                 address=self.faker.address(),

core/migrations/0043_bangroup_alter_group_description_alter_user_groups_and_more.py

@@ -154,7 +154,7 @@ class Migration(migrations.Migration):
         migrations.AddConstraint(
             model_name="userban",
             constraint=models.CheckConstraint(
-                check=models.Q(("expires_at__gte", models.F("created_at"))),
+                condition=models.Q(("expires_at__gte", models.F("created_at"))),
                 name="user_ban_end_after_start",
             ),
         ),

core/migrations/0048_remove_sithfiles.py

@@ -1,27 +0,0 @@
-# Generated by Django 4.2.17 on 2025-01-26 15:01
-
-from typing import TYPE_CHECKING
-
-from django.db import migrations
-from django.db.migrations.state import StateApps
-
-if TYPE_CHECKING:
-    import core.models
-
-
-def remove_sas_sithfiles(apps: StateApps, schema_editor):
-    SithFile: type[core.models.SithFile] = apps.get_model("core", "SithFile")
-    SithFile.objects.filter(is_in_sas=True).delete()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("core", "0047_alter_notification_date_alter_notification_type"),
-        ("sas", "0007_alter_peoplepicturerelation_picture_and_more"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            remove_sas_sithfiles, reverse_code=migrations.RunPython.noop, elidable=True
-        )
-    ]

core/migrations/0049_remove_sithfile_is_in_sas.py

@@ -1,9 +0,0 @@
-# Generated by Django 4.2.17 on 2025-02-14 11:58
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [("core", "0048_remove_sithfiles")]
-
-    operations = [migrations.RemoveField(model_name="sithfile", name="is_in_sas")]

core/models.py

@@ -560,7 +560,7 @@ class User(AbstractUser):
         """Determine if the object is owned by the user."""
         if hasattr(obj, "is_owned_by") and obj.is_owned_by(self):
             return True
-        if hasattr(obj, "owner_group") and self.is_in_group(pk=obj.owner_group.id):
+        if hasattr(obj, "owner_group") and self.is_in_group(pk=obj.owner_group_id):
             return True
         return self.is_root
 
@@ -569,9 +569,15 @@ class User(AbstractUser):
         if hasattr(obj, "can_be_edited_by") and obj.can_be_edited_by(self):
             return True
         if hasattr(obj, "edit_groups"):
-            for pk in obj.edit_groups.values_list("pk", flat=True):
-                if self.is_in_group(pk=pk):
-                    return True
+            if (
+                hasattr(obj, "_prefetched_objects_cache")
+                and "edit_groups" in obj._prefetched_objects_cache
+            ):
+                pks = [g.id for g in obj.edit_groups.all()]
+            else:
+                pks = list(obj.edit_groups.values_list("id", flat=True))
+            if any(self.is_in_group(pk=pk) for pk in pks):
+                return True
         if isinstance(obj, User) and obj == self:
             return True
         return self.is_owner(obj)
@@ -581,9 +587,18 @@ class User(AbstractUser):
         if hasattr(obj, "can_be_viewed_by") and obj.can_be_viewed_by(self):
             return True
         if hasattr(obj, "view_groups"):
-            for pk in obj.view_groups.values_list("pk", flat=True):
-                if self.is_in_group(pk=pk):
-                    return True
+            # if "view_groups" has already been prefetched, use
+            # the prefetch cache, else fetch only the ids, to make
+            # the query lighter.
+            if (
+                hasattr(obj, "_prefetched_objects_cache")
+                and "view_groups" in obj._prefetched_objects_cache
+            ):
+                pks = [g.id for g in obj.view_groups.all()]
+            else:
+                pks = list(obj.view_groups.values_list("id", flat=True))
+            if any(self.is_in_group(pk=pk) for pk in pks):
+                return True
         return self.can_edit(obj)
 
     def can_be_edited_by(self, user):
@@ -636,9 +651,6 @@ class User(AbstractUser):
 
 
 class AnonymousUser(AuthAnonymousUser):
-    def __init__(self):
-        super().__init__()
-
     @property
     def was_subscribed(self):
         return False
@@ -647,10 +659,6 @@ class AnonymousUser(AuthAnonymousUser):
     def is_subscribed(self):
         return False
 
-    @property
-    def subscribed(self):
-        return False
-
     @property
     def is_root(self):
         return False
@@ -745,7 +753,7 @@ class UserBan(models.Model):
                 fields=["ban_group", "user"], name="unique_ban_type_per_user"
             ),
             models.CheckConstraint(
-                check=Q(expires_at__gte=F("created_at")),
+                condition=Q(expires_at__gte=F("created_at")),
                 name="user_ban_end_after_start",
             ),
         ]
@@ -863,6 +871,9 @@ class SithFile(models.Model):
         on_delete=models.CASCADE,
     )
     asked_for_removal = models.BooleanField(_("asked for removal"), default=False)
+    is_in_sas = models.BooleanField(
+        _("is in the SAS"), default=False, db_index=True
+    )  # Allows to query this flag, updated at each call to save()
 
     class Meta:
         verbose_name = _("file")
@@ -871,10 +882,22 @@ class SithFile(models.Model):
         return self.get_parent_path() + "/" + self.name
 
     def save(self, *args, **kwargs):
+        sas = SithFile.objects.filter(id=settings.SITH_SAS_ROOT_DIR_ID).first()
+        self.is_in_sas = sas in self.get_parent_list() or self == sas
         adding = self._state.adding
         super().save(*args, **kwargs)
         if adding:
             self.copy_rights()
+        if self.is_in_sas:
+            for user in User.objects.filter(
+                groups__id__in=[settings.SITH_GROUP_SAS_ADMIN_ID]
+            ):
+                Notification(
+                    user=user,
+                    url=reverse("sas:moderation"),
+                    type="SAS_MODERATION",
+                    param="1",
+                ).save()
 
     def is_owned_by(self, user: User) -> bool:
         if user.is_anonymous:
@@ -887,6 +910,8 @@ class SithFile(models.Model):
             return user.is_board_member
         if user.is_com_admin:
             return True
+        if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+            return True
         return user.id == self.owner_id
 
     def can_be_viewed_by(self, user: User) -> bool:
@@ -913,6 +938,8 @@ class SithFile(models.Model):
         super().clean()
         if "/" in self.name:
             raise ValidationError(_("Character '/' not authorized in name"))
+        if self == self.parent:
+            raise ValidationError(_("Loop in folder tree"), code="loop")
         if self == self.parent or (
             self.parent is not None and self in self.get_parent_list()
         ):
@@ -1050,6 +1077,18 @@ class SithFile(models.Model):
     def is_file(self):
         return not self.is_folder
 
+    @cached_property
+    def as_picture(self):
+        from sas.models import Picture
+
+        return Picture.objects.filter(id=self.id).first()
+
+    @cached_property
+    def as_album(self):
+        from sas.models import Album
+
+        return Album.objects.filter(id=self.id).first()
+
     def get_parent_list(self):
         parents = []
         current = self.parent
@@ -1151,6 +1190,18 @@ class NotLocked(LockError):
     pass
 
 
+class PageQuerySet(models.QuerySet):
+    def viewable_by(self, user: User) -> Self:
+        if user.is_anonymous:
+            return self.filter(view_groups=settings.SITH_GROUP_PUBLIC_ID)
+        if user.has_perm("core.view_page"):
+            return self.all()
+        groups_ids = [g.id for g in user.cached_groups]
+        if user.is_subscribed:
+            groups_ids.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
+        return self.filter(view_groups__in=groups_ids)
+
+
 # This function prevents generating migration upon settings change
 def get_default_owner_group():
     return settings.SITH_GROUP_ROOT_ID
@@ -1220,6 +1271,8 @@ class Page(models.Model):
         _("lock_timeout"), null=True, blank=True, default=None
     )
 
+    objects = PageQuerySet.as_manager()
+
     class Meta:
         unique_together = ("name", "parent")
         permissions = (
@@ -1229,12 +1282,9 @@ class Page(models.Model):
     def __str__(self):
         return self.get_full_name()
 
-    def save(self, *args, **kwargs):
+    def save(self, *args, force_lock: bool = False, **kwargs):
         """Performs some needed actions before and after saving a page in database."""
-        locked = kwargs.pop("force_lock", False)
-        if not locked:
-            locked = self.is_locked()
-        if not locked:
+        if not force_lock and not self.is_locked():
             raise NotLocked("The page is not locked and thus can not be saved")
         self.full_clean()
         if not self.id:
@@ -1246,7 +1296,7 @@ class Page(models.Model):
         # It also update all the children to maintain correct names
         self._full_name = self.get_full_name()
         for c in self.children.all():
-            c.save()
+            c.save(force_lock=force_lock)
         super().save(*args, **kwargs)
         self.unset_lock()
 
@@ -1353,23 +1403,23 @@ class Page(models.Model):
 
     @cached_property
     def is_club_page(self):
-        club_root_page = Page.objects.filter(name=settings.SITH_CLUB_ROOT_PAGE).first()
-        return club_root_page is not None and (
-            self == club_root_page or club_root_page in self.get_parent_list()
+        return (
+            self.name == settings.SITH_CLUB_ROOT_PAGE
+            or settings.SITH_CLUB_ROOT_PAGE in [p.name for p in self.get_parent_list()]
         )
 
     @cached_property
     def need_club_redirection(self):
         return self.is_club_page and self.name != settings.SITH_CLUB_ROOT_PAGE
 
-    def delete(self):
+    def delete(self, *args, **kwargs):
         self.unset_lock_recursive()
         self.set_lock_recursive(User.objects.get(id=0))
         for child in self.children.all():
             child.parent = self.parent
             child.save()
             child.unset_lock_recursive()
-        super().delete()
+        return super().delete(*args, **kwargs)
 
 
 class PageRev(models.Model):
@@ -1416,9 +1466,12 @@ class PageRev(models.Model):
     def get_absolute_url(self):
         return reverse("core:page", kwargs={"page_name": self.page._full_name})
 
-    def can_be_edited_by(self, user):
+    def can_be_edited_by(self, user: User) -> bool:
         return self.page.can_be_edited_by(user)
 
+    def is_owned_by(self, user: User) -> bool:
+        return any(g.id == self.page.owner_group_id for g in user.cached_groups)
+
 
 def get_notification_types():
     return settings.SITH_NOTIFICATIONS

core/schemas.py

@@ -34,6 +34,22 @@ class SimpleUserSchema(ModelSchema):
         fields = ["id", "nick_name", "first_name", "last_name"]
 
 
+class UserSchema(ModelSchema):
+    class Meta:
+        model = User
+        fields = [
+            "id",
+            "nick_name",
+            "first_name",
+            "last_name",
+            "date_of_birth",
+            "email",
+            "role",
+            "quote",
+            "promo",
+        ]
+
+
 class UserProfileSchema(ModelSchema):
     """The necessary information to show a user profile"""
 

core/static/bundled/alpine-index.js

@@ -1,7 +1,9 @@
+import { alpinePlugin } from "#core:utils/notifications";
 import sort from "@alpinejs/sort";
 import Alpine from "alpinejs";
 
 Alpine.plugin(sort);
+Alpine.magic("notifications", alpinePlugin);
 window.Alpine = Alpine;
 
 window.addEventListener("DOMContentLoaded", () => {

core/static/bundled/utils/notifications.ts

@@ -0,0 +1,36 @@
+export enum NotificationLevel {
+  Error = "error",
+  Warning = "warning",
+  Success = "success",
+}
+
+export function createNotification(message: string, level: NotificationLevel) {
+  const element = document.getElementById("quick-notifications");
+  if (element === null) {
+    return false;
+  }
+  return element.dispatchEvent(
+    new CustomEvent("quick-notification-add", {
+      detail: { text: message, tag: level },
+    }),
+  );
+}
+
+export function deleteNotifications() {
+  const element = document.getElementById("quick-notifications");
+  if (element === null) {
+    return false;
+  }
+  return element.dispatchEvent(new CustomEvent("quick-notification-delete"));
+}
+
+export function alpinePlugin() {
+  return {
+    error: (message: string) => createNotification(message, NotificationLevel.Error),
+    warning: (message: string) =>
+      createNotification(message, NotificationLevel.Warning),
+    success: (message: string) =>
+      createNotification(message, NotificationLevel.Success),
+    clear: () => deleteNotifications(),
+  };
+}

core/static/core/components/ajax-select.scss

@@ -36,6 +36,7 @@
   > .ts-control {
     box-shadow: none;
     max-width: 300px;
+    width: 300px;
     background-color: var(--nf-input-background-color);
 
     &::after {

core/static/core/forms.scss

@@ -47,6 +47,7 @@
   }
 
   input,
+  select,
   textarea[type="text"],
   [type="number"],
   .ts-control {
@@ -153,10 +154,8 @@ form {
     margin-bottom: 1rem;
   }
 
-  .row {
-    label {
-      margin: unset;
-    }
+  .row > label {
+    margin: unset;
   }
 
   // ------------- LABEL
@@ -240,6 +239,23 @@ form {
       }
     }
   }
+  input[type="text"],
+  input[type="email"],
+  input[type="tel"],
+  input[type="url"],
+  input[type="password"],
+  input[type="number"],
+  input[type="date"],
+  input[type="datetime-local"],
+  input[type="week"],
+  input[type="time"],
+  input[type="month"],
+  input[type="search"],
+  textarea,
+  select,
+  .ts-control {
+    min-height: calc(var(--nf-input-size) * 2.5);
+  }
 
   input[type="text"],
   input[type="checkbox"],

core/static/core/header.scss

@@ -321,7 +321,6 @@ $hovered-red-text-color: #ff4d4d;
 
         >#header_notif {
           box-sizing: border-box;
-          display: none;
           position: absolute;
           margin: 0;
           background-color: whitesmoke;

core/static/core/js/script.js

@@ -1,38 +0,0 @@
-$(() => {
-  $("#quick_notif li").click(function () {
-    $(this).hide();
-  });
-});
-
-// biome-ignore lint/correctness/noUnusedVariables: used in other scripts
-function createQuickNotif(msg) {
-  const el = document.createElement("li");
-  el.textContent = msg;
-  el.addEventListener("click", () => el.parentNode.removeChild(el));
-  document.getElementById("quick_notif").appendChild(el);
-}
-
-// biome-ignore lint/correctness/noUnusedVariables: used in other scripts
-function deleteQuickNotifs() {
-  const el = document.getElementById("quick_notif");
-  while (el.firstChild) {
-    el.removeChild(el.firstChild);
-  }
-}
-
-// biome-ignore lint/correctness/noUnusedVariables: used in other scripts
-function displayNotif() {
-  $("#header_notif").toggle().parent().toggleClass("white");
-}
-
-// You can't get the csrf token from the template in a widget
-// We get it from a cookie as a workaround, see this link
-// https://docs.djangoproject.com/en/2.0/ref/csrf/#ajax
-// Sadly, getting the cookie is not possible with CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
-// So, the true workaround is to get the token from the dom
-// https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true
-// biome-ignore lint/style/useNamingConvention: can't find it used anywhere but I will not play with the devil
-// biome-ignore lint/correctness/noUnusedVariables: used in other scripts
-function getCSRFToken() {
-  return $("[name=csrfmiddlewaretoken]").val();
-}

core/static/core/style.scss

@@ -270,17 +270,6 @@ body {
   }
 
   /*--------------------------------CONTENT------------------------------*/
-  #quick_notif {
-    width: 100%;
-    margin: 0 auto;
-    list-style-type: none;
-    background: $second-color;
-
-    li {
-      padding: 10px;
-    }
-  }
-
   #content {
     padding: 1em 1%;
     box-shadow: $shadow-color 0 5px 10px;
@@ -517,6 +506,10 @@ th {
   >ul {
     margin-top: 0;
   }
+
+  >input[type="checkbox"] {
+    padding: unset;
+  }
 }
 
 td {

core/templates/core/base.jinja

@@ -2,8 +2,14 @@
 <html lang="fr">
   <head>
     {% block head %}
-      <title>{% block title %}{% trans %}Welcome!{% endtrans %}{% endblock %} - Association des Étudiants UTBM</title>
+      <title>{% block title %}Association des Étudiants de l'UTBM{% endblock %}</title>
       <meta name="viewport" content="width=device-width, initial-scale=1.0">
+      <meta name="description" content="{% block description -%}
+                                          {% trans trimmed %}
+                                            AE UTBM is a voluntary organisation run by UTBM students.
+                                            It organises student life at UTBM and manages its student facilities.
+                                          {% endtrans %}
+                                        {%- endblock %}">
       <link rel="shortcut icon" href="{{ static('core/img/favicon.ico') }}">
       <link rel="stylesheet" href="{{ static('core/base.css') }}">
       <link rel="stylesheet" href="{{ static('core/style.scss') }}">
@@ -26,10 +32,6 @@
       <script type="module" src="{{ static('bundled/country-flags-index.ts') }}"></script>
       <script type="module" src="{{ static('bundled/core/tooltips-index.ts') }}"></script>
 
-      <!-- Jquery declared here to be accessible in every django widgets -->
-      <script src="{{ static('bundled/vendored/jquery.min.js') }}"></script>
-      <script src="{{ static('core/js/script.js') }}"></script>
-
       {% block additional_css %}{% endblock %}
       {% block additional_js %}{% endblock %}
     {% endblock %}
@@ -68,17 +70,15 @@
 
     <div id="page">
 
-      <ul id="quick_notif">
-        {% for n in quick_notifs %}
-          <li>{{ n }}</li>
-        {% endfor %}
-      </ul>
-
       <div id="content">
         {%- block tabs -%}
           {% include "core/base/tabs.jinja" %}
         {%- endblock -%}
 
+        {% block notifications %}
+          {% include "core/base/notifications.jinja" %}
+        {% endblock %}
+
         {%- block errors -%}
           {% if error %}
             {{ error }}
@@ -95,16 +95,6 @@
     {% endblock %}
 
     {% block script %}
-      <script>
-        document.addEventListener("keydown", (e) => {
-          // Looking at the `s` key when not typing in a form
-          if (e.keyCode !== 83 || ["INPUT", "TEXTAREA", "SELECT"].includes(e.target.nodeName)) {
-            return;
-          }
-          document.getElementById("search").focus();
-          e.preventDefault(); // Don't type the character in the focused search input
-        })
-      </script>
     {% endblock %}
   </body>
 </html>

core/templates/core/base/header.jinja

@@ -74,25 +74,25 @@
             {% endif %}
           ></a>
         </div>
-        <div class="notification">
-          <a href="#" onclick="displayNotif()">
-            <i class="fa-regular fa-bell"></i>
-            {% set notification_count = user.notifications.filter(viewed=False).count() %}
+        <div class="notification" x-data="{display: false}" :class="{white: display}">
+          <a href="#" @click.prevent="display = !display">
+            <i :class="`fa-${display ? 'solid': 'regular'} fa-bell`" x-transition></i>
+            {% set notifications = user.notifications.filter(viewed=False).order_by("-date")|list %}
 
-            {% if notification_count > 0 %}
+            {%- if notifications|length > 0 -%}
               <span>
-                {% if notification_count < 100 %}
-                  {{ notification_count }}
-                {% else %}
-                  &nbsp;
-                {% endif %}
+                {% if notifications|length < 100 %}
+                  {{ notifications|length }}
+                {%- else -%}
+                  99+
+                {%- endif -%}
               </span>
             {% endif %}
           </a>
-          <div id="header_notif">
+          <div id="header_notif" x-show="display" x-cloak x-transition @click.outside="display = false">
             <ul>
-              {% if user.notifications.filter(viewed=False).count() > 0 %}
-                {% for n in user.notifications.filter(viewed=False).order_by('-date') %}
+              {%- if notifications|length > 0 -%}
+                {%- for n in notifications -%}
                   <li>
                     <a href="{{ url("core:notification", notif_id=n.id) }}">
                       <div class="datetime">
@@ -108,10 +108,10 @@
                       </div>
                     </a>
                   </li>
-                {% endfor %}
-              {% else %}
+                {%- endfor -%}
+              {%- else -%}
                 <li class="empty-notification">{% trans %}You do not have any unread notification{% endtrans %}</li>
-              {% endif %}
+              {%- endif -%}
             </ul>
             <div class="options">
               <a href="{{ url('core:notification_list') }}">

core/templates/core/base/notifications.jinja

@@ -0,0 +1,24 @@
+<div id="quick-notifications"
+     x-data="{
+             messages: [
+             {% if messages %}
+               {% for message in messages %}
+                 {
+                 tag: '{{ message.tags }}',
+                 text: '{{ message }}',
+                 },
+               {% endfor %}
+             {% endif %}
+             ]
+             }"
+     @quick-notification-add="(e) => messages.push(e?.detail)"
+     @quick-notification-delete="messages = []">
+  <template x-for="message in messages">
+    <div x-data="{show: true}" class="alert" :class="`alert-${message.tag}`" x-show="show" x-transition>
+      <span class="alert-main" x-text="message.text"></span>
+      <span class="clickable" @click="show = false">
+        <i class="fa fa-close"></i>
+      </span>
+    </div>
+  </template>
+</div>

core/templates/core/group_detail.jinja

@@ -15,6 +15,7 @@
       {{ select_all_checkbox("add_users") }}
       <hr>
       {% csrf_token %}
+      {{ form.non_field_errors() }}
       <label for="{{ form.users_removed.id_for_label }}">{{ form.users_removed.label }} :</label>
       {{ form.users_removed.errors }}
       {% for user in form.users_removed %}

core/templates/core/page_list.jinja

@@ -5,16 +5,12 @@
 {% endblock %}
 
 {% block content %}
-  {% if page_list %}
-    <h3>{% trans %}Page list{% endtrans %}</h3>
-    <ul>
-      {% for p in page_list %}
-        <li><a href="{{ p.get_absolute_url() }}">{{ p.get_display_name() }}</a></li>
-      {% endfor %}
-    </ul>
-  {% else %}
-    {% trans %}There is no page in this website.{% endtrans %}
-  {% endif %}
+  <h3>{% trans %}Page list{% endtrans %}</h3>
+  <ul>
+    {% for p in page_list %}
+      <li><a href="{{ p.get_absolute_url() }}">{{ p.display_name }}</a></li>
+    {% endfor %}
+  </ul>
 {% endblock %}
 
 

core/templates/core/user_account_detail.jinja

@@ -30,7 +30,11 @@
               - {{ purchase.date|localtime|time(DATETIME_FORMAT) }}
             </td>
             <td>{{ purchase.counter }}</td>
-            <td><a href="{{ purchase.seller.get_absolute_url() }}">{{ purchase.seller.get_display_name() }}</a></td>
+            {% if not purchase.seller %}
+              <td>{% trans %}Deleted user{% endtrans %}</td>
+            {% else %}
+              <td><a href="{{ purchase.seller.get_absolute_url() }}">{{ purchase.seller.get_display_name() }}</a></td>
+            {% endif %}
             <td>{{ purchase.label }}</td>
             <td>{{ purchase.quantity }}</td>
             <td>{{ purchase.quantity * purchase.unit_price }} €</td>

core/templates/core/widgets/autocomplete_select.jinja

@@ -1,23 +1,25 @@
-{% for js in statics.js %}
-  <script-once type="module" src="{{ js }}"></script-once>
-{% endfor %}
-{% for css in statics.css %}
-  <link-once rel="stylesheet" type="text/css" href="{{ css }}" defer></link-once>
-{% endfor %}
-
-<{{ component }} name="{{ widget.name }}" {% include "django/forms/widgets/attrs.html" %}>
-{% for group_name, group_choices, group_index in widget.optgroups %}
-  {% if group_name %}
-    <optgroup label="{{ group_name }}">
-  {% endif %}
-  {% for widget in group_choices %}
-    {% include widget.template_name %}
+{% spaceless %}
+  {% for js in statics.js %}
+    <script-once type="module" src="{{ js }}"></script-once>
   {% endfor %}
-  {% if group_name %}
-    </optgroup>
+  {% for css in statics.css %}
+    <link-once rel="stylesheet" type="text/css" href="{{ css }}" defer></link-once>
+  {% endfor %}
+
+  <{{ component }} name="{{ widget.name }}" {% include "django/forms/widgets/attrs.html" %}>
+  {% for group_name, group_choices, group_index in widget.optgroups %}
+    {% if group_name %}
+      <optgroup label="{{ group_name }}">
+    {% endif %}
+    {% for widget in group_choices %}
+      {% include widget.template_name %}
+    {% endfor %}
+    {% if group_name %}
+      </optgroup>
+    {% endif %}
+  {% endfor %}
+  {% if initial %}
+    <slot style="display:none" name="initial">{{ initial }}</slot>
   {% endif %}
-{% endfor %}
-{% if initial %}
-  <slot style="display:none" name="initial">{{ initial }}</slot>
-{% endif %}
-</{{ component }}>
+  </{{ component }}>
+{% endspaceless %}

core/tests/test_files.py

@@ -5,7 +5,6 @@ from typing import Callable
 from uuid import uuid4
 
 import pytest
-from django.conf import settings
 from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile, UploadedFile
 from django.test import Client, TestCase
@@ -18,8 +17,8 @@ from pytest_django.asserts import assertNumQueries
 from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
 from core.models import Group, QuickUploadImage, SithFile, User
 from core.utils import RED_PIXEL_PNG
-from sas.baker_recipes import picture_recipe
 from sas.models import Picture
+from sith import settings
 
 
 @pytest.mark.django_db
@@ -31,19 +30,24 @@ class TestImageAccess:
             lambda: baker.make(
                 User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
             ),
+            lambda: baker.make(
+                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)]
+            ),
         ],
     )
     def test_sas_image_access(self, user_factory: Callable[[], User]):
         """Test that only authorized users can access the sas image."""
         user = user_factory()
-        picture = picture_recipe.make()
-        assert user.can_edit(picture)
+        picture: SithFile = baker.make(
+            Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+        )
+        assert picture.is_owned_by(user)
 
     def test_sas_image_access_owner(self):
         """Test that the owner of the image can access it."""
         user = baker.make(User)
-        picture = picture_recipe.make(owner=user)
-        assert user.can_edit(picture)
+        picture: Picture = baker.make(Picture, owner=user)
+        assert picture.is_owned_by(user)
 
     @pytest.mark.parametrize(
         "user_factory",
@@ -59,41 +63,7 @@ class TestImageAccess:
         user = user_factory()
         owner = baker.make(User)
         picture: Picture = baker.make(Picture, owner=owner)
-        assert not user.can_edit(picture)
-
-
-@pytest.mark.django_db
-class TestUserPicture:
-    def test_anonymous_user_unauthorized(self, client):
-        """An anonymous user shouldn't have access to an user's photo page."""
-        response = client.get(
-            reverse(
-                "core:user_pictures",
-                kwargs={"user_id": User.objects.get(username="sli").pk},
-            )
-        )
-        assert response.status_code == 403
-
-    @pytest.mark.parametrize(
-        ("username", "status"),
-        [
-            ("guy", 403),
-            ("root", 200),
-            ("skia", 200),
-            ("sli", 200),
-        ],
-    )
-    def test_page_is_working(self, client, username, status):
-        """Only user that subscribed (or admins) should be able to see the page."""
-        # Test for simple user
-        client.force_login(User.objects.get(username=username))
-        response = client.get(
-            reverse(
-                "core:user_pictures",
-                kwargs={"user_id": User.objects.get(username="sli").pk},
-            )
-        )
-        assert response.status_code == status
+        assert not picture.is_owned_by(user)
 
 
 # TODO: many tests on the pages:

core/tests/test_page.py

@@ -0,0 +1,58 @@
+import pytest
+from django.conf import settings
+from django.contrib.auth.models import Permission
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from core.baker_recipes import board_user, subscriber_user
+from core.models import AnonymousUser, Page, User
+from sith.settings import SITH_GROUP_OLD_SUBSCRIBERS_ID, SITH_GROUP_SUBSCRIBERS_ID
+
+
+@pytest.mark.django_db
+def test_edit_page(client: Client):
+    user = board_user.make()
+    page = baker.prepare(Page)
+    page.save(force_lock=True)
+    page.view_groups.add(user.groups.first())
+    client.force_login(user)
+
+    url = reverse("core:page_edit", kwargs={"page_name": page._full_name})
+    res = client.get(url)
+    assert res.status_code == 200
+
+    res = client.post(url, data={"content": "Hello World"})
+    assertRedirects(res, reverse("core:page", kwargs={"page_name": page._full_name}))
+    revision = page.revisions.last()
+    assert revision.content == "Hello World"
+
+
+@pytest.mark.django_db
+def test_viewable_by():
+    # remove existing pages to prevent side effect
+    Page.objects.all().delete()
+    view_groups = [
+        [settings.SITH_GROUP_PUBLIC_ID],
+        [settings.SITH_GROUP_PUBLIC_ID, SITH_GROUP_SUBSCRIBERS_ID],
+        [SITH_GROUP_SUBSCRIBERS_ID],
+        [SITH_GROUP_SUBSCRIBERS_ID, SITH_GROUP_OLD_SUBSCRIBERS_ID],
+        [],
+    ]
+    pages = baker.make(Page, _quantity=len(view_groups), _bulk_create=True)
+    for page, groups in zip(pages, view_groups, strict=True):
+        page.view_groups.set(groups)
+
+    viewable = Page.objects.viewable_by(AnonymousUser()).values_list("id", flat=True)
+    assert set(viewable) == {pages[0].id, pages[1].id}
+
+    subscriber = subscriber_user.make()
+    viewable = Page.objects.viewable_by(subscriber).values_list("id", flat=True)
+    assert set(viewable) == {p.id for p in pages[0:4]}
+
+    root_user = baker.make(
+        User, user_permissions=[Permission.objects.get(codename="view_page")]
+    )
+    viewable = Page.objects.viewable_by(root_user).values_list("id", flat=True)
+    assert set(viewable) == {p.id for p in pages}

core/tests/test_user.py

@@ -20,9 +20,9 @@ from core.baker_recipes import (
 )
 from core.models import Group, User
 from core.views import UserTabsMixin
-from counter.models import Counter, Refilling, Selling
+from counter.baker_recipes import sale_recipe
+from counter.models import Counter, Customer, Refilling, Selling
 from eboutic.models import Invoice, InvoiceItem
-from sas.models import Picture
 
 
 class TestSearchUsers(TestCase):
@@ -30,7 +30,6 @@ class TestSearchUsers(TestCase):
     def setUpTestData(cls):
         # News.author has on_delete=PROTECT, so news must be deleted beforehand
         News.objects.all().delete()
-        Picture.objects.all().delete()  # same for pictures
         User.objects.all().delete()
         user_recipe = Recipe(
             User,
@@ -131,6 +130,31 @@ def test_user_account_not_found(client: Client):
     assert res.status_code == 404
 
 
+@pytest.mark.django_db
+def test_is_deleted_barman_shown_as_deleted(client: Client):
+    customer = baker.make(Customer)
+    date = now()
+    sale_recipe.make(
+        seller=iter([None, baker.make(User)]),
+        customer=customer,
+        date=date,
+        _quantity=2,
+        _bulk_create=True,
+    )
+    client.force_login(customer.user)
+    res = client.get(
+        reverse(
+            "core:user_account_detail",
+            kwargs={
+                "user_id": customer.user.id,
+                "year": date.year,
+                "month": date.month,
+            },
+        )
+    )
+    assert res.status_code == 200
+
+
 class TestFilterInactive(TestCase):
     @classmethod
     def setUpTestData(cls):

core/utils.py

@@ -12,23 +12,18 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-from dataclasses import dataclass
+
 from datetime import date, timedelta
 
 # Image utils
 from io import BytesIO
-from typing import Any, Final, Unpack
+from typing import Final
 
 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.files.uploadedfile import UploadedFile
-from django.db import models
-from django.forms import BaseForm
-from django.http import Http404, HttpRequest
-from django.shortcuts import get_list_or_404
-from django.template.loader import render_to_string
-from django.utils.safestring import SafeString
+from django.http import HttpRequest
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
@@ -47,21 +42,6 @@ to generate a dummy image that is considered valid nonetheless
 """
 
 
-@dataclass
-class FormFragmentTemplateData[T: BaseForm]:
-    """Dataclass used to pre-render form fragments"""
-
-    form: T
-    template: str
-    context: dict[str, Any]
-
-    def render(self, request: HttpRequest) -> SafeString:
-        # Request is needed for csrf_tokens
-        return render_to_string(
-            self.template, context={"form": self.form, **self.context}, request=request
-        )
-
-
 def get_start_of_semester(today: date | None = None) -> date:
     """Return the date of the start of the semester of the given date.
     If no date is given, return the start date of the current semester.
@@ -215,56 +195,3 @@ def get_client_ip(request: HttpRequest) -> str | None:
             return ip
 
     return None
-
-
-Filterable = models.Model | models.QuerySet | models.Manager
-ListFilter = dict[str, list | tuple | set]
-
-
-def get_list_exact_or_404(klass: Filterable, **kwargs: Unpack[ListFilter]) -> list:
-    """Use filter() to return a list of objects from a list of unique keys (like ids)
-    or raises Http404 if the list has not the same length as the given one.
-
-    Work like `get_object_or_404()` but for lists of objects, with some caveats :
-
-    - The filter must be a list, a tuple or a set.
-    - There can't be more than exactly one filter.
-    - There must be no duplicate in the filter.
-    - The filter should consist in unique keys (like ids), or it could fail randomly.
-
-    klass may be a Model, Manager, or QuerySet object. All other passed
-    arguments and keyword arguments are used in the filter() query.
-
-    Raises:
-        Http404: If the list is empty or doesn't have as many elements as the keys list.
-        ValueError: If the first argument is not a Model, Manager, or QuerySet object.
-        ValueError: If more than one filter is passed.
-        TypeError: If the given filter is not a list, a tuple or a set.
-
-    Examples:
-        Get all the products with ids 1, 2, 3: ::
-
-            products = get_list_exact_or_404(Product, id__in=[1, 2, 3])
-
-        Don't work with duplicate ids: ::
-
-            products = get_list_exact_or_404(Product, id__in=[1, 2, 3, 3])
-            # Raises Http404: "The list of keys must contain no duplicates."
-    """
-    if len(kwargs) > 1:
-        raise ValueError("get_list_exact_or_404() only accepts one filter.")
-    key, list_filter = next(iter(kwargs.items()))
-    if not isinstance(list_filter, (list, tuple, set)):
-        raise TypeError(
-            f"The given filter must be a list, a tuple or a set, not {type(list_filter)}"
-        )
-    if len(list_filter) != len(set(list_filter)):
-        raise ValueError("The list of keys must contain no duplicates.")
-    kwargs = {key: list_filter}
-    obj_list = get_list_or_404(klass, **kwargs)
-    if len(obj_list) != len(list_filter):
-        raise Http404(
-            "The given list of keys doesn't match the number of objects found."
-            f"Expected {len(list_filter)} items, got {len(obj_list)}."
-        )
-    return obj_list

core/views/files.py

@@ -374,7 +374,7 @@ class FileDeleteView(AllowFragment, CanEditPropMixin, DeleteView):
 class FileModerationView(AllowFragment, ListView):
     model = SithFile
     template_name = "core/file_moderation.jinja"
-    queryset = SithFile.objects.filter(is_moderated=False)
+    queryset = SithFile.objects.filter(is_moderated=False, is_in_sas=False)
     ordering = "id"
     paginate_by = 100
 

core/views/forms.py

@@ -115,7 +115,7 @@ class SelectUser(TextInput):
 
 def validate_future_timestamp(value: date | datetime):
     if value <= now():
-        raise ValueError(_("Ensure this timestamp is set in the future"))
+        raise ValidationError(_("Ensure this timestamp is set in the future"))
 
 
 class FutureDateTimeField(forms.DateTimeField):

core/views/mixins.py

@@ -2,7 +2,6 @@ import copy
 import inspect
 from typing import Any, ClassVar, LiteralString, Protocol, Unpack
 
-from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
 from django.template.loader import render_to_string
@@ -41,36 +40,6 @@ class TabedViewMixin(View):
         return kwargs
 
 
-class QuickNotifMixin:
-    quick_notif_list = []
-
-    def dispatch(self, request, *arg, **kwargs):
-        # In some cases, the class can stay instanciated, so we need to reset the list
-        self.quick_notif_list = []
-        return super().dispatch(request, *arg, **kwargs)
-
-    def get_success_url(self):
-        ret = super().get_success_url()
-        if hasattr(self, "quick_notif_url_arg"):
-            if "?" in ret:
-                ret += "&" + self.quick_notif_url_arg
-            else:
-                ret += "?" + self.quick_notif_url_arg
-        return ret
-
-    def get_context_data(self, **kwargs):
-        """Add quick notifications to context."""
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["quick_notifs"] = []
-        for n in self.quick_notif_list:
-            kwargs["quick_notifs"].append(settings.SITH_QUICK_NOTIF[n])
-        for key, val in settings.SITH_QUICK_NOTIF.items():
-            for gk in self.request.GET:
-                if key == gk:
-                    kwargs["quick_notifs"].append(val)
-        return kwargs
-
-
 class AllowFragment:
     """Add `is_fragment` to templates. It's only True if the request is emitted by htmx"""
 

core/views/page.py

@@ -12,7 +12,10 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+
 from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.db.models import F, OuterRef, Subquery
+from django.db.models.functions import Coalesce
 
 # This file contains all the views that concern the page model
 from django.forms.models import modelform_factory
@@ -40,10 +43,26 @@ class CanEditPagePropMixin(CanEditPropMixin):
         return res
 
 
-class PageListView(CanViewMixin, ListView):
+class PageListView(ListView):
     model = Page
     template_name = "core/page_list.jinja"
 
+    def get_queryset(self):
+        return (
+            Page.objects.viewable_by(self.request.user)
+            .annotate(
+                display_name=Coalesce(
+                    Subquery(
+                        PageRev.objects.filter(page=OuterRef("id"))
+                        .order_by("-date")
+                        .values("title")[:1]
+                    ),
+                    F("name"),
+                )
+            )
+            .select_related("parent")
+        )
+
 
 class PageView(CanViewMixin, DetailView):
     model = Page
@@ -167,7 +186,7 @@ class PageEditViewBase(CanEditMixin, UpdateView):
     )
     template_name = "core/pagerev_edit.jinja"
 
-    def get_object(self):
+    def get_object(self, *args, **kwargs):
         self.page = Page.get_page_by_full_name(self.kwargs["page_name"])
         return self._get_revision()
 

core/views/user.py

@@ -65,7 +65,7 @@ from core.views.forms import (
     UserGroupsForm,
     UserProfileForm,
 )
-from core.views.mixins import QuickNotifMixin, TabedViewMixin, UseFragmentsMixin
+from core.views.mixins import TabedViewMixin, UseFragmentsMixin
 from counter.models import Counter, Refilling, Selling
 from eboutic.models import Invoice
 from subscription.models import Subscription
@@ -564,7 +564,7 @@ class UserUpdateGroupView(UserTabsMixin, CanEditPropMixin, UpdateView):
     current_tab = "groups"
 
 
-class UserToolsView(LoginRequiredMixin, QuickNotifMixin, UserTabsMixin, TemplateView):
+class UserToolsView(LoginRequiredMixin, UserTabsMixin, TemplateView):
     """Displays the logged user's tools."""
 
     template_name = "core/user_tools.jinja"

counter/forms.py

@@ -1,13 +1,23 @@
+import json
 import math
+import uuid
 
 from django import forms
 from django.db.models import Q
+from django.forms import BaseModelFormSet
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
+from django_celery_beat.models import ClockedSchedule
 from phonenumber_field.widgets import RegionalPhoneNumberWidget
 
 from club.widgets.ajax_select import AutoCompleteSelectClub
 from core.models import User
-from core.views.forms import NFCTextInput, SelectDate, SelectDateTime
+from core.views.forms import (
+    FutureDateTimeField,
+    NFCTextInput,
+    SelectDate,
+    SelectDateTime,
+)
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
     AutoCompleteSelectMultipleGroup,
@@ -22,7 +32,9 @@ from counter.models import (
     Product,
     Refilling,
     ReturnableProduct,
+    ScheduledProductAction,
     StudentCard,
+    get_product_actions,
 )
 from counter.widgets.ajax_select import (
     AutoCompleteSelectMultipleCounter,
@@ -158,7 +170,101 @@ class CounterEditForm(forms.ModelForm):
         }
 
 
-class ProductEditForm(forms.ModelForm):
+class ScheduledProductActionForm(forms.ModelForm):
+    """Form for automatic product archiving.
+
+    The `save` method will update or create tasks using celery-beat.
+    """
+
+    required_css_class = "required"
+    prefix = "scheduled"
+
+    class Meta:
+        model = ScheduledProductAction
+        fields = ["task"]
+        widgets = {"task": forms.RadioSelect(choices=get_product_actions)}
+        labels = {"task": _("Action")}
+        help_texts = {"task": ""}
+
+    trigger_at = FutureDateTimeField(
+        label=_("Date and time of action"), widget=SelectDateTime
+    )
+    counters = forms.ModelMultipleChoiceField(
+        label=_("New counters"),
+        help_text=_("The selected counters will replace the current ones"),
+        required=False,
+        widget=AutoCompleteSelectMultipleCounter,
+        queryset=Counter.objects.all(),
+    )
+
+    def __init__(self, *args, product: Product, **kwargs):
+        self.product = product
+        super().__init__(*args, **kwargs)
+        if not self.instance._state.adding:
+            self.fields["trigger_at"].initial = self.instance.clocked.clocked_time
+            self.fields["counters"].initial = json.loads(self.instance.kwargs).get(
+                "counters"
+            )
+
+    def clean(self):
+        if not self.changed_data or "trigger_at" in self.errors:
+            return super().clean()
+        if "trigger_at" in self.changed_data:
+            if not self.instance.clocked_id:
+                self.instance.clocked = ClockedSchedule(
+                    clocked_time=self.cleaned_data["trigger_at"]
+                )
+            else:
+                self.instance.clocked.clocked_time = self.cleaned_data["trigger_at"]
+            self.instance.clocked.save()
+        task_kwargs = {"product_id": self.product.id}
+        if (
+            self.cleaned_data["task"] == "counter.tasks.change_counters"
+            and "counters" in self.changed_data
+        ):
+            task_kwargs["counters"] = [c.id for c in self.cleaned_data["counters"]]
+        self.instance.product = self.product
+        self.instance.kwargs = json.dumps(task_kwargs)
+        self.instance.name = (
+            f"{self.cleaned_data['task']} - {self.product} - {uuid.uuid4()}"
+        )
+        return super().clean()
+
+
+class BaseScheduledProductActionFormSet(BaseModelFormSet):
+    def __init__(self, *args, product: Product, **kwargs):
+        if product.id:
+            queryset = (
+                product.scheduled_actions.filter(
+                    enabled=True, clocked__clocked_time__gt=now()
+                )
+                .order_by("clocked__clocked_time")
+                .select_related("clocked")
+            )
+        else:
+            queryset = ScheduledProductAction.objects.none()
+        form_kwargs = {"product": product}
+        super().__init__(*args, queryset=queryset, form_kwargs=form_kwargs, **kwargs)
+
+    def delete_existing(self, obj: ScheduledProductAction, commit: bool = True):  # noqa FBT001
+        clocked = obj.clocked
+        super().delete_existing(obj, commit=commit)
+        if commit:
+            clocked.delete()
+
+
+ScheduledProductActionFormSet = forms.modelformset_factory(
+    ScheduledProductAction,
+    ScheduledProductActionForm,
+    formset=BaseScheduledProductActionFormSet,
+    absolute_max=None,
+    can_delete=True,
+    can_delete_extra=False,
+    extra=2,
+)
+
+
+class ProductForm(forms.ModelForm):
     error_css_class = "error"
     required_css_class = "required"
 
@@ -199,22 +305,21 @@ class ProductEditForm(forms.ModelForm):
         queryset=Counter.objects.all(),
     )
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(self, *args, instance=None, **kwargs):
+        super().__init__(*args, instance=instance, **kwargs)
         if self.instance.id:
             self.fields["counters"].initial = self.instance.counters.all()
+        self.action_formset = ScheduledProductActionFormSet(
+            *args, product=self.instance, **kwargs
+        )
+
+    def is_valid(self):
+        return super().is_valid() and self.action_formset.is_valid()
 
     def save(self, *args, **kwargs):
         ret = super().save(*args, **kwargs)
-        if self.fields["counters"].initial:
-            # Remove the product from all counter it was added to
-            # It will then only be added to selected counters
-            for counter in self.fields["counters"].initial:
-                counter.products.remove(self.instance)
-                counter.save()
-        for counter in self.cleaned_data["counters"]:
-            counter.products.add(self.instance)
-            counter.save()
+        self.instance.counters.set(self.cleaned_data["counters"])
+        self.action_formset.save()
         return ret
 
 
@@ -266,7 +371,7 @@ class CloseCustomerAccountForm(forms.Form):
     )
 
 
-class ProductForm(forms.Form):
+class BasketProductForm(forms.Form):
     quantity = forms.IntegerField(min_value=1, required=True)
     id = forms.IntegerField(min_value=0, required=True)
 
@@ -371,5 +476,5 @@ class BaseBasketForm(forms.BaseFormSet):
 
 
 BasketForm = forms.formset_factory(
-    ProductForm, formset=BaseBasketForm, absolute_max=None, min_num=1
+    BasketProductForm, formset=BaseBasketForm, absolute_max=None, min_num=1
 )

counter/migrations/0030_returnableproduct_returnableproductbalance_and_more.py

@@ -58,7 +58,7 @@ class Migration(migrations.Migration):
         migrations.AddConstraint(
             model_name="returnableproduct",
             constraint=models.CheckConstraint(
-                check=models.Q(
+                condition=models.Q(
                     ("product", models.F("returned_product")), _negated=True
                 ),
                 name="returnableproduct_product_different_from_returned",

counter/migrations/0032_scheduledproductaction.py

@@ -0,0 +1,40 @@
+# Generated by Django 5.2.3 on 2025-09-14 11:29
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("counter", "0031_alter_counter_options"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ScheduledProductAction",
+            fields=[
+                (
+                    "periodictask_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="django_celery_beat.periodictask",
+                    ),
+                ),
+                (
+                    "product",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="scheduled_actions",
+                        to="counter.product",
+                    ),
+                ),
+            ],
+            options={"verbose_name": "Product scheduled action"},
+            bases=("django_celery_beat.periodictask",),
+        ),
+    ]

counter/models.py

@@ -34,6 +34,7 @@ from django.urls import reverse
 from django.utils import timezone
 from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
+from django_celery_beat.models import PeriodicTask
 from django_countries.fields import CountryField
 from ordered_model.models import OrderedModel
 from phonenumber_field.modelfields import PhoneNumberField
@@ -445,7 +446,8 @@ class Product(models.Model):
         buying_groups = list(self.buying_groups.all())
         if not buying_groups:
             return True
-        return any(user.is_in_group(pk=group.id) for group in buying_groups)
+        res = any(user.is_in_group(pk=group.id) for group in buying_groups)
+        return res
 
     @property
     def profit(self):
@@ -479,7 +481,7 @@ class CounterQuerySet(models.QuerySet):
         return self.annotate(has_annotated_barman=Exists(subquery))
 
     def annotate_is_open(self) -> Self:
-        """Annotate tue queryset with the `is_open` field.
+        """Annotate the queryset with the `is_open` field.
 
         For each counter, if `is_open=True`, then the counter is currently opened.
         Else the counter is closed.
@@ -535,13 +537,6 @@ class Counter(models.Model):
     def __str__(self):
         return self.name
 
-    def __getattribute__(self, name: str):
-        if name == "edit_groups":
-            return Group.objects.filter(
-                name=self.club.unix_name + settings.SITH_BOARD_SUFFIX
-            ).all()
-        return object.__getattribute__(self, name)
-
     def get_absolute_url(self) -> str:
         if self.type == "EBOUTIC":
             return reverse("eboutic:main")
@@ -690,8 +685,10 @@ class Counter(models.Model):
         Prices will be annotated
         """
 
-        products = self.products.select_related("product_type").prefetch_related(
-            "buying_groups"
+        products = (
+            self.products.filter(archived=False)
+            .select_related("product_type")
+            .prefetch_related("buying_groups")
         )
 
         # Only include age appropriate products
@@ -1278,7 +1275,7 @@ class ReturnableProduct(models.Model):
         verbose_name_plural = _("returnable products")
         constraints = [
             models.CheckConstraint(
-                check=~Q(product=F("returned_product")),
+                condition=~Q(product=F("returned_product")),
                 name="returnableproduct_product_different_from_returned",
                 violation_error_message=_(
                     "The returnable product cannot be the same as the returned one"
@@ -1362,3 +1359,39 @@ class ReturnableProductBalance(models.Model):
             f"return balance of {self.customer} "
             f"for {self.returnable.product_id} : {self.balance}"
         )
+
+
+def get_product_actions():
+    return [
+        ("counter.tasks.archive_product", _("Archiving")),
+        ("counter.tasks.change_counters", _("Counters change")),
+    ]
+
+
+class ScheduledProductAction(PeriodicTask):
+    """Extension of celery-beat tasks dedicated to perform actions on Product."""
+
+    product = models.ForeignKey(
+        Product, related_name="scheduled_actions", on_delete=models.CASCADE
+    )
+
+    class Meta:
+        verbose_name = _("Product scheduled action")
+
+    def __init__(self, *args, **kwargs):
+        self._meta.get_field("task").choices = get_product_actions()
+        super().__init__(*args, **kwargs)
+
+    def full_clean(self, *args, **kwargs):
+        self.one_off = True  # A product action should occur one time only
+        return super().full_clean(*args, **kwargs)
+
+    def clean_clocked(self):
+        if not self.clocked:
+            raise ValidationError(_("Product actions must declare a clocked schedule."))
+
+    def validate_unique(self, *args, **kwargs):
+        # The checks done in PeriodicTask.validate_unique aren't
+        # adapted in the case of scheduled product action,
+        # so we skip it and execute directly Model.validate_unique
+        return super(PeriodicTask, self).validate_unique(*args, **kwargs)

counter/static/counter/css/counter-click.scss

@@ -39,6 +39,7 @@
   flex: auto;
   margin: 0.2em;
   width: 20%;
+  min-width: 350px;
 
   ul {
     list-style-type: none;

counter/tasks.py

@@ -0,0 +1,19 @@
+# Create your tasks here
+
+from celery import shared_task
+
+from counter.models import Counter, Product
+
+
+@shared_task
+def archive_product(*, product_id: int, **kwargs):
+    product = Product.objects.get(id=product_id)
+    product.archived = True
+    product.save()
+
+
+@shared_task
+def change_counters(*, product_id: int, counters: list[int], **kwargs):
+    product = Product.objects.get(id=product_id)
+    counters = Counter.objects.filter(id__in=counters)
+    product.counters.set(counters)

counter/templates/counter/counter_click.jinja

@@ -67,13 +67,13 @@
                 <option value="FIN">{% trans %}Confirm (FIN){% endtrans %}</option>
                 <option value="ANN">{% trans %}Cancel (ANN){% endtrans %}</option>
               </optgroup>
-              {% for category in categories.keys() %}
+              {%- for category in categories.keys() -%}
                 <optgroup label="{{ category }}">
-                  {% for product in categories[category] %}
+                  {%- for product in categories[category] -%}
                     <option value="{{ product.id }}">{{ product }}</option>
-                  {% endfor %}
+                  {%- endfor -%}
                 </optgroup>
-              {% endfor %}
+              {%- endfor -%}
             </counter-product-select>
 
             <input type="submit" value="{% trans %}Go{% endtrans %}"/>

counter/templates/counter/product_form.jinja

@@ -0,0 +1,56 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  {% if object %}
+    <h2>{% trans name=object %}Edit product {{ name }}{% endtrans %}</h2>
+  {% else %}
+    <h2>{% trans %}Product creation{% endtrans %}</h2>
+  {% endif %}
+  <form method="post">
+    {% csrf_token %}
+    {{ form.as_p() }}
+
+    <br />
+
+    <h3>{% trans %}Automatic actions{% endtrans %}</h3>
+
+    <p class="margin-bottom">
+      <em>
+        {%- trans trimmed -%}
+          Automatic actions allows to schedule product changes
+          ahead of time.
+        {%- endtrans -%}
+      </em>
+    </p>
+
+    {{ form.action_formset.management_form }}
+    {%- for action_form in form.action_formset.forms -%}
+      <fieldset x-data="{action: '{{ action_form.task.initial }}'}">
+        {{ action_form.non_field_errors() }}
+        <div class="row gap-2x margin-bottom">
+          <div>
+            {{ action_form.task.errors }}
+            {{ action_form.task.label_tag() }}
+            {{ action_form.task|add_attr("x-model=action") }}
+          </div>
+          <div>{{ action_form.trigger_at.as_field_group() }}</div>
+        </div>
+        <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
+          {{ action_form.counters.as_field_group() }}
+        </div>
+        {%- if action_form.DELETE -%}
+          <div class="row gap">
+            {{ action_form.DELETE.as_field_group() }}
+          </div>
+        {%- endif -%}
+        {%- for field in action_form.hidden_fields() -%}
+          {{ field }}
+        {%- endfor -%}
+      </fieldset>
+      {%- if not loop.last -%}
+        <hr class="margin-bottom">
+      {%- endif -%}
+    {%- endfor -%}
+    <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
+  </form>
+{% endblock %}

counter/tests/test_auto_actions.py

@@ -0,0 +1,116 @@
+import json
+from datetime import timedelta
+
+import pytest
+from django.conf import settings
+from django.test import Client
+from django.urls import reverse
+from django.utils.timezone import now
+from django_celery_beat.models import ClockedSchedule
+from model_bakery import baker
+
+from core.models import Group, User
+from counter.baker_recipes import counter_recipe, product_recipe
+from counter.forms import ScheduledProductActionForm, ScheduledProductActionFormSet
+from counter.models import ScheduledProductAction
+
+
+@pytest.mark.django_db
+def test_edit_product(client: Client):
+    client.force_login(
+        baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)]
+        )
+    )
+    product = product_recipe.make()
+    url = reverse("counter:product_edit", kwargs={"product_id": product.id})
+    res = client.get(url)
+    assert res.status_code == 200
+
+    res = client.post(url, data={})
+    # This is actually a failure, but we just want to check that
+    # we don't have a 403 or a 500.
+    # The actual behaviour will be tested directly on the form.
+    assert res.status_code == 200
+
+
+@pytest.mark.django_db
+class TestProductActionForm:
+    def test_single_form_archive(self):
+        product = product_recipe.make()
+        trigger_at = now() + timedelta(minutes=10)
+        form = ScheduledProductActionForm(
+            product=product,
+            data={
+                "scheduled-task": "counter.tasks.archive_product",
+                "scheduled-trigger_at": trigger_at,
+            },
+        )
+        assert form.is_valid()
+        instance = form.save()
+        assert instance.clocked.clocked_time == trigger_at
+        assert instance.enabled is True
+        assert instance.one_off is True
+        assert instance.task == "counter.tasks.archive_product"
+        assert instance.kwargs == json.dumps({"product_id": product.id})
+
+    def test_single_form_change_counters(self):
+        product = product_recipe.make()
+        counter = counter_recipe.make()
+        trigger_at = now() + timedelta(minutes=10)
+        form = ScheduledProductActionForm(
+            product=product,
+            data={
+                "scheduled-task": "counter.tasks.change_counters",
+                "scheduled-trigger_at": trigger_at,
+                "scheduled-counters": [counter.id],
+            },
+        )
+        assert form.is_valid()
+        instance = form.save()
+        instance.refresh_from_db()
+        assert instance.clocked.clocked_time == trigger_at
+        assert instance.enabled is True
+        assert instance.one_off is True
+        assert instance.task == "counter.tasks.change_counters"
+        assert instance.kwargs == json.dumps(
+            {"product_id": product.id, "counters": [counter.id]}
+        )
+
+    def test_delete(self):
+        product = product_recipe.make()
+        clocked = baker.make(ClockedSchedule, clocked_time=now() + timedelta(minutes=2))
+        task = baker.make(
+            ScheduledProductAction,
+            product=product,
+            one_off=True,
+            clocked=clocked,
+            task="counter.tasks.archive_product",
+        )
+        formset = ScheduledProductActionFormSet(product=product)
+        formset.delete_existing(task)
+        assert not ScheduledProductAction.objects.filter(id=task.id).exists()
+        assert not ClockedSchedule.objects.filter(id=clocked.id).exists()
+
+
+@pytest.mark.django_db
+class TestProductActionFormSet:
+    def test_ok(self):
+        product = product_recipe.make()
+        counter = counter_recipe.make()
+        trigger_at = now() + timedelta(minutes=10)
+        formset = ScheduledProductActionFormSet(
+            product=product,
+            data={
+                "form-TOTAL_FORMS": "2",
+                "form-INITIAL_FORMS": "0",
+                "form-0-task": "counter.tasks.archive_product",
+                "form-0-trigger_at": trigger_at,
+                "form-1-task": "counter.tasks.change_counters",
+                "form-1-trigger_at": trigger_at,
+                "form-1-counters": [counter.id],
+            },
+        )
+        assert formset.is_valid()
+        formset.save()
+        assert ScheduledProductAction.objects.filter(product=product).count() == 2

counter/tests/test_counter.py

@@ -583,6 +583,16 @@ class TestCounterClick(TestFullClickBase):
             - self.beer.selling_price
         )
 
+    def test_no_fetch_archived_product(self):
+        counter = baker.make(Counter)
+        customer = baker.make(Customer)
+        product_recipe.make(archived=True, counters=[counter])
+        unarchived_products = product_recipe.make(
+            archived=False, counters=[counter], _quantity=3
+        )
+        customer_products = counter.get_products_for(customer)
+        assert unarchived_products == customer_products
+
 
 class TestCounterStats(TestCase):
     @classmethod

counter/tests/test_product.py

@@ -6,14 +6,16 @@ import pytest
 from django.conf import settings
 from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile
-from django.test import Client
+from django.test import Client, TestCase
 from django.urls import reverse
 from model_bakery import baker
 from PIL import Image
-from pytest_django.asserts import assertNumQueries
+from pytest_django.asserts import assertNumQueries, assertRedirects
 
+from club.models import Club
 from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
+from counter.forms import ProductForm
 from counter.models import Product, ProductType
 
 
@@ -84,3 +86,49 @@ def test_fetch_product_nb_queries(client: Client):
         # - 1 for the actual request
         # - 1 to prefetch the related buying_groups
         client.get(reverse("api:search_products_detailed"))
+
+
+class TestCreateProduct(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.product_type = baker.make(ProductType)
+        cls.club = baker.make(Club)
+        cls.data = {
+            "name": "foo",
+            "description": "bar",
+            "product_type": cls.product_type.id,
+            "club": cls.club.id,
+            "code": "FOO",
+            "purchase_price": 1.0,
+            "selling_price": 1.0,
+            "special_selling_price": 1.0,
+            "limit_age": 0,
+            "form-TOTAL_FORMS": 0,
+            "form-INITIAL_FORMS": 0,
+        }
+
+    def test_form(self):
+        form = ProductForm(data=self.data)
+        assert form.is_valid()
+        instance = form.save()
+        assert instance.club == self.club
+        assert instance.product_type == self.product_type
+        assert instance.name == "foo"
+        assert instance.selling_price == 1.0
+
+    def test_view(self):
+        self.client.force_login(
+            baker.make(
+                User,
+                groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)],
+            )
+        )
+        url = reverse("counter:new_product")
+        response = self.client.get(url)
+        assert response.status_code == 200
+        response = self.client.post(url, data=self.data)
+        assertRedirects(response, reverse("counter:product_list"))
+        product = Product.objects.last()
+        assert product.name == "foo"
+        assert product.club == self.club
+        assert product.product_type == self.product_type

counter/views/admin.py

@@ -32,7 +32,7 @@ from core.utils import get_semester_code, get_start_of_semester
 from counter.forms import (
     CloseCustomerAccountForm,
     CounterEditForm,
-    ProductEditForm,
+    ProductForm,
     ReturnableProductForm,
 )
 from counter.models import (
@@ -146,8 +146,8 @@ class ProductCreateView(CounterAdminTabsMixin, CounterAdminMixin, CreateView):
     """A create view for the admins."""
 
     model = Product
-    form_class = ProductEditForm
-    template_name = "core/create.jinja"
+    form_class = ProductForm
+    template_name = "counter/product_form.jinja"
     current_tab = "products"
 
 
@@ -155,9 +155,9 @@ class ProductEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
     """An edit view for the admins."""
 
     model = Product
-    form_class = ProductEditForm
+    form_class = ProductForm
     pk_url_kwarg = "product_id"
-    template_name = "core/edit.jinja"
+    template_name = "counter/product_form.jinja"
     current_tab = "products"
 
 

docs/howto/logo.md

@@ -12,6 +12,15 @@ nouveau logo d'une promo. C'est un processus manuel.
 	de faire cette opération manuellement, ça prend quelques
 	minutes et on est certain de la qualité à la fin.
 
+### avec une commande django
+```bash
+./manage.py add_promo_logo numero_de_promo chemin_dacces_du_logo
+```
+options:
+
+* `--force/-f` pour automatiquement écraser les logos de promo avec le même nom.
+
+### manuellement
 Les logos de promo sont à manuellement ajouter dans le projet.
 Ils se situent dans le dossier `core/static/core/img/`.
 

docs/reference/core/mixins.md

@@ -4,7 +4,6 @@
         heading_level: 3
         members:
             - TabedViewMixin
-            - QuickNotifMixin
             - AllowFragment
             - FragmentMixin
             - UseFragmentsMixin

docs/tutorial/groups.md

@@ -263,35 +263,3 @@ avec un unique champ permettant de sélectionner des groupes.
 Par défaut, seuls les utilisateurs avec la permission
 `auth.change_permission` auront accès à ce formulaire
 (donc, normalement, uniquement les utilisateurs Root).
-
-```mermaid
-sequenceDiagram
-    participant A as Utilisateur
-    participant B as ReverseProxy
-    participant C as MarkdownImage
-    participant D as Model
-
-    A->>B: GET /page/foo
-    B->>C: GET /page/foo
-    C-->>B: La page, avec les urls
-    B-->>A: La page, avec les urls
-    alt image publique 
-        A->>B: GET markdown/public/2025/img.webp
-        B-->>A: img.webp
-    end
-    alt image privée 
-        A->>B: GET markdown_image/{id}
-        B->>C: GET markdown_image/{id}
-        C->>D: user.can_view(image)
-        alt l'utilisateur a le droit de voir l'image
-            D-->>C: True
-            C-->>B: 200 (avec le X-Accel-Redirect)
-            B-->>A: img.webp
-        end
-        alt l'utilisateur n'a pas le droit de l'image
-            D-->>C: False
-            C-->>B: 403
-            B-->>A: 403
-        end
-    end
-```

eboutic/static/bundled/eboutic/eboutic-index.ts

@@ -17,7 +17,6 @@ document.addEventListener("alpine:init", () => {
       this.$watch("basket", () => {
         this.saveBasket();
       });
-
       // Invalidate basket if a purchase was made
       if (lastPurchaseTime !== null && localStorage.basketTimestamp !== undefined) {
         if (

eboutic/templates/eboutic/eboutic_billing_info.jinja

@@ -31,12 +31,5 @@
   </div>
 
   <br>
-
-  {% if messages %}
-    {% for message in messages %}
-      <div class="alert alert-{{ message.tags }}">
-        {{ message }}
-      </div>
-    {% endfor %}
-  {% endif %}
+  {% include "core/base/notifications.jinja" %}
 </div>

eboutic/templates/eboutic/eboutic_checkout.jinja

@@ -1,5 +1,9 @@
 {% extends "core/base.jinja" %}
 
+{% block notifications %}
+  {# Notifications are moved inside the billing info fragment #}
+{% endblock %}
+
 {% block title %}
   {% trans %}Basket state{% endtrans %}
 {% endblock %}

eboutic/templates/eboutic/eboutic_main.jinja

@@ -1,8 +1,12 @@
 {% extends "core/base.jinja" %}
 
-{% block title %}
+{% block title -%}
   {% trans %}Eboutic{% endtrans %}
-{% endblock %}
+{%- endblock %}
+
+{% block description -%}
+  {% trans %}The online shop of the association.{% endtrans %}
+{%- endblock %}
 
 {% block additional_js %}
     {# This script contains the code to perform requests to manipulate the
@@ -18,14 +22,6 @@
 {% block content %}
   <h1 id="eboutic-title">{% trans %}Eboutic{% endtrans %}</h1>
 
-  {% if messages %}
-    {% for message in messages %}
-      <div class="alert alert-{{ message.tags }}">
-        {{ message }}
-      </div>
-    {% endfor %}
-  {% endif %}
-
   <div id="eboutic" x-data="basket({{ last_purchase_time }})">
     <div id="basket">
       <h3>Panier</h3>

eboutic/templates/eboutic/eboutic_payment_result.jinja

@@ -4,14 +4,6 @@
   <h3>{% trans %}Eboutic{% endtrans %}</h3>
 
   <div>
-    {% if messages %}
-      {% for message in messages %}
-        <div class="alert alert-{{ message.tags }}">
-          {{ message }}
-        </div>
-      {% endfor %}
-    {% endif %}
-
     {% if success %}
       {% trans %}Payment successful{% endtrans %}
     {% else %}

eboutic/tests/test_basket.py

@@ -1,3 +1,5 @@
+from datetime import datetime, timezone
+
 import pytest
 from django.http import HttpResponse
 from django.test import TestCase
@@ -9,8 +11,13 @@ from pytest_django.asserts import assertRedirects
 
 from core.baker_recipes import subscriber_user
 from core.models import Group, User
-from counter.baker_recipes import product_recipe
-from counter.models import Counter, ProductType, get_eboutic
+from counter.baker_recipes import product_recipe, refill_recipe, sale_recipe
+from counter.models import (
+    Counter,
+    Customer,
+    ProductType,
+    get_eboutic,
+)
 from counter.tests.test_counter import BasketItem
 from eboutic.models import Basket
 
@@ -24,6 +31,96 @@ def test_get_eboutic():
     assert Counter.objects.get(name="Eboutic") == get_eboutic()
 
 
+@pytest.mark.django_db
+def test_eboutic_access_unregistered(client: Client):
+    eboutic_url = reverse("eboutic:main")
+    assertRedirects(
+        client.get(eboutic_url), reverse("core:login", query={"next": eboutic_url})
+    )
+
+
+@pytest.mark.django_db
+def test_eboutic_access_new_customer(client: Client):
+    user = baker.make(User)
+    assert not Customer.objects.filter(user=user).exists()
+
+    client.force_login(user)
+
+    assert client.get(reverse("eboutic:main")).status_code == 200
+    assert Customer.objects.filter(user=user).exists()
+
+
+@pytest.mark.django_db
+def test_eboutic_access_old_customer(client: Client):
+    user = baker.make(User)
+    customer = Customer.get_or_create(user)[0]
+
+    client.force_login(user)
+
+    assert client.get(reverse("eboutic:main")).status_code == 200
+    assert Customer.objects.filter(user=user).first() == customer
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    ("sellings", "refillings", "expected"),
+    (
+        ([], [], None),
+        (
+            [datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            [],
+            datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc),
+        ),
+        (
+            [],
+            [datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc),
+        ),
+        (
+            [datetime(2025, 2, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            [datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc),
+        ),
+        (
+            [datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            [datetime(2025, 2, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc),
+        ),
+        (
+            [
+                datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc),
+                datetime(2025, 2, 7, 1, 2, 3, tzinfo=timezone.utc),
+            ],
+            [datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc)],
+            datetime(2025, 3, 7, 1, 2, 3, tzinfo=timezone.utc),
+        ),
+    ),
+)
+def test_eboutic_basket_expiry(
+    client: Client,
+    sellings: list[datetime],
+    refillings: list[datetime],
+    expected: datetime | None,
+):
+    eboutic = get_eboutic()
+
+    customer = baker.make(Customer)
+
+    client.force_login(customer.user)
+
+    for date in sellings:
+        sale_recipe.make(
+            customer=customer, counter=eboutic, date=date, is_validated=True
+        )
+    for date in refillings:
+        refill_recipe.make(customer=customer, counter=eboutic, date=date)
+
+    assert (
+        f'x-data="basket({int(expected.timestamp() * 1000) if expected else "null"})"'
+        in client.get(reverse("eboutic:main")).text
+    )
+
+
 class TestEboutic(TestCase):
     @classmethod
     def setUpTestData(cls):

eboutic/views.py

@@ -34,6 +34,7 @@ from django.contrib.auth.mixins import (
 from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import DatabaseError, transaction
+from django.db.models import Subquery
 from django.db.models.fields import forms
 from django.db.utils import cached_property
 from django.http import HttpResponse
@@ -47,8 +48,15 @@ from django_countries.fields import Country
 
 from core.auth.mixins import CanViewMixin
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
-from counter.forms import BaseBasketForm, BillingInfoForm, ProductForm
-from counter.models import BillingInfo, Customer, Product, Selling, get_eboutic
+from counter.forms import BaseBasketForm, BasketProductForm, BillingInfoForm
+from counter.models import (
+    BillingInfo,
+    Customer,
+    Product,
+    Refilling,
+    Selling,
+    get_eboutic,
+)
 from eboutic.models import (
     Basket,
     BasketItem,
@@ -70,7 +78,7 @@ class BaseEbouticBasketForm(BaseBasketForm):
 
 
 EbouticBasketForm = forms.formset_factory(
-    ProductForm, formset=BaseEbouticBasketForm, absolute_max=None, min_num=1
+    BasketProductForm, formset=BaseEbouticBasketForm, absolute_max=None, min_num=1
 )
 
 
@@ -124,13 +132,36 @@ class EbouticMainView(LoginRequiredMixin, FormView):
         context = super().get_context_data(**kwargs)
         context["products"] = self.products
         context["customer_amount"] = self.request.user.account_balance
-        last_purchase: Selling | None = (
-            self.customer.buyings.filter(counter__type="EBOUTIC")
-            .order_by("-date")
-            .first()
-        )
+
+        purchases = (
+            Customer.objects.filter(pk=self.customer.pk)
+            .annotate(
+                last_refill=Subquery(
+                    Refilling.objects.filter(
+                        counter__type="EBOUTIC", customer_id=self.customer.pk
+                    )
+                    .order_by("-date")
+                    .values("date")[:1]
+                ),
+                last_purchase=Subquery(
+                    Selling.objects.filter(
+                        counter__type="EBOUTIC", customer_id=self.customer.pk
+                    )
+                    .order_by("-date")
+                    .values("date")[:1]
+                ),
+            )
+            .values_list("last_refill", "last_purchase")
+        )[0]
+
+        purchase_times = [
+            int(purchase.timestamp() * 1000)
+            for purchase in purchases
+            if purchase is not None
+        ]
+
         context["last_purchase_time"] = (
-            int(last_purchase.date.timestamp() * 1000) if last_purchase else "null"
+            max(purchase_times) if len(purchase_times) > 0 else "null"
         )
         return context
 

forum/templates/forum/main.jinja

@@ -2,9 +2,13 @@
 {% from 'core/macros.jinja' import user_profile_link %}
 {% from 'forum/macros.jinja' import display_forum, display_search_bar %}
 
-{% block title %}
+{% block title -%}
   {% trans %}Forum{% endtrans %}
-{% endblock %}
+{%- endblock %}
+
+{% block description -%}
+  {% trans %}A forum dedicated to the UTBM students.{% endtrans %}
+{%- endblock %}
 
 {% block additional_css %}
   <link rel="stylesheet" href="{{ static('forum/css/forum.scss') }}">

galaxy/management/commands/generate_galaxy_test_data.py

@@ -25,12 +25,13 @@ import warnings
 from datetime import timedelta
 from typing import Final, Optional
 
+from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.management.base import BaseCommand
 from django.utils import timezone
 
 from club.models import Club, Membership
-from core.models import Group, Page, User
+from core.models import Group, Page, SithFile, User
 from core.utils import RED_PIXEL_PNG
 from sas.models import Album, PeoplePictureRelation, Picture
 from subscription.models import Subscription
@@ -90,8 +91,13 @@ class Command(BaseCommand):
         self.NB_CLUBS = options["club_count"]
 
         root = User.objects.filter(username="root").first()
+        sas = SithFile.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID)
         self.galaxy_album = Album.objects.create(
-            name="galaxy-register-file", owner=root, is_moderated=True
+            name="galaxy-register-file",
+            owner=root,
+            is_moderated=True,
+            is_in_sas=True,
+            parent=sas,
         )
 
         self.make_clubs()
@@ -279,10 +285,14 @@ class Command(BaseCommand):
                     owner=u,
                     name=f"galaxy-picture {u} {i // self.NB_USERS}",
                     is_moderated=True,
+                    is_folder=False,
                     parent=self.galaxy_album,
-                    original=ContentFile(RED_PIXEL_PNG),
+                    is_in_sas=True,
+                    file=ContentFile(RED_PIXEL_PNG),
                     compressed=ContentFile(RED_PIXEL_PNG),
                     thumbnail=ContentFile(RED_PIXEL_PNG),
+                    mime_type="image/png",
+                    size=len(RED_PIXEL_PNG),
                 )
             )
             self.picts[i].file.name = self.picts[i].name

galaxy/models.py

@@ -23,20 +23,21 @@
 
 from __future__ import annotations
 
+import itertools
 import logging
 import math
 import time
+from collections import defaultdict
 from typing import NamedTuple, TypedDict
 
 from django.db import models
-from django.db.models import Case, Count, F, Q, Value, When
-from django.db.models.functions import Concat
+from django.db.models import Count, F, Q, QuerySet
 from django.utils.timezone import localdate
 from django.utils.translation import gettext_lazy as _
 
-from club.models import Club
+from club.models import Membership
 from core.models import User
-from sas.models import Picture
+from sas.models import PeoplePictureRelation, Picture
 
 
 class GalaxyStar(models.Model):
@@ -114,18 +115,9 @@ class GalaxyLane(models.Model):
         default=0,
         help_text=_("Distance separating star1 and star2"),
     )
-    family = models.PositiveIntegerField(
-        _("family score"),
-        default=0,
-    )
-    pictures = models.PositiveIntegerField(
-        _("pictures score"),
-        default=0,
-    )
-    clubs = models.PositiveIntegerField(
-        _("clubs score"),
-        default=0,
-    )
+    family = models.PositiveIntegerField(_("family score"), default=0)
+    pictures = models.PositiveIntegerField(_("pictures score"), default=0)
+    clubs = models.PositiveIntegerField(_("clubs score"), default=0)
 
     def __str__(self):
         return f"{self.star1} -> {self.star2} ({self.distance})"
@@ -174,6 +166,7 @@ class Galaxy(models.Model):
     logger = logging.getLogger("main")
 
     GALAXY_SCALE_FACTOR = 2_000
+    DEFAULT_PICTURE_COUNT_THRESHOLD = 10
     FAMILY_LINK_POINTS = 366  # Equivalent to a leap year together in a club, because.
     PICTURE_POINTS = 2  # Equivalent to two days as random members of a club.
     CLUBS_POINTS = 1  # One day together as random members in a club is one point.
@@ -187,15 +180,13 @@ class Galaxy(models.Model):
         stars_count = self.stars.count()
         s = f"GLX-ID{self.pk}-SC{stars_count}-"
         if self.state is None:
-            s += "CHS"  # CHAOS
+            s += "CHAOS"
         else:
-            s += "RLD"  # RULED
+            s += "RULED"
         return s
 
     @classmethod
-    def get_current_galaxy(
-        cls,
-    ) -> Galaxy:  # __future__.annotations is required for this
+    def get_current_galaxy(cls) -> Galaxy:
         return Galaxy.objects.filter(state__isnull=False).last()
 
     ###################
@@ -203,7 +194,18 @@ class Galaxy(models.Model):
     ###################
 
     @classmethod
-    def compute_user_score(cls, user: User) -> int:
+    def get_rulable_users(
+        cls, picture_count_threshold: int = DEFAULT_PICTURE_COUNT_THRESHOLD
+    ) -> QuerySet[User]:
+        return (
+            User.objects.exclude(subscriptions=None)
+            .annotate(pictures_count=Count("pictures"))
+            .filter(pictures_count__gt=picture_count_threshold)
+            .distinct()
+        )
+
+    @classmethod
+    def compute_individual_scores(cls) -> dict[int, int]:
         """Compute an individual score for each citizen.
 
         It will later be used by the graph algorithm to push
@@ -211,87 +213,50 @@ class Galaxy(models.Model):
 
         Idea: This could be added to the computation:
 
-        - Forum posts
         - Picture count
         - Counter consumption
         - Barman time
         - ...
         """
-        user_score = 1
-        user_score += cls.query_user_score(user)
-
+        users = (
+            User.objects.annotate(
+                score=(
+                    Count("godchildren", distinct=True) * cls.FAMILY_LINK_POINTS
+                    + Count("godfathers", distinct=True) * cls.FAMILY_LINK_POINTS
+                    + Count("pictures", distinct=True) * cls.PICTURE_POINTS
+                    + Count("memberships", distinct=True) * cls.CLUBS_POINTS
+                )
+            )
+            .filter(score__gt=0)
+            .values("id", "score")
+        )
         # TODO:
         # Scale that value with some magic number to accommodate to typical data
         # Really active galaxy citizen after 5 years typically have a score of about XXX
         # Citizen that were seen regularly without taking much part in organizations typically have a score of about XXX
         # Citizen that only went to a few events typically score about XXX
-        user_score = int(math.log2(user_score))
-
-        return user_score
-
-    @classmethod
-    def query_user_score(cls, user: User) -> int:
-        """Get the individual score of the given user in the galaxy."""
-        score_query = (
-            User.objects.filter(id=user.id)
-            .annotate(
-                godchildren_count=Count("godchildren", distinct=True)
-                * cls.FAMILY_LINK_POINTS,
-                godfathers_count=Count("godfathers", distinct=True)
-                * cls.FAMILY_LINK_POINTS,
-                pictures_score=Count("pictures", distinct=True) * cls.PICTURE_POINTS,
-                clubs_score=Count("memberships", distinct=True) * cls.CLUBS_POINTS,
-            )
-            .aggregate(
-                score=models.Sum(
-                    F("godchildren_count")
-                    + F("godfathers_count")
-                    + F("pictures_score")
-                    + F("clubs_score")
-                )
-            )
-        )
-        return score_query.get("score")
+        res = {u["id"]: int(math.log2(u["score"] + 1)) for u in users}
+        return res
 
     ####################
     # Inter-user score #
     ####################
 
     @classmethod
-    def compute_users_score(cls, user1: User, user2: User) -> RelationScore:
-        """Compute the relationship scores of the two given users.
-
-        The computation is done with the following fields :
-
-        - family: if they have some godfather/godchild relation
-        - pictures: in how many pictures are both tagged
-        - clubs: during how many days they were members of the same clubs
-        """
-        family = cls.compute_users_family_score(user1, user2)
-        pictures = cls.compute_users_pictures_score(user1, user2)
-        clubs = cls.compute_users_clubs_score(user1, user2)
-        return RelationScore(family=family, pictures=pictures, clubs=clubs)
-
-    @classmethod
-    def compute_users_family_score(cls, user1: User, user2: User) -> int:
+    def compute_user_family_score(cls, user: User) -> defaultdict[int, int]:
         """Compute the family score of the relation between the given users.
 
         This takes into account mutual godfathers.
-
-        Returns:
-             366 if user1 is the godfather of user2 (or vice versa) else 0
         """
-        link_count = User.objects.filter(
-            Q(id=user1.id, godfathers=user2) | Q(id=user2.id, godfathers=user1)
-        ).count()
-        if link_count > 0:
-            cls.logger.debug(
-                f"\t\t- '{user1}' and '{user2}' have {link_count} direct family link"
-            )
-        return link_count * cls.FAMILY_LINK_POINTS
+        godchildren = User.objects.filter(godchildren=user).values_list("id", flat=True)
+        godfathers = User.objects.filter(godfathers=user).values_list("id", flat=True)
+        result = defaultdict(int)
+        for parent in itertools.chain(godchildren, godfathers):
+            result[parent] += cls.FAMILY_LINK_POINTS
+        return result
 
     @classmethod
-    def compute_users_pictures_score(cls, user1: User, user2: User) -> int:
+    def compute_user_pictures_score(cls, user: User) -> defaultdict[int, int]:
         """Compute the pictures score of the relation between the given users.
 
         The pictures score is obtained by counting the number
@@ -301,19 +266,19 @@ class Galaxy(models.Model):
         Returns:
              The number of pictures both users have in common, times 2
         """
-        picture_count = (
-            Picture.objects.filter(people__user__in=(user1,))
-            .filter(people__user__in=(user2,))
-            .count()
-        )
-        if picture_count:
-            cls.logger.debug(
-                f"\t\t- '{user1}' was pictured with '{user2}' {picture_count} times"
+        common_photos = (
+            PeoplePictureRelation.objects.filter(
+                picture__in=Picture.objects.filter(people__user=user)
             )
-        return picture_count * cls.PICTURE_POINTS
+            .values("user")
+            .annotate(count=Count("user"))
+        )
+        return defaultdict(
+            int, {p["user"]: p["count"] * cls.PICTURE_POINTS for p in common_photos}
+        )
 
     @classmethod
-    def compute_users_clubs_score(cls, user1: User, user2: User) -> int:
+    def compute_user_clubs_score(cls, user: User) -> defaultdict[int, int]:
         """Compute the clubs score of the relation between the given users.
 
         The club score is obtained by counting the number of days
@@ -324,54 +289,36 @@ class Galaxy(models.Model):
         (two years) and user2 was a member of the same club from 01/01/2021 to
         31/12/2022 (also two years, but with an offset of one year), then their
         club score is 365.
-
-        Returns:
-            the number of days during which both users were in the same club
         """
-        common_clubs = Club.objects.filter(members__in=user1.memberships.all()).filter(
-            members__in=user2.memberships.all()
-        )
-        user1_memberships = user1.memberships.filter(club__in=common_clubs)
-        user2_memberships = user2.memberships.filter(club__in=common_clubs)
-
-        score = 0
-        for user1_membership in user1_memberships:
-            if user1_membership.end_date is None:
-                # user1_membership.save() is not called in this function, hence this is safe
-                user1_membership.end_date = localdate()
-            query = Q(  # start2 <= start1 <= end2
-                start_date__lte=user1_membership.start_date,
-                end_date__gte=user1_membership.start_date,
-            )
-            query |= Q(  # start2 <= start1 <= now
-                start_date__lte=user1_membership.start_date, end_date=None
-            )
-            query |= Q(  # start1 <= start2 <= end2
-                start_date__gte=user1_membership.start_date,
-                start_date__lte=user1_membership.end_date,
-            )
-            for user2_membership in user2_memberships.filter(
-                query, club=user1_membership.club
-            ):
-                if user2_membership.end_date is None:
-                    user2_membership.end_date = localdate()
-                latest_start = max(
-                    user1_membership.start_date, user2_membership.start_date
-                )
-                earliest_end = min(user1_membership.end_date, user2_membership.end_date)
-                cls.logger.debug(
-                    "\t\t- '%s' was with '%s' in %s starting on %s until %s (%s days)"
-                    % (
-                        user1,
-                        user2,
-                        user2_membership.club,
-                        latest_start,
-                        earliest_end,
-                        (earliest_end - latest_start).days,
+        memberships = user.memberships.only("start_date", "end_date", "club_id")
+        result = defaultdict(int)
+        now = localdate()
+        for membership in memberships:
+            # This is a N+1 query, but 92% of galaxy users have less than 10 memberships.
+            # Only 5 users have more than 30 memberships.
+            common_memberships = (
+                Membership.objects.exclude(user=user)
+                .filter(
+                    Q(  # start2 <= start1 <= end2
+                        start_date__lte=membership.start_date,
+                        end_date__gte=membership.start_date,
                     )
+                    | Q(  # start2 <= start1 <= now
+                        start_date__lte=membership.start_date, end_date=None
+                    )
+                    | Q(  # start1 <= start2 <= end2
+                        start_date__gte=membership.start_date,
+                        start_date__lte=membership.end_date or now,
+                    ),
+                    club_id=membership.club_id,
                 )
-                score += cls.CLUBS_POINTS * (earliest_end - latest_start).days
-        return score
+                .only("start_date", "end_date", "user_id")
+            )
+            for other in common_memberships:
+                start = max(membership.start_date, other.start_date)
+                end = min(membership.end_date or now, other.end_date or now)
+                result[other.user_id] += (end - start).days * cls.CLUBS_POINTS
+        return result
 
     ###################
     # Rule the galaxy #
@@ -406,7 +353,9 @@ class Galaxy(models.Model):
         cls.logger.debug(f"\t\t> Scaled distance: {value}")
         return int(value)
 
-    def rule(self, picture_count_threshold=10) -> None:
+    def rule(
+        self, picture_count_threshold: int = DEFAULT_PICTURE_COUNT_THRESHOLD
+    ) -> None:
         """Main function of the Galaxy.
 
         Iterate over all the rulable users to promote them to citizens.
@@ -427,41 +376,30 @@ class Galaxy(models.Model):
         """
         total_time = time.time()
         self.logger.info("Listing rulable citizen.")
-        rulable_users = (
-            User.objects.filter(subscriptions__isnull=False)
-            .annotate(pictures_count=Count("pictures"))
-            .filter(pictures_count__gt=picture_count_threshold)
-            .distinct()
-        )
 
         # force fetch of the whole query to make sure there won't
         # be any more db hits
         # this is memory expensive but prevents a lot of db hits, therefore
         # is far more time efficient
 
-        rulable_users = list(rulable_users)
+        rulable_users = list(self.get_rulable_users(picture_count_threshold))
         rulable_users_count = len(rulable_users)
         user1_count = 0
         self.logger.info(
             f"{rulable_users_count} citizen have been listed. Starting to rule."
         )
 
-        stars = []
         self.logger.info("Creating stars for all citizen")
-        for user in rulable_users:
-            star = GalaxyStar(
-                owner=user, galaxy=self, mass=self.compute_user_score(user)
-            )
-            stars.append(star)
-        GalaxyStar.objects.bulk_create(stars)
-
-        stars = {}
-        for star in GalaxyStar.objects.filter(galaxy=self):
-            stars[star.owner.id] = star
+        individual_scores = self.compute_individual_scores()
+        GalaxyStar.objects.bulk_create(
+            [
+                GalaxyStar(owner=user, galaxy=self, mass=individual_scores[user.id])
+                for user in rulable_users
+            ]
+        )
+        stars = {star.owner_id: star for star in self.stars.all()}
 
         self.logger.info("Creating lanes between stars")
-        # Display current speed every $speed_count_frequency users
-        speed_count_frequency = max(rulable_users_count // 10, 1)  # ten time at most
         global_avg_speed_accumulator = 0
         global_avg_speed_count = 0
         t_global_start = time.time()
@@ -472,20 +410,19 @@ class Galaxy(models.Model):
 
             star1 = stars[user1.id]
 
-            user_avg_speed = 0
-            user_avg_speed_count = 0
-
-            tstart = time.time()
             lanes = []
-            for user2_count, user2 in enumerate(rulable_users, start=1):
-                self.logger.debug("")
-                self.logger.debug(
-                    f"\t> Examining '{user1}' ({user1_count}/{rulable_users_count}) with '{user2}' ({user2_count}/{rulable_users_count2})"
-                )
+            family_scores = self.compute_user_family_score(user1)
+            picture_scores = self.compute_user_pictures_score(user1)
+            club_scores = self.compute_user_clubs_score(user1)
 
+            for user2 in rulable_users:
                 star2 = stars[user2.id]
 
-                score = Galaxy.compute_users_score(user1, user2)
+                score = RelationScore(
+                    family=family_scores.get(user2.id, 0),
+                    pictures=picture_scores.get(user2.id, 0),
+                    clubs=club_scores.get(user2.id, 0),
+                )
                 distance = self.scale_distance(sum(score))
                 if distance < 30:  # TODO: this needs tuning with real-world data
                     lanes.append(
@@ -498,22 +435,8 @@ class Galaxy(models.Model):
                             clubs=score.clubs,
                         )
                     )
-
-                if user2_count % speed_count_frequency == 0:
-                    tend = time.time()
-                    delta = tend - tstart
-                    speed = float(speed_count_frequency) / delta
-                    user_avg_speed += speed
-                    user_avg_speed_count += 1
-                    self.logger.debug(
-                        f"\tSpeed: {speed:.2f} users per second (time for last {speed_count_frequency} citizens: {delta:.2f} second)"
-                    )
-                    tstart = time.time()
-
             GalaxyLane.objects.bulk_create(lanes)
 
-            self.logger.info("")
-
             t_global_end = time.time()
             global_delta = t_global_end - t_global_start
             speed = 1.0 / global_delta
@@ -521,21 +444,19 @@ class Galaxy(models.Model):
             global_avg_speed_count += 1
             global_avg_speed = global_avg_speed_accumulator / global_avg_speed_count
 
-            self.logger.info(f" Ruling of {self} ".center(60, "#"))
-            self.logger.info(
-                f"Progression: {user1_count}/{rulable_users_count} citizen -- {rulable_users_count - user1_count} remaining"
-            )
-            self.logger.info(f"Speed: {60.0 * global_avg_speed:.2f} citizen per minute")
-
-            # We can divide the computed ETA by 2 because each loop, there is one citizen less to check, and maths tell
-            # us that this averages to a division by two
-            eta = rulable_users_count2 / global_avg_speed / 2
-            eta_hours = int(eta // 3600)
-            eta_minutes = int(eta // 60 % 60)
-            self.logger.info(
-                f"ETA: {eta_hours} hours {eta_minutes} minutes ({eta / 3600 / 24:.2f} days)"
-            )
-            self.logger.info("#" * 60)
+            if user1_count % 50 == 0:
+                self.logger.info("")
+                self.logger.info(f" Ruling of {self} ".center(60, "#"))
+                self.logger.info(
+                    f"Progression: {user1_count}/{rulable_users_count} "
+                    f"citizen -- {rulable_users_count - user1_count} remaining"
+                )
+                self.logger.info(f"Speed: {global_avg_speed:.2f} citizen per second")
+                eta = rulable_users_count2 // global_avg_speed
+                self.logger.info(
+                    f"ETA: {int(eta // 60 % 60)} minutes {int(eta % 60)} seconds"
+                )
+                self.logger.info("#" * 60)
             t_global_start = time.time()
 
         # Here, we get the IDs of the old galaxies that we'll need to delete. In normal operation, only one galaxy
@@ -556,11 +477,10 @@ class Galaxy(models.Model):
             Galaxy.objects.filter(pk__in=old_galaxies_pks).delete()
 
         total_time = time.time() - total_time
-        total_time_hours = int(total_time // 3600)
         total_time_minutes = int(total_time // 60 % 60)
         total_time_seconds = int(total_time % 60)
         self.logger.info(
-            f"{self} ruled in {total_time:.2f} seconds ({total_time_hours} hours, {total_time_minutes} minutes, {total_time_seconds} seconds)"
+            f"{self} ruled in {total_time_minutes} minutes, {total_time_seconds} seconds"
         )
 
     def make_state(self) -> None:
@@ -568,59 +488,34 @@ class Galaxy(models.Model):
         self.logger.info(
             "Caching current Galaxy state for a quicker display of the Empire's power."
         )
-
-        without_nickname = Concat(
-            F("owner__first_name"), Value(" "), F("owner__last_name")
-        )
-        with_nickname = Concat(
-            F("owner__first_name"),
-            Value(" "),
-            F("owner__last_name"),
-            Value(" ("),
-            F("owner__nick_name"),
-            Value(")"),
-        )
         stars = (
             GalaxyStar.objects.filter(galaxy=self)
-            .order_by(
-                "owner"
-            )  # This helps determinism for the tests and doesn't cost much
-            .annotate(
-                owner_name=Case(
-                    When(owner__nick_name=None, then=without_nickname),
-                    default=with_nickname,
-                )
-            )
+            .order_by("owner_id")
+            .select_related("owner")
         )
         lanes = (
             GalaxyLane.objects.filter(star1__galaxy=self)
-            .order_by(
-                "star1"
-            )  # This helps determinism for the tests and doesn't cost much
+            .order_by("star1")
             .annotate(
-                star1_owner=F("star1__owner__id"),
-                star2_owner=F("star2__owner__id"),
+                star1_owner=F("star1__owner_id"), star2_owner=F("star2__owner_id")
             )
         )
         json = GalaxyDict(
             nodes=[
                 StarDict(
-                    id=star.owner_id,
-                    name=star.owner_name,
-                    mass=star.mass,
+                    id=star.owner_id, name=star.owner.get_display_name(), mass=star.mass
                 )
                 for star in stars
             ],
-            links=[],
-        )
-        for path in lanes:
-            json["links"].append(
+            links=[
                 {
                     "source": path.star1_owner,
                     "target": path.star2_owner,
                     "value": path.distance,
                 }
-            )
+                for path in lanes
+            ],
+        )
         self.state = json
         self.save()
         self.logger.info(f"{self} is now ready!")

galaxy/tests.py

@@ -33,7 +33,7 @@ from core.models import User
 from galaxy.models import Galaxy
 
 
-@pytest.mark.skip(reason="Galaxy is disabled for now")
+# @pytest.mark.skip(reason="Galaxy is disabled for now")
 class TestGalaxyModel(TestCase):
     @classmethod
     def setUpTestData(cls):
@@ -48,15 +48,19 @@ class TestGalaxyModel(TestCase):
 
     def test_user_self_score(self):
         """Test that individual user scores are correct."""
-        with self.assertNumQueries(8):
-            assert Galaxy.compute_user_score(self.root) == 9
-            assert Galaxy.compute_user_score(self.skia) == 10
-            assert Galaxy.compute_user_score(self.sli) == 8
-            assert Galaxy.compute_user_score(self.krophil) == 2
-            assert Galaxy.compute_user_score(self.richard) == 10
-            assert Galaxy.compute_user_score(self.subscriber) == 8
-            assert Galaxy.compute_user_score(self.public) == 8
-            assert Galaxy.compute_user_score(self.com) == 1
+        with self.assertNumQueries(1):
+            scores = Galaxy.compute_individual_scores()
+            expected = {
+                self.root.id: 9,
+                self.skia.id: 10,
+                self.sli.id: 8,
+                self.krophil.id: 2,
+                self.richard.id: 10,
+                self.subscriber.id: 8,
+                self.public.id: 8,
+                self.com.id: 1,
+            }
+            assert scores.items() >= expected.items()
 
     def test_users_score(self):
         """Test on the default dataset generated by the `populate` command
@@ -118,17 +122,23 @@ class TestGalaxyModel(TestCase):
             self.com,
         ]
 
-        with self.assertNumQueries(100):
+        with self.assertNumQueries(44):
             while len(users) > 0:
                 user1 = users.pop(0)
+                family_scores = Galaxy.compute_user_family_score(user1)
+                picture_scores = Galaxy.compute_user_pictures_score(user1)
+                club_scores = Galaxy.compute_user_clubs_score(user1)
                 for user2 in users:
-                    score = Galaxy.compute_users_score(user1, user2)
                     u1 = computed_scores.get(user1.username, {})
                     u1[user2.username] = {
-                        "score": sum(score),
-                        "family": score.family,
-                        "pictures": score.pictures,
-                        "clubs": score.clubs,
+                        "score": (
+                            family_scores[user2.id]
+                            + picture_scores[user2.id]
+                            + club_scores[user2.id]
+                        ),
+                        "family": family_scores[user2.id],
+                        "pictures": picture_scores[user2.id],
+                        "clubs": club_scores[user2.id],
                     }
                     computed_scores[user1.username] = u1
 
@@ -140,12 +150,12 @@ class TestGalaxyModel(TestCase):
         that the number of queries to rule the galaxy is stable.
         """
         galaxy = Galaxy.objects.create()
-        with self.assertNumQueries(58):
+        with self.assertNumQueries(39):
             galaxy.rule(0)  # We want everybody here
 
 
 @pytest.mark.slow
-@pytest.mark.skip(reason="Galaxy is disabled for now")
+# @pytest.mark.skip(reason="Galaxy is disabled for now")
 class TestGalaxyView(TestCase):
     @classmethod
     def setUpTestData(cls):