tweak documentation

Fix hidden user can't search itself

.gitignore

@@ -24,6 +24,9 @@ node_modules/
 # compiled documentation
 site/
 
+# rollup-bundle-visualizer report
+.bundle-size-report.html
+
 ### Redis ###
 
 # Ignore redis binary dump (dump.rdb) files

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.15.0
+    rev: v0.15.5
     hooks:
       - id: ruff-check  # just check the code, and print the errors
       - id: ruff-check  # actually fix the fixable errors, but print nothing
@@ -12,7 +12,7 @@ repos:
     rev: v0.6.1
     hooks:
       - id: biome-check
-        additional_dependencies: ["@biomejs/biome@2.3.14"]
+        additional_dependencies: ["@biomejs/biome@2.4.6"]
   - repo: https://github.com/rtts/djhtml
     rev: 3.0.10
     hooks:

api/admin.py

@@ -17,6 +17,15 @@ class ApiClientAdmin(admin.ModelAdmin):
         "owner__nick_name",
     )
     autocomplete_fields = ("owner", "groups", "client_permissions")
+    readonly_fields = ("hmac_key",)
+    actions = ("reset_hmac_key",)
+
+    @admin.action(permissions=["change"], description=_("Reset HMAC key"))
+    def reset_hmac_key(self, _request: HttpRequest, queryset: QuerySet[ApiClient]):
+        objs = list(queryset)
+        for obj in objs:
+            obj.reset_hmac(commit=False)
+        ApiClient.objects.bulk_update(objs, fields=["hmac_key"])
 
 
 @admin.register(ApiKey)

api/api.py

@@ -0,0 +1,16 @@
+from ninja_extra import ControllerBase, api_controller, route
+
+from api.auth import ApiKeyAuth
+from api.schemas import ApiClientSchema
+
+
+@api_controller("/client")
+class ApiClientController(ControllerBase):
+    @route.get(
+        "/me",
+        auth=[ApiKeyAuth()],
+        response=ApiClientSchema,
+        url_name="api-client-infos",
+    )
+    def get_client_info(self):
+        return self.context.request.auth

api/forms.py

@@ -0,0 +1,35 @@
+from django import forms
+from django.forms import HiddenInput
+from django.utils.translation import gettext_lazy as _
+
+
+class ThirdPartyAuthForm(forms.Form):
+    """Form to complete to authenticate on the sith from a third-party app.
+
+    For the form to be valid, the user approve the EULA (french: CGU)
+    and give its username from the third-party app.
+    """
+
+    cgu_accepted = forms.BooleanField(
+        required=True,
+        label=_("I have read and I accept the terms and conditions of use"),
+        error_messages={
+            "required": _("You must approve the terms and conditions of use.")
+        },
+    )
+    is_username_valid = forms.BooleanField(
+        required=True,
+        error_messages={"required": _("You must confirm that this is your username.")},
+    )
+    client_id = forms.IntegerField(widget=HiddenInput())
+    third_party_app = forms.CharField(widget=HiddenInput())
+    privacy_link = forms.URLField(widget=HiddenInput())
+    username = forms.CharField(widget=HiddenInput())
+    callback_url = forms.URLField(widget=HiddenInput())
+    signature = forms.CharField(widget=HiddenInput())
+
+    def __init__(self, *args, label_suffix: str = "", initial, **kwargs):
+        super().__init__(*args, label_suffix=label_suffix, initial=initial, **kwargs)
+        self.fields["is_username_valid"].label = _(
+            "I confirm that %(username)s is my username on %(app)s"
+        ) % {"username": initial.get("username"), "app": initial.get("third_party_app")}

api/migrations/0002_apiclient_hmac_key.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.3 on 2025-10-26 10:15
+
+from django.db import migrations, models
+
+import api.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("api", "0001_initial")]
+
+    operations = [
+        migrations.AddField(
+            model_name="apiclient",
+            name="hmac_key",
+            field=models.CharField(
+                default=api.models.get_hmac_key, max_length=128, verbose_name="HMAC Key"
+            ),
+        ),
+    ]

api/models.py

@@ -1,13 +1,20 @@
+import secrets
 from typing import Iterable
 
 from django.contrib.auth.models import Permission
 from django.db import models
+from django.db.models import Q
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import pgettext_lazy
 
 from core.models import Group, User
 
 
+def get_hmac_key():
+    return secrets.token_hex(64)
+
+
 class ApiClient(models.Model):
     name = models.CharField(_("name"), max_length=64)
     owner = models.ForeignKey(
@@ -26,11 +33,10 @@ class ApiClient(models.Model):
         help_text=_("Specific permissions for this api client."),
         related_name="clients",
     )
+    hmac_key = models.CharField(_("HMAC Key"), max_length=128, default=get_hmac_key)
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
-    _perm_cache: set[str] | None = None
-
     class Meta:
         verbose_name = _("api client")
         verbose_name_plural = _("api clients")
@@ -38,33 +44,38 @@ class ApiClient(models.Model):
     def __str__(self):
         return self.name
 
+    @cached_property
+    def all_permissions(self) -> set[str]:
+        permissions = (
+            Permission.objects.filter(
+                Q(group__group__in=self.groups.all()) | Q(clients=self)
+            )
+            .values_list("content_type__app_label", "codename")
+            .order_by()
+        )
+        return {f"{content_type}.{name}" for content_type, name in permissions}
+
     def has_perm(self, perm: str):
         """Return True if the client has the specified permission."""
+        return perm in self.all_permissions
 
-        if self._perm_cache is None:
-            group_permissions = (
-                Permission.objects.filter(group__group__in=self.groups.all())
-                .values_list("content_type__app_label", "codename")
-                .order_by()
-            )
-            client_permissions = self.client_permissions.values_list(
-                "content_type__app_label", "codename"
-            ).order_by()
-            self._perm_cache = {
-                f"{content_type}.{name}"
-                for content_type, name in (*group_permissions, *client_permissions)
-            }
-        return perm in self._perm_cache
-
-    def has_perms(self, perm_list):
-        """
-        Return True if the client has each of the specified permissions. If
-        object is passed, check if the client has all required perms for it.
-        """
+    def has_perms(self, perm_list: Iterable[str]) -> bool:
+        """Return True if the client has each of the specified permissions."""
         if not isinstance(perm_list, Iterable) or isinstance(perm_list, str):
             raise ValueError("perm_list must be an iterable of permissions.")
         return all(self.has_perm(perm) for perm in perm_list)
 
+    def reset_hmac(self, *, commit: bool = True) -> str:
+        """Reset and return the HMAC key for this client.
+
+        Args:
+            commit: if True (the default), persist the new hmac in db.
+        """
+        self.hmac_key = get_hmac_key()
+        if commit:
+            self.save()
+        return self.hmac_key
+
 
 class ApiKey(models.Model):
     PREFIX_LENGTH = 5

api/schemas.py

@@ -0,0 +1,23 @@
+from ninja import ModelSchema, Schema
+from pydantic import Field, HttpUrl
+
+from api.models import ApiClient
+from core.schemas import SimpleUserSchema
+
+
+class ApiClientSchema(ModelSchema):
+    class Meta:
+        model = ApiClient
+        fields = ["id", "name"]
+
+    owner: SimpleUserSchema
+    permissions: list[str] = Field(alias="all_permissions")
+
+
+class ThirdPartyAuthParamsSchema(Schema):
+    client_id: int
+    third_party_app: str
+    privacy_link: HttpUrl
+    username: str
+    callback_url: HttpUrl
+    signature: str

api/templates/api/third_party/auth.jinja

@@ -0,0 +1,32 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  <form method="post">
+    {% csrf_token %}
+    <h3>{% trans %}Confidentiality{% endtrans %}</h3>
+    <p>
+      {% trans trimmed app=third_party_app %}
+        By ticking this box and clicking on the send button, you
+        acknowledge and agree to provide {{ app }} with your
+        first name, last name, nickname and any other information
+        that was the third party app was explicitly authorized to fetch
+        and that it must have acknowledged to you, in a complete and accurate manner.
+      {% endtrans %}
+    </p>
+    <p class="margin-bottom">
+      {% trans trimmed app=third_party_app, privacy_link=third_party_cgu, sith_cgu_link=sith_cgu %}
+        The privacy policies of <a href="{{ privacy_link }}">{{ app }}</a>
+        and of <a href="{{ sith_cgu_link }}">the Students' Association</a>
+        applies as soon as the form is submitted.
+      {% endtrans %}
+    </p>
+    <div class="row">{{ form.cgu_accepted }} {{ form.cgu_accepted.label_tag() }}</div>
+    <br>
+    <h3 class="margin-bottom">{% trans %}Confirmation of identity{% endtrans %}</h3>
+    <div class="row margin-bottom">
+      {{ form.is_username_valid }} {{ form.is_username_valid.label_tag() }}
+    </div>
+    {% for field in form.hidden_fields() %}{{ field }}{% endfor %}
+    <input type="submit" class="btn btn-blue">
+  </form>
+{% endblock %}

api/tests/test_admin.py

@@ -0,0 +1,24 @@
+import pytest
+from django.contrib.admin import AdminSite
+from django.http import HttpRequest
+from model_bakery import baker
+from pytest_django.asserts import assertNumQueries
+
+from api.admin import ApiClientAdmin
+from api.models import ApiClient
+
+
+@pytest.mark.django_db
+def test_reset_hmac_action():
+    client_admin = ApiClientAdmin(ApiClient, AdminSite())
+    api_clients = baker.make(ApiClient, _quantity=4, _bulk_create=True)
+    old_hmac_keys = [c.hmac_key for c in api_clients]
+    with assertNumQueries(2):
+        qs = ApiClient.objects.filter(id__in=[c.id for c in api_clients[2:4]])
+        client_admin.reset_hmac_key(HttpRequest(), qs)
+    for c in api_clients:
+        c.refresh_from_db()
+    assert api_clients[0].hmac_key == old_hmac_keys[0]
+    assert api_clients[1].hmac_key == old_hmac_keys[1]
+    assert api_clients[2].hmac_key != old_hmac_keys[2]
+    assert api_clients[3].hmac_key != old_hmac_keys[3]

api/tests/test_api_client_controller.py

@@ -0,0 +1,18 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from api.hashers import generate_key
+from api.models import ApiClient, ApiKey
+from api.schemas import ApiClientSchema
+
+
+@pytest.mark.django_db
+def test_api_client_controller(client: Client):
+    key, hashed = generate_key()
+    api_client = baker.make(ApiClient)
+    baker.make(ApiKey, client=api_client, hashed_key=hashed)
+    res = client.get(reverse("api:api-client-infos"), headers={"X-APIKey": key})
+    assert res.status_code == 200
+    assert res.json() == ApiClientSchema.from_orm(api_client).model_dump()

api/tests/test_client.py

@@ -0,0 +1,59 @@
+import pytest
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from api.models import ApiClient
+from core.models import Group
+
+
+class TestClientPermissions(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.api_client = baker.make(ApiClient)
+        cls.perms = baker.make(Permission, _quantity=10, _bulk_create=True)
+        cls.api_client.groups.set(
+            [
+                baker.make(Group, permissions=cls.perms[0:3]),
+                baker.make(Group, permissions=cls.perms[3:5]),
+            ]
+        )
+        cls.api_client.client_permissions.set(
+            [cls.perms[3], cls.perms[5], cls.perms[6], cls.perms[7]]
+        )
+
+    def test_all_permissions(self):
+        assert self.api_client.all_permissions == {
+            f"{p.content_type.app_label}.{p.codename}" for p in self.perms[0:8]
+        }
+
+    def test_has_perm(self):
+        assert self.api_client.has_perm(
+            f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}"
+        )
+        assert not self.api_client.has_perm(
+            f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}"
+        )
+
+    def test_has_perms(self):
+        assert self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[2].content_type.app_label}.{self.perms[2].codename}",
+            ]
+        )
+        assert not self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}",
+            ],
+        )
+
+
+@pytest.mark.django_db
+def test_reset_hmac_key():
+    client = baker.make(ApiClient)
+    original_key = client.hmac_key
+    client.reset_hmac(commit=True)
+    assert len(client.hmac_key) == len(original_key)
+    assert client.hmac_key != original_key

api/tests/test_third_party_auth.py

@@ -0,0 +1,114 @@
+from unittest import mock
+from unittest.mock import Mock
+
+from django.db.models import Max
+from django.test import TestCase
+from django.urls import reverse
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from api.models import ApiClient, get_hmac_key
+from core.baker_recipes import subscriber_user
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+def mocked_post(*, ok: bool):
+    class MockedResponse(Mock):
+        @property
+        def ok(self):
+            return ok
+
+    def mocked():
+        return MockedResponse()
+
+    return mocked
+
+
+class TestThirdPartyAuth(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        cls.api_client = baker.make(ApiClient)
+
+    def setUp(self):
+        self.query = {
+            "client_id": self.api_client.id,
+            "third_party_app": "app",
+            "privacy_link": "https://foobar.fr/",
+            "username": "bibou",
+            "callback_url": "https://callback.fr/",
+        }
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        self.callback_data = {
+            "user": UserProfileSchema.from_orm(self.user).model_dump()
+        }
+        self.callback_data["signature"] = hmac_hexdigest(
+            self.api_client.hmac_key, self.callback_data["user"]
+        )
+
+    def test_auth_ok(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        with mock.patch("requests.post", new_callable=mocked_post(ok=True)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "success"}),
+        )
+
+    def test_callback_error(self):
+        """Test that the user see the failure page if the callback request failed."""
+        self.client.force_login(self.user)
+        with mock.patch("requests.post", new_callable=mocked_post(ok=False)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "failure"}),
+        )
+
+    def test_wrong_signature(self):
+        """Test that a 403 is raised if the signature of the query is wrong."""
+        self.client.force_login(subscriber_user.make())
+        new_key = get_hmac_key()
+        del self.query["signature"]
+        self.query["signature"] = hmac_hexdigest(new_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_cgu_not_accepted(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        res = self.client.post(reverse("api-link:third-party-auth"), data=self.query)
+        assert res.status_code == 200  # no redirect means invalid form
+        res = self.client.post(
+            reverse("api-link:third-party-auth"),
+            data={"cgu_accepted": False, "is_username_valid": False, **self.query},
+        )
+        assert res.status_code == 200
+
+    def test_invalid_client(self):
+        self.query["client_id"] = ApiClient.objects.aggregate(res=Max("id"))["res"] + 1
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_missing_parameter(self):
+        """Test that a 403 is raised if there is a missing parameter."""
+        del self.query["username"]
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403

api/urls.py

@@ -1,6 +1,10 @@
+from django.urls import path, register_converter
 from ninja.security import SessionAuth
 from ninja_extra import NinjaExtraAPI
 
+from api.views import ThirdPartyAuthResultView, ThirdPartyAuthView
+from core.converters import ResultConverter
+
 api = NinjaExtraAPI(
     title="PICON",
     description="Portail Interactif de Communication avec les Outils Numériques",
@@ -9,3 +13,14 @@ api = NinjaExtraAPI(
     auth=[SessionAuth()],
 )
 api.auto_discover_controllers()
+
+register_converter(ResultConverter, "res")
+
+urlpatterns = [
+    path("auth/", ThirdPartyAuthView.as_view(), name="third-party-auth"),
+    path(
+        "auth/<res:result>/",
+        ThirdPartyAuthResultView.as_view(),
+        name="third-party-auth-result",
+    ),
+]

api/views.py

@@ -0,0 +1,119 @@
+import hmac
+from urllib.parse import unquote
+
+import pydantic
+import requests
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView, TemplateView
+from ninja_extra.shortcuts import get_object_or_none
+
+from api.forms import ThirdPartyAuthForm
+from api.models import ApiClient
+from api.schemas import ThirdPartyAuthParamsSchema
+from core.models import SithFile
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+class ThirdPartyAuthView(LoginRequiredMixin, FormView):
+    form_class = ThirdPartyAuthForm
+    template_name = "api/third_party/auth.jinja"
+    success_url = reverse_lazy("core:index")
+
+    def parse_params(self) -> ThirdPartyAuthParamsSchema:
+        """Parse and check the authentication parameters.
+
+        Raises:
+            PermissionDenied: if the verification failed.
+        """
+        # This is here rather than in ThirdPartyAuthForm because
+        # the given parameters and their signature are checked during both
+        # POST (for obvious reasons) and GET (in order not to make
+        # the user fill a form just to get an error he won't understand)
+        params = self.request.GET or self.request.POST
+        params = {key: unquote(val) for key, val in params.items()}
+        try:
+            params = ThirdPartyAuthParamsSchema(**params)
+        except pydantic.ValidationError as e:
+            raise PermissionDenied("Wrong data format") from e
+        client: ApiClient = get_object_or_none(ApiClient, id=params.client_id)
+        if not client:
+            raise PermissionDenied
+        if not hmac.compare_digest(
+            hmac_hexdigest(client.hmac_key, params.model_dump(exclude={"signature"})),
+            params.signature,
+        ):
+            raise PermissionDenied("Bad signature")
+        return params
+
+    def dispatch(self, request, *args, **kwargs):
+        self.params = self.parse_params()
+        return super().dispatch(request, *args, **kwargs)
+
+    def get(self, *args, **kwargs):
+        messages.warning(
+            self.request,
+            _(
+                "You are going to link your AE account and your %(app)s account. "
+                "Continue only if this page was opened from %(app)s."
+            )
+            % {"app": self.params.third_party_app},
+        )
+        return super().get(*args, **kwargs)
+
+    def get_initial(self):
+        return self.params.model_dump()
+
+    def form_valid(self, form):
+        client = ApiClient.objects.get(id=form.cleaned_data["client_id"])
+        user = UserProfileSchema.from_orm(self.request.user).model_dump()
+        data = {"user": user, "signature": hmac_hexdigest(client.hmac_key, user)}
+        response = requests.post(form.cleaned_data["callback_url"], json=data)
+        self.success_url = reverse(
+            "api-link:third-party-auth-result",
+            kwargs={"result": "success" if response.ok else "failure"},
+        )
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "third_party_app": self.params.third_party_app,
+            "third_party_cgu": self.params.privacy_link,
+            "sith_cgu": SithFile.objects.get(id=settings.SITH_CGU_FILE_ID),
+        }
+
+
+class ThirdPartyAuthResultView(LoginRequiredMixin, TemplateView):
+    """View that the user will see if its authentication on sith was successful.
+
+    This can show either a success or a failure message :
+    - success : everything is good, the user is successfully authenticated
+      and can close the page
+    - failure : the authentication has been processed on the sith side,
+      but the request to the callback url received an error.
+      In such a case, there is nothing much we can do but to advice
+      the user to contact the developers of the third-party app.
+    """
+
+    template_name = "core/base.jinja"
+    success_message = _(
+        "You have been successfully authenticated. You can now close this page."
+    )
+    error_message = _(
+        "Your authentication on the AE website was successful, "
+        "but an error happened during the interaction "
+        "with the third-party application. "
+        "Please contact the managers of the latter."
+    )
+
+    def get(self, request, *args, **kwargs):
+        if self.kwargs.get("result") == "success":
+            messages.success(request, self.success_message)
+        else:
+            messages.error(request, self.error_message)
+        return super().get(request, *args, **kwargs)

biome.json

@@ -7,7 +7,7 @@
   },
   "files": {
     "ignoreUnknown": false,
-    "includes": ["**/static/**"]
+    "includes": ["**/static/**", "vite.config.mts"]
   },
   "formatter": {
     "enabled": true,

club/api.py

@@ -6,9 +6,15 @@ from ninja_extra.pagination import PageNumberPaginationExtra
 from ninja_extra.schemas import PaginatedResponseSchema
 
 from api.auth import ApiKeyAuth
-from api.permissions import CanAccessLookup, HasPerm
+from api.permissions import CanView, HasPerm
 from club.models import Club, Membership
-from club.schemas import ClubSchema, ClubSearchFilterSchema, SimpleClubSchema
+from club.schemas import (
+    ClubSchema,
+    ClubSearchFilterSchema,
+    SimpleClubSchema,
+    UserMembershipSchema,
+)
+from core.models import User
 
 
 @api_controller("/club")
@@ -16,13 +22,11 @@ class ClubController(ControllerBase):
     @route.get(
         "/search",
         response=PaginatedResponseSchema[SimpleClubSchema],
-        auth=[ApiKeyAuth(), SessionAuth()],
-        permissions=[CanAccessLookup],
         url_name="search_club",
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
     def search_club(self, filters: Query[ClubSearchFilterSchema]):
-        return filters.filter(Club.objects.all())
+        return filters.filter(Club.objects.order_by("name")).values()
 
     @route.get(
         "/{int:club_id}",
@@ -38,3 +42,22 @@ class ClubController(ControllerBase):
         return self.get_object_or_exception(
             Club.objects.prefetch_related(prefetch), id=club_id
         )
+
+
+@api_controller("/user/{int:user_id}/club")
+class UserClubController(ControllerBase):
+    @route.get(
+        "",
+        response=list[UserMembershipSchema],
+        auth=[ApiKeyAuth(), SessionAuth()],
+        permissions=[CanView],
+        url_name="fetch_user_clubs",
+    )
+    def fetch_user_clubs(self, user_id: int):
+        """Get all the active memberships of the given user."""
+        user = self.get_object_or_exception(User, id=user_id)
+        return (
+            Membership.objects.ongoing()
+            .filter(user=user)
+            .select_related("club", "user")
+        )

club/forms.py

@@ -315,3 +315,27 @@ class JoinClubForm(ClubMemberForm):
                 _("You are already a member of this club"), code="invalid"
             )
         return super().clean()
+
+
+class ClubSearchForm(forms.ModelForm):
+    class Meta:
+        model = Club
+        fields = ["name"]
+        widgets = {"name": forms.SearchInput(attrs={"autocomplete": "off"})}
+
+    club_status = forms.NullBooleanField(
+        label=_("Club status"),
+        widget=forms.RadioSelect(
+            choices=[(True, _("Active")), (False, _("Inactive")), ("", _("All clubs"))],
+        ),
+        initial=True,
+    )
+
+    def __init__(self, *args, data: dict | None = None, **kwargs):
+        super().__init__(*args, data=data, **kwargs)
+        if data is not None and "club_status" not in data:
+            # if the key is missing, it is considered as None,
+            # even though we want the default True value to be applied in such a case
+            # so we enforce it.
+            self.fields["club_status"].value = True
+        self.fields["name"].required = False

club/schemas.py

@@ -30,7 +30,7 @@ class ClubProfileSchema(ModelSchema):
 
     class Meta:
         model = Club
-        fields = ["id", "name", "logo"]
+        fields = ["id", "name", "logo", "is_active", "short_description"]
 
     url: str
 
@@ -40,6 +40,8 @@ class ClubProfileSchema(ModelSchema):
 
 
 class ClubMemberSchema(ModelSchema):
+    """A schema to represent all memberships in a club."""
+
     class Meta:
         model = Membership
         fields = ["start_date", "end_date", "role", "description"]
@@ -53,3 +55,13 @@ class ClubSchema(ModelSchema):
         fields = ["id", "name", "logo", "is_active", "short_description", "address"]
 
     members: list[ClubMemberSchema]
+
+
+class UserMembershipSchema(ModelSchema):
+    """A schema to represent the active club memberships of a user."""
+
+    class Meta:
+        model = Membership
+        fields = ["id", "start_date", "role", "description"]
+
+    club: SimpleClubSchema

club/static/club/list.scss

@@ -0,0 +1,47 @@
+#club-list {
+  display: flex;
+  flex-direction: column;
+  gap: 2em;
+  padding: 2em;
+
+  .card {
+    display: block;
+    background-color: unset;
+
+    .club-image {
+      float: left;
+      margin-right: 2rem;
+      margin-bottom: .5rem;
+      width: 150px;
+      height: 150px;
+      border-radius: 10%;
+      background-color: rgba(173, 173, 173, 0.2);
+
+      @media screen and (max-width: 500px) {
+        width: 100px;
+        height: 100px;
+      }
+    }
+
+    i.club-image {
+      display: flex;
+      flex-direction: column;
+      justify-content: center;
+      color: black;
+    }
+
+    .content {
+      display: block;
+      text-align: justify;
+
+      h4 {
+        margin-top: 0;
+        margin-right: .5rem;
+      }
+
+      p {
+        font-size: 100%;
+      }
+    }
+  }
+}

club/templates/club/club_list.jinja

@@ -1,52 +1,76 @@
-{% extends "core/base.jinja" %}
+{% if is_fragment %}
+  {% extends "core/base_fragment.jinja" %}
 
-{% block title -%}
-  {% trans %}Club list{% endtrans %}
-{%- endblock %}
+  {# Don't display tabs and errors #}
+  {% block tabs %}
+  {% endblock %}
+  {% block errors %}
+  {% endblock %}
+{% else %}
+  {% extends "core/base.jinja" %}
+  {% block additional_css %}
+    <link rel="stylesheet" href="{{ static("club/list.scss") }}">
+  {% endblock %}
+  {% block description -%}
+    {% trans %}The list of all clubs existing at UTBM.{% endtrans %}
+  {%- endblock %}
+  {% block title -%}
+    {% trans %}Club list{% endtrans %}
+  {%- endblock %}
+{% endif %}
 
-{% block description -%}
-  {% trans %}The list of all clubs existing at UTBM.{% endtrans %}
-{%- endblock %}
-
-{% macro display_club(club) -%}
-
-  {% if club.is_active or user.is_root %}
-
-    <li><a href="{{ url('club:club_view', club_id=club.id) }}">{{ club.name }}</a>
-
-      {% if not club.is_active %}
-        ({% trans %}inactive{% endtrans %})
-      {% endif %}
-
-      {% if club.president %} - <a href="{{ url('core:user_profile', user_id=club.president.user.id) }}">{{ club.president.user }}</a>{% endif %}
-      {% if club.short_description %}<p>{{ club.short_description|markdown }}</p>{% endif %}
-
-  {% endif %}
-
-  {%- if club.children.all()|length != 0 %}
-    <ul>
-      {%- for c in club.children.order_by('name').prefetch_related("children") %}
-        {{ display_club(c) }}
-      {%- endfor %}
-    </ul>
-  {%- endif -%}
-  </li>
-{%- endmacro %}
+{% from "core/macros.jinja" import paginate_htmx %}
 
 {% block content %}
-  {% if user.is_root %}
-    <p><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></p>
-  {% endif %}
-  {% if club_list %}
+  <main>
+    <h3>{% trans %}Filters{% endtrans %}</h3>
+    <form
+      id="club-list-filters"
+      hx-get="{{ url("club:club_list") }}"
+      hx-target="#content"
+      hx-swap="outerHtml"
+      hx-push-url="true"
+    >
+      <div class="row gap-4x">
+        {{ form }}
+      </div>
+      <button type="submit" class="btn btn-blue margin-bottom">
+        <i class="fa fa-magnifying-glass"></i>{% trans %}Search{% endtrans %}
+      </button>
+    </form>
     <h3>{% trans %}Club list{% endtrans %}</h3>
-    <ul>
-      {%- for club in club_list %}
-        {{ display_club(club) }}
-      {%- endfor %}
-    </ul>
-  {% else %}
-    {% trans %}There is no club in this website.{% endtrans %}
-  {% endif %}
+    {% if user.has_perm("club.add_club") %}
+      <br>
+      <a href="{{ url('club:club_new') }}" class="btn btn-blue">
+        <i class="fa fa-plus"></i> {% trans %}New club{% endtrans %}
+      </a>
+    {% endif %}
+    <section class="aria-busy-grow" id="club-list">
+      {% for club in object_list %}
+        <div class="card">
+          {% set club_url = club.get_absolute_url() %}
+          <a href="{{ club_url }}">
+            {% if club.logo %}
+              <img class="club-image" src="{{ club.logo.url }}" alt="logo {{ club.name }}">
+            {% else %}
+              <i class="fa-regular fa-image fa-4x club-image"></i>
+            {% endif %}
+          </a>
+          <div class="content">
+            <a href="{{ club_url }}">
+              <h4>
+                {{ club.name }} {% if not club.is_active %}({% trans %}inactive{% endtrans %}){% endif %}
+              </h4>
+            </a>
+            {{ club.short_description|markdown }}
+          </div>
+        </div>
+      {% endfor %}
+    </section>
+    {% if is_paginated %}
+      {{ paginate_htmx(request, page_obj, paginator) }}
+    {% endif %}
+  </main>
 {% endblock %}
 
 

club/templates/club/club_members.jinja

@@ -1,11 +1,7 @@
 {% extends "core/base.jinja" %}
 {% from 'core/macros.jinja' import user_profile_link, select_all_checkbox %}
 
-{% block additional_js %}
-  <script type="module" src="{{ static("bundled/core/components/ajax-select-index.ts") }}"></script>
-{% endblock %}
 {% block additional_css %}
-  <link rel="stylesheet" href="{{ static("bundled/core/components/ajax-select-index.css") }}">
   <link rel="stylesheet" href="{{ static("club/members.scss") }}">
 {% endblock %}
 

club/tests/test_club.py

@@ -1,12 +1,15 @@
 from datetime import timedelta
 
 import pytest
+from django.test import Client
+from django.urls import reverse
 from django.utils.timezone import localdate
 from model_bakery import baker
 from model_bakery.recipe import Recipe
 
 from club.models import Club, Membership
 from core.baker_recipes import subscriber_user
+from core.models import User
 
 
 @pytest.mark.django_db
@@ -25,3 +28,14 @@ def test_club_queryset_having_board_member():
 
     club_ids = Club.objects.having_board_member(user).values_list("id", flat=True)
     assert set(club_ids) == {clubs[1].id, clubs[2].id}
+
+
+@pytest.mark.parametrize("nb_additional_clubs", [10, 30])
+@pytest.mark.parametrize("is_fragment", [True, False])
+@pytest.mark.django_db
+def test_club_list(client: Client, nb_additional_clubs: int, is_fragment):
+    client.force_login(baker.make(User))
+    baker.make(Club, _quantity=nb_additional_clubs)
+    headers = {"HX-Request": True} if is_fragment else {}
+    res = client.get(reverse("club:club_list"), headers=headers)
+    assert res.status_code == 200

club/tests/test_user_club_controller.py

@@ -0,0 +1,50 @@
+from datetime import timedelta
+
+from django.test import TestCase
+from django.urls import reverse
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from club.schemas import UserMembershipSchema
+from core.baker_recipes import subscriber_user
+from core.models import Page
+
+
+class TestFetchClub(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        pages = baker.make(Page, _quantity=3, _bulk_create=True)
+        clubs = baker.make(Club, page=iter(pages), _quantity=3, _bulk_create=True)
+        recipe = Recipe(
+            Membership, user=cls.user, start_date=localdate() - timedelta(days=2)
+        )
+        cls.members = Membership.objects.bulk_create(
+            [
+                recipe.prepare(club=clubs[0]),
+                recipe.prepare(club=clubs[1], end_date=localdate() - timedelta(days=1)),
+                recipe.prepare(club=clubs[1]),
+            ]
+        )
+
+    def test_fetch_memberships(self):
+        self.client.force_login(subscriber_user.make())
+        res = self.client.get(
+            reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+        )
+        assert res.status_code == 200
+        assert [UserMembershipSchema.model_validate(m) for m in res.json()] == [
+            UserMembershipSchema.from_orm(m) for m in (self.members[0], self.members[2])
+        ]
+
+    def test_fetch_club_nb_queries(self):
+        self.client.force_login(subscriber_user.make())
+        with self.assertNumQueries(6):
+            # - 5 queries for authentication
+            # - 1 query for the actual data
+            res = self.client.get(
+                reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+            )
+            assert res.status_code == 200

club/views.py

@@ -44,13 +44,19 @@ from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, ListView, View
 from django.views.generic.detail import SingleObjectMixin
-from django.views.generic.edit import CreateView, DeleteView, UpdateView
+from django.views.generic.edit import (
+    CreateView,
+    DeleteView,
+    FormMixin,
+    UpdateView,
+)
 
 from club.forms import (
     ClubAddMemberForm,
     ClubAdminEditForm,
     ClubEditForm,
     ClubOldMemberForm,
+    ClubSearchForm,
     JoinClubForm,
     MailingForm,
     SellingsForm,
@@ -66,7 +72,12 @@ from com.views import (
 from core.auth.mixins import CanEditMixin, PermissionOrClubBoardRequiredMixin
 from core.models import Page, PageRev
 from core.views import BasePageEditView, DetailFormView, UseFragmentsMixin
-from core.views.mixins import FragmentMixin, FragmentRenderer, TabedViewMixin
+from core.views.mixins import (
+    AllowFragment,
+    FragmentMixin,
+    FragmentRenderer,
+    TabedViewMixin,
+)
 from counter.models import Selling
 
 if TYPE_CHECKING:
@@ -180,15 +191,41 @@ class ClubTabsMixin(TabedViewMixin):
         return tab_list
 
 
-class ClubListView(ListView):
-    """List the Clubs."""
+class ClubListView(AllowFragment, FormMixin, ListView):
+    """List the clubs of the AE, with a form to perform basic search.
+
+    Notes:
+        This view is fully public, because we want to advertise as much as possible
+        the cultural life of the AE.
+        In accordance with that matter, searching and listing the clubs is done
+        entirely server-side (no AlpineJS involved) ;
+        this is done this way in order to be sure the page is the most accessible
+        and SEO-friendly possible, even if it makes the UX slightly less smooth.
+    """
 
-    model = Club
     template_name = "club/club_list.jinja"
-    queryset = (
-        Club.objects.filter(parent=None).order_by("name").prefetch_related("children")
-    )
-    context_object_name = "club_list"
+    form_class = ClubSearchForm
+    queryset = Club.objects.order_by("name")
+    paginate_by = 20
+
+    def get_form_kwargs(self):
+        res = super().get_form_kwargs()
+        if self.request.method == "GET":
+            res |= {"data": self.request.GET, "initial": self.request.GET}
+        return res
+
+    def get_queryset(self):
+        form: ClubSearchForm = self.get_form()
+        qs = self.queryset
+        if not form.is_bound:
+            return qs.filter(is_active=True)
+        if not form.is_valid():
+            return qs.none()
+        if name := form.cleaned_data.get("name"):
+            qs = qs.filter(name__icontains=name)
+        if (is_active := form.cleaned_data.get("club_status")) is not None:
+            qs = qs.filter(is_active=is_active)
+        return qs
 
 
 class ClubView(ClubTabsMixin, DetailView):

com/views.py

@@ -244,9 +244,8 @@ class NewsListView(TemplateView):
             .filter(
                 date_of_birth__month=localdate().month,
                 date_of_birth__day=localdate().day,
-                is_viewable=True,
+                role__in=["STUDENT", "FORMER STUDENT"],
             )
-            .filter(role__in=["STUDENT", "FORMER STUDENT"])
             .order_by("-date_of_birth"),
             key=lambda u: u.date_of_birth.year,
         )

core/admin.py

@@ -63,6 +63,7 @@ class UserAdmin(admin.ModelAdmin):
         "scrub_pict",
         "user_permissions",
         "groups",
+        "whitelisted_users",
     )
     inlines = (UserBanInline,)
     search_fields = ["first_name", "last_name", "username"]
@@ -98,9 +99,9 @@ class PageAdmin(admin.ModelAdmin):
 
 @admin.register(SithFile)
 class SithFileAdmin(admin.ModelAdmin):
-    list_display = ("name", "owner", "size", "date")
+    list_display = ("name", "owner", "size", "date", "is_in_sas")
     autocomplete_fields = ("parent", "owner", "moderator")
-    search_fields = ("name",)
+    search_fields = ("name", "parent__name")
 
 
 @admin.register(OperationLog)

core/api.py

@@ -110,7 +110,7 @@ class SithFileController(ControllerBase):
     )
     @paginate(PageNumberPaginationExtra, page_size=50)
     def search_files(self, search: Annotated[str, MinLen(1)]):
-        return SithFile.objects.filter(name__icontains=search)
+        return SithFile.objects.filter(is_in_sas=False).filter(name__icontains=search)
 
 
 @api_controller("/group")

core/auth/mixins.py

@@ -307,6 +307,7 @@ class PermissionOrClubBoardRequiredMixin(PermissionRequiredMixin):
             return False
         if super().has_permission():
             return True
-        return self.club is not None and any(
-            g.id == self.club.board_group_id for g in self.request.user.cached_groups
+        return (
+            self.club is not None
+            and self.club.board_group_id in self.request.user.all_groups
         )

core/converters.py

@@ -1,19 +1,16 @@
-class FourDigitYearConverter:
-    regex = "[0-9]{4}"
+from django.urls.converters import IntConverter, StringConverter
 
-    def to_python(self, value):
-        return int(value)
+
+class FourDigitYearConverter(IntConverter):
+    regex = "[0-9]{4}"
 
     def to_url(self, value):
         return str(value).zfill(4)
 
 
-class TwoDigitMonthConverter:
+class TwoDigitMonthConverter(IntConverter):
     regex = "[0-9]{2}"
 
-    def to_python(self, value):
-        return int(value)
-
     def to_url(self, value):
         return str(value).zfill(2)
 
@@ -28,3 +25,9 @@ class BooleanStringConverter:
 
     def to_url(self, value):
         return str(value)
+
+
+class ResultConverter(StringConverter):
+    """Converter whose regex match either "success" or "failure"."""
+
+    regex = "(success|failure)"

core/management/commands/install_xapian.py

@@ -39,12 +39,16 @@ class Command(BaseCommand):
             return None
         return xapian.version_string()
 
-    def _desired_version(self) -> str:
+    def _desired_version(self) -> tuple[str, str, str]:
         with open(
             Path(__file__).parent.parent.parent.parent / "pyproject.toml", "rb"
         ) as f:
             pyproject = tomli.load(f)
-            return pyproject["tool"]["xapian"]["version"]
+            return (
+                pyproject["tool"]["xapian"]["version"],
+                pyproject["tool"]["xapian"]["core-sha256"],
+                pyproject["tool"]["xapian"]["bindings-sha256"],
+            )
 
     def handle(self, *args, force: bool, **options):
         if not os.environ.get("VIRTUAL_ENV", None):
@@ -53,7 +57,7 @@ class Command(BaseCommand):
             )
             return
 
-        desired = self._desired_version()
+        desired, core_checksum, bindings_checksum = self._desired_version()
         if desired == self._current_version():
             if not force:
                 self.stdout.write(
@@ -65,7 +69,12 @@ class Command(BaseCommand):
             f"Installing xapian version {desired} at {os.environ['VIRTUAL_ENV']}"
         )
         subprocess.run(
-            [str(Path(__file__).parent / "install_xapian.sh"), desired],
+            [
+                str(Path(__file__).parent / "install_xapian.sh"),
+                desired,
+                core_checksum,
+                bindings_checksum,
+            ],
             env=dict(os.environ),
             check=True,
         )

core/management/commands/install_xapian.sh

@@ -1,7 +1,11 @@
 #!/usr/bin/env bash
 # Originates from https://gist.github.com/jorgecarleitao/ab6246c86c936b9c55fd
 # first argument of the script is Xapian version (e.g. 1.2.19)
+# second argument of the script is core sha256
+# second argument of the script is binding sha256
 VERSION="$1"
+CORE_SHA256="$2"
+BINDINGS_SHA256="$3"
 
 # Cleanup env vars for auto discovery mechanism
 unset CPATH
@@ -21,9 +25,15 @@ BINDINGS=xapian-bindings-$VERSION
 
 # download
 echo "Downloading source..."
-curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz"
+curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz" || exit 1
+
+echo "${CORE_SHA256}  ${CORE}.tar.xz" | sha256sum -c - || exit 1
+
 curl -O "https://oligarchy.co.uk/xapian/$VERSION/${BINDINGS}.tar.xz"
 
+echo "${BINDINGS_SHA256}  ${BINDINGS}.tar.xz" | sha256sum -c - || exit 1
+
+
 # extract
 echo "Extracting source..."
 tar xf "${CORE}.tar.xz"

core/management/commands/populate.py

@@ -16,7 +16,7 @@
 # details.
 #
 # You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
+# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
@@ -28,6 +28,7 @@ from typing import ClassVar, NamedTuple
 from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.contrib.sites.models import Site
+from django.core.files.base import ContentFile
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
 from django.db import connection
@@ -104,18 +105,31 @@ class Command(BaseCommand):
         )
         self.profiles_root = SithFile.objects.create(name="profiles", owner=root)
         home_root = SithFile.objects.create(name="users", owner=root)
+        club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root, is_in_sas=True)
+        SithFile.objects.create(
+            name="CGU",
+            is_folder=False,
+            file=ContentFile(
+                content="Conditions générales d'utilisation", name="cgu.txt"
+            ),
+            owner=root,
+        )
 
         # Page needed for club creation
         p = Page(name=settings.SITH_CLUB_ROOT_PAGE)
         p.save(force_lock=True)
 
-        club_root = SithFile.objects.create(name="clubs", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )
         main_club.board_group.permissions.add(
             *Permission.objects.filter(
-                codename__in=["view_subscription", "add_subscription"]
+                codename__in=[
+                    "view_subscription",
+                    "add_subscription",
+                    "view_hidden_user",
+                ]
             )
         )
         bar_club = Club.objects.create(
@@ -693,21 +707,33 @@ class Command(BaseCommand):
         # SAS
         for f in self.SAS_FIXTURE_PATH.glob("*"):
             if f.is_dir():
-                album = Album.objects.create(name=f.name, is_moderated=True)
+                album = Album(
+                    parent=sas,
+                    name=f.name,
+                    owner=root,
+                    is_folder=True,
+                    is_in_sas=True,
+                    is_moderated=True,
+                )
+                album.clean()
+                album.save()
                 for p in f.iterdir():
                     file = resize_image(Image.open(p), 1000, "WEBP")
                     pict = Picture(
                         parent=album,
                         name=p.name,
-                        original=file,
+                        file=file,
                         owner=root,
+                        is_folder=False,
+                        is_in_sas=True,
                         is_moderated=True,
+                        mime_type="image/webp",
+                        size=file.size,
                     )
-                    pict.original.name = pict.name
-                    pict.generate_thumbnails()
+                    pict.file.name = p.name
                     pict.full_clean()
+                    pict.generate_thumbnails()
                     pict.save()
-                album.generate_thumbnail()
 
         img_skia = Picture.objects.get(name="skia.jpg")
         img_sli = Picture.objects.get(name="sli.jpg")

core/management/commands/populate_more.py

@@ -1,3 +1,4 @@
+import math
 import random
 from datetime import date, timedelta
 from datetime import timezone as tz
@@ -34,12 +35,17 @@ class Command(BaseCommand):
         super().__init__(*args, **kwargs)
         self.faker = Faker("fr_FR")
 
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-n", "--nb-users", help="Number of users to create", type=int, default=600
+        )
+
     def handle(self, *args, **options):
         if not settings.DEBUG:
             raise Exception("Never call this command in prod. Never.")
 
         self.stdout.write("Creating users...")
-        users = self.create_users()
+        users = self.create_users(options["nb_users"])
         self.create_bans(random.sample(users, k=len(users) // 200))  # 0.5% of users
         subscribers = random.sample(users, k=int(0.8 * len(users)))
         self.stdout.write("Creating subscriptions...")
@@ -79,7 +85,7 @@ class Command(BaseCommand):
         self.stdout.write("Creating products...")
         self.create_products()
         self.stdout.write("Creating sales and refills...")
-        sellers = random.sample(list(User.objects.all()), 100)
+        sellers = random.sample(users, len(users) // 10)
         self.create_sales(sellers)
         self.stdout.write("Creating permanences...")
         self.create_permanences(sellers)
@@ -88,7 +94,7 @@ class Command(BaseCommand):
 
         self.stdout.write("Done")
 
-    def create_users(self) -> list[User]:
+    def create_users(self, nb_users: int = 600) -> list[User]:
         # Create a single password hash for all users to make it faster.
         # It's insecure as hell, but it's ok since it's only for dev purposes.
         password = make_password("plop")
@@ -107,7 +113,7 @@ class Command(BaseCommand):
                 address=self.faker.address(),
                 password=password,
             )
-            for _ in range(600)
+            for _ in range(nb_users)
         ]
         # there may a duplicate or two
         # Not a problem, we will just have 599 users instead of 600
@@ -410,8 +416,9 @@ class Command(BaseCommand):
         Permanency.objects.bulk_create(perms)
 
     def create_forums(self):
-        forumers = random.sample(list(User.objects.all()), 100)
-        most_actives = random.sample(forumers, 10)
+        users = list(User.objects.all())
+        forumers = random.sample(users, math.ceil(len(users) / 10))
+        most_actives = random.sample(forumers, math.ceil(len(forumers) / 6))
         categories = list(Forum.objects.filter(is_category=True))
         new_forums = [
             Forum(name=self.faker.text(20), parent=random.choice(categories))

core/migrations/0049_remove_sithfiles.py

@@ -1,27 +0,0 @@
-# Generated by Django 4.2.17 on 2025-01-26 15:01
-
-from typing import TYPE_CHECKING
-
-from django.db import migrations
-from django.db.migrations.state import StateApps
-
-if TYPE_CHECKING:
-    import core.models
-
-
-def remove_sas_sithfiles(apps: StateApps, schema_editor):
-    SithFile: type[core.models.SithFile] = apps.get_model("core", "SithFile")
-    SithFile.objects.filter(is_in_sas=True).delete()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("core", "0048_alter_user_options"),
-        ("sas", "0007_alter_peoplepicturerelation_picture_and_more"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            remove_sas_sithfiles, reverse_code=migrations.RunPython.noop, elidable=True
-        )
-    ]

core/migrations/0049_user_whitelisted_users.py

@@ -0,0 +1,37 @@
+# Generated by Django 5.2.12 on 2026-03-14 08:39
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0048_alter_user_options")]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="whitelisted_users",
+            field=models.ManyToManyField(
+                blank=True,
+                help_text=(
+                    "Even if this profile is hidden, "
+                    "the users in this list will still be able to see it."
+                ),
+                related_name="visible_by_whitelist",
+                to=settings.AUTH_USER_MODEL,
+                verbose_name="whitelisted users",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="preferences",
+            name="show_my_stats",
+            field=models.BooleanField(
+                default=False,
+                help_text=(
+                    "Allow subscribers (or whitelisted users "
+                    "if your profile is hidden) to access your AE account stats."
+                ),
+                verbose_name="show your stats to others",
+            ),
+        ),
+    ]

core/migrations/0050_remove_sithfile_is_in_sas.py

@@ -1,9 +0,0 @@
-# Generated by Django 4.2.17 on 2025-02-14 11:58
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [("core", "0049_remove_sithfiles")]
-
-    operations = [migrations.RemoveField(model_name="sithfile", name="is_in_sas")]

core/models.py

@@ -131,7 +131,9 @@ class UserQuerySet(models.QuerySet):
         if user.has_perm("core.view_hidden_user"):
             return self
         if user.has_perm("core.view_user"):
-            return self.filter(is_viewable=True)
+            return self.filter(
+                Q(is_viewable=True) | Q(whitelisted_users=user) | Q(pk=user.pk)
+            )
         if user.is_anonymous:
             return self.none()
         return self.filter(id=user.id)
@@ -279,6 +281,16 @@ class User(AbstractUser):
         ),
         default=True,
     )
+    whitelisted_users = models.ManyToManyField(
+        "User",
+        related_name="visible_by_whitelist",
+        verbose_name=_("whitelisted users"),
+        help_text=_(
+            "Even if this profile is hidden, "
+            "the users in this list will still be able to see it."
+        ),
+        blank=True,
+    )
     godfathers = models.ManyToManyField("User", related_name="godchildren", blank=True)
 
     objects = CustomUserManager()
@@ -356,23 +368,27 @@ class User(AbstractUser):
         )
         if group_id is None:
             return False
-        if group_id == settings.SITH_GROUP_SUBSCRIBERS_ID:
-            return self.is_subscribed
-        if group_id == settings.SITH_GROUP_ROOT_ID:
-            return self.is_root
-        return any(g.id == group_id for g in self.cached_groups)
+        return group_id in self.all_groups
 
     @cached_property
-    def cached_groups(self) -> list[Group]:
+    def all_groups(self) -> dict[int, Group]:
         """Get the list of groups this user is in."""
-        return list(self.groups.all())
+        additional_groups = []
+        if self.is_subscribed:
+            additional_groups.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
+        if self.is_superuser:
+            additional_groups.append(settings.SITH_GROUP_ROOT_ID)
+        qs = self.groups.all()
+        if additional_groups:
+            # This is somewhat counter-intuitive, but this query runs way faster with
+            # a UNION rather than a OR (in average, 0.25ms vs 14ms).
+            # For the why, cf. https://dba.stackexchange.com/questions/293836/why-is-an-or-statement-slower-than-union
+            qs = qs.union(Group.objects.filter(id__in=additional_groups))
+        return {g.id: g for g in qs}
 
     @cached_property
     def is_root(self) -> bool:
-        if self.is_superuser:
-            return True
-        root_id = settings.SITH_GROUP_ROOT_ID
-        return any(g.id == root_id for g in self.cached_groups)
+        return self.is_superuser or settings.SITH_GROUP_ROOT_ID in self.all_groups
 
     @cached_property
     def is_board_member(self) -> bool:
@@ -514,7 +530,7 @@ class User(AbstractUser):
         self.username = user_name
         return user_name
 
-    def is_owner(self, obj):
+    def is_owner(self, obj: models.Model):
         """Determine if the object is owned by the user."""
         if hasattr(obj, "is_owned_by") and obj.is_owned_by(self):
             return True
@@ -522,7 +538,7 @@ class User(AbstractUser):
             return True
         return self.is_root
 
-    def can_edit(self, obj):
+    def can_edit(self, obj: models.Model):
         """Determine if the object can be edited by the user."""
         if hasattr(obj, "can_be_edited_by") and obj.can_be_edited_by(self):
             return True
@@ -536,11 +552,9 @@ class User(AbstractUser):
                 pks = list(obj.edit_groups.values_list("id", flat=True))
             if any(self.is_in_group(pk=pk) for pk in pks):
                 return True
-        if isinstance(obj, User) and obj == self:
-            return True
         return self.is_owner(obj)
 
-    def can_view(self, obj):
+    def can_view(self, obj: models.Model):
         """Determine if the object can be viewed by the user."""
         if hasattr(obj, "can_be_viewed_by") and obj.can_be_viewed_by(self):
             return True
@@ -559,14 +573,35 @@ class User(AbstractUser):
                 return True
         return self.can_edit(obj)
 
-    def can_be_edited_by(self, user):
-        return user.is_root or user.is_board_member
+    def can_be_edited_by(self, user: User):
+        return user == self or user.is_root or user.is_board_member
 
     def can_be_viewed_by(self, user: User) -> bool:
+        """Check if the given user can be viewed by this user.
+
+        Given users A and B. A can be viewed by B if :
+
+        - A and B are the same user
+        - or B has the permission to view hidden users
+        - or B can view users in general and A didn't hide its profile
+        - or B is in A's whitelist.
+        """
+
+        def is_in_whitelist(u: User):
+            if (
+                hasattr(self, "_prefetched_objects_cache")
+                and "whitelisted_users" in self._prefetched_objects_cache
+            ):
+                return u in self.whitelisted_users.all()
+            return self.whitelisted_users.contains(u)
+
         return (
             user.id == self.id
             or user.has_perm("core.view_hidden_user")
-            or (user.has_perm("core.view_user") and self.is_viewable)
+            or (
+                user.has_perm("core.view_user")
+                and (self.is_viewable or is_in_whitelist(user))
+            )
         )
 
     def get_mini_item(self):
@@ -746,7 +781,14 @@ class Preferences(models.Model):
         User, related_name="_preferences", on_delete=models.CASCADE
     )
     receive_weekmail = models.BooleanField(_("receive the Weekmail"), default=False)
-    show_my_stats = models.BooleanField(_("show your stats to others"), default=False)
+    show_my_stats = models.BooleanField(
+        _("show your stats to others"),
+        help_text=_(
+            "Allow subscribers (or whitelisted users "
+            "if your profile is hidden) to access your AE account stats."
+        ),
+        default=False,
+    )
     notify_on_click = models.BooleanField(
         _("get a notification for every click"), default=False
     )
@@ -833,6 +875,9 @@ class SithFile(models.Model):
         on_delete=models.CASCADE,
     )
     asked_for_removal = models.BooleanField(_("asked for removal"), default=False)
+    is_in_sas = models.BooleanField(
+        _("is in the SAS"), default=False, db_index=True
+    )  # Allows to query this flag, updated at each call to save()
 
     class Meta:
         verbose_name = _("file")
@@ -841,10 +886,22 @@ class SithFile(models.Model):
         return self.get_parent_path() + "/" + self.name
 
     def save(self, *args, **kwargs):
+        sas = SithFile.objects.filter(id=settings.SITH_SAS_ROOT_DIR_ID).first()
+        self.is_in_sas = sas in self.get_parent_list() or self == sas
         adding = self._state.adding
         super().save(*args, **kwargs)
         if adding:
             self.copy_rights()
+        if self.is_in_sas:
+            for user in User.objects.filter(
+                groups__id__in=[settings.SITH_GROUP_SAS_ADMIN_ID]
+            ):
+                Notification(
+                    user=user,
+                    url=reverse("sas:moderation"),
+                    type="SAS_MODERATION",
+                    param="1",
+                ).save()
 
     def is_owned_by(self, user: User) -> bool:
         if user.is_anonymous:
@@ -857,6 +914,8 @@ class SithFile(models.Model):
             return user.is_board_member
         if user.is_com_admin:
             return True
+        if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+            return True
         return user.id == self.owner_id
 
     def can_be_viewed_by(self, user: User) -> bool:
@@ -883,6 +942,8 @@ class SithFile(models.Model):
         super().clean()
         if "/" in self.name:
             raise ValidationError(_("Character '/' not authorized in name"))
+        if self == self.parent:
+            raise ValidationError(_("Loop in folder tree"), code="loop")
         if self == self.parent or (
             self.parent is not None and self in self.get_parent_list()
         ):
@@ -963,6 +1024,18 @@ class SithFile(models.Model):
     def is_file(self):
         return not self.is_folder
 
+    @cached_property
+    def as_picture(self):
+        from sas.models import Picture
+
+        return Picture.objects.filter(id=self.id).first()
+
+    @cached_property
+    def as_album(self):
+        from sas.models import Album
+
+        return Album.objects.filter(id=self.id).first()
+
     def get_parent_list(self):
         parents = []
         current = self.parent
@@ -1068,10 +1141,7 @@ class PageQuerySet(models.QuerySet):
             return self.filter(view_groups=settings.SITH_GROUP_PUBLIC_ID)
         if user.has_perm("core.view_page"):
             return self.all()
-        groups_ids = [g.id for g in user.cached_groups]
-        if user.is_subscribed:
-            groups_ids.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
-        return self.filter(view_groups__in=groups_ids)
+        return self.filter(view_groups__in=user.all_groups)
 
 
 # This function prevents generating migration upon settings change
@@ -1345,7 +1415,7 @@ class PageRev(models.Model):
         return self.page.can_be_edited_by(user)
 
     def is_owned_by(self, user: User) -> bool:
-        return any(g.id == self.page.owner_group_id for g in user.cached_groups)
+        return self.page.owner_group_id in user.all_groups
 
     def similarity_ratio(self, text: str) -> float:
         """Similarity ratio between this revision's content and the given text.

core/static/bundled/core/components/include-index.ts

@@ -1,18 +1,136 @@
-import { inheritHtmlElement, registerComponent } from "#core:utils/web-components.ts";
+import {
+  type InheritedHtmlElement,
+  inheritHtmlElement,
+  registerComponent,
+} from "#core:utils/web-components.ts";
+
+/**
+ * ElementOnce web components
+ *
+ * Those elements ensures that their content is always included only once on a document
+ * They are compatible with elements that are not managed with our Web Components
+ **/
+export interface ElementOnce<K extends keyof HTMLElementTagNameMap>
+  extends InheritedHtmlElement<K> {
+  getElementQuerySelector(): string;
+  refresh(): void;
+}
+
+/**
+ * Create an abstract class for ElementOnce types Web Components
+ **/
+export function elementOnce<K extends keyof HTMLElementTagNameMap>(tagName: K) {
+  abstract class ElementOnceImpl
+    extends inheritHtmlElement(tagName)
+    implements ElementOnce<K>
+  {
+    abstract getElementQuerySelector(): string;
+
+    clearNode() {
+      while (this.firstChild) {
+        this.removeChild(this.lastChild);
+      }
+    }
+
+    refresh() {
+      this.clearNode();
+      if (document.querySelectorAll(this.getElementQuerySelector()).length === 0) {
+        this.appendChild(this.node);
+      }
+    }
+
+    connectedCallback() {
+      super.connectedCallback(false);
+      this.refresh();
+    }
+
+    disconnectedCallback() {
+      // The MutationObserver can't see web components being removed
+      // It also can't see if something is removed inside after the component gets deleted
+      // We need to manually clear the containing node to trigger the observer
+      this.clearNode();
+    }
+  }
+  return ElementOnceImpl;
+}
+
+// Set of ElementOnce type components to refresh with the observer
+const registeredComponents: Set<string> = new Set();
+
+/**
+ * Helper to register ElementOnce types Web Components
+ * It's a wrapper around registerComponent that registers that component on
+ * a MutationObserver that activates a refresh on them when elements are removed
+ *
+ * You are not supposed to unregister an element
+ **/
+export function registerElementOnce(name: string, options?: ElementDefinitionOptions) {
+  registeredComponents.add(name);
+  return registerComponent(name, options);
+}
+
+// Refresh all ElementOnce components on the document based on the tag name of the removed element
+const refreshElement = <
+  T extends keyof HTMLElementTagNameMap,
+  K extends keyof HTMLElementTagNameMap,
+>(
+  components: HTMLCollectionOf<ElementOnce<T>>,
+  removedTagName: K,
+) => {
+  for (const element of components) {
+    // We can't guess if an element is compatible before we get one
+    // We exit the function completely if it's not compatible
+    if (element.inheritedTagName.toUpperCase() !== removedTagName.toUpperCase()) {
+      return;
+    }
+
+    element.refresh();
+  }
+};
+
+// Since we need to pause the observer, we make an helper to start it with consistent arguments
+const startObserver = (observer: MutationObserver) => {
+  observer.observe(document, {
+    // We want to also listen for elements contained in the header (eg: link)
+    subtree: true,
+    childList: true,
+  });
+};
+
+// Refresh ElementOnce components when changes happens
+const observer = new MutationObserver((mutations: MutationRecord[]) => {
+  // To avoid infinite recursion, we need to pause the observer while manipulation nodes
+  observer.disconnect();
+  for (const mutation of mutations) {
+    for (const node of mutation.removedNodes) {
+      if (node.nodeType !== node.ELEMENT_NODE) {
+        continue;
+      }
+      for (const registered of registeredComponents) {
+        refreshElement(
+          document.getElementsByTagName(registered) as HTMLCollectionOf<
+            ElementOnce<"html"> // The specific tag doesn't really matter
+          >,
+          (node as HTMLElement).tagName as keyof HTMLElementTagNameMap,
+        );
+      }
+    }
+  }
+  // We then resume the observer
+  startObserver(observer);
+});
+
+startObserver(observer);
 
 /**
  * Web component used to import css files only once
  * If called multiple times or the file was already imported, it does nothing
  **/
-@registerComponent("link-once")
-export class LinkOnce extends inheritHtmlElement("link") {
-  connectedCallback() {
-    super.connectedCallback(false);
+@registerElementOnce("link-once")
+export class LinkOnce extends elementOnce("link") {
+  getElementQuerySelector(): string {
     // We get href from node.attributes instead of node.href to avoid getting the domain part
-    const href = this.node.attributes.getNamedItem("href").nodeValue;
-    if (document.querySelectorAll(`link[href='${href}']`).length === 0) {
-      this.appendChild(this.node);
-    }
+    return `link[href='${this.node.attributes.getNamedItem("href").nodeValue}']`;
   }
 }
 
@@ -20,14 +138,10 @@ export class LinkOnce extends inheritHtmlElement("link") {
  * Web component used to import javascript files only once
  * If called multiple times or the file was already imported, it does nothing
  **/
-@registerComponent("script-once")
+@registerElementOnce("script-once")
 export class ScriptOnce extends inheritHtmlElement("script") {
-  connectedCallback() {
-    super.connectedCallback(false);
-    // We get src from node.attributes instead of node.src to avoid getting the domain part
-    const src = this.node.attributes.getNamedItem("src").nodeValue;
-    if (document.querySelectorAll(`script[src='${src}']`).length === 0) {
-      this.appendChild(this.node);
-    }
+  getElementQuerySelector(): string {
+    // We get href from node.attributes instead of node.src to avoid getting the domain part
+    return `script[src='${this.node.attributes.getNamedItem("src").nodeValue}']`;
   }
 }

core/static/bundled/core/components/nfc-input-index.ts

@@ -26,7 +26,6 @@ export class NfcInput extends inheritHtmlElement("input") {
         window.alert(gettext("Unsupported NFC card"));
       });
 
-      // biome-ignore lint/correctness/noUndeclaredVariables: browser API
       ndef.addEventListener("reading", (event: NDEFReadingEvent) => {
         this.removeAttribute("scan");
         this.node.value = event.serialNumber.replace(/:/g, "").toUpperCase();

core/static/bundled/core/dynamic-formset-index.ts

@@ -0,0 +1,77 @@
+interface Config {
+  /**
+   * The prefix of the formset, in case it has been changed.
+   * See https://docs.djangoproject.com/fr/stable/topics/forms/formsets/#customizing-a-formset-s-prefix
+   */
+  prefix?: string;
+}
+
+// biome-ignore lint/style/useNamingConvention: It's the DOM API naming
+type HTMLFormInputElement = HTMLInputElement | HTMLSelectElement | HTMLTextAreaElement;
+
+document.addEventListener("alpine:init", () => {
+  /**
+   * Alpine data element to allow the dynamic addition of forms to a formset.
+   *
+   * To use this, you need :
+   * - an HTML element containing the existing forms, noted by `x-ref="formContainer"`
+   * - a template containing the empty form
+   *   (that you can obtain jinja-side with `{{ formset.empty_form }}`),
+   *   noted by `x-ref="formTemplate"`
+   * - a button with `@click="addForm"`
+   * - you may also have one or more buttons with `@click="removeForm(element)"`,
+   *   where `element` is the HTML element containing the form.
+   *
+   * For an example of how this is used, you can have a look to
+   * `counter/templates/counter/product_form.jinja`
+   */
+  Alpine.data("dynamicFormSet", (config?: Config) => ({
+    init() {
+      this.formContainer = this.$refs.formContainer as HTMLElement;
+      this.nbForms = this.formContainer.children.length as number;
+      this.template = this.$refs.formTemplate as HTMLTemplateElement;
+      const prefix = config?.prefix ?? "form";
+      this.$root
+        .querySelector(`#id_${prefix}-TOTAL_FORMS`)
+        .setAttribute(":value", "nbForms");
+    },
+
+    addForm() {
+      this.formContainer.appendChild(document.importNode(this.template.content, true));
+      const newForm = this.formContainer.lastElementChild;
+      const inputs: NodeListOf<HTMLFormInputElement> = newForm.querySelectorAll(
+        "input, select, textarea",
+      );
+      for (const el of inputs) {
+        el.name = el.name.replace("__prefix__", this.nbForms.toString());
+        el.id = el.id.replace("__prefix__", this.nbForms.toString());
+      }
+      const labels: NodeListOf<HTMLLabelElement> = newForm.querySelectorAll("label");
+      for (const el of labels) {
+        el.htmlFor = el.htmlFor.replace("__prefix__", this.nbForms.toString());
+      }
+      inputs[0].focus();
+      this.nbForms += 1;
+    },
+
+    removeForm(container: HTMLDivElement) {
+      container.remove();
+      this.nbForms -= 1;
+      // adjust the id of remaining forms
+      for (let i = 0; i < this.nbForms; i++) {
+        const form: HTMLDivElement = this.formContainer.children[i];
+        const inputs: NodeListOf<HTMLFormInputElement> = form.querySelectorAll(
+          "input, select, textarea",
+        );
+        for (const el of inputs) {
+          el.name = el.name.replace(/\d+/, i.toString());
+          el.id = el.id.replace(/\d+/, i.toString());
+        }
+        const labels: NodeListOf<HTMLLabelElement> = form.querySelectorAll("label");
+        for (const el of labels) {
+          el.htmlFor = el.htmlFor.replace(/\d+/, i.toString());
+        }
+      }
+    },
+  }));
+});

core/static/bundled/utils/web-components.ts

@@ -23,10 +23,17 @@ export function registerComponent(name: string, options?: ElementDefinitionOptio
  * The technique is to:
  *  create a new web component
  *  create the desired type inside
- *  pass all attributes to the child component
+ *  move all attributes to the child component
  *  store is at as `node` inside the parent
- *
- * Since we can't use the generic type to instantiate the node, we create a generator function
+ **/
+export interface InheritedHtmlElement<K extends keyof HTMLElementTagNameMap>
+  extends HTMLElement {
+  readonly inheritedTagName: K;
+  node: HTMLElementTagNameMap[K];
+}
+
+/**
+ * Generator function that creates an InheritedHtmlElement compatible class
  *
  * ```js
  * class MyClass extends inheritHtmlElement("select") {
@@ -35,11 +42,15 @@ export function registerComponent(name: string, options?: ElementDefinitionOptio
  * ```
  **/
 export function inheritHtmlElement<K extends keyof HTMLElementTagNameMap>(tagName: K) {
-  return class Inherited extends HTMLElement {
-    protected node: HTMLElementTagNameMap[K];
+  return class InheritedHtmlElementImpl
+    extends HTMLElement
+    implements InheritedHtmlElement<K>
+  {
+    readonly inheritedTagName = tagName;
+    node: HTMLElementTagNameMap[K];
 
     connectedCallback(autoAddNode?: boolean) {
-      this.node = document.createElement(tagName);
+      this.node = document.createElement(this.inheritedTagName);
       const attributes: Attr[] = []; // We need to make a copy to delete while iterating
       for (const attr of this.attributes) {
         if (attr.name in this.node) {
@@ -47,6 +58,10 @@ export function inheritHtmlElement<K extends keyof HTMLElementTagNameMap>(tagNam
         }
       }
 
+      // We move compatible attributes to the child element
+      // This avoids weird inconsistencies between attributes
+      // when we manipulate the dom in the future
+      // This is especially important when using attribute based reactivity
       for (const attr of attributes) {
         this.removeAttributeNode(attr);
         this.node.setAttributeNode(attr);

core/static/core/base.css

@@ -115,7 +115,6 @@ blockquote:before,
 blockquote:after,
 q:before,
 q:after {
-  content: "";
   content: none;
 }
 table {

core/static/core/forms.scss

@@ -141,7 +141,6 @@ form {
   display: block;
   margin: calc(var(--nf-input-size) * 1.5) auto 10px;
   line-height: 1;
-  white-space: nowrap;
 
   .fields-centered {
     padding: 10px 10px 0;
@@ -157,6 +156,7 @@ form {
     margin-bottom: .25rem;
     font-size: 80%;
     display: block;
+    max-width: calc(100% - calc(var(--nf-input-size) * 2))
   }
 
   fieldset {

core/static/user/user_edit.scss

@@ -5,17 +5,6 @@
 }
 
 .profile {
-  &-visible {
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-    gap: 5px;
-    padding-top: 10px;
-    input[type="checkbox"]+label {
-      max-width: unset;
-    }
-  }
-
   &-pictures {
     box-sizing: border-box;
     display: flex;

core/static/user/user_preferences.scss

@@ -19,28 +19,6 @@
       }
     }
   }
-
-  &-cards,
-  &-trombi {
-    >p {
-      display: flex;
-      flex-direction: column;
-      align-items: flex-start;
-      text-align: justify;
-      gap: 5px;
-      margin: 0;
-
-      >input,
-      >select {
-        min-width: 300px;
-      }
-    }
-  }
-
-  &-submit-btn {
-    margin-top: 10px !important;
-    max-width: 100px;
-  }
 }
 
 .justify {

core/templates/core/base.jinja

@@ -35,8 +35,8 @@
       <noscript><link rel="stylesheet" href="{{ static('bundled/fontawesome-index.css') }}"></noscript>
 
       <script src="{{ url('javascript-catalog') }}"></script>
-      <script type="module" src={{ static("bundled/core/navbar-index.ts") }}></script>
-      <script type="module" src={{ static("bundled/core/components/include-index.ts") }}></script>
+      <script type="module" src="{{ static("bundled/core/navbar-index.ts") }}"></script>
+      <script type="module" src="{{ static("bundled/core/components/include-index.ts") }}"></script>
       <script type="module" src="{{ static('bundled/alpine-index.js') }}"></script>
       <script type="module" src="{{ static('bundled/htmx-index.js') }}"></script>
       <script type="module" src="{{ static('bundled/country-flags-index.ts') }}"></script>

core/templates/core/base/navbar.jinja

@@ -5,9 +5,8 @@
     <details name="navbar" class="menu">
       <summary class="head">{% trans %}Associations & Clubs{% endtrans %}</summary>
       <ul class="content">
-        <li><a href="{{ url('core:page', page_name='ae') }}">{% trans %}AE{% endtrans %}</a></li>
-        <li><a href="{{ url('core:page', page_name='clubs') }}">{% trans %}AE's clubs{% endtrans %}</a></li>
-        <li><a href="{{ url('core:page', page_name='utbm-associations') }}">{% trans %}Others UTBM's Associations{% endtrans %}</a></li>
+        <li><a href="{{ url("core:page", page_name="ae") }}">{% trans %}AE{% endtrans %}</a></li>
+        <li><a href="{{ url("club:club_list") }}">{% trans %}AE's clubs{% endtrans %}</a></li>
       </ul>
     </details>
     <details name="navbar" class="menu">

core/templates/core/base/notifications.jinja

@@ -1,14 +1,11 @@
 <div id="quick-notifications"
      x-data="{
              messages: [
-             {% if messages %}
-               {% for message in messages %}
-                 {
-                 tag: '{{ message.tags }}',
-                 text: '{{ message }}',
-                 },
-               {% endfor %}
-             {% endif %}
+             {%- for message in messages -%}
+               {%- if not message.extra_tags -%}
+                 { tag: '{{ message.tags }}', text: '{{ message }}' },
+               {%- endif -%}
+             {%- endfor -%}
              ]
              }"
      @quick-notification-add="(e) => messages.push(e?.detail)"

core/templates/core/file_moderation.jinja

@@ -48,6 +48,6 @@
           >{% trans %}Delete{% endtrans %}</button></p>
       </div>
     {% endfor %}
-    {{ paginate_htmx(page_obj, paginator) }}
+    {{ paginate_htmx(request, page_obj, paginator) }}
   </div>
 {% endblock %}

core/templates/core/fragment/user_visibility.jinja

@@ -0,0 +1,33 @@
+<form
+  hx-post="{{ url("core:user_visibility_fragment", user_id=form.instance.id) }}"
+  hx-disabled-elt="find input[type='submit']"
+  hx-swap="outerHTML" x-data="{ isViewable: {{ form.is_viewable.value()|tojson }} }"
+>
+  {% for message in messages %}
+    {% if message.extra_tags=="visibility" %}
+      <div class="alert alert-success">
+        {{ message }}
+      </div>
+    {% endif %}
+  {% endfor %}
+  {% csrf_token %}
+  {{ form.non_field_errors() }}
+  <fieldset class="form-group">
+    {{ form.is_viewable|add_attr("x-model=isViewable") }}
+    {{ form.is_viewable.label_tag() }}
+    <span class="helptext">{{ form.is_viewable.help_text }}</span>
+    {{ form.is_viewable.errors }}
+  </fieldset>
+  <fieldset class="form-group" x-show="!isViewable">
+    {{ form.whitelisted_users.as_field_group() }}
+  </fieldset>
+  <fieldset class="form-group">
+    {{ form.show_my_stats }}
+    {{ form.show_my_stats.label_tag() }}
+    <span class="helptext">
+      {{ form.show_my_stats.help_text }}
+    </span>
+    {{ form.show_my_stats.errors }}
+  </fieldset>
+  <input type="submit" class="btn btn-blue" value="{% trans %}Save{% endtrans %}">
+</form>

core/templates/core/macros.jinja

@@ -118,20 +118,21 @@
   </nav>
 {% endmacro %}
 
-{% macro paginate_jinja(current_page, paginator) %}
+{% macro paginate_jinja(request, current_page, paginator) %}
     {# Add pagination buttons for pages without Alpine.
 
     This must be coupled with a view that handles pagination
     with the Django Paginator object.
 
     Parameters:
+        request (django.http.request.HttpRequest): the current django request
         current_page (django.core.paginator.Page): the current page object
         paginator (django.core.paginator.Paginator): the paginator object
     #}
-  {{ paginate_server_side(current_page, paginator, False) }}
+  {{ paginate_server_side(request, current_page, paginator, "") }}
 {% endmacro %}
 
-{% macro paginate_htmx(current_page, paginator) %}
+{% macro paginate_htmx(request, current_page, paginator, htmx_target="#content") %}
     {# Add pagination buttons for pages without Alpine but supporting fragments.
 
     This must be coupled with a view that handles pagination
@@ -140,24 +141,26 @@
     The replaced fragment will be #content so make sure you are calling this macro inside your content block.
 
     Parameters:
+        request (django.http.request.HttpRequest): the current django request
         current_page (django.core.paginator.Page): the current page object
         paginator (django.core.paginator.Paginator): the paginator object
+        htmx_target (string): htmx target selector (default '#content')
     #}
-  {{ paginate_server_side(current_page, paginator, True) }}
+  {{ paginate_server_side(request, current_page, paginator, htmx_target) }}
 {% endmacro %}
 
-{% macro paginate_server_side(current_page, paginator, use_htmx) %}
+{% macro paginate_server_side(request, current_page, paginator, htmx_target) %}
   <nav class="pagination">
     {% if current_page.has_previous() %}
       <a
-        {% if use_htmx -%}
-          hx-get="?{{ querystring(page=current_page.previous_page_number()) }}"
+        {% if htmx_target -%}
+          hx-get="?{{ querystring(request, page=current_page.previous_page_number()) }}"
           hx-swap="innerHTML"
-          hx-target="#content"
+          hx-target="{{ htmx_target }}"
           hx-push-url="true"
           hx-trigger="click, keyup[key=='ArrowLeft'] from:body"
         {%- else -%}
-          href="?{{ querystring(page=current_page.previous_page_number()) }}"
+          href="?{{ querystring(request, page=current_page.previous_page_number()) }}"
         {%- endif -%}
       >
         <button>
@@ -174,13 +177,13 @@
         <strong>{{ paginator.ELLIPSIS }}</strong>
       {% else %}
         <a
-          {% if use_htmx -%}
-            hx-get="?{{ querystring(page=i) }}"
+          {% if htmx_target -%}
+            hx-get="?{{ querystring(request, page=i) }}"
             hx-swap="innerHTML"
-            hx-target="#content"
+            hx-target="{{ htmx_target }}"
             hx-push-url="true"
           {%- else -%}
-            href="?{{ querystring(page=i) }}"
+            href="?{{ querystring(request, page=i) }}"
           {%- endif -%}
         >
           <button>{{ i }}</button>
@@ -189,14 +192,14 @@
     {% endfor %}
     {% if current_page.has_next() %}
       <a
-        {% if use_htmx -%}
-          hx-get="?{{querystring(page=current_page.next_page_number())}}"
+        {% if htmx_target -%}
+          hx-get="?{{querystring(request, page=current_page.next_page_number())}}"
           hx-swap="innerHTML"
-          hx-target="#content"
+          hx-target="{{ htmx_target }}"
           hx-push-url="true"
           hx-trigger="click, keyup[key=='ArrowRight'] from:body"
         {%- else -%}
-          href="?{{querystring(page=current_page.next_page_number())}}"
+          href="?{{querystring(request, page=current_page.next_page_number())}}"
         {%- endif -%}
       ><button>
         <i class="fa fa-caret-right"></i>
@@ -247,15 +250,8 @@
 {% endmacro %}
 
 
-{% macro querystring() %}
-  {%- for key, values in request.GET.lists() -%}
-    {%- if key not in kwargs -%}
-      {%- for value in values -%}
-        {{ key }}={{ value }}&amp;
-      {%- endfor -%}
-    {%- endif -%}
-  {%- endfor -%}
-  {%- for key, value in kwargs.items() -%}
-    {{ key }}={{ value }}&amp;
-  {%- endfor -%}
+{% macro querystring(request) %}
+  {%- set qs = request.GET.copy() -%}
+  {%- do qs.update(kwargs) -%}
+  {{- qs | urlencode -}}
 {% endmacro %}

core/templates/core/user_edit.jinja

@@ -147,18 +147,7 @@
       {%- endfor -%}
     </div>
 
-    {# Checkboxes #}
-    <div class="profile-visible">
-      <div class="row">
-        {{ form.is_viewable }}
-        {{ form.is_viewable.label_tag() }}
-      </div>
-      <span class="helptext">
-        {{ form.is_viewable.help_text }}
-      </span>
-    </div>
     <div class="final-actions">
-
       {%- if form.instance == user -%}
         <p>
           <a href="{{ url('core:password_change') }}">{%- trans -%}Change my password{%- endtrans -%}</a>
@@ -170,7 +159,6 @@
           </a>
         </p>
       {%- endif -%}
-
       <p>
         <input type="submit" value="{%- trans -%}Update{%- endtrans -%}" />
       </p>

core/templates/core/user_preferences.jinja

@@ -11,30 +11,22 @@
 {% block content %}
   <div class="main">
     <h2>{% trans %}Preferences{% endtrans %}</h2>
-    <h3>{% trans %}General{% endtrans %}</h3>
-    <form class="form form-general" action="" method="post" enctype="multipart/form-data">
+    <br />
+    <h3>{% trans %}Notifications{% endtrans %}</h3>
+    <form action="" method="post" enctype="multipart/form-data">
       {% csrf_token %}
-      {{ form.as_p() }}
-      <input class="form-submit-btn" type="submit" value="{% trans %}Save{% endtrans %}" />
+      <div class="form form-general">
+        {{ form.as_p() }}
+      </div>
+      <input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" />
     </form>
 
-    <h3>{% trans %}Trombi{% endtrans %}</h3>
-
-    {% if trombi_form %}
-      <form class="form form-trombi" action="{{ url('trombi:user_tools') }}" method="post" enctype="multipart/form-data">
-        {% csrf_token %}
-        {{ trombi_form.as_p() }}
-        <input class="form-submit-btn" type="submit" value="{% trans %}Save{% endtrans %}" />
-      </form>
-
-    {% else %}
-      <p>{% trans trombi=profile.trombi_user.trombi %}You already choose to be in that Trombi: {{ trombi }}.{% endtrans %}
-        <br />
-        <a href="{{ url('trombi:user_tools') }}">{% trans %}Go to my Trombi tools{% endtrans %}</a>
-      </p>
-    {% endif %}
+    <br />
+    <h3>{% trans %}Visibility{% endtrans %}</h3>
 
+    {{ user_visibility_fragment }}
 
+    <br />
     {% if student_card_fragment %}
       <h3>{% trans %}Student card{% endtrans %}</h3>
       {{ student_card_fragment }}
@@ -43,5 +35,21 @@
           add a student card yourself, you'll need a NFC reader. We store the UID of the card which is 14 characters long.{% endtrans %}
       </p>
     {% endif %}
+
+    <br />
+    <h3>{% trans %}Trombi{% endtrans %}</h3>
+
+    {% if trombi_form %}
+      <form action="{{ url('trombi:user_tools') }}" method="post" enctype="multipart/form-data">
+        {% csrf_token %}
+        {{ trombi_form.as_p() }}
+        <input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" />
+      </form>
+    {% else %}
+      <p>{% trans trombi=profile.trombi_user.trombi %}You already choose to be in that Trombi: {{ trombi }}.{% endtrans %}
+        <br />
+        <a href="{{ url('trombi:user_tools') }}">{% trans %}Go to my Trombi tools{% endtrans %}</a>
+      </p>
+    {% endif %}
   </div>
 {% endblock %}

core/tests/test_commands.py

@@ -0,0 +1,13 @@
+import contextlib
+import os
+
+import pytest
+from django.core.management import call_command
+
+
+@pytest.mark.django_db
+def test_populate_more(settings):
+    """Just check that populate more doesn't crash"""
+    settings.DEBUG = True
+    with open(os.devnull, "w") as devnull, contextlib.redirect_stdout(devnull):
+        call_command("populate_more", "--nb-users", "50")

core/tests/test_core.py

@@ -418,16 +418,16 @@ class TestUserIsInGroup(TestCase):
         group_in = baker.make(Group)
         self.public_user.groups.add(group_in)
 
-        # clear the cached property `User.cached_groups`
-        self.public_user.__dict__.pop("cached_groups", None)
+        # clear the cached property `User.all_groups`
+        self.public_user.__dict__.pop("all_groups", None)
         # Test when the user is in the group
-        with self.assertNumQueries(1):
+        with self.assertNumQueries(2):
             self.public_user.is_in_group(pk=group_in.id)
         with self.assertNumQueries(0):
             self.public_user.is_in_group(pk=group_in.id)
 
         group_not_in = baker.make(Group)
-        self.public_user.__dict__.pop("cached_groups", None)
+        self.public_user.__dict__.pop("all_groups", None)
         # Test when the user is not in the group
         with self.assertNumQueries(1):
             self.public_user.is_in_group(pk=group_not_in.id)

core/tests/test_files.py

@@ -5,7 +5,6 @@ from typing import Callable
 from uuid import uuid4
 
 import pytest
-from django.conf import settings
 from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile, UploadedFile
 from django.test import Client, TestCase
@@ -18,8 +17,8 @@ from pytest_django.asserts import assertNumQueries
 from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
 from core.models import Group, QuickUploadImage, SithFile, User
 from core.utils import RED_PIXEL_PNG
-from sas.baker_recipes import picture_recipe
 from sas.models import Picture
+from sith import settings
 
 
 @pytest.mark.django_db
@@ -31,19 +30,24 @@ class TestImageAccess:
             lambda: baker.make(
                 User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
             ),
+            lambda: baker.make(
+                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)]
+            ),
         ],
     )
     def test_sas_image_access(self, user_factory: Callable[[], User]):
         """Test that only authorized users can access the sas image."""
         user = user_factory()
-        picture = picture_recipe.make()
-        assert user.can_edit(picture)
+        picture: SithFile = baker.make(
+            Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+        )
+        assert picture.is_owned_by(user)
 
     def test_sas_image_access_owner(self):
         """Test that the owner of the image can access it."""
         user = baker.make(User)
-        picture = picture_recipe.make(owner=user)
-        assert user.can_edit(picture)
+        picture: Picture = baker.make(Picture, owner=user)
+        assert picture.is_owned_by(user)
 
     @pytest.mark.parametrize(
         "user_factory",
@@ -59,41 +63,7 @@ class TestImageAccess:
         user = user_factory()
         owner = baker.make(User)
         picture: Picture = baker.make(Picture, owner=owner)
-        assert not user.can_edit(picture)
-
-
-@pytest.mark.django_db
-class TestUserPicture:
-    def test_anonymous_user_unauthorized(self, client):
-        """An anonymous user shouldn't have access to an user's photo page."""
-        response = client.get(
-            reverse(
-                "sas:user_pictures",
-                kwargs={"user_id": User.objects.get(username="sli").pk},
-            )
-        )
-        assert response.status_code == 403
-
-    @pytest.mark.parametrize(
-        ("username", "status"),
-        [
-            ("guy", 403),
-            ("root", 200),
-            ("skia", 200),
-            ("sli", 200),
-        ],
-    )
-    def test_page_is_working(self, client, username, status):
-        """Only user that subscribed (or admins) should be able to see the page."""
-        # Test for simple user
-        client.force_login(User.objects.get(username=username))
-        response = client.get(
-            reverse(
-                "sas:user_pictures",
-                kwargs={"user_id": User.objects.get(username="sli").pk},
-            )
-        )
-        assert response.status_code == status
+        assert not picture.is_owned_by(user)
 
 
 # TODO: many tests on the pages:

core/tests/test_user.py

@@ -27,7 +27,6 @@ from counter.baker_recipes import sale_recipe
 from counter.models import Counter, Customer, Permanency, Refilling, Selling
 from counter.utils import is_logged_in_counter
 from eboutic.models import Invoice, InvoiceItem
-from sas.models import Picture
 
 
 class TestSearchUsers(TestCase):
@@ -35,7 +34,6 @@ class TestSearchUsers(TestCase):
     def setUpTestData(cls):
         # News.author has on_delete=PROTECT, so news must be deleted beforehand
         News.objects.all().delete()
-        Picture.objects.all().delete()  # same for pictures
         User.objects.all().delete()
         user_recipe = Recipe(
             User,
@@ -401,24 +399,37 @@ class TestUserQuerySetViewableBy:
         return [
             baker.make(User),
             subscriber_user.make(),
-            subscriber_user.make(is_viewable=False),
+            *subscriber_user.make(is_viewable=False, _quantity=2),
         ]
 
     def test_admin_user(self, users: list[User]):
         user = baker.make(
-            User,
-            user_permissions=[Permission.objects.get(codename="view_hidden_user")],
+            User, user_permissions=[Permission.objects.get(codename="view_hidden_user")]
         )
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == set(users)
 
     @pytest.mark.parametrize(
-        "user_factory", [old_subscriber_user.make, subscriber_user.make]
+        "user_factory",
+        [
+            old_subscriber_user.make,
+            lambda: old_subscriber_user.make(is_viewable=False),
+            subscriber_user.make,
+            lambda: subscriber_user.make(is_viewable=False),
+        ],
     )
-    def test_subscriber(self, users: list[User], user_factory):
+    def test_can_search(self, users: list[User], user_factory):
         user = user_factory()
+        viewable = User.objects.filter(
+            id__in=[u.id for u in [*users, user]]
+        ).viewable_by(user)
+        assert set(viewable) == {user, users[0], users[1]}
+
+    def test_whitelist(self, users: list[User]):
+        user = subscriber_user.make()
+        users[3].whitelisted_users.add(user)
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
-        assert set(viewable) == {users[0], users[1]}
+        assert set(viewable) == {users[0], users[1], users[3]}
 
     @pytest.mark.parametrize("user_factory", [lambda: baker.make(User), AnonymousUser])
     def test_not_subscriber(self, users: list[User], user_factory):

core/urls.py

@@ -69,7 +69,6 @@ from core.views import (
     UserCreationView,
     UserGodfathersTreeView,
     UserGodfathersView,
-    UserListView,
     UserMeRedirect,
     UserMiniView,
     UserPreferencesView,
@@ -78,6 +77,7 @@ from core.views import (
     UserUpdateGroupView,
     UserUpdateProfileView,
     UserView,
+    UserVisibilityFormFragment,
     delete_user_godfather,
     logout,
     notification,
@@ -136,7 +136,11 @@ urlpatterns = [
         "group/<int:group_id>/detail/", GroupTemplateView.as_view(), name="group_detail"
     ),
     # User views
-    path("user/", UserListView.as_view(), name="user_list"),
+    path(
+        "fragment/user/<int:user_id>/",
+        UserVisibilityFormFragment.as_view(),
+        name="user_visibility_fragment",
+    ),
     path(
         "user/me/<path:remaining_path>/",
         UserMeRedirect.as_view(),

core/utils.py

@@ -12,27 +12,32 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-from dataclasses import dataclass
+from __future__ import annotations
+
+import hmac
 from datetime import date, timedelta
 
 # Image utils
 from io import BytesIO
-from typing import Any, Final, Unpack
+from typing import TYPE_CHECKING
+from urllib.parse import urlencode
 
 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
-from django.core.files.uploadedfile import UploadedFile
-from django.db import models
-from django.forms import BaseForm
-from django.http import Http404, HttpRequest
-from django.shortcuts import get_list_or_404
-from django.template.loader import render_to_string
-from django.utils.safestring import SafeString
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
 
+if TYPE_CHECKING:
+    from _hashlib import HASH
+    from collections.abc import Buffer, Mapping, Sequence
+    from typing import Any, Callable, Final
+
+    from django.core.files.uploadedfile import UploadedFile
+    from django.http import HttpRequest
+
+
 RED_PIXEL_PNG: Final[bytes] = (
     b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52"
     b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53"
@@ -47,21 +52,6 @@ to generate a dummy image that is considered valid nonetheless
 """
 
 
-@dataclass
-class FormFragmentTemplateData[T: BaseForm]:
-    """Dataclass used to pre-render form fragments"""
-
-    form: T
-    template: str
-    context: dict[str, Any]
-
-    def render(self, request: HttpRequest) -> SafeString:
-        # Request is needed for csrf_tokens
-        return render_to_string(
-            self.template, context={"form": self.form, **self.context}, request=request
-        )
-
-
 def get_start_of_semester(today: date | None = None) -> date:
     """Return the date of the start of the semester of the given date.
     If no date is given, return the start date of the current semester.
@@ -227,54 +217,28 @@ def get_client_ip(request: HttpRequest) -> str | None:
     return None
 
 
-Filterable = type[models.Model] | models.QuerySet | models.Manager
-ListFilter = dict[str, list | tuple | set]
+def hmac_hexdigest(
+    key: str | bytes,
+    data: Mapping[str, Any] | Sequence[tuple[str, Any]],
+    digest: str | Callable[[Buffer], HASH] = "sha512",
+) -> str:
+    """Return the hexdigest of the signature of the given data.
 
-
-def get_list_exact_or_404(klass: Filterable, **kwargs: Unpack[ListFilter]) -> list:
-    """Use filter() to return a list of objects from a list of unique keys (like ids)
-    or raises Http404 if the list has not the same length as the given one.
-
-    Work like `get_object_or_404()` but for lists of objects, with some caveats :
-
-    - The filter must be a list, a tuple or a set.
-    - There can't be more than exactly one filter.
-    - There must be no duplicate in the filter.
-    - The filter should consist in unique keys (like ids), or it could fail randomly.
-
-    klass may be a Model, Manager, or QuerySet object. All other passed
-    arguments and keyword arguments are used in the filter() query.
-
-    Raises:
-        Http404: If the list is empty or doesn't have as many elements as the keys list.
-        ValueError: If the first argument is not a Model, Manager, or QuerySet object.
-        ValueError: If more than one filter is passed.
-        TypeError: If the given filter is not a list, a tuple or a set.
+    Args:
+        key: the HMAC key used for the signature
+        data: the data to sign
+        digest: a PEP247 hashing algorithm (by default, sha512)
 
     Examples:
-        Get all the products with ids 1, 2, 3: ::
-
-            products = get_list_exact_or_404(Product, id__in=[1, 2, 3])
-
-        Don't work with duplicate ids: ::
-
-            products = get_list_exact_or_404(Product, id__in=[1, 2, 3, 3])
-            # Raises Http404: "The list of keys must contain no duplicates."
+        ```python
+        data = {
+            "foo": 5,
+            "bar": "somevalue",
+        }
+        hmac_key = secrets.token_hex(64)
+        signature = hmac_hexdigest(hmac_key, data, "sha256")
+        ```
     """
-    if len(kwargs) > 1:
-        raise ValueError("get_list_exact_or_404() only accepts one filter.")
-    key, list_filter = next(iter(kwargs.items()))
-    if not isinstance(list_filter, (list, tuple, set)):
-        raise TypeError(
-            f"The given filter must be a list, a tuple or a set, not {type(list_filter)}"
-        )
-    if len(list_filter) != len(set(list_filter)):
-        raise ValueError("The list of keys must contain no duplicates.")
-    kwargs = {key: list_filter}
-    obj_list = get_list_or_404(klass, **kwargs)
-    if len(obj_list) != len(list_filter):
-        raise Http404(
-            "The given list of keys doesn't match the number of objects found."
-            f"Expected {len(list_filter)} items, got {len(obj_list)}."
-        )
-    return obj_list
+    if isinstance(key, str):
+        key = key.encode()
+    return hmac.digest(key, urlencode(data).encode(), digest).hex()

core/views/files.py

@@ -374,7 +374,7 @@ class FileDeleteView(AllowFragment, CanEditPropMixin, DeleteView):
 class FileModerationView(AllowFragment, ListView):
     model = SithFile
     template_name = "core/file_moderation.jinja"
-    queryset = SithFile.objects.filter(is_moderated=False)
+    queryset = SithFile.objects.filter(is_moderated=False, is_in_sas=False)
     ordering = "id"
     paginate_by = 100
 

core/views/forms.py

@@ -48,12 +48,13 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 from PIL import Image
 
 from antispam.forms import AntiSpamEmailField
-from core.models import Gift, Group, Page, PageRev, SithFile, User
+from core.models import Gift, Group, Page, PageRev, Preferences, SithFile, User
 from core.utils import resize_image
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
     AutoCompleteSelectGroup,
     AutoCompleteSelectMultipleGroup,
+    AutoCompleteSelectMultipleUser,
     AutoCompleteSelectUser,
 )
 from core.views.widgets.markdown import MarkdownInput
@@ -179,7 +180,6 @@ class UserProfileForm(forms.ModelForm):
             "school",
             "promo",
             "forum_signature",
-            "is_viewable",
         ]
         widgets = {
             "date_of_birth": SelectDate,
@@ -264,6 +264,38 @@ class UserProfileForm(forms.ModelForm):
         self._post_clean()
 
 
+class UserVisibilityForm(forms.ModelForm):
+    class Meta:
+        model = User
+        fields = ["is_viewable", "whitelisted_users"]
+        widgets = {
+            "is_viewable": forms.CheckboxInput(attrs={"class": "switch"}),
+            "whitelisted_users": AutoCompleteSelectMultipleUser,
+        }
+
+    __preferences_fields = forms.fields_for_model(
+        Preferences,
+        ["show_my_stats"],
+        widgets={"show_my_stats": forms.CheckboxInput(attrs={"class": "switch"})},
+    )
+    show_my_stats = __preferences_fields["show_my_stats"]
+
+    def __init__(
+        self, *args, initial: dict | None = None, instance: User | None = None, **kwargs
+    ):
+        if instance:
+            initial = initial or {}
+            initial["show_my_stats"] = instance.preferences.show_my_stats
+        super().__init__(*args, initial=initial, instance=instance, **kwargs)
+
+    def save(self, commit=True) -> User:  # noqa: FBT002
+        instance = super().save(commit=commit)
+        if commit:
+            instance.preferences.show_my_stats = self.cleaned_data["show_my_stats"]
+            instance.preferences.save()
+        return instance
+
+
 class UserGroupsForm(forms.ModelForm):
     error_css_class = "error"
     required_css_class = "required"

core/views/user.py

@@ -28,10 +28,12 @@ from datetime import timedelta
 from operator import itemgetter
 from smtplib import SMTPException
 
+from django.contrib import messages
 from django.contrib.auth import login, views
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import PasswordChangeForm, SetPasswordForm
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import DateField, F, QuerySet, Sum
 from django.db.models.functions import Trunc
@@ -48,7 +50,6 @@ from django.views.generic import (
     CreateView,
     DeleteView,
     DetailView,
-    ListView,
     RedirectView,
     TemplateView,
 )
@@ -65,8 +66,9 @@ from core.views.forms import (
     UserGodfathersForm,
     UserGroupsForm,
     UserProfileForm,
+    UserVisibilityForm,
 )
-from core.views.mixins import TabedViewMixin, UseFragmentsMixin
+from core.views.mixins import FragmentMixin, TabedViewMixin, UseFragmentsMixin
 from counter.models import Refilling, Selling
 from eboutic.models import Invoice
 from trombi.views import UserTrombiForm
@@ -248,14 +250,15 @@ class UserTabsMixin(TabedViewMixin):
                     "name": _("Groups"),
                 }
             )
-        if (
+        can_view_account = (
             hasattr(user, "customer")
             and user.customer
             and (
                 user == self.request.user
                 or self.request.user.has_perm("counter.view_customer")
             )
-        ):
+        )
+        if can_view_account or user.preferences.show_my_stats:
             tab_list.append(
                 {
                     "url": reverse("core:user_stats", kwargs={"user_id": user.id}),
@@ -263,6 +266,7 @@ class UserTabsMixin(TabedViewMixin):
                     "name": _("Stats"),
                 }
             )
+        if can_view_account:
             tab_list.append(
                 {
                     "url": reverse("core:user_account", kwargs={"user_id": user.id}),
@@ -349,7 +353,7 @@ class UserGodfathersTreeView(UserTabsMixin, CanViewMixin, DetailView):
         return kwargs
 
 
-class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
+class UserStatsView(UserTabsMixin, UserPassesTestMixin, DetailView):
     """Display a user's stats."""
 
     model = User
@@ -357,15 +361,20 @@ class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
     context_object_name = "profile"
     template_name = "core/user_stats.jinja"
     current_tab = "stats"
-    queryset = User.objects.exclude(customer=None).select_related("customer")
+    queryset = User.objects.exclude(customer=None).select_related(
+        "customer", "_preferences"
+    )
 
-    def dispatch(self, request, *arg, **kwargs):
-        profile = self.get_object()
-        if not (
-            profile == request.user or request.user.has_perm("counter.view_customer")
-        ):
-            raise PermissionDenied
-        return super().dispatch(request, *arg, **kwargs)
+    def test_func(self):
+        profile: User = self.get_object()
+        return (
+            profile == self.request.user
+            or self.request.user.has_perm("counter.view_customer")
+            or (
+                self.request.user.can_view(profile)
+                and profile.preferences.show_my_stats
+            )
+        )
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
@@ -404,13 +413,6 @@ class UserMiniView(CanViewMixin, DetailView):
     template_name = "core/user_mini.jinja"
 
 
-class UserListView(ListView, CanEditPropMixin):
-    """Displays the user list."""
-
-    model = User
-    template_name = "core/user_list.jinja"
-
-
 # FIXME: the edit_once fields aren't displayed to the user (as expected).
 #  However, if the user re-add them manually in the form, they are saved.
 class UserUpdateProfileView(UserTabsMixin, CanEditMixin, UpdateView):
@@ -468,6 +470,30 @@ class UserClubView(UserTabsMixin, CanViewMixin, DetailView):
     current_tab = "clubs"
 
 
+class UserVisibilityFormFragment(FragmentMixin, SuccessMessageMixin, UpdateView):
+    model = User
+    form_class = UserVisibilityForm
+    template_name = "core/fragment/user_visibility.jinja"
+    pk_url_kwarg = "user_id"
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {"label_suffix": ""}
+
+    def form_valid(self, form):
+        response = super().form_valid(form)
+        messages.success(
+            self.request, _("Visibility parameters updated."), extra_tags="visibility"
+        )
+        return response
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.object = kwargs.get("user")
+        return super().render_fragment(request, **kwargs)
+
+    def get_success_url(self, **kwargs):
+        return self.request.path
+
+
 class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, UpdateView):
     """Edit a user's preferences."""
 
@@ -481,7 +507,10 @@ class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, Update
     current_tab = "prefs"
 
     def get_form_kwargs(self):
-        return super().get_form_kwargs() | {"instance": self.object.preferences}
+        return super().get_form_kwargs() | {
+            "instance": self.object.preferences,
+            "label_suffix": "",
+        }
 
     def get_success_url(self):
         return self.request.path
@@ -491,6 +520,9 @@ class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, Update
         from counter.views.student_card import StudentCardFormFragment
 
         res = super().get_fragment_context_data()
+        res["user_visibility_fragment"] = UserVisibilityFormFragment.as_fragment()(
+            self.request, user=self.object
+        )
         if hasattr(self.object, "customer"):
             res["student_card_fragment"] = StudentCardFormFragment.as_fragment()(
                 self.request, customer=self.object.customer

counter/forms.py

@@ -5,6 +5,7 @@ from datetime import date, datetime, timezone
 
 from dateutil.relativedelta import relativedelta
 from django import forms
+from django.core.exceptions import ValidationError
 from django.core.validators import MaxValueValidator
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
@@ -15,7 +16,7 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 
 from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
-from core.models import User
+from core.models import User, UserQuerySet
 from core.views.forms import (
     FutureDateTimeField,
     NFCTextInput,
@@ -32,6 +33,7 @@ from core.views.widgets.ajax_select import (
 from counter.models import (
     BillingInfo,
     Counter,
+    CounterSellers,
     Customer,
     Eticket,
     InvoiceCall,
@@ -170,14 +172,39 @@ class RefillForm(forms.ModelForm):
 class CounterEditForm(forms.ModelForm):
     class Meta:
         model = Counter
-        fields = ["sellers", "products"]
-        widgets = {"sellers": AutoCompleteSelectMultipleUser}
+        fields = ["products"]
+
+    sellers_regular = forms.ModelMultipleChoiceField(
+        label=_("Regular barmen"),
+        help_text=_(
+            "Barmen having regular permanences "
+            "or frequently giving a hand throughout the semester."
+        ),
+        queryset=User.objects.all(),
+        widget=AutoCompleteSelectMultipleUser,
+        required=False,
+    )
+    sellers_temporary = forms.ModelMultipleChoiceField(
+        label=_("Temporary barmen"),
+        help_text=_(
+            "Barmen who will be there only for a limited period (e.g. for one evening)"
+        ),
+        queryset=User.objects.all(),
+        widget=AutoCompleteSelectMultipleUser,
+        required=False,
+    )
+    field_order = ["sellers_regular", "sellers_temporary", "products"]
 
     def __init__(self, *args, user: User, instance: Counter, **kwargs):
         super().__init__(*args, instance=instance, **kwargs)
+        # if the user is an admin, he will have access to all products,
+        # else only to active products owned by the counter's club
+        # or already on the counter
         if user.has_perm("counter.change_counter"):
             self.fields["products"].widget = AutoCompleteSelectMultipleProduct()
         else:
+            # updating the queryset of the field also updates the choices of
+            # the widget, so it's important to set the queryset after the widget
             self.fields["products"].widget = AutoCompleteSelectMultiple()
             self.fields["products"].queryset = Product.objects.filter(
                 Q(club_id=instance.club_id) | Q(counters=instance), archived=False
@@ -186,6 +213,61 @@ class CounterEditForm(forms.ModelForm):
                 "If you want to add a product that is not owned by "
                 "your club to this counter, you should ask an admin."
             )
+        self.fields["sellers_regular"].initial = self.instance.sellers.filter(
+            countersellers__is_regular=True
+        ).all()
+        self.fields["sellers_temporary"].initial = self.instance.sellers.filter(
+            countersellers__is_regular=False
+        ).all()
+
+    def clean(self):
+        regular: UserQuerySet = self.cleaned_data["sellers_regular"]
+        temporary: UserQuerySet = self.cleaned_data["sellers_temporary"]
+        duplicates = list(regular.intersection(temporary))
+        if duplicates:
+            raise ValidationError(
+                _(
+                    "A user cannot be a regular and a temporary barman "
+                    "at the same time, "
+                    "but the following users have been defined as both : %(users)s"
+                )
+                % {"users": ", ".join([u.get_display_name() for u in duplicates])}
+            )
+        return self.cleaned_data
+
+    def save_sellers(self):
+        sellers = []
+        for users, is_regular in (
+            (self.cleaned_data["sellers_regular"], True),
+            (self.cleaned_data["sellers_temporary"], False),
+        ):
+            sellers.extend(
+                [
+                    CounterSellers(counter=self.instance, user=u, is_regular=is_regular)
+                    for u in users
+                ]
+            )
+        # start by deleting removed CounterSellers objects
+        user_ids = [seller.user.id for seller in sellers]
+        CounterSellers.objects.filter(
+            ~Q(user_id__in=user_ids), counter=self.instance
+        ).delete()
+
+        # then create or update the new barmen
+        CounterSellers.objects.bulk_create(
+            sellers,
+            update_conflicts=True,
+            update_fields=["is_regular"],
+            unique_fields=["user", "counter"],
+        )
+
+    def save(self, commit=True):  # noqa: FBT002
+        self.instance = super().save(commit=commit)
+        if commit and any(
+            key in self.changed_data for key in ("sellers_regular", "sellers_temporary")
+        ):
+            self.save_sellers()
+        return self.instance
 
 
 class ScheduledProductActionForm(forms.ModelForm):
@@ -291,7 +373,8 @@ ScheduledProductActionFormSet = forms.modelformset_factory(
     absolute_max=None,
     can_delete=True,
     can_delete_extra=False,
-    extra=2,
+    extra=0,
+    min_num=1,
 )
 
 

counter/migrations/0038_countersellers.py

@@ -0,0 +1,88 @@
+# Generated by Django 5.2.11 on 2026-03-04 15:26
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("counter", "0037_productformula"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        # cf. https://docs.djangoproject.com/fr/stable/howto/writing-migrations/#changing-a-manytomanyfield-to-use-a-through-model
+        migrations.SeparateDatabaseAndState(
+            database_operations=[
+                migrations.RunSQL(
+                    sql="ALTER TABLE counter_counter_sellers RENAME TO counter_countersellers",
+                    reverse_sql="ALTER TABLE counter_countersellers RENAME TO counter_counter_sellers",
+                ),
+            ],
+            state_operations=[
+                migrations.CreateModel(
+                    name="CounterSellers",
+                    fields=[
+                        (
+                            "id",
+                            models.AutoField(
+                                auto_created=True,
+                                primary_key=True,
+                                serialize=False,
+                                verbose_name="ID",
+                            ),
+                        ),
+                        (
+                            "counter",
+                            models.ForeignKey(
+                                on_delete=django.db.models.deletion.CASCADE,
+                                to="counter.counter",
+                            ),
+                        ),
+                        (
+                            "user",
+                            models.ForeignKey(
+                                on_delete=django.db.models.deletion.CASCADE,
+                                to=settings.AUTH_USER_MODEL,
+                            ),
+                        ),
+                    ],
+                    options={
+                        "constraints": [
+                            models.UniqueConstraint(
+                                fields=("counter", "user"),
+                                name="counter_counter_sellers_counter_id_subscriber_id_key",
+                            )
+                        ],
+                    },
+                ),
+                migrations.AlterField(
+                    model_name="counter",
+                    name="sellers",
+                    field=models.ManyToManyField(
+                        blank=True,
+                        related_name="counters",
+                        through="counter.CounterSellers",
+                        to=settings.AUTH_USER_MODEL,
+                        verbose_name="sellers",
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="countersellers",
+            name="created_at",
+            field=models.DateTimeField(
+                auto_now_add=True,
+                default=django.utils.timezone.now,
+                verbose_name="created at",
+            ),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name="countersellers",
+            name="is_regular",
+            field=models.BooleanField(default=False, verbose_name="regular barman"),
+        ),
+    ]

counter/models.py

@@ -551,7 +551,11 @@ class Counter(models.Model):
         choices=[("BAR", _("Bar")), ("OFFICE", _("Office")), ("EBOUTIC", _("Eboutic"))],
     )
     sellers = models.ManyToManyField(
-        User, verbose_name=_("sellers"), related_name="counters", blank=True
+        User,
+        verbose_name=_("sellers"),
+        related_name="counters",
+        blank=True,
+        through="CounterSellers",
     )
     edit_groups = models.ManyToManyField(
         Group, related_name="editable_counters", blank=True
@@ -743,6 +747,26 @@ class Counter(models.Model):
         ]
 
 
+class CounterSellers(models.Model):
+    """Custom through model for the counter-sellers M2M relationship."""
+
+    counter = models.ForeignKey(Counter, on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    is_regular = models.BooleanField(_("regular barman"), default=False)
+    created_at = models.DateTimeField(_("created at"), auto_now_add=True)
+
+    class Meta:
+        constraints = [
+            models.UniqueConstraint(
+                fields=["counter", "user"],
+                name="counter_counter_sellers_counter_id_subscriber_id_key",
+            )
+        ]
+
+    def __str__(self):
+        return f"counter {self.counter_id} - user {self.user_id}"
+
+
 class RefillingQuerySet(models.QuerySet):
     def annotate_total(self) -> Self:
         """Annotate the Queryset with the total amount.

counter/static/bundled/counter/counter-click-index.ts

@@ -64,7 +64,7 @@ document.addEventListener("alpine:init", () => {
 
     checkFormulas() {
       const products = new Set(
-        Object.keys(this.basket).map((i: string) => Number.parseInt(i)),
+        Object.keys(this.basket).map((i: string) => Number.parseInt(i, 10)),
       );
       const formula: ProductFormula = config.formulas.find((f: ProductFormula) => {
         return f.products.every((p: number) => products.has(p));

counter/templates/counter/cash_summary_list.jinja

@@ -57,7 +57,7 @@
     </table>
     <br>
     {% if is_paginated %}
-      {{ paginate_jinja(page_obj, paginator) }}
+      {{ paginate_jinja(request, page_obj, paginator) }}
     {% endif %}
   {% else %}
     {% trans %}There is no cash register summary in this website.{% endtrans %}

counter/templates/counter/product_form.jinja

@@ -1,5 +1,44 @@
 {% extends "core/base.jinja" %}
 
+{% block additional_js %}
+  <script type="module" src="{{ static("bundled/core/dynamic-formset-index.ts") }}"></script>
+{% endblock %}
+
+
+{% macro action_form(form) %}
+  <fieldset x-data="{action: '{{ form.task.initial }}'}">
+    {{ form.non_field_errors() }}
+    <div class="row gap-2x margin-bottom">
+      <div>
+        {{ form.task.errors }}
+        {{ form.task.label_tag() }}
+        {{ form.task|add_attr("x-model=action") }}
+      </div>
+      <div>{{ form.trigger_at.as_field_group() }}</div>
+    </div>
+    <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
+      {{ form.counters.as_field_group() }}
+    </div>
+    {%- if form.DELETE -%}
+      <div class="row gap">
+        {{ form.DELETE.as_field_group() }}
+      </div>
+    {%- else -%}
+      <button
+        class="btn btn-grey"
+        @click.prevent="removeForm($event.target.closest('fieldset'))"
+      >
+        <i class="fa fa-minus"></i>{% trans %}Remove this action{% endtrans %}
+      </button>
+    {%- endif -%}
+    {%- for field in form.hidden_fields() -%}
+      {{ field }}
+    {%- endfor -%}
+    <hr />
+  </fieldset>
+{% endmacro %}
+
+
 {% block content %}
   {% if object %}
     <h2>{% trans name=object %}Edit product {{ name }}{% endtrans %}</h2>
@@ -25,34 +64,20 @@
       </em>
     </p>
 
-    {{ form.action_formset.management_form }}
-    {%- for action_form in form.action_formset.forms -%}
-      <fieldset x-data="{action: '{{ action_form.task.initial }}'}">
-        {{ action_form.non_field_errors() }}
-        <div class="row gap-2x margin-bottom">
-          <div>
-            {{ action_form.task.errors }}
-            {{ action_form.task.label_tag() }}
-            {{ action_form.task|add_attr("x-model=action") }}
-          </div>
-          <div>{{ action_form.trigger_at.as_field_group() }}</div>
-        </div>
-        <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
-          {{ action_form.counters.as_field_group() }}
-        </div>
-        {%- if action_form.DELETE -%}
-          <div class="row gap">
-            {{ action_form.DELETE.as_field_group() }}
-          </div>
-        {%- endif -%}
-        {%- for field in action_form.hidden_fields() -%}
-          {{ field }}
+    <div x-data="dynamicFormSet" class="margin-bottom">
+      {{ form.action_formset.management_form }}
+      <div x-ref="formContainer">
+        {%- for f in form.action_formset.forms -%}
+          {{ action_form(f) }}
         {%- endfor -%}
-      </fieldset>
-      {%- if not loop.last -%}
-        <hr class="margin-bottom">
-      {%- endif -%}
-    {%- endfor -%}
-    <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
+      </div>
+      <template x-ref="formTemplate">
+        {{ action_form(form.action_formset.empty_form) }}
+      </template>
+      <button @click.prevent="addForm()" class="btn btn-grey">
+        <i class="fa fa-plus"></i>{% trans %}Add action{% endtrans %}
+      </button>
+    </div>
+    <p><input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" /></p>
   </form>
 {% endblock %}

counter/templates/counter/refilling_list.jinja

@@ -28,7 +28,7 @@
       {%- endfor %}
     </table>
     {% if is_paginated %}
-      {{ paginate_jinja(page_obj, paginator) }}
+      {{ paginate_jinja(request, page_obj, paginator) }}
     {% endif %}
 {%- endblock %}
 

counter/tests/test_counter_admin.py

@@ -1,13 +1,132 @@
+from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.test import TestCase
+from django.urls import reverse
 from model_bakery import baker
 
 from club.models import Membership
 from core.baker_recipes import subscriber_user
-from core.models import User
+from core.models import Group, User
 from counter.baker_recipes import product_recipe
 from counter.forms import CounterEditForm
-from counter.models import Counter
+from counter.models import Counter, CounterSellers
+
+
+class TestEditCounterSellers(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.counter = baker.make(Counter, type="BAR")
+        cls.products = product_recipe.make(_quantity=2, _bulk_create=True)
+        cls.counter.products.add(*cls.products)
+        users = subscriber_user.make(_quantity=6, _bulk_create=True)
+        cls.regular_barmen = users[:2]
+        cls.tmp_barmen = users[2:4]
+        cls.not_barmen = users[4:]
+        CounterSellers.objects.bulk_create(
+            [
+                *baker.prepare(
+                    CounterSellers,
+                    counter=cls.counter,
+                    user=iter(cls.regular_barmen),
+                    is_regular=True,
+                    _quantity=len(cls.regular_barmen),
+                ),
+                *baker.prepare(
+                    CounterSellers,
+                    counter=cls.counter,
+                    user=iter(cls.tmp_barmen),
+                    is_regular=False,
+                    _quantity=len(cls.tmp_barmen),
+                ),
+            ]
+        )
+        cls.operator = baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)]
+        )
+
+    def test_view_ok(self):
+        url = reverse("counter:admin", kwargs={"counter_id": self.counter.id})
+        self.client.force_login(self.operator)
+        res = self.client.get(url)
+        assert res.status_code == 200
+        res = self.client.post(
+            url,
+            data={
+                "sellers_regular": [u.id for u in self.regular_barmen],
+                "sellers_temporary": [u.id for u in self.tmp_barmen],
+                "products": [p.id for p in self.products],
+            },
+        )
+        self.assertRedirects(res, url)
+
+    def test_add_barmen(self):
+        form = CounterEditForm(
+            data={
+                "sellers_regular": [*self.regular_barmen, self.not_barmen[0]],
+                "sellers_temporary": [*self.tmp_barmen, self.not_barmen[1]],
+                "products": self.products,
+            },
+            instance=self.counter,
+            user=self.operator,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.sellers.filter(countersellers__is_regular=True)) == {
+            *self.regular_barmen,
+            self.not_barmen[0],
+        }
+        assert set(self.counter.sellers.filter(countersellers__is_regular=False)) == {
+            *self.tmp_barmen,
+            self.not_barmen[1],
+        }
+
+    def test_barman_change_status(self):
+        """Test when a barman goes from temporary to regular"""
+        form = CounterEditForm(
+            data={
+                "sellers_regular": [*self.regular_barmen, self.tmp_barmen[0]],
+                "sellers_temporary": [*self.tmp_barmen[1:]],
+                "products": self.products,
+            },
+            instance=self.counter,
+            user=self.operator,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.sellers.filter(countersellers__is_regular=True)) == {
+            *self.regular_barmen,
+            self.tmp_barmen[0],
+        }
+        assert set(
+            self.counter.sellers.filter(countersellers__is_regular=False)
+        ) == set(self.tmp_barmen[1:])
+
+    def test_barman_duplicate(self):
+        """Test that a barman cannot be regular and temporary at the same time."""
+        form = CounterEditForm(
+            data={
+                "sellers_regular": [*self.regular_barmen, self.not_barmen[0]],
+                "sellers_temporary": [*self.tmp_barmen, self.not_barmen[0]],
+                "products": self.products,
+            },
+            instance=self.counter,
+            user=self.operator,
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "__all__": [
+                "Un utilisateur ne peut pas être un barman "
+                "régulier et temporaire en même temps, "
+                "mais les utilisateurs suivants ont été définis "
+                f"comme les deux : {self.not_barmen[0].get_display_name()}"
+            ],
+        }
+        assert set(self.counter.sellers.filter(countersellers__is_regular=True)) == set(
+            self.regular_barmen
+        )
+        assert set(
+            self.counter.sellers.filter(countersellers__is_regular=False)
+        ) == set(self.tmp_barmen)
 
 
 class TestEditCounterProducts(TestCase):

counter/views/admin.py

@@ -16,6 +16,7 @@ from datetime import datetime, timedelta
 
 from django.conf import settings
 from django.contrib.auth.mixins import PermissionRequiredMixin, UserPassesTestMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.forms import CheckboxSelectMultiple
@@ -58,7 +59,9 @@ class CounterListView(CounterAdminTabsMixin, CanViewMixin, ListView):
     current_tab = "counters"
 
 
-class CounterEditView(CounterAdminTabsMixin, UserPassesTestMixin, UpdateView):
+class CounterEditView(
+    CounterAdminTabsMixin, UserPassesTestMixin, SuccessMessageMixin, UpdateView
+):
     """Edit a counter's main informations (for the counter's manager)."""
 
     model = Counter
@@ -66,6 +69,7 @@ class CounterEditView(CounterAdminTabsMixin, UserPassesTestMixin, UpdateView):
     pk_url_kwarg = "counter_id"
     template_name = "core/edit.jinja"
     current_tab = "counters"
+    success_message = _("Counter update done")
 
     def test_func(self):
         if self.request.user.has_perm("counter.change_counter"):

docs/howto/xapian.md

@@ -0,0 +1,73 @@
+## Pourquoi Xapian
+
+Xapian permet de faire de la recherche fulltext.
+C'est une librairie écrite en C++ avec des bindings Python 
+qu'on utilise avec la dépendance `django-haystack` via `xapian-haystack`.
+
+Elle a les avantages suivants:
+
+* C'est très rapide et ça correspond très bien à notre échelle
+* C'est performant
+* Pas besoin de service supplémentaire, c'est une librairie qui utilise des fichiers, comme sqlite
+
+Mais elle a un défaut majeur: on ne peut pas « juste » la `pip install`, 
+il faut installer une librairie système et des bindings et ça a toujours été 
+l'étape la plus frustrante et buggée de notre process d'installation. C'est 
+aussi la seule raison qui fait que le projet n'es pas compatible windows.
+
+## Mettre à jour Xapian
+
+Pour installer xapian le plus simplement possible, on le compile depuis les 
+sources via la commande `./manage.py install_xapian` comme indiqué dans la 
+documentation d'installation.
+
+La version de xapian est contrôlée par le `pyproject.toml` dans la section 
+`[tool.xapian]`.
+
+Cette section ressemble à ceci:
+
+```toml
+[tool.xapian]
+version = "x.y.z"
+core-sha256 = "abcdefghijklmnopqrstuvwyz0123456789"
+bindings-sha256 = "abcdefghijklmnopqrstuvwyz0123456789"
+```
+
+Comme on peut le voir, il y a 3 variables différentes, une variable de version, 
+qui sert à choisir la version à télécharger, et deux variables sha256.
+
+Ces variables sha256 permettent de protéger des attaques par supply chain, un 
+peu comme uv et npm font avec leurs respectifs `uv.lock` et `package-lock.json`
+. Elles permettent de vérifier que les fichiers téléchargés n'ont pas été 
+altérés entre la configuration du fichier et l'installation par l'utilisateur 
+et/ou le déploiement.
+
+L'installation de xapian passe par deux fichiers, `xapian-core` et 
+`xapian-bindings` disponibles sur [https://xapian.org/download](https://xapian.org/download).
+
+Lorsque le script d'installation télécharge les fichiers, il vérifie leur 
+signature sha256 contre celles contenues dans ces deux variables. Si la 
+signature n'est pas la même, une erreur est levée, protégant l'utilisateur 
+d'une potentielle attaque.
+
+Pour mettre à jour, il faut donc changer la version ET modifier la signature !
+
+Pour récupérer ces signatures, il suffit de télécharger soi-même les archives 
+du logiciel sur ce site, utiliser la commande `sha256sum` dessus et, enfin, 
+reporter la valeur sortie par cette commande.
+
+Pour ce qui est de la correspondance, `core-sha256` correspond à la signature 
+de `xapian-core` et `bindings-sha256` de `xapian-bindings`.
+
+Voici un bout de script qui peut faciliter une mise à jour:
+
+```bash
+VERSION="x.y.z" # À modifier avec la bonne version
+curl -O "https://oligarchy.co.uk/xapian/${VERSION}/xapian-core-${VERSION}.tar.xz"
+sha256sum xapian-core-${VERSION}.tar.xz # Affiche la signature pour `core-sha256`
+rm -f xapian-core-${VERSION}
+
+curl -O "https://oligarchy.co.uk/xapian/${VERSION}/xapian-bindings-${VERSION}.tar.xz"
+sha256sum xapian-bindings-${VERSION}.tar.xz # Affiche la signature pour `bindingse-sha256`
+rm -f xapian-bindings-${VERSION}.tar.xz
+```

docs/reference/api/schemas.md

@@ -0,0 +1 @@
+::: api.schemas

docs/reference/api/views.md

@@ -0,0 +1 @@
+::: api.views

docs/tutorial/api/account-link.md

@@ -0,0 +1,368 @@
+Le site AE offre des mécanismes permettant aux applications tierces
+de récupérer les informations sur un utilisateur du site AE.
+De cette manière, il devient possible de synchroniser les informations
+qu possède l'application tierce sur l'utilisateur, directement depuis
+le site AE.
+
+## Fonctionnement général
+
+Pour authentifier vos utilisateurs, vous aurez besoin d'un serveur web
+et d'un client d'API (celui auquel est liée votre
+[clef d'API](./connect.md#obtenir-une-clef-dapi)).
+Deux informations vous sont nécessaires, en plus de votre clef d'API :
+
+- l'id du client : vous pouvez l'obtenir soit en le demandant à l'équipe info,
+  soit en appelant la route `GET /api/client/me` avec votre clef d'API
+  renseignée dans le header [X-APIKey](./connect.md#x-apikey)
+- la clef HMAC du client : vous devez la demander à l'équipe info.
+
+Grâce à ces informations, vous allez pouvoir fournir le contexte nécessaire
+au site AE pour qu'il authentifie vos utilisateurs.
+
+En effet, la démarche d'authentification s'effectue presque entièrement
+sur le site : le travail de l'application tierce consiste uniquement
+à fournir à l'utilisateur une url avec les bons paramètres, puis
+à recevoir la réponse du serveur si tout s'est bien passé.
+
+Comme un dessin vaut parfois mieux que mille mots,
+voici les diagrammes décrivant le processus.
+L'un montre l'entièreté de la démarche ;
+l'autre dans un souci de simplicité, ne montre que ce qui est visible
+directement par l'application tierce.
+
+=== "Intégralité du processus"
+
+    ```mermaid
+    sequenceDiagram
+        actor User
+        participant App
+        User->>+App: Authentifie-moi, stp
+        App-->>-User: url de connexion<br/>avec signature
+        User->>+Sith: GET url
+        opt Utilisateur non-connecté
+            Sith->>+User: Formulaire de connexion
+            User-->>-Sith: Connexion
+        end
+        Sith->>Sith: vérification de la signature
+        Sith->>+User: Formulaire<br/>des conditions<br/>d'utilisation
+        User-->>-Sith: Validation
+        Sith->>+App: URL de retour<br/>avec données utilisateur
+        App->>App: Traitement des <br/>données utilisateur
+        App-->>-Sith: 204 OK, No content
+        Sith-->>-User: Message de succès
+        App--)User: Message de succès
+    ```
+
+=== "Point de vue de l'application tierce"
+
+    ```mermaid
+    sequenceDiagram
+        actor User
+        participant App
+        User->>+App: Authentifie-moi, stp
+        App-->>-User: url de connexion<br/>avec signature
+        opt
+            Sith->>+App: URL de retour<br/>avec données utilisateur
+            App->>App: Traitement des <br/>données utilisateur
+            App-->>-Sith: 204 OK, No content
+            App--)User: Message de succès
+        end
+    ```
+
+## Données attendues
+
+### URL de connexion
+
+L'URL de connexion que vous allez fournir à l'utilisateur doit
+être `https://ae.utbm.fr/api-link/auth/`
+et doit contenir les données décrites dans
+[`ThirdPartyAuthParamsSchema`][api.schemas.ThirdPartyAuthParamsSchema] :
+
+- `client_id` (integer) : l'id de votre client, que vous pouvez obtenir
+  de la manière décrite plus haut
+- `third_party_app`(string) : le nom de la plateforme pour laquelle
+  l'authentification va être réalisée (si votre application est un bot
+  discord, mettez la valeur "discord")
+- `privacy_link`(URL) : l'URL vers la page de politique de confidentialité
+  qui s'appliquera dans le cadre de l'application
+  (s'il s'agit d'un bot discord, donnez le lien vers celles de Discord)
+- `username`(string) : le pseudonyme que l'utilisateur possède sur
+  votre application
+- `callback_url`(URL) : l'URL que le site AE appellera si l'authentification
+  réussit
+- `signature`(string) : la signature des données de la requête.
+  Il s'agit d'une signature par clef HMAC dont le fonctionnement 
+  est détaillé plus bas.
+
+Ces données doivent être url-encodées et passées dans les paramètres GET.
+
+!!!warning "URL de retour"
+
+    Les URLs fournies doivent être des URLs HTTP valides.
+    En outre, elles doivent obligatoirement inclure la barre oblique finale.
+
+    === "URL correcte ✔️"
+
+        `https://exemple.ae.utbm.fr/foo/`
+
+    === "URL incorrecte ❌"
+
+        `https://exemple.ae.utbm.fr/foo`
+
+!!!tip
+
+    Inclure l'id de votre utilisateur dans l'URL de retour
+    peut être un bon moyen de l'identifier lors du callback.
+    Par exemple : `GET /callback/{int:user_id}/`.
+
+???Example
+
+    Supposons que votre client d'API soit utilisé dans le cadre d'un bot Discord,
+    avec les données suivantes :
+    
+    - l'id du client est 15
+    - sa clef HMAC est "beb99dd53"
+      (c'est pour l'exemple, une vraie clef sera beaucoup plus longue)
+    - le pseudonyme discord de votre utilisateur est Brian
+    - son id sur discord est 123456789
+    - votre route de callback est `GET /callback/{int:user_id}/`,
+      accessible au domaine `https://bot.ae.utbm.fr`
+    
+    Alors les paramètres de votre URL seront :
+    
+    | Paramètre       | valeur                                                                |
+    |-----------------|-----------------------------------------------------------------------|
+    | client_id       | 15                                                                    |
+    | third_party_app | discord                                                               |
+    | privacy_link    | `https://discord.com/privacy`                                         |
+    | username        | Brian                                                                 |
+    | callback_url    | `https://bot.ae.utbm.fr/callback/123456789/`                          |
+    | signature       | 1a383c51060be64f07772aa42e07<br/>18ae096b8f21f2cdb4061c0834a416d12101 |
+    
+    Et l'url fournie à l'utilisateur sera :
+    
+    `https://ae.utbm.fr/api-link/auth/?client_id=15&third_party_app=discord
+    &privacy_link=https%3A%2F%2Fdiscord.com%2Fprivacy&username=Brian
+    &callback_url=https%3A%2F%2Fbot.ae.utbm.fr%2Fcallback%2F123456789%2F
+    &signature=1a383c51060be64f07772aa42e0718ae096b8f21f2cdb4061c0834a416d12101`
+
+### Données de retour
+
+Si l'authentification réussit, le site AE enverra une requête HTTP POST
+à l'URL de retour fournie dans l'URL de connexion.
+
+Le corps de la requête de callback et au format JSON 
+et contient deux paires clef-valeur :
+
+- `user` : les données utilisateur, telles que décrites
+  par [UserProfileSchema][core.schemas.UserProfileSchema]
+- `signature` : la signature des données utilisateur
+
+???Example
+
+    En reprenant les mêmes paramètres que dans l'exemple précédent,
+    le site AE pourra renvoyer à l'application la requête suivante :
+
+    ```http
+    POST https://bot.ae.utbm.fr/callback/123456789/
+    content-type: application/json
+    body: {
+        "user": {
+            "id": 144131,
+            "nick_name": "inzekitchen",
+            "first_name": "Brian",
+            ...
+        },
+        "signature": "f16955bab6b805f6e1abbb98a86dfee53fed0bf812aa6513ca46cfd461b70020"
+    }
+    ```
+
+L'application doit répondre avec un des codes HTTP suivants :
+
+| Code | Raison                                                                         |
+|------|--------------------------------------------------------------------------------|
+| 204  | Tout s'est bien passé                                                          |
+| 403  | Les données de retour ne sont <br>pas signées ou sont mal signées              |
+| 404  | L'URL de retour ne permet pas <br>d'identifier un utilisateur de l'application |
+
+!!!note "Code d'erreur par défaut"
+
+    Si l'appel de la route fait face à plusieurs problèmes en même temps 
+    (par exemple, l'URL ne permet pas de retrouver votre utilisateur, 
+    et en plus les données sont mal signées),
+    le 403 prime et doit être retourné par défaut.
+
+## Signature des données
+
+Les données de l'URL de connexion doivent être signées,
+et la signature de l'URL de retour doit être vérifiée.
+
+Dans le deux cas, la signature est le digest HMAC-SHA512
+des données url-encodées, en utilisant la clef HMAC du client d'API.
+L'ordre dans lequel ces données sont placées dans l'encodage URL
+doit être strictement le même que celui donné plus haut.
+
+???Example "Signature de l'URL de connexion"
+
+    En reprenant le même exemple que les fois précédentes,
+    l'url-encodage des données est :
+
+    `client_id=15&third_party_app=discord
+    &privacy_link=https%3A%2F%2Fdiscord.com%2Fprivacy%2F&username=Brian
+    &callback_url=https%3A%2F%2Fbot.ae.utbm.fr%2Fcallback%2F123456789%2F`
+
+    Notez que la signature n'est pas (encore) dedans.
+    Cette dernière peut-être obtenue avec le code suivant :
+
+    === ":simple-python: Python"
+    
+        Dépendances :
+    
+        - `environs` (>=14.1)
+    
+        ```python
+        import hmac
+        from urllib.parse import urlencode
+        
+        from environs import Env
+        
+        env = Env()
+        env.read_env()
+        
+        key = env.str("HMAC_KEY").encode()
+        data = {
+            "client_id": 15,
+            "third_party_app": "discord",
+            "privacy_link": "https://discord.com/privacy/",
+            "username": "Brian",
+            "callback_url": "https://bot.ae.utbm.fr/callback/123456789/",
+        }
+        urlencoded = urlencode(data)
+        data["signature"] = hmac.digest(key, urlencoded.encode(), "sha512").hex()
+        
+        # URL a fournir à l'utilisateur pour son authentification
+        user_url = f"https://ae.ubtm.fr/api-link/auth/?{urlencode(data)}"
+        ```    
+    
+    === ":simple-rust: Rust"
+    
+        Dépendances :
+        
+        - `hmac` (>=0.12.1)
+        - `url` (>=2.5.7, features `serde`)
+        - `serde` (>=1.0.228, features `derive`)
+        - `serde_urlencoded` (>="0.7.1)
+        - `sha2` (>=0.10.9)
+        - `dotenvy` (>= 0.15)
+    
+        ```rust
+        use hmac::{Mac, SimpleHmac};
+        use serde::Serialize;
+        use sha2::Sha512;
+        use url::Url;
+        
+        #[derive(Serialize, Debug)]
+        struct UrlData<'a> {
+            client_id: u32,
+            third_party_app: &'a str,
+            privacy_link: Url,
+            username: &'a str,
+            callback_url: Url,
+        }
+        
+        impl<'a> UrlData<'a> {
+            pub fn signature(&self, key: &[u8]) -> CtOutput<SimpleHmac<Sha512>> {
+                let urlencoded = serde_urlencoded::to_string(self).unwrap();
+                SimpleHmac::<Sha512>::new_from_slice(key)
+                    .unwrap()
+                    .chain_update(urlencoded.as_bytes())
+                    .finalize()
+            }
+        }
+        
+        impl Into<Url> for UrlData<'_> {
+            fn into(self) -> Url {
+                let key = std::env::var("HMAC_KEY").unwrap();
+                let mut url = Url::parse("http://ae.utbm.fr/api-link/auth/").unwrap();
+                url.set_query(Some(
+                    format!(
+                        "{}&signature={:x}",
+                        serde_urlencoded::to_string(&self).unwrap(),
+                        self.signature(key.as_bytes()).into_bytes()
+                    )
+                    .as_str(),
+                ));
+                url
+            }
+        }
+        
+        fn main() {
+            dotenvy::dotenv().expect("Couldn't load env");
+            let data = UrlData {
+                client_id: 1,
+                third_party_app: "discord",
+                privacy_link: "https://discord.com/privacy/".parse().unwrap(),
+                username: "Brian",
+                callback_url: "https://bot.ae.utbm.fr/callback/123456789/"
+                    .parse()
+                    .unwrap(),
+            };
+            let url: Url = data.into();
+            println!("{:?}", url);
+        }
+        ```
+
+???Example "Vérification de la signature de la réponse"
+
+    Les données utilisateur peuvent ressembler à :
+
+    ```json
+    {
+        "user": {
+            "display_name": "Matthieu Vincent",
+            "profile_url": "/user/380/",
+            "profile_pict": "/static/core/img/unknown.jpg",
+            "id": 380,
+            "nick_name": None,
+            "first_name": "Matthieu",
+            "last_name": "Vincent",
+        },
+        "signature": "3802a280fbb01bd9fetc."
+    }
+    ```
+
+    Vous pouvez vérifier la signature ainsi :
+
+    ```python
+        import hmac
+        from urllib.parse import urlencode
+        
+        from environs import Env
+        
+        env = Env()
+        env.read_env()
+        
+        def is_signature_valid(user_data: dict, signature: str) -> bool:
+            key = env.str("HMAC_KEY").encode()
+            urlencoded = urlencode(user_data)
+            return hmac.compare_digest(
+                hmac.digest(key, urlencoded.encode(), "sha512").hex(),
+                signature,
+            )
+        
+        
+        post_data = <récupération des données POST>
+        print(
+            "signature valide :", 
+            is_signature_valid(post_data["user"], post_data["signature"]
+        )
+    ```
+
+!!!Warning
+
+    Vous devez impérativement vérifier la signature 
+    des données de la requête de callback !
+
+    Si l'équipe informatique se rend compte que vous ne le faites pas,
+    elle se réserve le droit de suspendre votre application,
+    immédiatement et sans préavis.

docs/tutorial/api/connect.md

@@ -112,7 +112,7 @@ cf. [HTTP persistant connection (wikipedia)](https://en.wikipedia.org/wiki/HTTP_
 
 Voici quelques exemples : 
 
-=== "Python (requests)"
+=== ":simple-python: Python (requests)"
 
     Dépendances :
 
@@ -132,7 +132,7 @@ Voici quelques exemples :
         print(response.json())
     ```
 
-=== "Python (aiohttp)"
+=== ":simple-python: Python (aiohttp)"
 
     Dépendances :
 
@@ -158,7 +158,7 @@ Voici quelques exemples :
     asyncio.run(main())
     ```
 
-=== "Javascript (axios)"
+=== ":simple-javascript: Javascript (axios)"
 
     Dépendances :
 
@@ -178,7 +178,7 @@ Voici quelques exemples :
     console.log(await instance.get("club/1").json());
     ```
 
-=== "Rust (reqwest)"
+=== ":simple-rust: Rust (reqwest)"
 
     Dépendances :
     

docs/tutorial/groups.md

@@ -263,35 +263,3 @@ avec un unique champ permettant de sélectionner des groupes.
 Par défaut, seuls les utilisateurs avec la permission
 `auth.change_permission` auront accès à ce formulaire
 (donc, normalement, uniquement les utilisateurs Root).
-
-```mermaid
-sequenceDiagram
-    participant A as Utilisateur
-    participant B as ReverseProxy
-    participant C as MarkdownImage
-    participant D as Model
-
-    A->>B: GET /page/foo
-    B->>C: GET /page/foo
-    C-->>B: La page, avec les urls
-    B-->>A: La page, avec les urls
-    alt image publique 
-        A->>B: GET markdown/public/2025/img.webp
-        B-->>A: img.webp
-    end
-    alt image privée 
-        A->>B: GET markdown_image/{id}
-        B->>C: GET markdown_image/{id}
-        C->>D: user.can_view(image)
-        alt l'utilisateur a le droit de voir l'image
-            D-->>C: True
-            C-->>B: 200 (avec le X-Accel-Redirect)
-            B-->>A: img.webp
-        end
-        alt l'utilisateur n'a pas le droit de l'image
-            D-->>C: False
-            C-->>B: 403
-            B-->>A: 403
-        end
-    end
-```

docs/tutorial/install-advanced.md

@@ -56,6 +56,12 @@ Commencez par installer les dépendances système :
         sudo pacman -S postgresql nginx
         ```
 
+    === "Fedora/RHEL/AlmaLinux/Rocky"
+
+        ```bash
+        sudo dnf install postgresql libpq-devel nginx
+        ```
+
 === "macOS"
 
     ```bash
@@ -100,9 +106,11 @@ PROCFILE_SERVICE=
     vous devez ouvrir une autre fenêtre de votre terminal
     et lancer la commande `npm run serve`
 
-## Configurer Redis en service externe
+## Configurer Redis/Valkey en service externe
 
-Redis est installé comme dépendance mais pas lancé par défaut.
+Redis est installé comme dépendance mais n'es pas lancé par défaut.
+
+Si vous avez installé Valkey parce que Redis n'es pas disponible, remplacez juste `redis` par `valkey`.
 
 En mode développement, le sith se charge de le démarrer mais
 pas en production !

docs/tutorial/install.md

@@ -79,6 +79,29 @@ cd /mnt/<la_lettre_du_disque>/vos/fichiers/comme/dhab
         sudo pacman -S uv gcc git gettext pkgconf npm valkey
         ```
 
+    === "Fedora"
+        ```bash
+        sudo dnf update
+        sudo dnf install epel-release
+        sudo dnf install python-devel uv git gettext pkgconf npm redis @c-development @development-tools
+        ```
+
+    === "RHEL/AlmaLinux/Rocky"
+        ```bash
+        dnf update
+        dnf install epel-release
+        dnf install python-devel uv git gettext pkgconf npm valkey
+        dnf group install "Development Tools"
+        ```
+
+        La couche de compatibilitée valkey/redis est un package Fedora. 
+        Il est nécessaire de faire un alias nous même:
+
+        ```bash
+        ln -s /usr/bin/valkey-server /usr/bin/redis-server
+        ```
+
+
 === "macOS"
 
     Pour installer les dépendances, il est fortement recommandé d'installer le gestionnaire de paquets `homebrew <https://brew.sh/index_fr>`_.  
@@ -98,7 +121,7 @@ cd /mnt/<la_lettre_du_disque>/vos/fichiers/comme/dhab
 !!!note
 
     Python ne fait pas parti des dépendances puisqu'il est automatiquement
-    installé par uv.
+    installé par uv. Il est cependant parfois nécessaire d'installer les headers Python nécessaire à la compilation de certains paquets.
 
 ## Finaliser l'installation
 

eboutic/converters.py

@@ -1,37 +0,0 @@
-#
-# Copyright 2022
-# - Maréchal <thgirod@hotmail.com
-#
-# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
-# http://ae.utbm.fr.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License a published by the Free Software
-# Foundation; either version 3 of the License, or (at your option) any later
-# version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
-# details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
-# Place - Suite 330, Boston, MA 02111-1307, USA.
-
-
-class PaymentResultConverter:
-    """Converter used for url mapping of the `eboutic.views.payment_result` view.
-
-    It's meant to build an url that can match
-    either `/eboutic/pay/success/` or `/eboutic/pay/failure/`
-    but nothing else.
-    """
-
-    regex = "(success|failure)"
-
-    def to_python(self, value):
-        return str(value)
-
-    def to_url(self, value):
-        return str(value)

eboutic/templates/eboutic/eboutic_main.jinja

@@ -116,6 +116,56 @@
           </span>
         </div>
       {% endif %}
+      <section>
+        <div class="category-header">
+          <h3 class="margin-bottom">{% trans %}Eurockéennes 2025 partnership{% endtrans %}</h3>
+          {% if user.is_subscribed %}
+            <div id="eurock-partner" style="
+                                            min-height: 600px;
+                                            background-color: lightgrey;
+                                            display: flex;
+                                            justify-content: center;
+                                            align-items: center;
+                                            flex-direction: column;
+                                            gap: 10px;
+                                           ">
+              <p style="text-align: center;">
+                {% trans trimmed %}
+                  Our partner uses Weezevent to sell tickets.
+                  Weezevent may collect user info according to
+                  its own privacy policy.
+                  By clicking the accept button you consent to
+                  their terms of services.
+                {% endtrans %}
+              </p>
+
+              <a href="https://weezevent.com/fr/politique-de-confidentialite/">{% trans %}Privacy policy{% endtrans %}</a>
+
+              <button
+                hx-get="{{ url("eboutic:eurock") }}"
+                hx-target="#eurock-partner"
+                hx-swap="outerHTML"
+                hx-trigger="click, load[document.cookie.includes('weezevent_accept=true')]"
+                @htmx:after-request="document.cookie = 'weezevent_accept=true'"
+              >{% trans %}Accept{% endtrans %}
+              </button>
+            </div>
+          {% else %}
+            <p>
+              {%- trans trimmed %}
+                You must be subscribed to benefit from the partnership with the Eurockéennes.
+              {% endtrans -%}
+            </p>
+            <p>
+              {%- trans trimmed %}
+                This partnership offers a discount of up to 33%
+                on tickets for Friday, Saturday and Sunday,
+                as well as the 3-day package from Friday to Sunday.
+              {% endtrans -%}
+            </p>
+          {% endif %}
+        </div>
+      </section>
       {% for priority_groups in products|groupby('order') %}
         {% for category, items in priority_groups.list|groupby('category') %}
           {% if items|count > 0 %}

eboutic/templates/eboutic/eurock_fragment.jinja

@@ -0,0 +1,16 @@
+<a title="Logiciel billetterie en ligne"
+   href="https://www.weezevent.com?c=sys_widget"
+   class="weezevent-widget-integration"
+   target="_blank"
+   data-src="https://widget.weezevent.com/ticket/8aaba226-f7a3-4192-a64e-72ff8f5b35b7?id_evenement=1419869&locale=fr-FR&code=28747"
+   data-width="650"
+   data-height="600"
+   data-resize="1"
+   data-nopb="0"
+   data-type="neo"
+   data-width_auto="1"
+   data-noscroll="0"
+   data-id="1419869">
+  Billetterie Weezevent
+</a>
+<script type="text/javascript" src="https://widget.weezevent.com/weez.js"  async defer></script>

eboutic/templates/eboutic/eurok_fragment.jinja

@@ -1,17 +0,0 @@
-<a
-  title="Logiciel billetterie en ligne"
-  href="https://widget.weezevent.com/ticket/6ef65533-f5b0-4571-9d21-1f1bc63921f0?id_evenement=1211855&locale=fr-FR&code=34146"
-  class="weezevent-widget-integration"
-  target="_blank"
-  data-src="https://widget.weezevent.com/ticket/6ef65533-f5b0-4571-9d21-1f1bc63921f0?id_evenement=1211855&locale=fr-FR&code=34146"
-  data-width="650"
-  data-height="600"
-  data-resize="1"
-  data-nopb="0"
-  data-type="neo"
-  data-width_auto="1"
-  data-noscroll="0"
-  data-id="1211855">
-  Billetterie Weezevent
-</a>
-<script type="text/javascript" src="https://widget.weezevent.com/weez.js" async defer></script>

eboutic/urls.py

@@ -24,17 +24,18 @@
 
 from django.urls import path, register_converter
 
-from eboutic.converters import PaymentResultConverter
+from core.converters import ResultConverter
 from eboutic.views import (
     BillingInfoFormFragment,
     EbouticCheckout,
     EbouticMainView,
     EbouticPayWithSith,
     EtransactionAutoAnswer,
+    EurockPartnerFragment,
     payment_result,
 )
 
-register_converter(PaymentResultConverter, "res")
+register_converter(ResultConverter, "res")
 
 urlpatterns = [
     # Subscription views
@@ -50,4 +51,5 @@ urlpatterns = [
         EtransactionAutoAnswer.as_view(),
         name="etransation_autoanswer",
     ),
+    path("eurock/", EurockPartnerFragment.as_view(), name="eurock"),
 ]

eboutic/views.py

@@ -42,11 +42,11 @@ from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET
-from django.views.generic import DetailView, FormView, UpdateView, View
+from django.views.generic import DetailView, FormView, TemplateView, UpdateView, View
 from django.views.generic.edit import SingleObjectMixin
 from django_countries.fields import Country
 
-from core.auth.mixins import CanViewMixin
+from core.auth.mixins import CanViewMixin, IsSubscriberMixin
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BaseBasketForm, BasketProductForm, BillingInfoForm
 from counter.models import (
@@ -350,3 +350,7 @@ class EtransactionAutoAnswer(View):
             return HttpResponse(
                 "Payment failed with error: " + request.GET["Error"], status=202
             )
+
+
+class EurockPartnerFragment(IsSubscriberMixin, TemplateView):
+    template_name = "eboutic/eurock_fragment.jinja"

election/templates/election/election_detail.jinja

@@ -146,7 +146,7 @@
                           <label for="{{ input_id }}">
                         {%- endif %}
                         <figure>
-                          {%- if user.is_viewable %}
+                          {%- if user.can_view(candidature.user) %}
                             {% if candidature.user.profile_pict %}
                               <img class="candidate__picture" src="{{ candidature.user.profile_pict.get_download_url() }}" alt="{% trans %}Profile{% endtrans %}">
                             {% else %}

election/templates/election/election_list.jinja

@@ -46,7 +46,7 @@
     </section>
   {%- endfor %}
   {% if is_paginated %}
-    {{ paginate_jinja(page_obj, paginator) }}
+    {{ paginate_jinja(request, page_obj, paginator) }}
   {% endif %}
 {%- endblock %}
 

election/tests.py

@@ -6,6 +6,8 @@ from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.timezone import now
 from model_bakery import baker
+from model_bakery.recipe import Recipe
+from pytest_django.asserts import assertRedirects
 
 from core.baker_recipes import subscriber_user
 from core.models import Group, User
@@ -52,6 +54,102 @@ class TestElectionUpdateView(TestElection):
         assert response.status_code == 403
 
 
+class TestElectionForm(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.election = baker.make(Election, end_date=now() + timedelta(days=1))
+        cls.group = baker.make(Group)
+        cls.election.vote_groups.add(cls.group)
+        cls.election.edit_groups.add(cls.group)
+        lists = baker.make(
+            ElectionList, election=cls.election, _quantity=2, _bulk_create=True
+        )
+        cls.roles = baker.make(
+            Role, election=cls.election, _quantity=2, _bulk_create=True
+        )
+        users = baker.make(User, _quantity=4, _bulk_create=True)
+        recipe = Recipe(Candidature)
+        cls.cand = [
+            recipe.prepare(role=cls.roles[0], user=users[0], election_list=lists[0]),
+            recipe.prepare(role=cls.roles[0], user=users[1], election_list=lists[1]),
+            recipe.prepare(role=cls.roles[1], user=users[2], election_list=lists[0]),
+            recipe.prepare(role=cls.roles[1], user=users[3], election_list=lists[1]),
+        ]
+        Candidature.objects.bulk_create(cls.cand)
+        cls.vote_url = reverse("election:vote", kwargs={"election_id": cls.election.id})
+        cls.detail_url = reverse(
+            "election:detail", kwargs={"election_id": cls.election.id}
+        )
+
+    def test_election_good_form(self):
+        postes = (self.roles[0].title, self.roles[1].title)
+        votes = [
+            {postes[0]: "", postes[1]: str(self.cand[2].id)},
+            {postes[0]: "", postes[1]: ""},
+            {postes[0]: str(self.cand[0].id), postes[1]: str(self.cand[2].id)},
+            {postes[0]: str(self.cand[0].id), postes[1]: str(self.cand[3].id)},
+        ]
+        voters = subscriber_user.make(_quantity=len(votes), _bulk_create=True)
+        self.group.users.set(voters)
+
+        for voter, vote in zip(voters, votes, strict=True):
+            assert self.election.can_vote(voter)
+            self.client.force_login(voter)
+            response = self.client.post(self.vote_url, data=vote)
+            assertRedirects(response, self.detail_url)
+
+        assert set(self.election.voters.all()) == set(voters)
+        assert self.election.results == {
+            postes[0]: {
+                self.cand[0].user.username: {"percent": 50.0, "vote": 2},
+                self.cand[1].user.username: {"percent": 0.0, "vote": 0},
+                "blank vote": {"percent": 50.0, "vote": 2},
+                "total vote": 4,
+            },
+            postes[1]: {
+                self.cand[2].user.username: {"percent": 50.0, "vote": 2},
+                self.cand[3].user.username: {"percent": 25.0, "vote": 1},
+                "blank vote": {"percent": 25.0, "vote": 1},
+                "total vote": 4,
+            },
+        }
+
+    def test_election_bad_form(self):
+        postes = (self.roles[0].title, self.roles[1].title)
+
+        votes = [
+            {postes[0]: "", postes[1]: str(self.cand[0].id)},  # wrong candidate
+            {postes[0]: ""},
+            {
+                postes[0]: "0123456789",  # unknow users
+                postes[1]: str(subscriber_user.make().id),  # not a candidate
+            },
+            {},
+        ]
+        voters = subscriber_user.make(_quantity=len(votes), _bulk_create=True)
+        self.group.users.set(voters)
+
+        for voter, vote in zip(voters, votes, strict=True):
+            self.client.force_login(voter)
+            response = self.client.post(self.vote_url, data=vote)
+            assertRedirects(response, self.detail_url)
+
+        assert self.election.results == {
+            postes[0]: {
+                self.cand[0].user.username: {"percent": 0.0, "vote": 0},
+                self.cand[1].user.username: {"percent": 0.0, "vote": 0},
+                "blank vote": {"percent": 100.0, "vote": 2},
+                "total vote": 2,
+            },
+            postes[1]: {
+                self.cand[2].user.username: {"percent": 0.0, "vote": 0},
+                self.cand[3].user.username: {"percent": 0.0, "vote": 0},
+                "blank vote": {"percent": 100.0, "vote": 2},
+                "total vote": 2,
+            },
+        }
+
+
 @pytest.mark.django_db
 def test_election_create_list_permission(client: Client):
     election = baker.make(Election, end_candidature=now() + timedelta(hours=1))

election/views.py

@@ -1,7 +1,6 @@
 from typing import TYPE_CHECKING
 
 from cryptography.utils import cached_property
-from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.mixins import (
     LoginRequiredMixin,
@@ -115,16 +114,9 @@ class VoteFormView(LoginRequiredMixin, UserPassesTestMixin, FormView):
     def test_func(self):
         if not self.election.can_vote(self.request.user):
             return False
-
-        groups = set(self.election.vote_groups.values_list("id", flat=True))
-        if (
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
+        return self.election.vote_groups.filter(
+            id__in=self.request.user.all_groups
+        ).exists()
 
     def vote(self, election_data):
         with transaction.atomic():
@@ -238,15 +230,9 @@ class RoleCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView):
             return False
         if self.request.user.has_perm("election.add_role"):
             return True
-        groups = set(self.election.edit_groups.values_list("id", flat=True))
-        if (
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
+        return self.election.edit_groups.filter(
+            id__in=self.request.user.all_groups
+        ).exists()
 
     def get_initial(self):
         return {"election": self.election}
@@ -279,14 +265,7 @@ class ElectionListCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView
             .union(self.election.edit_groups.values("id"))
             .values_list("id", flat=True)
         )
-        if (
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
+        return not groups.isdisjoint(self.request.user.all_groups.keys())
 
     def get_initial(self):
         return {"election": self.election}

forum/templates/forum/topic.jinja

@@ -27,7 +27,7 @@
     </p>
 
     {{ display_search_bar(request) }}
-    {{ paginate_jinja(msgs, msgs.paginator) }}
+    {{ paginate_jinja(request, msgs, msgs.paginator) }}
 
     <main class="message-list">
       {% for m in msgs %}
@@ -44,7 +44,9 @@
 
     <p><a class="ib button" href="{{ url('forum:new_message', topic_id=topic.id) }}">{% trans %}Reply{% endtrans %}</a></p>
 
-    {{ paginate_jinja(msgs, msgs.paginator) }}
+    {% if is_paginated %}
+      {{ paginate_jinja(request, msgs, msgs.paginator) }}
+    {% endif %}
   </div>
 {% endblock %}
 

galaxy/management/commands/generate_galaxy_test_data.py

@@ -25,12 +25,13 @@ import warnings
 from datetime import timedelta
 from typing import Final, Optional
 
+from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.management.base import BaseCommand
 from django.utils import timezone
 
 from club.models import Club, Membership
-from core.models import Group, Page, User
+from core.models import Group, Page, SithFile, User
 from core.utils import RED_PIXEL_PNG
 from sas.models import Album, PeoplePictureRelation, Picture
 from subscription.models import Subscription
@@ -90,8 +91,13 @@ class Command(BaseCommand):
         self.NB_CLUBS = options["club_count"]
 
         root = User.objects.filter(username="root").first()
+        sas = SithFile.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID)
         self.galaxy_album = Album.objects.create(
-            name="galaxy-register-file", owner=root, is_moderated=True
+            name="galaxy-register-file",
+            owner=root,
+            is_moderated=True,
+            is_in_sas=True,
+            parent=sas,
         )
 
         self.make_clubs()
@@ -279,10 +285,14 @@ class Command(BaseCommand):
                     owner=u,
                     name=f"galaxy-picture {u} {i // self.NB_USERS}",
                     is_moderated=True,
+                    is_folder=False,
                     parent=self.galaxy_album,
-                    original=ContentFile(RED_PIXEL_PNG),
+                    is_in_sas=True,
+                    file=ContentFile(RED_PIXEL_PNG),
                     compressed=ContentFile(RED_PIXEL_PNG),
                     thumbnail=ContentFile(RED_PIXEL_PNG),
+                    mime_type="image/png",
+                    size=len(RED_PIXEL_PNG),
                 )
             )
             self.picts[i].file.name = self.picts[i].name

mkdocs.yml

@@ -69,6 +69,7 @@ nav:
     - API:
       - Développement: tutorial/api/dev.md
       - Connexion à l'API: tutorial/api/connect.md
+      - Liaison avec le compte AE: tutorial/api/account-link.md
     - Etransactions: tutorial/etransaction.md
   - How-to:
     - L'ORM de Django: howto/querysets.md
@@ -80,6 +81,7 @@ nav:
     - Ajouter un logo de promo: howto/logo.md
     - Ajouter une cotisation: howto/subscriptions.md
     - Modifier le weekmail: howto/weekmail.md
+    - Mettre à jour xapian: howto/xapian.md
     - Terminal: howto/terminal.md
     - Direnv: howto/direnv.md
   - Reference:
@@ -91,6 +93,8 @@ nav:
       - reference/api/hashers.md
       - reference/api/models.md
       - reference/api/perms.md
+      - reference/api/schemas.md
+      - reference/api/views.md
     - club:
       - reference/club/models.md
       - reference/club/views.md

package.json

@@ -8,8 +8,6 @@
     "compile-dev": "vite build --mode development",
     "serve": "vite build --mode development --watch --minify false",
     "openapi": "openapi-ts",
-    "analyse-dev": "vite-bundle-visualizer --mode development",
-    "analyse-prod": "vite-bundle-visualizer --mode production",
     "check": "tsc && biome check --write"
   },
   "keywords": [],
@@ -28,29 +26,28 @@
   "devDependencies": {
     "@babel/core": "^7.29.0",
     "@babel/preset-env": "^7.29.0",
-    "@biomejs/biome": "^2.3.14",
-    "@hey-api/openapi-ts": "^0.92.4",
+    "@biomejs/biome": "^2.4.6",
+    "@hey-api/openapi-ts": "^0.94.0",
     "@rollup/plugin-inject": "^5.0.5",
     "@types/alpinejs": "^3.13.11",
     "@types/cytoscape-cxtmenu": "^3.4.5",
     "@types/cytoscape-klay": "^3.1.5",
     "@types/js-cookie": "^3.0.6",
+    "rollup-plugin-visualizer": "^7.0.1",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
-    "vite-bundle-visualizer": "^1.2.1",
-    "vite-plugin-static-copy": "^3.2.0"
+    "vite": "^8.0.0"
   },
   "dependencies": {
     "@alpinejs/sort": "^3.15.8",
     "@arendjr/text-clipper": "npm:@jsr/arendjr__text-clipper@^3.0.0",
-    "@floating-ui/dom": "^1.7.5",
+    "@floating-ui/dom": "^1.7.6",
     "@fortawesome/fontawesome-free": "^7.2.0",
     "@fullcalendar/core": "^6.1.20",
     "@fullcalendar/daygrid": "^6.1.20",
     "@fullcalendar/icalendar": "^6.1.20",
     "@fullcalendar/list": "^6.1.20",
-    "@sentry/browser": "^10.38.0",
-    "@zip.js/zip.js": "^2.8.20",
+    "@sentry/browser": "^10.43.0",
+    "@zip.js/zip.js": "^2.8.23",
     "3d-force-graph": "^1.79.1",
     "alpinejs": "^3.15.8",
     "chart.js": "^4.5.1",
@@ -60,14 +57,14 @@
     "cytoscape-klay": "^3.1.4",
     "d3-force-3d": "^3.0.6",
     "easymde": "^2.20.0",
-    "glob": "^13.0.2",
+    "glob": "^13.0.6",
     "html2canvas": "^1.4.1",
     "htmx.org": "^2.0.8",
     "js-cookie": "^3.0.5",
     "lit-html": "^3.3.2",
     "native-file-system-adapter": "^3.0.1",
-    "three": "^0.182.0",
+    "three": "^0.183.2",
     "three-spritetext": "^1.10.0",
-    "tom-select": "^2.5.1"
+    "tom-select": "^2.5.2"
   }
 }

pyproject.toml

@@ -19,7 +19,7 @@ authors = [
 license = { text = "GPL-3.0-only" }
 requires-python = "<4.0,>=3.12"
 dependencies = [
-    "django>=5.2.11,<6.0.0",
+    "django>=5.2.12,<6.0.0",
     "django-ninja>=1.5.3,<6.0.0",
     "django-ninja-extra>=0.31.0",
     "Pillow>=12.1.1,<13.0.0",
@@ -27,15 +27,15 @@ dependencies = [
     "django-jinja<3.0.0,>=2.11.0",
     "cryptography>=46.0.5,<47.0.0",
     "django-phonenumber-field>=8.4.0,<9.0.0",
-    "phonenumbers>=9.0.23,<10.0.0",
-    "reportlab>=4.4.9,<5.0.0",
+    "phonenumbers>=9.0.25,<10.0.0",
+    "reportlab>=4.4.10,<5.0.0",
     "django-haystack<4.0.0,>=3.3.0",
     "xapian-haystack<4.0.0,>=3.1.0",
     "libsass<1.0.0,>=0.23.0",
     "django-ordered-model<4.0.0,>=3.7.4",
     "django-simple-captcha<1.0.0,>=0.6.3",
     "python-dateutil<3.0.0.0,>=2.9.0.post0",
-    "sentry-sdk>=2.52.0,<3.0.0",
+    "sentry-sdk>=2.54.0,<3.0.0",
     "jinja2<4.0.0,>=3.1.6",
     "django-countries>=8.2.0,<9.0.0",
     "dict2xml>=1.7.8,<2.0.0",
@@ -51,7 +51,7 @@ dependencies = [
     "psutil>=7.2.2,<8.0.0",
     "celery[redis]>=5.6.2,<7",
     "django-celery-results>=2.5.1",
-    "django-celery-beat>=2.7.0",
+    "django-celery-beat>=2.9.0",
 ]
 
 [project.urls]
@@ -60,31 +60,31 @@ documentation = "https://sith-ae.readthedocs.io/"
 
 [dependency-groups]
 prod = [
-    "psycopg[c]>=3.3.2,<4.0.0",
+    "psycopg[c]>=3.3.3,<4.0.0",
 ]
 dev = [
     "django-debug-toolbar>=6.2.0,<7",
-    "ipython>=9.10.0,<10.0.0",
+    "ipython>=9.11.0,<10.0.0",
     "pre-commit>=4.5.1,<5.0.0",
-    "ruff>=0.15.0,<1.0.0",
+    "ruff>=0.15.5,<1.0.0",
     "djhtml>=3.0.10,<4.0.0",
-    "faker>=40.4.0,<41.0.0",
+    "faker>=40.8.0,<41.0.0",
     "rjsmin>=1.2.5,<2.0.0",
 ]
 tests = [
     "freezegun>=1.5.5,<2.0.0",
     "pytest>=9.0.2,<10.0.0",
     "pytest-cov>=7.0.0,<8.0.0",
-    "pytest-django<5.0.0,>=4.10.0",
-    "model-bakery<2.0.0,>=1.23.2",
+    "pytest-django<5.0.0,>=4.12.0",
+    "model-bakery<2.0.0,>=1.23.3",
     "beautifulsoup4>=4.14.3,<5",
     "lxml>=6.0.2,<7",
 ]
 docs = [
     "mkdocs<2.0.0,>=1.6.1",
-    "mkdocs-material>=9.7.1,<10.0.0",
+    "mkdocs-material>=9.7.5,<10.0.0",
     "mkdocstrings>=1.0.3,<2.0.0",
-    "mkdocstrings-python>=2.0.2,<3.0.0",
+    "mkdocstrings-python>=2.0.3,<3.0.0",
     "mkdocs-include-markdown-plugin>=7.2.1,<8.0.0",
 ]
 
@@ -92,7 +92,11 @@ docs = [
 default-groups = ["dev", "tests", "docs"]
 
 [tool.xapian]
-version = "1.4.29"
+version = "1.4.31"
+# Those hashes are here to protect against supply chains attacks
+# See `https://ae-utbm.github.io/sith/howto/xapian/` for more information
+core-sha256 = "fecf609ea2efdc8a64be369715aac733336a11f7480a6545244964ae6bc80811"
+bindings-sha256 = "a38cc7ba4188cc0bd27dc7369f03906772047087a1c54f1b93355d5e9103c304"
 
 [tool.ruff]
 output-format = "concise" # makes ruff error logs easier to read

rootplace/templates/rootplace/logs.jinja

@@ -28,5 +28,7 @@
   </table>
 
   <br>
-  {{ paginate_jinja(page_obj, paginator) }}
+  {% if is_paginated %}
+    {{ paginate_jinja(request, page_obj, paginator) }}
+  {% endif %}
 {% endblock content %}

sas/admin.py

@@ -20,9 +20,9 @@ from sas.models import Album, PeoplePictureRelation, Picture, PictureModerationR
 
 @admin.register(Picture)
 class PictureAdmin(admin.ModelAdmin):
-    list_display = ("name", "parent", "is_moderated")
+    list_display = ("name", "parent", "date", "size", "is_moderated")
     search_fields = ("name",)
-    autocomplete_fields = ("owner", "parent", "moderator")
+    autocomplete_fields = ("owner", "parent", "edit_groups", "view_groups", "moderator")
 
 
 @admin.register(PeoplePictureRelation)
@@ -33,9 +33,9 @@ class PeoplePictureRelationAdmin(admin.ModelAdmin):
 
 @admin.register(Album)
 class AlbumAdmin(admin.ModelAdmin):
-    list_display = ("name", "parent")
+    list_display = ("name", "parent", "date", "owner", "is_moderated")
     search_fields = ("name",)
-    autocomplete_fields = ("parent", "edit_groups", "view_groups")
+    autocomplete_fields = ("owner", "parent", "edit_groups", "view_groups")
 
 
 @admin.register(PictureModerationRequest)

sas/api.py

@@ -3,8 +3,7 @@ from typing import Any, Literal
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.urls import reverse
-from ninja import Body, Query, UploadedFile
-from ninja.errors import HttpError
+from ninja import Body, File, Query
 from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.exceptions import NotFound, PermissionDenied
@@ -17,12 +16,11 @@ from api.permissions import (
     CanAccessLookup,
     CanEdit,
     CanView,
-    HasPerm,
     IsInGroup,
     IsRoot,
 )
 from core.models import Notification, User
-from core.utils import get_list_exact_or_404
+from core.schemas import UploadedImage
 from sas.models import Album, PeoplePictureRelation, Picture
 from sas.schemas import (
     AlbumAutocompleteSchema,
@@ -30,7 +28,6 @@ from sas.schemas import (
     AlbumSchema,
     IdentifiedUserSchema,
     ModerationRequestSchema,
-    MoveAlbumSchema,
     PictureFilterSchema,
     PictureSchema,
 )
@@ -72,44 +69,6 @@ class AlbumController(ControllerBase):
             Album.objects.viewable_by(self.context.request.user).order_by("-date")
         )
 
-    @route.patch("/parent")
-    def change_album_parent(self, payload: list[MoveAlbumSchema]):
-        """Change parents of albums
-
-        Note:
-            For this operation to work, the user must be authorized
-            to edit both the moved albums and their new parent.
-        """
-        user: User = self.context.request.user
-        albums: list[Album] = get_list_exact_or_404(
-            Album, pk__in={a.id for a in payload}
-        )
-        if not user.has_perm("sas.change_album"):
-            unauthorized = [a.id for a in albums if not user.can_edit(a)]
-            if unauthorized:
-                raise PermissionDenied(
-                    f"You can't move the following albums : {unauthorized}"
-                )
-        parents: list[Album] = get_list_exact_or_404(
-            Album, pk__in={a.new_parent_id for a in payload}
-        )
-        if not user.has_perm("sas.change_album"):
-            unauthorized = [a.id for a in parents if not user.can_edit(a)]
-            if unauthorized:
-                raise PermissionDenied(
-                    f"You can't move to the following albums : {unauthorized}"
-                )
-        id_to_new_parent = {i.id: i.new_parent_id for i in payload}
-        for album in albums:
-            album.parent_id = id_to_new_parent[album.id]
-        # known caveat : moving an album won't move it's thumbnail.
-        # E.g. if the album foo/bar is moved to foo/baz,
-        # the thumbnail will still be foo/bar/thumb.webp
-        # This has no impact for the end user
-        # and doing otherwise would be hard for us to implement,
-        # because we would then have to manage rollbacks on fail.
-        Album.objects.bulk_update(albums, fields=["parent_id"])
-
 
 @api_controller("/sas/picture")
 class PicturesController(ControllerBase):
@@ -137,7 +96,7 @@ class PicturesController(ControllerBase):
         return (
             filters.filter(Picture.objects.viewable_by(user))
             .distinct()
-            .order_by("-parent__event_date", "created_at")
+            .order_by("-parent__date", "date")
             .select_related("owner", "parent")
         )
 
@@ -151,25 +110,27 @@ class PicturesController(ControllerBase):
         },
         url_name="upload_picture",
     )
-    def upload_picture(self, album_id: Body[int], picture: UploadedFile):
+    def upload_picture(self, album_id: Body[int], picture: File[UploadedImage]):
         album = self.get_object_or_exception(Album, pk=album_id)
         user = self.context.request.user
         self_moderate = user.has_perm("sas.moderate_sasfile")
         new = Picture(
             parent=album,
             name=picture.name,
-            original=picture,
+            file=picture,
             owner=user,
             is_moderated=self_moderate,
+            is_folder=False,
+            mime_type=picture.content_type,
         )
         if self_moderate:
             new.moderator = user
-        new.generate_thumbnails()
         try:
+            new.generate_thumbnails()
             new.full_clean()
+            new.save()
         except ValidationError as e:
-            raise HttpError(status_code=409, message=str(e)) from e
-        new.save()
+            return self.create_response({"detail": dict(e)}, status_code=409)
 
     @route.get(
         "/{picture_id}/identified",
@@ -254,9 +215,9 @@ class UsersIdentifiedController(ControllerBase):
         relation = self.get_object_or_exception(PeoplePictureRelation, pk=relation_id)
         user: User = self.context.request.user
         if (
-                relation.user_id != user.id
-                and not user.is_root
-                and not user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
+            relation.user_id != user.id
+            and not user.is_root
+            and not user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
         ):
             raise PermissionDenied
         relation.delete()