apply review comments

remove CanCreateMixin usage from election
refactor election result computing
2025-09-13 11:35:44 +00:00 · 2025-06-27 13:28:44 +02:00 · 2025-06-27 12:01:15 +02:00 · 2025-06-27 12:01:15 +02:00 · 2025-06-27 12:01:14 +02:00 · 2025-06-27 12:00:52 +02:00
56 changed files with 1082 additions and 2507 deletions
--- a/core/admin.py
+++ b/core/admin.py
@@ -88,9 +88,9 @@ class PageAdmin(admin.ModelAdmin):

@admin.register(SithFile)
 class SithFileAdmin(admin.ModelAdmin):
-    list_display = ("name", "owner", "size", "date")
+    list_display = ("name", "owner", "size", "date", "is_in_sas")
    autocomplete_fields = ("parent", "owner", "moderator")
-    search_fields = ("name",)
+    search_fields = ("name", "parent__name")


@admin.register(OperationLog)
--- a/core/api.py
+++ b/core/api.py
@@ -97,7 +97,7 @@ class SithFileController(ControllerBase):
    )
    @paginate(PageNumberPaginationExtra, page_size=50)
    def search_files(self, search: Annotated[str, annotated_types.MinLen(1)]):
-        return SithFile.objects.filter(name__icontains=search)
+        return SithFile.objects.filter(is_in_sas=False).filter(name__icontains=search)


@api_controller("/group")
--- a/core/management/commands/install_xapian.sh
+++ b/core/management/commands/install_xapian.sh
@@ -4,13 +4,13 @@
 VERSION="$1"

 # Cleanup env vars for auto discovery mechanism
-unset CPATH
-unset LIBRARY_PATH
-unset CFLAGS
-unset LDFLAGS
-unset CCFLAGS
-unset CXXFLAGS
-unset CPPFLAGS
+export CPATH=
+export LIBRARY_PATH=
+export CFLAGS=
+export LDFLAGS=
+export CCFLAGS=
+export CXXFLAGS=
+export CPPFLAGS=

 # prepare
 rm -rf "$VIRTUAL_ENV/packages"
--- a/core/management/commands/populate.py
+++ b/core/management/commands/populate.py
@@ -110,6 +110,7 @@ class Command(BaseCommand):
        p.save(force_lock=True)

        club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root)
        main_club = Club.objects.create(
            id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
        )
@@ -692,21 +693,33 @@ class Command(BaseCommand):
        # SAS
        for f in self.SAS_FIXTURE_PATH.glob("*"):
            if f.is_dir():
-                album = Album.objects.create(name=f.name, is_moderated=True)
+                album = Album(
+                    parent=sas,
+                    name=f.name,
+                    owner=root,
+                    is_folder=True,
+                    is_in_sas=True,
+                    is_moderated=True,
+                )
+                album.clean()
+                album.save()
                for p in f.iterdir():
                    file = resize_image(Image.open(p), 1000, "WEBP")
                    pict = Picture(
                        parent=album,
                        name=p.name,
-                        original=file,
+                        file=file,
                        owner=root,
+                        is_folder=False,
+                        is_in_sas=True,
                        is_moderated=True,
+                        mime_type="image/webp",
+                        size=file.size,
                    )
-                    pict.original.name = pict.name
-                    pict.generate_thumbnails()
+                    pict.file.name = p.name
                    pict.full_clean()
+                    pict.generate_thumbnails()
                    pict.save()
-                album.generate_thumbnail()

        img_skia = Picture.objects.get(name="skia.jpg")
        img_sli = Picture.objects.get(name="sli.jpg")
--- a/core/migrations/0048_remove_sithfiles.py
+++ b/core/migrations/0048_remove_sithfiles.py
@@ -1,27 +0,0 @@
-# Generated by Django 4.2.17 on 2025-01-26 15:01
-
-from typing import TYPE_CHECKING
-
-from django.db import migrations
-from django.db.migrations.state import StateApps
-
-if TYPE_CHECKING:
-    import core.models
-
-
-def remove_sas_sithfiles(apps: StateApps, schema_editor):
-    SithFile: type[core.models.SithFile] = apps.get_model("core", "SithFile")
-    SithFile.objects.filter(is_in_sas=True).delete()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("core", "0047_alter_notification_date_alter_notification_type"),
-        ("sas", "0007_alter_peoplepicturerelation_picture_and_more"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            remove_sas_sithfiles, reverse_code=migrations.RunPython.noop, elidable=True
-        )
-    ]
--- a/core/migrations/0049_remove_sithfile_is_in_sas.py
+++ b/core/migrations/0049_remove_sithfile_is_in_sas.py
@@ -1,9 +0,0 @@
-# Generated by Django 4.2.17 on 2025-02-14 11:58
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [("core", "0048_remove_sithfiles")]
-
-    operations = [migrations.RemoveField(model_name="sithfile", name="is_in_sas")]
--- a/core/models.py
+++ b/core/models.py
@@ -863,6 +863,9 @@ class SithFile(models.Model):
        on_delete=models.CASCADE,
    )
    asked_for_removal = models.BooleanField(_("asked for removal"), default=False)
+    is_in_sas = models.BooleanField(
+        _("is in the SAS"), default=False, db_index=True
+    )  # Allows to query this flag, updated at each call to save()

    class Meta:
        verbose_name = _("file")
@@ -871,10 +874,22 @@ class SithFile(models.Model):
        return self.get_parent_path() + "/" + self.name

    def save(self, *args, **kwargs):
+        sas = SithFile.objects.filter(id=settings.SITH_SAS_ROOT_DIR_ID).first()
+        self.is_in_sas = sas in self.get_parent_list() or self == sas
        adding = self._state.adding
        super().save(*args, **kwargs)
        if adding:
            self.copy_rights()
+        if self.is_in_sas:
+            for user in User.objects.filter(
+                groups__id__in=[settings.SITH_GROUP_SAS_ADMIN_ID]
+            ):
+                Notification(
+                    user=user,
+                    url=reverse("sas:moderation"),
+                    type="SAS_MODERATION",
+                    param="1",
+                ).save()

    def is_owned_by(self, user: User) -> bool:
        if user.is_anonymous:
@@ -887,6 +902,8 @@ class SithFile(models.Model):
            return user.is_board_member
        if user.is_com_admin:
            return True
+        if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+            return True
        return user.id == self.owner_id

    def can_be_viewed_by(self, user: User) -> bool:
@@ -913,6 +930,8 @@ class SithFile(models.Model):
        super().clean()
        if "/" in self.name:
            raise ValidationError(_("Character '/' not authorized in name"))
+        if self == self.parent:
+            raise ValidationError(_("Loop in folder tree"), code="loop")
        if self == self.parent or (
            self.parent is not None and self in self.get_parent_list()
        ):
@@ -1050,6 +1069,18 @@ class SithFile(models.Model):
    def is_file(self):
        return not self.is_folder

+    @cached_property
+    def as_picture(self):
+        from sas.models import Picture
+
+        return Picture.objects.filter(id=self.id).first()
+
+    @cached_property
+    def as_album(self):
+        from sas.models import Album
+
+        return Album.objects.filter(id=self.id).first()
+
    def get_parent_list(self):
        parents = []
        current = self.parent
--- a/core/static/bundled/alpine-index.js
+++ b/core/static/bundled/alpine-index.js
@@ -1,7 +1,8 @@
+import { limitedChoices } from "#core:alpine/limited-choices";
 import sort from "@alpinejs/sort";
 import Alpine from "alpinejs";

-Alpine.plugin(sort);
+Alpine.plugin([sort, limitedChoices]);
 window.Alpine = Alpine;

 window.addEventListener("DOMContentLoaded", () => {
--- a/core/static/bundled/alpine/limited-choices.ts
+++ b/core/static/bundled/alpine/limited-choices.ts
@@ -0,0 +1,69 @@
+import type { Alpine as AlpineType } from "alpinejs";
+
+export function limitedChoices(Alpine: AlpineType) {
+  /**
+   * Directive to limit the number of elements
+   * that can be selected in a group of checkboxes.
+   *
+   * When the max numbers of selectable elements is reached,
+   * new elements will still be inserted, but oldest ones will be deselected.
+   * For example, if checkboxes A, B and C have been selected and the max
+   * number of selections is 3, then selecting D will result in having
+   * B, C and D selected.
+   *
+   * # Example in template
+   * ```html
+   * <div x-data="{nbMax: 2}", x-limited-choices="nbMax">
+   *   <button @click="nbMax += 1">Click me to increase the limit</button>
+   *   <input type="checkbox" value="A" name="foo">
+   *   <input type="checkbox" value="B" name="foo">
+   *   <input type="checkbox" value="C" name="foo">
+   *   <input type="checkbox" value="D" name="foo">
+   * </div>
+   * ```
+   */
+  Alpine.directive(
+    "limited-choices",
+    (el, { expression }, { evaluateLater, effect }) => {
+      const getMaxChoices = evaluateLater(expression);
+      let maxChoices: number;
+      const inputs: HTMLInputElement[] = Array.from(
+        el.querySelectorAll("input[type='checkbox']"),
+      );
+      const checked = [] as HTMLInputElement[];
+
+      const manageDequeue = () => {
+        if (checked.length <= maxChoices) {
+          // There isn't too many checkboxes selected. Nothing to do
+          return;
+        }
+        const popped = checked.splice(0, checked.length - maxChoices);
+        for (const p of popped) {
+          p.checked = false;
+        }
+      };
+
+      for (const input of inputs) {
+        input.addEventListener("change", (_e) => {
+          if (input.checked) {
+            checked.push(input);
+          } else {
+            checked.splice(checked.indexOf(input), 1);
+          }
+          manageDequeue();
+        });
+      }
+      effect(() => {
+        getMaxChoices((value: string) => {
+          const previousValue = maxChoices;
+          maxChoices = Number.parseInt(value);
+          if (maxChoices < previousValue) {
+            // The maximum number of selectable items has been lowered.
+            // Some currently selected elements may need to be removed
+            manageDequeue();
+          }
+        });
+      });
+    },
+  );
+}
--- a/core/static/bundled/utils/alert-message.ts
+++ b/core/static/bundled/utils/alert-message.ts
@@ -1,38 +0,0 @@
-interface AlertParams {
-  success?: boolean;
-  duration?: number;
-}
-
-export class AlertMessage {
-  public open: boolean;
-  public success: boolean;
-  public content: string;
-  private timeoutId?: number;
-  private readonly defaultDuration: number;
-
-  constructor(params?: { defaultDuration: number }) {
-    this.open = false;
-    this.content = "";
-    this.timeoutId = null;
-    this.defaultDuration = params?.defaultDuration ?? 2000;
-  }
-
-  public display(message: string, params: AlertParams) {
-    this.clear();
-    this.open = true;
-    this.content = message;
-    this.success = params.success ?? true;
-    this.timeoutId = setTimeout(() => {
-      this.open = false;
-      this.timeoutId = null;
-    }, params.duration ?? this.defaultDuration);
-  }
-
-  public clear() {
-    if (this.timeoutId !== null) {
-      clearTimeout(this.timeoutId);
-      this.timeoutId = null;
-    }
-    this.open = false;
-  }
-}
--- a/core/static/bundled/utils/api.ts
+++ b/core/static/bundled/utils/api.ts
@@ -1,5 +1,5 @@
-import type { Client, RequestResult, TDataShape } from "#openapi:client";
-import { type Options, client } from "#openapi";
+import type { Client, Options, RequestResult, TDataShape } from "@hey-api/client-fetch";
+import { client } from "#openapi";

 export interface PaginatedResponse<T> {
  count: number;
--- a/core/static/core/footer.scss
+++ b/core/static/core/footer.scss
@@ -2,10 +2,6 @@
@import "devices";

 footer.bottom-links {
-  >section>a {
-    text-align: center;
-  }
-
  @media (max-width: $small-devices) {
    margin-top: 0.6em;
    padding: 1.25em;
--- a/core/tests/test_files.py
+++ b/core/tests/test_files.py
@@ -5,7 +5,6 @@ from typing import Callable
 from uuid import uuid4

 import pytest
-from django.conf import settings
 from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile, UploadedFile
 from django.test import Client, TestCase
@@ -18,8 +17,8 @@ from pytest_django.asserts import assertNumQueries
 from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
 from core.models import Group, QuickUploadImage, SithFile, User
 from core.utils import RED_PIXEL_PNG
-from sas.baker_recipes import picture_recipe
 from sas.models import Picture
+from sith import settings


@pytest.mark.django_db
@@ -31,19 +30,24 @@ class TestImageAccess:
            lambda: baker.make(
                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)]
            ),
+            lambda: baker.make(
+                User, groups=[Group.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)]
+            ),
        ],
    )
    def test_sas_image_access(self, user_factory: Callable[[], User]):
        """Test that only authorized users can access the sas image."""
        user = user_factory()
-        picture = picture_recipe.make()
-        assert user.can_edit(picture)
+        picture: SithFile = baker.make(
+            Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+        )
+        assert picture.is_owned_by(user)

    def test_sas_image_access_owner(self):
        """Test that the owner of the image can access it."""
        user = baker.make(User)
-        picture = picture_recipe.make(owner=user)
-        assert user.can_edit(picture)
+        picture: Picture = baker.make(Picture, owner=user)
+        assert picture.is_owned_by(user)

    @pytest.mark.parametrize(
        "user_factory",
@@ -59,41 +63,7 @@ class TestImageAccess:
        user = user_factory()
        owner = baker.make(User)
        picture: Picture = baker.make(Picture, owner=owner)
-        assert not user.can_edit(picture)
-
-
-@pytest.mark.django_db
-class TestUserPicture:
-    def test_anonymous_user_unauthorized(self, client):
-        """An anonymous user shouldn't have access to an user's photo page."""
-        response = client.get(
-            reverse(
-                "core:user_pictures",
-                kwargs={"user_id": User.objects.get(username="sli").pk},
-            )
-        )
-        assert response.status_code == 403
-
-    @pytest.mark.parametrize(
-        ("username", "status"),
-        [
-            ("guy", 403),
-            ("root", 200),
-            ("skia", 200),
-            ("sli", 200),
-        ],
-    )
-    def test_page_is_working(self, client, username, status):
-        """Only user that subscribed (or admins) should be able to see the page."""
-        # Test for simple user
-        client.force_login(User.objects.get(username=username))
-        response = client.get(
-            reverse(
-                "core:user_pictures",
-                kwargs={"user_id": User.objects.get(username="sli").pk},
-            )
-        )
-        assert response.status_code == status
+        assert not picture.is_owned_by(user)


 # TODO: many tests on the pages:
--- a/core/tests/test_user.py
+++ b/core/tests/test_user.py
@@ -22,7 +22,6 @@ from core.models import Group, User
 from core.views import UserTabsMixin
 from counter.models import Counter, Refilling, Selling
 from eboutic.models import Invoice, InvoiceItem
-from sas.models import Picture


 class TestSearchUsers(TestCase):
@@ -30,7 +29,6 @@ class TestSearchUsers(TestCase):
    def setUpTestData(cls):
        # News.author has on_delete=PROTECT, so news must be deleted beforehand
        News.objects.all().delete()
-        Picture.objects.all().delete()  # same for pictures
        User.objects.all().delete()
        user_recipe = Recipe(
            User,
--- a/core/utils.py
+++ b/core/utils.py
@@ -12,23 +12,18 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-from dataclasses import dataclass
+
 from datetime import date, timedelta

 # Image utils
 from io import BytesIO
-from typing import Any, Final, Unpack
+from typing import Final

 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.files.uploadedfile import UploadedFile
-from django.db import models
-from django.forms import BaseForm
-from django.http import Http404, HttpRequest
-from django.shortcuts import get_list_or_404
-from django.template.loader import render_to_string
-from django.utils.safestring import SafeString
+from django.http import HttpRequest
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
@@ -47,21 +42,6 @@ to generate a dummy image that is considered valid nonetheless
 """


-@dataclass
-class FormFragmentTemplateData[T: BaseForm]:
-    """Dataclass used to pre-render form fragments"""
-
-    form: T
-    template: str
-    context: dict[str, Any]
-
-    def render(self, request: HttpRequest) -> SafeString:
-        # Request is needed for csrf_tokens
-        return render_to_string(
-            self.template, context={"form": self.form, **self.context}, request=request
-        )
-
-
 def get_start_of_semester(today: date | None = None) -> date:
    """Return the date of the start of the semester of the given date.
    If no date is given, return the start date of the current semester.
@@ -215,56 +195,3 @@ def get_client_ip(request: HttpRequest) -> str | None:
            return ip

    return None
-
-
-Filterable = models.Model | models.QuerySet | models.Manager
-ListFilter = dict[str, list | tuple | set]
-
-
-def get_list_exact_or_404(klass: Filterable, **kwargs: Unpack[ListFilter]) -> list:
-    """Use filter() to return a list of objects from a list of unique keys (like ids)
-    or raises Http404 if the list has not the same length as the given one.
-
-    Work like `get_object_or_404()` but for lists of objects, with some caveats :
-
-    - The filter must be a list, a tuple or a set.
-    - There can't be more than exactly one filter.
-    - There must be no duplicate in the filter.
-    - The filter should consist in unique keys (like ids), or it could fail randomly.
-
-    klass may be a Model, Manager, or QuerySet object. All other passed
-    arguments and keyword arguments are used in the filter() query.
-
-    Raises:
-        Http404: If the list is empty or doesn't have as many elements as the keys list.
-        ValueError: If the first argument is not a Model, Manager, or QuerySet object.
-        ValueError: If more than one filter is passed.
-        TypeError: If the given filter is not a list, a tuple or a set.
-
-    Examples:
-        Get all the products with ids 1, 2, 3: ::
-
-            products = get_list_exact_or_404(Product, id__in=[1, 2, 3])
-
-        Don't work with duplicate ids: ::
-
-            products = get_list_exact_or_404(Product, id__in=[1, 2, 3, 3])
-            # Raises Http404: "The list of keys must contain no duplicates."
-    """
-    if len(kwargs) > 1:
-        raise ValueError("get_list_exact_or_404() only accepts one filter.")
-    key, list_filter = next(iter(kwargs.items()))
-    if not isinstance(list_filter, (list, tuple, set)):
-        raise TypeError(
-            f"The given filter must be a list, a tuple or a set, not {type(list_filter)}"
-        )
-    if len(list_filter) != len(set(list_filter)):
-        raise ValueError("The list of keys must contain no duplicates.")
-    kwargs = {key: list_filter}
-    obj_list = get_list_or_404(klass, **kwargs)
-    if len(obj_list) != len(list_filter):
-        raise Http404(
-            "The given list of keys doesn't match the number of objects found."
-            f"Expected {len(list_filter)} items, got {len(obj_list)}."
-        )
-    return obj_list
--- a/core/views/files.py
+++ b/core/views/files.py
@@ -374,7 +374,7 @@ class FileDeleteView(AllowFragment, CanEditPropMixin, DeleteView):
 class FileModerationView(AllowFragment, ListView):
    model = SithFile
    template_name = "core/file_moderation.jinja"
-    queryset = SithFile.objects.filter(is_moderated=False)
+    queryset = SithFile.objects.filter(is_moderated=False, is_in_sas=False)
    ordering = "id"
    paginate_by = 100

--- a/counter/static/bundled/counter/counter-click-index.ts
+++ b/counter/static/bundled/counter/counter-click-index.ts
@@ -1,4 +1,3 @@
-import { AlertMessage } from "#core:utils/alert-message";
 import { BasketItem } from "#counter:counter/basket";
 import type { CounterConfig, ErrorMessage } from "#counter:counter/types";
 import type { CounterProductSelect } from "./components/counter-product-select-index.ts";
@@ -6,9 +5,14 @@ import type { CounterProductSelect } from "./components/counter-product-select-i
 document.addEventListener("alpine:init", () => {
  Alpine.data("counter", (config: CounterConfig) => ({
    basket: {} as Record<string, BasketItem>,
+    errors: [],
    customerBalance: config.customerBalance,
    codeField: null as CounterProductSelect | null,
-    alertMessage: new AlertMessage({ defaultDuration: 2000 }),
+    alertMessage: {
+      content: "",
+      show: false,
+      timeout: null,
+    },

    init() {
      // Fill the basket with the initial data
@@ -73,10 +77,22 @@ document.addEventListener("alpine:init", () => {
      return total;
    },

+    showAlertMessage(message: string) {
+      if (this.alertMessage.timeout !== null) {
+        clearTimeout(this.alertMessage.timeout);
+      }
+      this.alertMessage.content = message;
+      this.alertMessage.show = true;
+      this.alertMessage.timeout = setTimeout(() => {
+        this.alertMessage.show = false;
+        this.alertMessage.timeout = null;
+      }, 2000);
+    },
+
    addToBasketWithMessage(id: string, quantity: number) {
      const message = this.addToBasket(id, quantity);
      if (message.length > 0) {
-        this.alertMessage.display(message, { success: false });
+        this.showAlertMessage(message);
      }
    },

@@ -93,9 +109,7 @@ document.addEventListener("alpine:init", () => {

    finish() {
      if (this.getBasketSize() === 0) {
-        this.alertMessage.display(gettext("You can't send an empty basket."), {
-          success: false,
-        });
+        this.showAlertMessage(gettext("You can't send an empty basket."));
        return;
      }
      this.$refs.basketForm.submit();
--- a/counter/static/bundled/counter/product-list-index.ts
+++ b/counter/static/bundled/counter/product-list-index.ts
@@ -167,7 +167,7 @@ document.addEventListener("alpine:init", () => {
      });
      // if products to download are already in-memory, directly take them.
      // If not, fetch them.
-      const products: ProductSchema[] =
+      const products =
        this.nbPages > 1
          ? await paginated(productSearchProductsDetailed, this.getQueryParams())
          : Object.values<ProductSchema[]>(this.products).flat();
--- a/counter/static/bundled/counter/product-type-index.ts
+++ b/counter/static/bundled/counter/product-type-index.ts
@@ -1,11 +1,15 @@
-import { AlertMessage } from "#core:utils/alert-message";
 import Alpine from "alpinejs";
 import { producttypeReorder } from "#openapi";

 document.addEventListener("alpine:init", () => {
  Alpine.data("productTypesList", () => ({
    loading: false,
-    alertMessage: new AlertMessage({ defaultDuration: 2000 }),
+    alertMessage: {
+      open: false,
+      success: true,
+      content: "",
+      timeout: null,
+    },

    async reorder(itemId: number, newPosition: number) {
      // The sort plugin of Alpine doesn't manage dynamic lists with x-sort
@@ -37,14 +41,23 @@ document.addEventListener("alpine:init", () => {
    },

    openAlertMessage(response: Response) {
-      const success = response.ok;
-      const content = response.ok
-        ? gettext("Products types reordered!")
-        : interpolate(
+      if (response.ok) {
+        this.alertMessage.success = true;
+        this.alertMessage.content = gettext("Products types reordered!");
+      } else {
+        this.alertMessage.success = false;
+        this.alertMessage.content = interpolate(
          gettext("Product type reorganisation failed with status code : %d"),
          [response.status],
        );
-      this.alertMessage.display(content, { success: success });
+      }
+      this.alertMessage.open = true;
+      if (this.alertMessage.timeout !== null) {
+        clearTimeout(this.alertMessage.timeout);
+      }
+      this.alertMessage.timeout = setTimeout(() => {
+        this.alertMessage.open = false;
+      }, 2000);
      this.loading = false;
    },
  }));
--- a/counter/static/bundled/counter/types.d.ts
+++ b/counter/static/bundled/counter/types.d.ts
@@ -1,4 +1,4 @@
-export type ErrorMessage = string;
+type ErrorMessage = string;

 export interface InitialFormData {
  /* Used to refill the form when the backend raises an error */
--- a/docs/tutorial/groups.md
+++ b/docs/tutorial/groups.md
@@ -263,35 +263,3 @@ avec un unique champ permettant de sélectionner des groupes.
 Par défaut, seuls les utilisateurs avec la permission
 `auth.change_permission` auront accès à ce formulaire
 (donc, normalement, uniquement les utilisateurs Root).
-
-```mermaid
-sequenceDiagram
-    participant A as Utilisateur
-    participant B as ReverseProxy
-    participant C as MarkdownImage
-    participant D as Model
-
-    A->>B: GET /page/foo
-    B->>C: GET /page/foo
-    C-->>B: La page, avec les urls
-    B-->>A: La page, avec les urls
-    alt image publique 
-        A->>B: GET markdown/public/2025/img.webp
-        B-->>A: img.webp
-    end
-    alt image privée 
-        A->>B: GET markdown_image/{id}
-        B->>C: GET markdown_image/{id}
-        C->>D: user.can_view(image)
-        alt l'utilisateur a le droit de voir l'image
-            D-->>C: True
-            C-->>B: 200 (avec le X-Accel-Redirect)
-            B-->>A: img.webp
-        end
-        alt l'utilisateur n'a pas le droit de l'image
-            D-->>C: False
-            C-->>B: 403
-            B-->>A: 403
-        end
-    end
-```
--- a/eboutic/templates/eboutic/eboutic_main.jinja
+++ b/eboutic/templates/eboutic/eboutic_main.jinja
@@ -120,6 +120,56 @@
          </span>
        </div>
      {% endif %}
+      <section>
+        <div class="category-header">
+          <h3 class="margin-bottom">{% trans %}Eurockéennes 2025 partnership{% endtrans %}</h3>
+          {% if user.is_subscribed %}
+            <div id="eurok-partner" style="
+                                           min-height: 600px;
+                                           background-color: lightgrey;
+                                           display: flex;
+                                           justify-content: center;
+                                           align-items: center;
+                                           flex-direction: column;
+                                           gap: 10px;
+                                          ">
+              <p style="text-align: center;">
+                {% trans trimmed %}
+                  Our partner uses Weezevent to sell tickets.
+                  Weezevent may collect user info according to
+                  its own privacy policy.
+                  By clicking the accept button you consent to
+                  their terms of services.
+                {% endtrans %}
+              </p>
+
+              <a href="https://weezevent.com/fr/politique-de-confidentialite/">{% trans %}Privacy policy{% endtrans %}</a>
+
+              <button
+                hx-get="{{ url("eboutic:eurok") }}"
+                hx-target="#eurok-partner"
+                hx-swap="outerHTML"
+                hx-trigger="click, load[document.cookie.includes('weezevent_accept=true')]"
+                @htmx:after-request="document.cookie = 'weezevent_accept=true'"
+              >{% trans %}Accept{% endtrans %}
+              </button>
+            </div>
+          {% else %}
+            <p>
+              {%- trans trimmed %}
+                You must be subscribed to benefit from the partnership with the Eurockéennes.
+              {% endtrans -%}
+            </p>
+            <p>
+              {%- trans trimmed %}
+                This partnership offers a discount of up to 33%
+                on tickets for Friday, Saturday and Sunday,
+                as well as the 3-day package from Friday to Sunday.
+              {% endtrans -%}
+            </p>
+          {% endif %}
+        </div>
+      </section>
      {% for priority_groups in products|groupby('order') %}
        {% for category, items in priority_groups.list|groupby('category') %}
          {% if items|count > 0 %}
--- a/eboutic/urls.py
+++ b/eboutic/urls.py
@@ -31,6 +31,7 @@ from eboutic.views import (
    EbouticMainView,
    EbouticPayWithSith,
    EtransactionAutoAnswer,
+    EurokPartnerFragment,
    payment_result,
 )

@@ -45,6 +46,7 @@ urlpatterns = [
        "pay/sith/<int:basket_id>", EbouticPayWithSith.as_view(), name="pay_with_sith"
    ),
    path("pay/<res:result>/", payment_result, name="payment_result"),
+    path("eurok/", EurokPartnerFragment.as_view(), name="eurok"),
    path(
        "et_autoanswer",
        EtransactionAutoAnswer.as_view(),
--- a/eboutic/views.py
+++ b/eboutic/views.py
@@ -41,11 +41,11 @@ from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET
-from django.views.generic import DetailView, FormView, UpdateView, View
+from django.views.generic import DetailView, FormView, TemplateView, UpdateView, View
 from django.views.generic.edit import SingleObjectMixin
 from django_countries.fields import Country

-from core.auth.mixins import CanViewMixin
+from core.auth.mixins import CanViewMixin, IsSubscriberMixin
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BaseBasketForm, BillingInfoForm, ProductForm
 from counter.models import BillingInfo, Customer, Product, Selling, get_eboutic
@@ -142,6 +142,10 @@ def payment_result(request, result: str) -> HttpResponse:
    return render(request, "eboutic/eboutic_payment_result.jinja", context)


+class EurokPartnerFragment(IsSubscriberMixin, TemplateView):
+    template_name = "eboutic/eurok_fragment.jinja"
+
+
 class BillingInfoFormFragment(
    LoginRequiredMixin, FragmentMixin, SuccessMessageMixin, UpdateView
 ):
--- a/election/forms.py
+++ b/election/forms.py
@@ -0,0 +1,155 @@
+from django import forms
+from django.utils.translation import gettext_lazy as _
+
+from core.models import User
+from core.views.forms import SelectDateTime
+from core.views.widgets.ajax_select import (
+    AutoCompleteSelect,
+    AutoCompleteSelectMultipleGroup,
+    AutoCompleteSelectUser,
+)
+from core.views.widgets.markdown import MarkdownInput
+from election.models import Candidature, Election, ElectionList, Role
+
+
+class LimitedCheckboxField(forms.ModelMultipleChoiceField):
+    """A `ModelMultipleChoiceField`, with a max limit of selectable inputs."""
+
+    def __init__(self, queryset, max_choice, **kwargs):
+        self.max_choice = max_choice
+        super().__init__(queryset, **kwargs)
+
+    def clean(self, value):
+        qs = super().clean(value)
+        self.validate(qs)
+        return qs
+
+    def validate(self, qs):
+        if qs.count() > self.max_choice:
+            raise forms.ValidationError(
+                _("You have selected too many candidates."), code="invalid"
+            )
+
+
+class CandidateForm(forms.ModelForm):
+    """Form to candidate."""
+
+    required_css_class = "required"
+
+    class Meta:
+        model = Candidature
+        fields = ["user", "role", "program", "election_list"]
+        labels = {
+            "user": _("User to candidate"),
+        }
+        widgets = {
+            "program": MarkdownInput,
+            "user": AutoCompleteSelectUser,
+            "role": AutoCompleteSelect,
+            "election_list": AutoCompleteSelect,
+        }
+
+    def __init__(self, *args, election: Election, can_edit: bool = False, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["role"].queryset = election.roles.select_related("election")
+        self.fields["election_list"].queryset = election.election_lists.all()
+        if not can_edit:
+            self.fields["user"].widget = forms.HiddenInput()
+
+
+class VoteForm(forms.Form):
+    def __init__(self, election: Election, user: User, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if not election.can_vote(user):
+            return
+        for role in election.roles.all():
+            cand = role.candidatures
+            if role.max_choice > 1:
+                self.fields[role.title] = LimitedCheckboxField(
+                    cand, role.max_choice, required=False
+                )
+            else:
+                self.fields[role.title] = forms.ModelChoiceField(
+                    cand,
+                    required=False,
+                    widget=forms.RadioSelect(),
+                    empty_label=_("Blank vote"),
+                )
+
+
+class RoleForm(forms.ModelForm):
+    """Form for creating a role."""
+
+    class Meta:
+        model = Role
+        fields = ["title", "election", "description", "max_choice"]
+        widgets = {"election": AutoCompleteSelect}
+
+    def __init__(self, *args, **kwargs):
+        election_id = kwargs.pop("election_id", None)
+        super().__init__(*args, **kwargs)
+        if election_id:
+            self.fields["election"].queryset = Election.objects.filter(
+                id=election_id
+            ).all()
+
+    def clean(self):
+        cleaned_data = super().clean()
+        title = cleaned_data.get("title")
+        election = cleaned_data.get("election")
+        if Role.objects.filter(title=title, election=election).exists():
+            raise forms.ValidationError(
+                _("This role already exists for this election"), code="invalid"
+            )
+
+
+class ElectionListForm(forms.ModelForm):
+    class Meta:
+        model = ElectionList
+        fields = ("title", "election")
+        widgets = {"election": AutoCompleteSelect}
+
+    def __init__(self, *args, **kwargs):
+        election_id = kwargs.pop("election_id", None)
+        super().__init__(*args, **kwargs)
+        if election_id:
+            self.fields["election"].queryset = Election.objects.filter(
+                id=election_id
+            ).all()
+
+
+class ElectionForm(forms.ModelForm):
+    class Meta:
+        model = Election
+        fields = [
+            "title",
+            "description",
+            "archived",
+            "start_candidature",
+            "end_candidature",
+            "start_date",
+            "end_date",
+            "edit_groups",
+            "view_groups",
+            "vote_groups",
+            "candidature_groups",
+        ]
+        widgets = {
+            "edit_groups": AutoCompleteSelectMultipleGroup,
+            "view_groups": AutoCompleteSelectMultipleGroup,
+            "vote_groups": AutoCompleteSelectMultipleGroup,
+            "candidature_groups": AutoCompleteSelectMultipleGroup,
+        }
+
+    start_date = forms.DateTimeField(
+        label=_("Start date"), widget=SelectDateTime, required=True
+    )
+    end_date = forms.DateTimeField(
+        label=_("End date"), widget=SelectDateTime, required=True
+    )
+    start_candidature = forms.DateTimeField(
+        label=_("Start candidature"), widget=SelectDateTime, required=True
+    )
+    end_candidature = forms.DateTimeField(
+        label=_("End candidature"), widget=SelectDateTime, required=True
+    )
--- a/election/migrations/0005_alter_candidature_program_alter_candidature_user.py
+++ b/election/migrations/0005_alter_candidature_program_alter_candidature_user.py
@@ -0,0 +1,30 @@
+# Generated by Django 4.2.20 on 2025-03-14 18:18
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("election", "0004_auto_20191006_0049"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="candidature",
+            name="program",
+            field=models.TextField(blank=True, default="", verbose_name="description"),
+        ),
+        migrations.AlterField(
+            model_name="candidature",
+            name="user",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="candidates",
+                to=settings.AUTH_USER_MODEL,
+                verbose_name="user",
+            ),
+        ),
+    ]
--- a/election/models.py
+++ b/election/models.py
@@ -1,5 +1,7 @@
 from django.db import models
+from django.db.models import Count
 from django.utils import timezone
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from ordered_model.models import OrderedModel

@@ -22,21 +24,18 @@ class Election(models.Model):
        verbose_name=_("edit groups"),
        blank=True,
    )
-
    view_groups = models.ManyToManyField(
        Group,
        related_name="viewable_elections",
        verbose_name=_("view groups"),
        blank=True,
    )
-
    vote_groups = models.ManyToManyField(
        Group,
        related_name="votable_elections",
        verbose_name=_("vote groups"),
        blank=True,
    )
-
    candidature_groups = models.ManyToManyField(
        Group,
        related_name="candidate_elections",
@@ -45,7 +44,7 @@ class Election(models.Model):
    )

    voters = models.ManyToManyField(
-        User, verbose_name=("voters"), related_name="voted_elections"
+        User, verbose_name=_("voters"), related_name="voted_elections"
    )
    archived = models.BooleanField(_("archived"), default=False)

@@ -55,20 +54,20 @@ class Election(models.Model):
    @property
    def is_vote_active(self):
        now = timezone.now()
-        return bool(now <= self.end_date and now >= self.start_date)
+        return self.start_date <= now <= self.end_date

    @property
    def is_vote_finished(self):
-        return bool(timezone.now() > self.end_date)
+        return timezone.now() > self.end_date

    @property
    def is_candidature_active(self):
        now = timezone.now()
-        return bool(now <= self.end_candidature and now >= self.start_candidature)
+        return self.start_candidature <= now <= self.end_candidature

    @property
    def is_vote_editable(self):
-        return bool(timezone.now() <= self.end_candidature)
+        return timezone.now() <= self.end_candidature

    def can_candidate(self, user):
        for group_id in self.candidature_groups.values_list("pk", flat=True):
@@ -87,7 +86,7 @@ class Election(models.Model):
    def has_voted(self, user):
        return self.voters.filter(id=user.id).exists()

-    @property
+    @cached_property
    def results(self):
        results = {}
        total_vote = self.voters.count()
@@ -95,12 +94,6 @@ class Election(models.Model):
            results[role.title] = role.results(total_vote)
        return results

-    def delete(self, *args, **kwargs):
-        self.election_lists.all().delete()
-        super().delete(*args, **kwargs)
-
-    # Permissions
-

 class Role(OrderedModel):
    """This class allows to create a new role avaliable for a candidature."""
@@ -115,23 +108,27 @@ class Role(OrderedModel):
    description = models.TextField(_("description"), null=True, blank=True)
    max_choice = models.IntegerField(_("max choice"), default=1)

-    def results(self, total_vote):
-        results = {}
+    def __str__(self):
+        return f"{self.title} - {self.election.title}"
+
+    def results(self, total_vote: int) -> dict[str, dict[str, int | float]]:
+        if total_vote == 0:
+            candidates = self.candidatures.values_list("user__username")
+            return {
+                key: {"vote": 0, "percent": 0} for key in ["blank_votes", *candidates]
+            }
        total_vote *= self.max_choice
+        results = {"total vote": total_vote}
        non_blank = 0
-        for candidature in self.candidatures.all():
-            cand_results = {}
-            cand_results["vote"] = self.votes.filter(candidature=candidature).count()
-            if total_vote == 0:
-                cand_results["percent"] = 0
-            else:
-                cand_results["percent"] = cand_results["vote"] * 100 / total_vote
-            non_blank += cand_results["vote"]
-            results[candidature.user.username] = cand_results
-        results["total vote"] = total_vote
-        if total_vote == 0:
-            results["blank vote"] = {"vote": 0, "percent": 0}
-        else:
+        candidatures = self.candidatures.annotate(nb_votes=Count("votes")).values(
+            "nb_votes", "user__username"
+        )
+        for candidature in candidatures:
+            non_blank += candidature["nb_votes"]
+            results[candidature["user__username"]] = {
+                "vote": candidature["nb_votes"],
+                "percent": candidature["nb_votes"] * 100 / total_vote,
+            }
        results["blank vote"] = {
            "vote": total_vote - non_blank,
            "percent": (total_vote - non_blank) * 100 / total_vote,
@@ -142,9 +139,6 @@ class Role(OrderedModel):
    def edit_groups(self):
        return self.election.edit_groups

-    def __str__(self):
-        return ("%s : %s") % (self.election.title, self.title)
-

 class ElectionList(models.Model):
    """To allow per list vote."""
@@ -163,11 +157,6 @@ class ElectionList(models.Model):
    def can_be_edited_by(self, user):
        return user.can_edit(self.election)

-    def delete(self, *args, **kwargs):
-        for candidature in self.candidatures.all():
-            candidature.delete()
-        super().delete(*args, **kwargs)
-

 class Candidature(models.Model):
    """This class is a component of responsability."""
@@ -182,10 +171,9 @@ class Candidature(models.Model):
        User,
        verbose_name=_("user"),
        related_name="candidates",
-        blank=True,
        on_delete=models.CASCADE,
    )
-    program = models.TextField(_("description"), null=True, blank=True)
+    program = models.TextField(_("description"), default="", blank=True)
    election_list = models.ForeignKey(
        ElectionList,
        related_name="candidatures",
@@ -196,13 +184,10 @@ class Candidature(models.Model):
    def __str__(self):
        return f"{self.role.title} : {self.user.username}"

-    def delete(self):
-        for vote in self.votes.all():
-            vote.delete()
-        super().delete()
-
    def can_be_edited_by(self, user):
-        return (user == self.user) or user.can_edit(self.role.election)
+        return (
+            (user == self.user) or user.can_edit(self.role.election)
+        ) and self.role.election.is_vote_editable


 class Vote(models.Model):
--- a/election/templates/election/election_detail.jinja
+++ b/election/templates/election/election_detail.jinja
@@ -31,7 +31,7 @@
      <time datetime="{{ election.end_date }}">{{ election.end_date|localtime|date(DATETIME_FORMAT)}}</time>
      {% trans %} at {% endtrans %}<time>{{ election.end_date|localtime|time(DATETIME_FORMAT)}}</time>
    </p>
-    {%- if election.has_voted(user) %}
+    {%- if user_has_voted %}
      <p class="election__elector-infos">
        {%- if election.is_vote_active %}
          <span>{% trans %}You already have submitted your vote.{% endtrans %}</span>
@@ -45,12 +45,11 @@
    <form action="{{ url('election:vote', election.id) }}" method="post" class="election__vote-form" name="vote-form" id="vote-form">
      {% csrf_token %}
      <table class="election_table">
-        {%- set election_lists = election.election_lists.all() -%}
        <thead class="lists">
          <tr>
-            <th class="column" style="width: {{ 100 / (election_lists.count() + 1) }}%">{% trans %}Blank vote{% endtrans %}</th>
+            <th class="column" style="width: {{ 100 / (election_lists|length + 1) }}%">{% trans %}Blank vote{% endtrans %}</th>
            {%- for election_list in election_lists %}
-              <th class="column" style="width: {{ 100 / (election_lists.count() + 1) }}%">
+              <th class="column" style="width: {{ 100 / (election_lists|length + 1) }}%">
                <span>{{ election_list.title }}</span>
                {% if user.can_edit(election_list) and election.is_vote_editable -%}
                  <a href="{{ url('election:delete_list', list_id=election_list.id) }}"><i class="fa-regular fa-trash-can delete-action"></i></a>
@@ -59,18 +58,26 @@
            {%- endfor %}
          </tr>
        </thead>
-        {%- set role_list = election.roles.order_by('order').all() %}
-        {%- for role in role_list %}
-          {%- set count = [0] %}
+        {%- for role in election_roles %}
          {%- set role_data = election_form.data.getlist(role.title) if role.title in election_form.data else [] %}
-          <tbody data-max-choice="{{role.max_choice}}" class="role{{ ' role_error' if role.title in election_form.errors else '' }}{{ ' role__multiple-choices' if role.max_choice > 1 else ''}}">
+
+          <tbody
+            {% if role.max_choice > 1 -%}
+              x-data x-limited-choices="{{ role.max_choice }}"
+            {%- endif %}
+            class="role {% if role.title in election_form.errors %}role_error{% endif %}"
+          >
            <tr>
              <td class="role_title">
                <div class="role_text">
                  <h4>{{ role.title }}</h4>
                  <p class="role_description" show-more="300">{{ role.description }}</p>
-                  {%- if role.max_choice > 1 and not election.has_voted(user) and election.can_vote(user) %}
-                    <strong>{% trans %}You may choose up to{% endtrans %} {{ role.max_choice }} {% trans %}people.{% endtrans %}</strong>
+                  {%- if role.max_choice > 1 and show_vote_buttons %}
+                    <strong>
+                      {% trans trimmed nb_choices=role.max_choice %}
+                        You may choose up to {{ nb_choices }} people.
+                      {% endtrans %}
+                    </strong>
                  {%- endif %}

                  {%- if election_form.errors[role.title] is defined %}
@@ -81,36 +88,40 @@
                </div>
                {% if user.can_edit(role) and election.is_vote_editable -%}
                  <div class="role_buttons">
-                    <a href="{{url('election:update_role', role_id=role.id)}}">️<i class="fa-regular fa-pen-to-square edit-action"></i></a>
-                    <a href="{{url('election:delete_role', role_id=role.id)}}"><i class="fa-regular fa-trash-can delete-action"></i></a>
-                    {%- if role == role_list.last() %}
+                    <a href="{{ url('election:update_role', role_id=role.id) }}">️
+                      <i class="fa-regular fa-pen-to-square edit-action"></i>
+                    </a>
+                    <a href="{{ url('election:delete_role', role_id=role.id) }}">
+                      <i class="fa-regular fa-trash-can delete-action"></i>
+                    </a>
+                    {%- if loop.last -%}
                      <button disabled><i class="fa fa-arrow-down"></i></button>
                      <button disabled><i class="fa fa-caret-down"></i></button>
-                    {%- else %}
+                    {%- else -%}
                      <button type="button" onclick="window.location.replace('?role={{ role.id }}&action=bottom');"><i class="fa fa-arrow-down"></i></button>
                      <button type="button" onclick="window.location.replace('?role={{ role.id }}&action=down');"><i class="fa fa-caret-down"></i></button>
-                    {%- endif %}
-                    {% if role == role_list.first() %}
+                    {%- endif -%}
+                    {%- if loop.first -%}
                      <button disabled><i class="fa fa-caret-up"></i></button>
                      <button disabled><i class="fa fa-arrow-up"></i></button>
-                    {% else %}
+                    {%- else -%}
                      <button type="button" onclick="window.location.replace('?role={{ role.id }}&action=up');"><i class="fa fa-caret-up"></i></button>
                      <button type="button" onclick="window.location.replace('?role={{ role.id }}&action=top');"><i class="fa fa-arrow-up"></i></button>
-                    {% endif %}
+                    {%- endif -%}
                  </div>
                {%- endif -%}
              </td>
            </tr>
            <tr class="role_candidates">
-              <td class="list_per_role" style="width: 100%; max-width: {{ 100 / (election_lists.count() + 1) }}%">
-                {%- if role.max_choice == 1 and election.can_vote(user) %}
+              <td class="list_per_role" style="width: 100%; max-width: {{ 100 / (election_lists|length + 1) }}%">
+                {%- if role.max_choice == 1 and show_vote_buttons %}
                  <div class="radio-btn">
-                    <input id="id_{{ role.title }}_{{ count[0] }}" type="radio" name="{{ role.title }}" value {{ '' if role_data in election_form else 'checked' }} {{ 'disabled' if election.has_voted(user) else '' }}>
-                    <label for="id_{{ role.title }}_{{ count[0] }}">
+                    {% set input_id = "blank_vote_" + role.id|string %}
+                    <input id="{{ input_id }}" type="radio" name="{{ role.title }}">
+                    <label for="{{ input_id }}">
                      <span>{% trans %}Choose blank vote{% endtrans %}</span>
                    </label>
                  </div>
-                  {%- set _ = count.append(count.pop() + 1) %}
                {%- endif %}
                {%- if election.is_vote_finished %}
                  {%- set results = election_results[role.title]['blank vote'] %}
@@ -120,13 +131,14 @@
                {%- endif %}
              </td>
              {%- for election_list in election_lists %}
-                <td class="list_per_role" style="width: 100%; max-width: {{ 100 / (election_lists.count() + 1) }}%">
+                <td class="list_per_role" style="width: 100%; max-width: {{ 100 / (election_lists|length + 1) }}%">
                  <ul class="candidates">
-                    {%- for candidature in election_list.candidatures.filter(role=role) %}
+                    {%- for candidature in election_list.candidatures.select_related("user", "user__profile_pict").filter(role=role) %}
                      <li class="candidate">
-                        {%- if election.can_vote(user) %}
-                          <input id="id_{{ role.title }}_{{ count[0] }}" type="{{ 'checkbox' if role.max_choice > 1 else 'radio' }}" {{ 'checked' if candidature.id|string in role_data else '' }} {{ 'disabled' if election.has_voted(user) else '' }} name="{{ role.title }}" value="{{ candidature.id }}">
-                          <label for="id_{{ role.title }}_{{ count[0] }}">
+                        {%- if show_vote_buttons %}
+                          {% set input_id = "candidature_" + candidature.id|string %}
+                          <input id="{{ input_id }}" type="{{ 'checkbox' if role.max_choice > 1 else 'radio' }}" {{ 'checked' if candidature.id|string in role_data else '' }} {{ 'disabled' if user_has_voted else '' }} name="{{ role.title }}" value="{{ candidature.id }}">
+                          <label for="{{ input_id }}">
                        {%- endif %}
                        <figure>
                          {%- if user.is_subscriber_viewable %}
@@ -140,7 +152,7 @@
                            <h5>{{ candidature.user.first_name }} <em>{{candidature.user.nick_name or ''}} </em>{{ candidature.user.last_name }}</h5>
                            {%- if not election.is_vote_finished %}
                              <q class="candidate_program" show-more="200">
-                                {{ candidature.program|markdown or '' }}
+                                {{ candidature.program|markdown }}
                              </q>
                            {%- endif %}
                          </figcaption>
@@ -153,9 +165,8 @@
                            {%- endif -%}
                          {%- endif -%}
                        </figure>
-                        {%- if election.can_vote(user) %}
+                        {%- if show_vote_buttons %}
                          </label>
-                          {%- set _ = count.append(count.pop() + 1) %}
                        {%- endif %}
                        {%- if election.is_vote_finished %}
                          {%- set results = election_results[role.title][candidature.user.username] %}
@@ -191,36 +202,9 @@
      <a  class="button" href="{{ url('election:delete', election_id=object.id) }}">{% trans %}Delete{% endtrans %}</a>
    {%- endif %}
  </section>
-  {%- if not election.has_voted(user) and election.can_vote(user) %}
+  {%- if show_vote_buttons %}
    <section class="buttons">
      <button class="button button_send" form="vote-form">{% trans %}Submit the vote !{% endtrans %}</button>
    </section>
  {%- endif %}
 {% endblock %}
-
-{% block script %}
-  {{ super() }}
-  <script type="text/javascript">
-    document.querySelectorAll('.role__multiple-choices').forEach(setupRestrictions);
-
-    function setupRestrictions(role) {
-      var selectedChoices = [];
-      role.querySelectorAll('input').forEach(setupRestriction);
-
-      function setupRestriction(choice) {
-        if (choice.checked)
-          selectedChoices.push(choice);
-        choice.addEventListener('change', onChange);
-
-        function onChange() {
-          if (choice.checked)
-            selectedChoices.push(choice);
-          else
-            selectedChoices.splice(selectedChoices.indexOf(choice), 1);
-          while (selectedChoices.length > role.dataset.maxChoice)
-            selectedChoices.shift().checked = false;
-        }
-      }
-    }
-  </script>
-{% endblock %}
--- a/election/tests.py
+++ b/election/tests.py
@@ -1,9 +1,15 @@
-from django.conf import settings
-from django.test import TestCase
-from django.urls import reverse
+from datetime import timedelta

+import pytest
+from django.conf import settings
+from django.test import Client, TestCase
+from django.urls import reverse
+from django.utils.timezone import now
+from model_bakery import baker
+
+from core.baker_recipes import subscriber_user
 from core.models import Group, User
-from election.models import Election
+from election.models import Candidature, Election, ElectionList, Role, Vote


 class TestElection(TestCase):
@@ -12,8 +18,7 @@ class TestElection(TestCase):
        cls.election = Election.objects.first()
        cls.public_group = Group.objects.get(id=settings.SITH_GROUP_PUBLIC_ID)
        cls.sli = User.objects.get(username="sli")
-        cls.subscriber = User.objects.get(username="subscriber")
-        cls.public = User.objects.get(username="public")
+        cls.public = baker.make(User)


 class TestElectionDetail(TestElection):
@@ -36,7 +41,7 @@ class TestElectionDetail(TestElection):

 class TestElectionUpdateView(TestElection):
    def test_permission_denied(self):
-        self.client.force_login(self.subscriber)
+        self.client.force_login(subscriber_user.make())
        response = self.client.get(
            reverse("election:update", args=str(self.election.id))
        )
@@ -45,3 +50,68 @@ class TestElectionUpdateView(TestElection):
            reverse("election:update", args=str(self.election.id))
        )
        assert response.status_code == 403
+
+
+@pytest.mark.django_db
+def test_election_create_list_permission(client: Client):
+    election = baker.make(Election, end_candidature=now() + timedelta(hours=1))
+    groups = [
+        Group.objects.get(pk=settings.SITH_GROUP_SUBSCRIBERS_ID),
+        baker.make(Group),
+    ]
+    election.candidature_groups.add(groups[0])
+    election.edit_groups.add(groups[1])
+    url = reverse("election:create_list", kwargs={"election_id": election.id})
+    for user in subscriber_user.make(), baker.make(User, groups=[groups[1]]):
+        client.force_login(user)
+        assert client.get(url).status_code == 200
+        # the post is a 200 instead of a 302, because we don't give form data,
+        # but we don't care as we only test permissions here
+        assert client.post(url).status_code == 200
+    client.force_login(baker.make(User))
+    assert client.get(url).status_code == 403
+    assert client.post(url).status_code == 403
+
+
+@pytest.mark.django_db
+def test_election_results():
+    election = baker.make(
+        Election, voters=baker.make(User, _quantity=50, _bulk_create=True)
+    )
+    lists = baker.make(ElectionList, election=election, _quantity=2, _bulk_create=True)
+    roles = baker.make(
+        Role, election=election, max_choice=iter([1, 2]), _quantity=2, _bulk_create=True
+    )
+    users = baker.make(User, _quantity=4, _bulk_create=True)
+    cand = [
+        baker.make(Candidature, role=roles[0], user=users[0], election_list=lists[0]),
+        baker.make(Candidature, role=roles[0], user=users[1], election_list=lists[1]),
+        baker.make(Candidature, role=roles[1], user=users[2], election_list=lists[0]),
+        baker.make(Candidature, role=roles[1], user=users[3], election_list=lists[1]),
+    ]
+    votes = [
+        baker.make(Vote, role=roles[0], _quantity=20, _bulk_create=True),
+        baker.make(Vote, role=roles[0], _quantity=25, _bulk_create=True),
+        baker.make(Vote, role=roles[1], _quantity=20, _bulk_create=True),
+        baker.make(Vote, role=roles[1], _quantity=35, _bulk_create=True),
+        baker.make(Vote, role=roles[1], _quantity=10, _bulk_create=True),
+    ]
+    cand[0].votes.set(votes[0])
+    cand[1].votes.set(votes[1])
+    cand[2].votes.set([*votes[2], *votes[4]])
+    cand[3].votes.set([*votes[3], *votes[4]])
+
+    assert election.results == {
+        roles[0].title: {
+            cand[0].user.username: {"percent": 40.0, "vote": 20},
+            cand[1].user.username: {"percent": 50.0, "vote": 25},
+            "blank vote": {"percent": 10.0, "vote": 5},
+            "total vote": 50,
+        },
+        roles[1].title: {
+            cand[2].user.username: {"percent": 30.0, "vote": 30},
+            cand[3].user.username: {"percent": 45.0, "vote": 45},
+            "blank vote": {"percent": 25.0, "vote": 25},
+            "total vote": 100,
+        },
+    }
--- a/election/views.py
+++ b/election/views.py
@@ -1,183 +1,34 @@
 from typing import TYPE_CHECKING

-from django import forms
-from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from cryptography.utils import cached_property
+from django.conf import settings
+from django.contrib.auth.mixins import (
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UserPassesTestMixin,
+)
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
-from django.db.models.query import QuerySet
-from django.shortcuts import get_object_or_404, redirect
+from django.db.models import QuerySet
+from django.shortcuts import get_object_or_404
 from django.urls import reverse, reverse_lazy
-from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, ListView
 from django.views.generic.edit import CreateView, DeleteView, FormView, UpdateView

-from core.auth.mixins import CanCreateMixin, CanEditMixin, CanViewMixin
-from core.views.forms import SelectDateTime
-from core.views.widgets.ajax_select import (
-    AutoCompleteSelect,
-    AutoCompleteSelectMultipleGroup,
-    AutoCompleteSelectUser,
+from core.auth.mixins import CanEditMixin, CanViewMixin
+from election.forms import (
+    CandidateForm,
+    ElectionForm,
+    ElectionListForm,
+    RoleForm,
+    VoteForm,
 )
-from core.views.widgets.markdown import MarkdownInput
 from election.models import Candidature, Election, ElectionList, Role, Vote

 if TYPE_CHECKING:
    from core.models import User


-# Custom form field
-
-
-class LimitedCheckboxField(forms.ModelMultipleChoiceField):
-    """A `ModelMultipleChoiceField`, with a max limit of selectable inputs."""
-
-    def __init__(self, queryset, max_choice, **kwargs):
-        self.max_choice = max_choice
-        super().__init__(queryset, **kwargs)
-
-    def clean(self, value):
-        qs = super().clean(value)
-        self.validate(qs)
-        return qs
-
-    def validate(self, qs):
-        if qs.count() > self.max_choice:
-            raise forms.ValidationError(
-                _("You have selected too much candidates."), code="invalid"
-            )
-
-
-# Forms
-
-
-class CandidateForm(forms.ModelForm):
-    """Form to candidate."""
-
-    class Meta:
-        model = Candidature
-        fields = ["user", "role", "program", "election_list"]
-        labels = {
-            "user": _("User to candidate"),
-        }
-        widgets = {
-            "program": MarkdownInput,
-            "user": AutoCompleteSelectUser,
-            "role": AutoCompleteSelect,
-            "election_list": AutoCompleteSelect,
-        }
-
-    def __init__(self, *args, **kwargs):
-        election_id = kwargs.pop("election_id", None)
-        can_edit = kwargs.pop("can_edit", False)
-        super().__init__(*args, **kwargs)
-        if election_id:
-            self.fields["role"].queryset = Role.objects.filter(
-                election__id=election_id
-            ).all()
-            self.fields["election_list"].queryset = ElectionList.objects.filter(
-                election__id=election_id
-            ).all()
-        if not can_edit:
-            self.fields["user"].widget = forms.HiddenInput()
-
-
-class VoteForm(forms.Form):
-    def __init__(self, election, user, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        if not election.has_voted(user):
-            for role in election.roles.all():
-                cand = role.candidatures
-                if role.max_choice > 1:
-                    self.fields[role.title] = LimitedCheckboxField(
-                        cand, role.max_choice, required=False
-                    )
-                else:
-                    self.fields[role.title] = forms.ModelChoiceField(
-                        cand,
-                        required=False,
-                        widget=forms.RadioSelect(),
-                        empty_label=_("Blank vote"),
-                    )
-
-
-class RoleForm(forms.ModelForm):
-    """Form for creating a role."""
-
-    class Meta:
-        model = Role
-        fields = ["title", "election", "description", "max_choice"]
-        widgets = {"election": AutoCompleteSelect}
-
-    def __init__(self, *args, **kwargs):
-        election_id = kwargs.pop("election_id", None)
-        super().__init__(*args, **kwargs)
-        if election_id:
-            self.fields["election"].queryset = Election.objects.filter(
-                id=election_id
-            ).all()
-
-    def clean(self):
-        cleaned_data = super().clean()
-        title = cleaned_data.get("title")
-        election = cleaned_data.get("election")
-        if Role.objects.filter(title=title, election=election).exists():
-            raise forms.ValidationError(
-                _("This role already exists for this election"), code="invalid"
-            )
-
-
-class ElectionListForm(forms.ModelForm):
-    class Meta:
-        model = ElectionList
-        fields = ("title", "election")
-        widgets = {"election": AutoCompleteSelect}
-
-    def __init__(self, *args, **kwargs):
-        election_id = kwargs.pop("election_id", None)
-        super().__init__(*args, **kwargs)
-        if election_id:
-            self.fields["election"].queryset = Election.objects.filter(
-                id=election_id
-            ).all()
-
-
-class ElectionForm(forms.ModelForm):
-    class Meta:
-        model = Election
-        fields = [
-            "title",
-            "description",
-            "archived",
-            "start_candidature",
-            "end_candidature",
-            "start_date",
-            "end_date",
-            "edit_groups",
-            "view_groups",
-            "vote_groups",
-            "candidature_groups",
-        ]
-        widgets = {
-            "edit_groups": AutoCompleteSelectMultipleGroup,
-            "view_groups": AutoCompleteSelectMultipleGroup,
-            "vote_groups": AutoCompleteSelectMultipleGroup,
-            "candidature_groups": AutoCompleteSelectMultipleGroup,
-        }
-
-    start_date = forms.DateTimeField(
-        label=_("Start date"), widget=SelectDateTime, required=True
-    )
-    end_date = forms.DateTimeField(
-        label=_("End date"), widget=SelectDateTime, required=True
-    )
-    start_candidature = forms.DateTimeField(
-        label=_("Start candidature"), widget=SelectDateTime, required=True
-    )
-    end_candidature = forms.DateTimeField(
-        label=_("End candidature"), widget=SelectDateTime, required=True
-    )
-
-
 # Display elections


@@ -185,25 +36,21 @@ class ElectionsListView(CanViewMixin, ListView):
    """A list of all non archived elections visible."""

    model = Election
+    queryset = model.objects.filter(archived=False)
    ordering = ["-id"]
    paginate_by = 10
    template_name = "election/election_list.jinja"

-    def get_queryset(self):
-        return super().get_queryset().filter(archived=False).all()
-

 class ElectionListArchivedView(CanViewMixin, ListView):
    """A list of all archived elections visible."""

    model = Election
+    queryset = model.objects.filter(archived=True)
    ordering = ["-id"]
    paginate_by = 10
    template_name = "election/election_list.jinja"

-    def get_queryset(self):
-        return super().get_queryset().filter(archived=True).all()
-

 class ElectionDetailView(CanViewMixin, DetailView):
    """Details an election responsability by responsability."""
@@ -212,46 +59,67 @@ class ElectionDetailView(CanViewMixin, DetailView):
    template_name = "election/election_detail.jinja"
    pk_url_kwarg = "election_id"

+    @staticmethod
+    def _reorder_votes(action: str, role: int):
+        role = Role.objects.filter(id=role).first()
+        if not role:
+            return
+        if action == "up":
+            role.up()
+        elif action == "down":
+            role.down()
+        elif action == "bottom":
+            role.bottom()
+        elif action == "top":
+            role.top()
+
    def get(self, request, *arg, **kwargs):
-        response = super().get(request, *arg, **kwargs)
        election: Election = self.get_object()
-        if request.user.can_edit(election) and election.is_vote_editable:
+        if election.is_vote_editable and request.user.can_edit(election):
            action = request.GET.get("action", None)
            role = request.GET.get("role", None)
-            if action and role and Role.objects.filter(id=role).exists():
-                if action == "up":
-                    Role.objects.get(id=role).up()
-                elif action == "down":
-                    Role.objects.get(id=role).down()
-                elif action == "bottom":
-                    Role.objects.get(id=role).bottom()
-                elif action == "top":
-                    Role.objects.get(id=role).top()
-                return redirect(
-                    reverse("election:detail", kwargs={"election_id": election.id})
-                )
-        return response
+            if action and role and role.isdigit():
+                self._reorder_votes(action, int(role))
+        return super().get(request, *arg, **kwargs)

    def get_context_data(self, **kwargs):
        """Add additionnal data to the template."""
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["election_form"] = VoteForm(self.object, self.request.user)
-        kwargs["election_results"] = self.object.results
-        return kwargs
+        user: User = self.request.user
+        return super().get_context_data(**kwargs) | {
+            "election_form": VoteForm(self.object, user),
+            "show_vote_buttons": self.object.can_vote(user),
+            "user_has_voted": self.object.has_voted(user),
+            "election_results": (
+                self.object.results if self.object.is_vote_finished else None
+            ),
+            "election_lists": list(self.object.election_lists.all()),
+            "election_roles": list(self.object.roles.order_by("order")),
+        }


 # Form view


-class VoteFormView(CanCreateMixin, FormView):
+class VoteFormView(LoginRequiredMixin, UserPassesTestMixin, FormView):
    """Alows users to vote."""

    form_class = VoteForm
    template_name = "election/election_detail.jinja"

-    def dispatch(self, request, *arg, **kwargs):
-        self.election = get_object_or_404(Election, pk=kwargs["election_id"])
-        return super().dispatch(request, *arg, **kwargs)
+    @cached_property
+    def election(self):
+        return get_object_or_404(Election, pk=self.kwargs["election_id"])
+
+    def test_func(self):
+        groups = set(self.election.vote_groups.values_list("id", flat=True))
+        if (
+            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
+            and self.request.user.is_subscribed
+        ):
+            # the subscriber group isn't truly attached to users,
+            # so it must be dealt with separately
+            return True
+        return self.request.user.groups.filter(id__in=groups).exists()

    def vote(self, election_data):
        with transaction.atomic():
@@ -271,20 +139,16 @@ class VoteFormView(CanCreateMixin, FormView):
            self.election.voters.add(self.request.user)

    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["election"] = self.election
-        kwargs["user"] = self.request.user
-        return kwargs
+        return super().get_form_kwargs() | {
+            "election": self.election,
+            "user": self.request.user,
+        }

    def form_valid(self, form):
        """Verify that the user is part in a vote group."""
        data = form.clean()
-        res = super(FormView, self).form_valid(form)
-        for grp_id in self.election.vote_groups.values_list("pk", flat=True):
-            if self.request.user.is_in_group(pk=grp_id):
        self.vote(data)
-                return res
-        return res
+        return super().form_valid(form)

    def get_success_url(self, **kwargs):
        return reverse_lazy("election:detail", kwargs={"election_id": self.election.id})
@@ -310,26 +174,22 @@ class CandidatureCreateView(LoginRequiredMixin, CreateView):

    def dispatch(self, request, *arg, **kwargs):
        self.election = get_object_or_404(Election, pk=kwargs["election_id"])
+        self.can_edit = self.request.user.can_edit(self.election)
        return super().dispatch(request, *arg, **kwargs)

    def get_initial(self):
-        init = {}
-        self.can_edit = self.request.user.can_edit(self.election)
-        init["user"] = self.request.user.id
-        return init
+        return {"user": self.request.user.id}

    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["election_id"] = self.election.id
-        kwargs["can_edit"] = self.can_edit
-        return kwargs
+        return super().get_form_kwargs() | {
+            "election": self.election,
+            "can_edit": self.can_edit,
+        }

-    def form_valid(self, form):
+    def form_valid(self, form: CandidateForm):
        """Verify that the selected user is in candidate group."""
        obj = form.instance
        obj.election = self.election
-        if not hasattr(obj, "user"):
-            obj.user = self.request.user
        if (obj.election.can_candidate(obj.user)) and (
            obj.user == self.request.user or self.can_edit
        ):
@@ -337,9 +197,7 @@ class CandidatureCreateView(LoginRequiredMixin, CreateView):
        raise PermissionDenied

    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["election"] = self.election
-        return kwargs
+        return super().get_context_data(**kwargs) | {"election": self.election}

    def get_success_url(self, **kwargs):
        return reverse_lazy("election:detail", kwargs={"election_id": self.election.id})
@@ -355,80 +213,79 @@ class ElectionCreateView(PermissionRequiredMixin, CreateView):
        return reverse("election:detail", kwargs={"election_id": self.object.id})


-class RoleCreateView(CanCreateMixin, CreateView):
+class RoleCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView):
    model = Role
    form_class = RoleForm
    template_name = "core/create.jinja"

-    def dispatch(self, request, *arg, **kwargs):
-        self.election = get_object_or_404(Election, pk=kwargs["election_id"])
+    @cached_property
+    def election(self):
+        return get_object_or_404(Election, pk=self.kwargs["election_id"])
+
+    def test_func(self):
        if not self.election.is_vote_editable:
-            raise PermissionDenied
-        return super().dispatch(request, *arg, **kwargs)
+            return False
+        if self.request.user.has_perm("election.add_role"):
+            return True
+        groups = set(self.election.edit_groups.values_list("id", flat=True))
+        if (
+            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
+            and self.request.user.is_subscribed
+        ):
+            # the subscriber group isn't truly attached to users,
+            # so it must be dealt with separately
+            return True
+        return self.request.user.groups.filter(id__in=groups).exists()

    def get_initial(self):
-        init = {}
-        init["election"] = self.election
-        return init
-
-    def form_valid(self, form):
-        """Verify that the user can edit properly."""
-        obj: Role = form.instance
-        user: User = self.request.user
-        if obj.election:
-            for grp_id in obj.election.edit_groups.values_list("pk", flat=True):
-                if user.is_in_group(pk=grp_id):
-                    return super(CreateView, self).form_valid(form)
-        raise PermissionDenied
+        return {"election": self.election}

    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["election_id"] = self.election.id
-        return kwargs
+        return super().get_form_kwargs() | {"election_id": self.election.id}

    def get_success_url(self, **kwargs):
-        return reverse_lazy(
-            "election:detail", kwargs={"election_id": self.object.election.id}
+        return reverse(
+            "election:detail", kwargs={"election_id": self.object.election_id}
        )


-class ElectionListCreateView(CanCreateMixin, CreateView):
+class ElectionListCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView):
    model = ElectionList
    form_class = ElectionListForm
    template_name = "core/create.jinja"

-    def dispatch(self, request, *arg, **kwargs):
-        self.election = get_object_or_404(Election, pk=kwargs["election_id"])
+    @cached_property
+    def election(self):
+        return get_object_or_404(Election, pk=self.kwargs["election_id"])
+
+    def test_func(self):
        if not self.election.is_vote_editable:
-            raise PermissionDenied
-        return super().dispatch(request, *arg, **kwargs)
+            return False
+        if self.request.user.has_perm("election.add_electionlist"):
+            return True
+        groups = set(
+            self.election.candidature_groups.values("id")
+            .union(self.election.edit_groups.values("id"))
+            .values_list("id", flat=True)
+        )
+        if (
+            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
+            and self.request.user.is_subscribed
+        ):
+            # the subscriber group isn't truly attached to users,
+            # so it must be dealt with separately
+            return True
+        return self.request.user.groups.filter(id__in=groups).exists()

    def get_initial(self):
-        init = {}
-        init["election"] = self.election
-        return init
+        return {"election": self.election}

    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["election_id"] = self.election.id
-        return kwargs
-
-    def form_valid(self, form):
-        """Verify that the user can vote on this election."""
-        obj: ElectionList = form.instance
-        user: User = self.request.user
-        if obj.election:
-            for grp_id in obj.election.candidature_groups.values_list("pk", flat=True):
-                if user.is_in_group(pk=grp_id):
-                    return super(CreateView, self).form_valid(form)
-            for grp_id in obj.election.edit_groups.values_list("pk", flat=True):
-                if user.is_in_group(pk=grp_id):
-                    return super(CreateView, self).form_valid(form)
-        raise PermissionDenied
+        return super().get_form_kwargs() | {"election_id": self.election.id}

    def get_success_url(self, **kwargs):
-        return reverse_lazy(
-            "election:detail", kwargs={"election_id": self.object.election.id}
+        return reverse(
+            "election:detail", kwargs={"election_id": self.object.election_id}
        )


@@ -457,45 +314,23 @@ class ElectionUpdateView(CanEditMixin, UpdateView):
        return reverse_lazy("election:detail", kwargs={"election_id": self.object.id})


-class CandidatureUpdateView(CanEditMixin, UpdateView):
+class CandidatureUpdateView(LoginRequiredMixin, CanEditMixin, UpdateView):
    model = Candidature
    form_class = CandidateForm
    template_name = "core/edit.jinja"
    pk_url_kwarg = "candidature_id"

-    def dispatch(self, request, *arg, **kwargs):
-        self.object = self.get_object()
-        if not self.object.role.election.is_vote_editable:
-            raise PermissionDenied
-        return super().dispatch(request, *arg, **kwargs)
-
-    def remove_fields(self):
-        self.form.fields.pop("role", None)
-
-    def get(self, request, *args, **kwargs):
-        self.form = self.get_form()
-        self.remove_fields()
-        return self.render_to_response(self.get_context_data(form=self.form))
-
-    def post(self, request, *args, **kwargs):
-        self.form = self.get_form()
-        self.remove_fields()
-        if (
-            request.user.is_authenticated
-            and request.user.can_edit(self.object)
-            and self.form.is_valid()
-        ):
-            return super().form_valid(self.form)
-        return self.form_invalid(self.form)
+    def get_form(self, *args, **kwargs):
+        form = super().get_form(*args, **kwargs)
+        form.fields.pop("role", None)
+        return form

    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["election_id"] = self.object.role.election.id
-        return kwargs
+        return super().get_form_kwargs() | {"election": self.object.role.election}

    def get_success_url(self, **kwargs):
-        return reverse_lazy(
-            "election:detail", kwargs={"election_id": self.object.role.election.id}
+        return reverse(
+            "election:detail", kwargs={"election_id": self.object.role.election_id}
        )


@@ -546,18 +381,12 @@ class RoleUpdateView(CanEditMixin, UpdateView):
 # Delete Views


-class ElectionDeleteView(DeleteView):
+class ElectionDeleteView(PermissionRequiredMixin, DeleteView):
    model = Election
    template_name = "core/delete_confirm.jinja"
    pk_url_kwarg = "election_id"
-
-    def dispatch(self, request, *args, **kwargs):
-        if request.user.is_root:
-            return super().dispatch(request, *args, **kwargs)
-        raise PermissionDenied
-
-    def get_success_url(self, **kwargs):
-        return reverse_lazy("election:list")
+    permission_required = "election.delete_election"
+    success_url = reverse_lazy("election:list")


 class CandidatureDeleteView(CanEditMixin, DeleteView):
@@ -573,7 +402,7 @@ class CandidatureDeleteView(CanEditMixin, DeleteView):
        return super().dispatch(request, *arg, **kwargs)

    def get_success_url(self, **kwargs):
-        return reverse_lazy("election:detail", kwargs={"election_id": self.election.id})
+        return reverse("election:detail", kwargs={"election_id": self.election.id})


 class RoleDeleteView(CanEditMixin, DeleteView):
@@ -589,7 +418,7 @@ class RoleDeleteView(CanEditMixin, DeleteView):
        return super().dispatch(request, *arg, **kwargs)

    def get_success_url(self, **kwargs):
-        return reverse_lazy("election:detail", kwargs={"election_id": self.election.id})
+        return reverse("election:detail", kwargs={"election_id": self.election.id})


 class ElectionListDeleteView(CanEditMixin, DeleteView):
@@ -605,4 +434,4 @@ class ElectionListDeleteView(CanEditMixin, DeleteView):
        return super().dispatch(request, *args, **kwargs)

    def get_success_url(self, **kwargs):
-        return reverse_lazy("election:detail", kwargs={"election_id": self.election.id})
+        return reverse("election:detail", kwargs={"election_id": self.election.id})
--- a/galaxy/management/commands/generate_galaxy_test_data.py
+++ b/galaxy/management/commands/generate_galaxy_test_data.py
@@ -25,12 +25,13 @@ import warnings
 from datetime import timedelta
 from typing import Final, Optional

+from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.management.base import BaseCommand
 from django.utils import timezone

 from club.models import Club, Membership
-from core.models import Group, Page, User
+from core.models import Group, Page, SithFile, User
 from core.utils import RED_PIXEL_PNG
 from sas.models import Album, PeoplePictureRelation, Picture
 from subscription.models import Subscription
@@ -90,8 +91,13 @@ class Command(BaseCommand):
        self.NB_CLUBS = options["club_count"]

        root = User.objects.filter(username="root").first()
+        sas = SithFile.objects.get(id=settings.SITH_SAS_ROOT_DIR_ID)
        self.galaxy_album = Album.objects.create(
-            name="galaxy-register-file", owner=root, is_moderated=True
+            name="galaxy-register-file",
+            owner=root,
+            is_moderated=True,
+            is_in_sas=True,
+            parent=sas,
        )

        self.make_clubs()
@@ -279,10 +285,14 @@ class Command(BaseCommand):
                    owner=u,
                    name=f"galaxy-picture {u} {i // self.NB_USERS}",
                    is_moderated=True,
+                    is_folder=False,
                    parent=self.galaxy_album,
-                    original=ContentFile(RED_PIXEL_PNG),
+                    is_in_sas=True,
+                    file=ContentFile(RED_PIXEL_PNG),
                    compressed=ContentFile(RED_PIXEL_PNG),
                    thumbnail=ContentFile(RED_PIXEL_PNG),
+                    mime_type="image/png",
+                    size=len(RED_PIXEL_PNG),
                )
            )
            self.picts[i].file.name = self.picts[i].name
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
--- a/locale/fr/LC_MESSAGES/djangojs.po
+++ b/locale/fr/LC_MESSAGES/djangojs.po
@@ -7,7 +7,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-23 15:30+0200\n"
+"POT-Creation-Date: 2025-05-18 12:17+0200\n"
 "PO-Revision-Date: 2024-09-17 11:54+0200\n"
 "Last-Translator: Sli <antoine@bartuccio.fr>\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -193,7 +193,7 @@ msgstr "Montrer moins"
 msgid "Show more"
 msgstr "Montrer plus"

-#: core/static/bundled/user/family-graph-index.ts
+#: core/static/bundled/user/family-graph-index.js
 msgid "family_tree.%(extension)s"
 msgstr "arbre_genealogique.%(extension)s"

--- a/package-lock.json
+++ b/package-lock.json
@@ -48,7 +48,6 @@
        "@types/cytoscape-cxtmenu": "^3.4.4",
        "@types/cytoscape-klay": "^3.1.4",
        "@types/jquery": "^3.5.31",
-        "@types/js-cookie": "^3.0.6",
        "typescript": "^5.8.3",
        "vite": "^6.2.5",
        "vite-bundle-visualizer": "^1.2.1",
@@ -2866,13 +2865,6 @@
        "@types/sizzle": "*"
      }
    },
-    "node_modules/@types/js-cookie": {
-      "version": "3.0.6",
-      "resolved": "https://registry.npmjs.org/@types/js-cookie/-/js-cookie-3.0.6.tgz",
-      "integrity": "sha512-wkw9yd1kEXOPnvEeEV1Go1MmxtBJL0RR79aOTAApecWFVu7w0NNXNqhcWgvw2YgZDYadliXkl14pa3WXw5jlCQ==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/@types/json-schema": {
      "version": "7.0.15",
      "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz",
--- a/package.json
+++ b/package.json
@@ -10,7 +10,7 @@
    "openapi": "openapi-ts",
    "analyse-dev": "vite-bundle-visualizer --mode development",
    "analyse-prod": "vite-bundle-visualizer --mode production",
-    "check": "tsc && biome check --write"
+    "check": "biome check --write"
  },
  "keywords": [],
  "author": "",
@@ -30,10 +30,9 @@
    "@hey-api/openapi-ts": "^0.73.0",
    "@rollup/plugin-inject": "^5.0.5",
    "@types/alpinejs": "^3.13.10",
+    "@types/jquery": "^3.5.31",
    "@types/cytoscape-cxtmenu": "^3.4.4",
    "@types/cytoscape-klay": "^3.1.4",
-    "@types/jquery": "^3.5.31",
-    "@types/js-cookie": "^3.0.6",
    "typescript": "^5.8.3",
    "vite": "^6.2.5",
    "vite-bundle-visualizer": "^1.2.1",
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -92,7 +92,7 @@ docs = [
 default-groups = ["dev", "tests", "docs"]

 [tool.xapian]
-version = "1.4.29"
+version = "1.4.25"

 [tool.ruff]
 output-format = "concise" # makes ruff error logs easier to read
--- a/sas/admin.py
+++ b/sas/admin.py
@@ -20,9 +20,9 @@ from sas.models import Album, PeoplePictureRelation, Picture, PictureModerationR

@admin.register(Picture)
 class PictureAdmin(admin.ModelAdmin):
-    list_display = ("name", "parent", "is_moderated")
+    list_display = ("name", "parent", "date", "size", "is_moderated")
    search_fields = ("name",)
-    autocomplete_fields = ("owner", "parent", "moderator")
+    autocomplete_fields = ("owner", "parent", "edit_groups", "view_groups", "moderator")


@admin.register(PeoplePictureRelation)
@@ -33,9 +33,9 @@ class PeoplePictureRelationAdmin(admin.ModelAdmin):

@admin.register(Album)
 class AlbumAdmin(admin.ModelAdmin):
-    list_display = ("name", "parent")
+    list_display = ("name", "parent", "date", "owner", "is_moderated")
    search_fields = ("name",)
-    autocomplete_fields = ("parent", "edit_groups", "view_groups")
+    autocomplete_fields = ("owner", "parent", "edit_groups", "view_groups")


@admin.register(PictureModerationRequest)
--- a/sas/api.py
+++ b/sas/api.py
@@ -2,10 +2,8 @@ from typing import Any, Literal

 from django.conf import settings
 from django.core.exceptions import ValidationError
-from django.shortcuts import get_list_or_404
 from django.urls import reverse
-from ninja import Body, Query, UploadedFile
-from ninja.errors import HttpError
+from ninja import Body, File, Query
 from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.exceptions import NotFound, PermissionDenied
@@ -19,12 +17,11 @@ from api.permissions import (
    CanAccessLookup,
    CanEdit,
    CanView,
-    HasPerm,
    IsInGroup,
    IsRoot,
 )
 from core.models import Notification, User
-from core.utils import get_list_exact_or_404
+from core.schemas import UploadedImage
 from sas.models import Album, PeoplePictureRelation, Picture
 from sas.schemas import (
    AlbumAutocompleteSchema,
@@ -32,7 +29,6 @@ from sas.schemas import (
    AlbumSchema,
    IdentifiedUserSchema,
    ModerationRequestSchema,
-    MoveAlbumSchema,
    PictureFilterSchema,
    PictureSchema,
 )
@@ -75,48 +71,6 @@ class AlbumController(ControllerBase):
            Album.objects.viewable_by(self.context.request.user).order_by("-date")
        )

-    @route.patch("/parent", permissions=[IsAuthenticated])
-    def change_album_parent(self, payload: list[MoveAlbumSchema]):
-        """Change parents of albums
-
-        Note:
-            For this operation to work, the user must be authorized
-            to edit both the moved albums and their new parent.
-        """
-        user: User = self.context.request.user
-        albums: list[Album] = get_list_exact_or_404(
-            Album, pk__in={a.id for a in payload}
-        )
-        if not user.has_perm("sas.change_album"):
-            unauthorized = [a.id for a in albums if not user.can_edit(a)]
-            raise PermissionDenied(
-                f"You can't move the following albums : {unauthorized}"
-            )
-        parents: list[Album] = get_list_exact_or_404(
-            Album, pk__in={a.new_parent_id for a in payload}
-        )
-        if not user.has_perm("sas.change_album"):
-            unauthorized = [a.id for a in parents if not user.can_edit(a)]
-            raise PermissionDenied(
-                f"You can't move to the following albums : {unauthorized}"
-            )
-        id_to_new_parent = {i.id: i.new_parent_id for i in payload}
-        for album in albums:
-            album.parent_id = id_to_new_parent[album.id]
-        # known caveat : moving an album won't move it's thumbnail.
-        # E.g. if the album foo/bar is moved to foo/baz,
-        # the thumbnail will still be foo/bar/thumb.webp
-        # This has no impact for the end user
-        # and doing otherwise would be hard for us to implement,
-        # because we would then have to manage rollbacks on fail.
-        Album.objects.bulk_update(albums, fields=["parent_id"])
-
-    @route.delete("", permissions=[HasPerm("sas.delete_album")])
-    def delete_album(self, album_ids: list[int]):
-        # known caveat : deleting an album doesn't delete the pictures on the disk.
-        # It's a db only operation.
-        albums: list[Album] = get_list_or_404(Album, pk__in=album_ids)
-

@api_controller("/sas/picture")
 class PicturesController(ControllerBase):
@@ -149,7 +103,7 @@ class PicturesController(ControllerBase):
        return (
            filters.filter(Picture.objects.viewable_by(user))
            .distinct()
-            .order_by("-parent__event_date", "created_at")
+            .order_by("-parent__date", "date")
            .select_related("owner", "parent")
        )

@@ -163,25 +117,27 @@ class PicturesController(ControllerBase):
        },
        url_name="upload_picture",
    )
-    def upload_picture(self, album_id: Body[int], picture: UploadedFile):
+    def upload_picture(self, album_id: Body[int], picture: File[UploadedImage]):
        album = self.get_object_or_exception(Album, pk=album_id)
        user = self.context.request.user
        self_moderate = user.has_perm("sas.moderate_sasfile")
        new = Picture(
            parent=album,
            name=picture.name,
-            original=picture,
+            file=picture,
            owner=user,
            is_moderated=self_moderate,
+            is_folder=False,
+            mime_type=picture.content_type,
        )
        if self_moderate:
            new.moderator = user
-        new.generate_thumbnails()
        try:
+            new.generate_thumbnails()
            new.full_clean()
-        except ValidationError as e:
-            raise HttpError(status_code=409, message=str(e)) from e
            new.save()
+        except ValidationError as e:
+            return self.create_response({"detail": dict(e)}, status_code=409)

    @route.get(
        "/{picture_id}/identified",
--- a/sas/baker_recipes.py
+++ b/sas/baker_recipes.py
@@ -1,35 +1,18 @@
-from django.core.files.uploadedfile import SimpleUploadedFile
 from model_bakery import seq
 from model_bakery.recipe import Recipe

-from core.utils import RED_PIXEL_PNG
-from sas.models import Album, Picture
-
-album_recipe = Recipe(
-    Album,
-    name=seq("Album "),
-    thumbnail=SimpleUploadedFile(
-        name="thumb.webp", content=b"", content_type="image/webp"
-    ),
-)
-
+from sas.models import Picture

 picture_recipe = Recipe(
    Picture,
+    is_in_sas=True,
+    is_folder=False,
    is_moderated=True,
    name=seq("Picture "),
-    original=SimpleUploadedFile(
-        # compressed and thumbnail are generated on save (except if bulk creating).
-        # For this step no to fail, original must be a valid image.
-        name="img.png",
-        content=RED_PIXEL_PNG,
-        content_type="image/png",
-    ),
-    compressed=SimpleUploadedFile(
-        name="img.webp", content=b"", content_type="image/webp"
-    ),
-    thumbnail=SimpleUploadedFile(
-        name="img.webp", content=b"", content_type="image/webp"
-    ),
 )
-"""A SAS Picture fixture."""
+"""A SAS Picture fixture.
+
+Warnings:
+    If you don't `bulk_create` this, you need
+    to explicitly set the parent album, or it won't work
+"""
--- a/sas/forms.py
+++ b/sas/forms.py
@@ -48,12 +48,13 @@ class PictureEditForm(forms.ModelForm):
 class AlbumEditForm(forms.ModelForm):
    class Meta:
        model = Album
-        fields = ["name", "date", "thumbnail", "parent", "edit_groups"]
+        fields = ["name", "date", "file", "parent", "edit_groups"]
        widgets = {
            "parent": AutoCompleteSelectAlbum,
            "edit_groups": AutoCompleteSelectMultipleGroup,
        }

+    name = forms.CharField(max_length=Album.NAME_MAX_LENGTH, label=_("file name"))
    date = forms.DateField(label=_("Date"), widget=SelectDate, required=True)
    recursive = forms.BooleanField(label=_("Apply rights recursively"), required=False)

--- a/sas/migrations/0006_move_the_whole_sas.py
+++ b/sas/migrations/0006_move_the_whole_sas.py
@@ -1,357 +0,0 @@
-# Generated by Django 4.2.17 on 2025-01-22 21:53
-import collections
-import itertools
-import logging
-from typing import TYPE_CHECKING
-
-import django.db.models.deletion
-from django.conf import settings
-from django.db import migrations, models
-from django.db.migrations.state import StateApps
-
-import sas.models
-
-if TYPE_CHECKING:
-    import core.models
-
-# NB : tous les commentaires sont écrits en français,
-#      parce qu'on est sur des opérations qui sont complexes,
-#      et qui sont surtout DANGEREUSES.
-#      Ici, la clarté des explications prime sur toute autre considération.
-
-
-def copy_albums_and_pictures(apps: StateApps, schema_editor):
-    SithFile: type[core.models.SithFile] = apps.get_model("core", "SithFile")
-    Album: type[sas.models.Album] = apps.get_model("sas", "Album")
-    Picture: type[sas.models.Picture] = apps.get_model("sas", "Picture")
-    logger = logging.getLogger("django")
-
-    # Il y a environ 1800 albums, 257k photos et 488k identifications
-    # d'utilisateurs dans la db de prod.
-    # En supposant qu'une insertion prenne 10ms (ce qui est très optimiste),
-    # migrer tous les enregistrements de la db prendrait plus de 2h.
-    # C'est trop long.
-    # Mais d'un autre côté, j'ai pas assez confiance dans les capacités de nos
-    # machines pour charger presque un million d'objets en mémoire.
-    # Pour faire un compromis, les albums sont migrés individuellement un à un,
-    # mais tous les objets liés à ces albums
-    # (photos, groupes de vue, groupe d'édition, identification d'utilisateurs)
-    # sont migrés en tas.
-    #
-    # Ordre des opérations :
-    # 1. On migre les albums 1 à 1 (il y en a 1800, donc c'est relativement court)
-    # 2. On migre les photos par paquet de 2500 (soit ~une centaine d'opérations)
-    # 3. On migre tous les groupes de vue et tous les groupes d'édition des albums
-    #
-    # Au total, la migration devrait demander aux alentours de 2000 insertions,
-    # ce qui est un compromis acceptable entre une migration
-    # pas trop longue et une RAM pas trop surchargée.
-    #
-    # Pour ce qui est de la répartition des tables, quatre nouvelles tables
-    # sont créées : sas_album, sas_picture,
-    # sas_pictureviewgroups et sas_picture_editgroups.
-    # Tous les albums et toutes les photos qui sont dans core_sithfile
-    # vont être copiés dans ces tables.
-    # Comme les albums sont migrés un à un, ils recevront une nouvelle
-    # clef primaire.
-    # Pour les photos, en revanche, c'est beaucoup plus sûr de leur donner
-    # le même id que celui qu'il y avait dans core_sithfile.
-    #
-    # Les identifications des photos ne sont pas migrées pour l'instant.
-    # Ce qu'on va faire, c'est qu'on va changer la contrainte de clef étrangère
-    # sur la colonne des photos pour pointer vers sas_picture
-    # au lieu de core_sithfile.
-    # Cependant, pour que ça marche,
-    # il faut qu'au moment où ce changement est effectué,
-    # toutes les clefs primaires référencées existent à la fois dans
-    # les deux tables, sinon les contraintes d'intégrité ne sont pas respectées.
-    # La migration de ce fichier va donc s'occuper de créer les nouvelles tables
-    # et d'y copier les données nécessaires.
-    # Puis une deuxième migration s'occupera de changer les contraintes.
-    # Et enfin une troisième migration supprimera les anciennes données.
-    #
-    # Pavé César
-
-    albums = SithFile.objects.filter(is_in_sas=True, is_folder=True).prefetch_related(
-        "view_groups", "edit_groups"
-    )
-    old_albums = collections.deque(
-        albums.filter(parent_id=settings.SITH_SAS_ROOT_DIR_ID)
-    )
-
-    # Changement de représentation en DB.
-    # Dans l'ancien système, un fichier était dans le SAS si
-    # un fichier spécial (le SAS_ROOT) était parmi ses ancêtres.
-    # Comme maintenant les fichiers du SAS sont dans des tables à part,
-    # il ne peut plus y avoir de confusion.
-    # Les photos ont donc obligatoirement un parent (qui est un album)
-    # et les albums peuvent avoir un parent null.
-    # Un album sans parent est considéré comme se trouvant à la racine
-    # de l'arborescence.
-    # En quelque sorte, None est le nouveau SITH_SAS_ROOT_DIR_ID
-    album_id_old_to_new = {settings.SITH_SAS_ROOT_DIR_ID: None}
-
-    logger.info(f"migrating {albums.count()} albums")
-    while len(old_albums) > 0:
-        # Comme les albums référencent leur parent, les albums doivent être migrés
-        # par ordre croissant de profondeur dans l'arborescence.
-        # Chaque album est donc pris par la gauche de la file
-        # et ses enfants ajoutés sur la droite.
-        old_album = old_albums.popleft()
-        old_albums.extend(list(albums.filter(parent=old_album)))
-        new_album = Album.objects.create(
-            parent_id=album_id_old_to_new[old_album.parent_id],
-            event_date=old_album.date.date(),
-            name=old_album.name,
-            thumbnail=(old_album.file or None),
-            is_moderated=old_album.is_moderated,
-        )
-        # on garde un dictionnaire qui associe les id des albums dans l'ancienne table
-        # à leur id dans la nouvelle table, pour pouvoir recréer
-        # les liens de parenté entre albums
-        album_id_old_to_new[old_album.id] = new_album.id
-
-    pictures = SithFile.objects.filter(is_in_sas=True, is_folder=False)
-    nb_pictures = pictures.count()
-    logger.info(f"migrating {nb_pictures} pictures")
-    for i, pictures_batch in enumerate(itertools.batched(pictures, 2500), start=1):
-        Picture.objects.bulk_create(
-            [
-                Picture(
-                    id=p.id,
-                    name=p.name,
-                    parent_id=album_id_old_to_new[p.parent_id],
-                    thumbnail=p.thumbnail,
-                    compressed=p.compressed,
-                    original=p.file,
-                    owner_id=p.owner_id,
-                    created_at=p.date,
-                    is_moderated=p.is_moderated,
-                    asked_for_removal=p.asked_for_removal,
-                    moderator_id=p.moderator_id,
-                )
-                for p in pictures_batch
-            ]
-        )
-        logger.info(f"Migrated {min(i * 2500, nb_pictures)} / {nb_pictures} pictures")
-
-    logger.info("Migrating album groups")
-    albums = SithFile.objects.filter(is_in_sas=True, is_folder=True).exclude(
-        id=settings.SITH_SAS_ROOT_DIR_ID
-    )
-    Album.edit_groups.through.objects.bulk_create(
-        [
-            Album.view_groups.through(
-                album=album_id_old_to_new[g.sithfile_id], group_id=g.group_id
-            )
-            for g in SithFile.view_groups.through.objects.filter(sithfile__in=albums)
-        ]
-    )
-    Album.edit_groups.through.objects.bulk_create(
-        [
-            Album.view_groups.through(
-                album=album_id_old_to_new[g.sithfile_id], group_id=g.group_id
-            )
-            for g in SithFile.view_groups.through.objects.filter(sithfile__in=albums)
-        ]
-    )
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ("core", "0044_alter_userban_options"),
-        ("sas", "0005_alter_sasfile_options"),
-    ]
-
-    operations = [
-        # les relations et les demandes de modération étaient liées à SithFile,
-        # via le model proxy Picture.
-        # Pour que la migration marche malgré la disparition du modèle Proxy,
-        # on change la relation pour qu'elle pointe directement vers SithFile
-        migrations.AlterField(
-            model_name="peoplepicturerelation",
-            name="picture",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="people",
-                to="core.sithfile",
-                verbose_name="picture",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="picturemoderationrequest",
-            name="picture",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="moderation_requests",
-                to="core.sithfile",
-                verbose_name="Picture",
-            ),
-        ),
-        migrations.DeleteModel(name="Album"),
-        migrations.DeleteModel(name="Picture"),
-        migrations.DeleteModel(name="SasFile"),
-        migrations.CreateModel(
-            name="Album",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "thumbnail",
-                    models.FileField(
-                        max_length=256,
-                        upload_to=sas.models.get_thumbnail_directory,
-                        verbose_name="thumbnail",
-                    ),
-                ),
-                ("name", models.CharField(max_length=100, verbose_name="name")),
-                (
-                    "event_date",
-                    models.DateField(
-                        default=django.utils.timezone.localdate,
-                        help_text="The date on which the photos in this album were taken",
-                        verbose_name="event date",
-                    ),
-                ),
-                (
-                    "is_moderated",
-                    models.BooleanField(default=False, verbose_name="is moderated"),
-                ),
-                (
-                    "edit_groups",
-                    models.ManyToManyField(
-                        related_name="editable_albums",
-                        to="core.group",
-                        verbose_name="edit groups",
-                    ),
-                ),
-                (
-                    "parent",
-                    models.ForeignKey(
-                        blank=True,
-                        null=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="children",
-                        to="sas.album",
-                        verbose_name="parent",
-                    ),
-                ),
-                (
-                    "view_groups",
-                    models.ManyToManyField(
-                        related_name="viewable_albums",
-                        to="core.group",
-                        verbose_name="view groups",
-                    ),
-                ),
-            ],
-            options={"verbose_name": "album"},
-        ),
-        migrations.CreateModel(
-            name="Picture",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "thumbnail",
-                    models.FileField(
-                        unique=True,
-                        upload_to=sas.models.get_thumbnail_directory,
-                        verbose_name="thumbnail",
-                        max_length=256,
-                    ),
-                ),
-                ("name", models.CharField(max_length=256, verbose_name="file name")),
-                (
-                    "original",
-                    models.FileField(
-                        unique=True,
-                        upload_to=sas.models.get_directory,
-                        verbose_name="original image",
-                        max_length=256,
-                    ),
-                ),
-                (
-                    "compressed",
-                    models.FileField(
-                        unique=True,
-                        upload_to=sas.models.get_compressed_directory,
-                        verbose_name="compressed image",
-                        max_length=256,
-                    ),
-                ),
-                ("created_at", models.DateTimeField(default=django.utils.timezone.now)),
-                (
-                    "is_moderated",
-                    models.BooleanField(default=False, verbose_name="is moderated"),
-                ),
-                (
-                    "asked_for_removal",
-                    models.BooleanField(
-                        default=False, verbose_name="asked for removal"
-                    ),
-                ),
-                (
-                    "moderator",
-                    models.ForeignKey(
-                        blank=True,
-                        null=True,
-                        on_delete=django.db.models.deletion.SET_NULL,
-                        related_name="moderated_pictures",
-                        to=settings.AUTH_USER_MODEL,
-                    ),
-                ),
-                (
-                    "owner",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.PROTECT,
-                        related_name="owned_pictures",
-                        to=settings.AUTH_USER_MODEL,
-                        verbose_name="owner",
-                    ),
-                ),
-                (
-                    "parent",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="pictures",
-                        to="sas.album",
-                        verbose_name="album",
-                    ),
-                ),
-            ],
-            options={"abstract": False, "verbose_name": "picture"},
-        ),
-        migrations.AddConstraint(
-            model_name="picture",
-            constraint=models.UniqueConstraint(
-                fields=("name", "parent"), name="sas_picture_unique_per_album"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="album",
-            constraint=models.UniqueConstraint(
-                fields=("name", "parent"), name="unique_album_name_if_same_parent"
-            ),
-        ),
-        migrations.RunPython(
-            copy_albums_and_pictures,
-            reverse_code=migrations.RunPython.noop,
-            elidable=True,
-        ),
-    ]
--- a/sas/migrations/0007_alter_peoplepicturerelation_picture_and_more.py
+++ b/sas/migrations/0007_alter_peoplepicturerelation_picture_and_more.py
@@ -1,31 +0,0 @@
-# Generated by Django 4.2.17 on 2025-01-25 23:50
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [("sas", "0006_move_the_whole_sas")]
-
-    operations = [
-        migrations.AlterField(
-            model_name="peoplepicturerelation",
-            name="picture",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="people",
-                to="sas.picture",
-                verbose_name="picture",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="picturemoderationrequest",
-            name="picture",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="moderation_requests",
-                to="sas.picture",
-                verbose_name="Picture",
-            ),
-        ),
-    ]
--- a/sas/models.py
+++ b/sas/models.py
@@ -18,52 +18,29 @@ from __future__ import annotations
 import contextlib
 from io import BytesIO
 from pathlib import Path
-from typing import TYPE_CHECKING, ClassVar, Self
+from typing import ClassVar, Self

 from django.conf import settings
 from django.core.cache import cache
-from django.core.exceptions import ValidationError
-from django.core.files.base import ContentFile
 from django.db import models
 from django.db.models import Exists, OuterRef, Q
-from django.db.models.deletion import Collector
 from django.urls import reverse
-from django.utils import timezone
-from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from PIL import Image

-from core.models import Group, Notification, User
+from core.models import Notification, SithFile, User
 from core.utils import exif_auto_rotate, resize_image

-if TYPE_CHECKING:
-    from django.db.models.fields.files import FieldFile

-
-def get_directory(instance: SasFile, filename: str):
-    return f"./{instance.parent_path}/{filename}"
-
-
-def get_compressed_directory(instance: SasFile, filename: str):
-    return f"./.compressed/{instance.parent_path}/{filename}"
-
-
-def get_thumbnail_directory(instance: SasFile, filename: str):
-    if isinstance(instance, Album):
-        _, extension = filename.rsplit(".", 1)
-        filename = f"{instance.name}/thumb.{extension}"
-    return f"./.thumbnails/{instance.parent_path}/{filename}"
-
-
-class SasFile(models.Model):
-    """Abstract model for SAS files
+class SasFile(SithFile):
+    """Proxy model for any file in the SAS.

    May be used to have logic that should be shared by both
    [Picture][sas.models.Picture] and [Album][sas.models.Album].
    """

    class Meta:
-        abstract = True
+        proxy = True
        permissions = [
            ("moderate_sasfile", "Can moderate SAS files"),
            ("view_unmoderated_sasfile", "Can view not moderated SAS files"),
@@ -88,169 +65,6 @@ class SasFile(models.Model):
    def can_be_edited_by(self, user):
        return user.has_perm("sas.change_sasfile")

-    @cached_property
-    def parent_path(self) -> str:
-        """The parent location in the SAS album tree (e.g. `SAS/foo/bar`)."""
-        return "/".join(["SAS", *[p.name for p in self.parent_list]])
-
-    @cached_property
-    def parent_list(self) -> list[Album]:
-        """The ancestors of this SAS object.
-
-        The result is ordered from the direct parent to the farthest one.
-        """
-        parents = []
-        current = self.parent
-        while current is not None:
-            parents.append(current)
-            current = current.parent
-        return parents
-
-
-class AlbumQuerySet(models.QuerySet):
-    def viewable_by(self, user: User) -> Self:
-        """Filter the albums that this user can view.
-
-        Warning:
-            Calling this queryset method may add several additional requests.
-        """
-        if user.is_root or user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
-            return self.all()
-        if user.was_subscribed:
-            return self.filter(is_moderated=True)
-        # known bug : if all children of an album are also albums
-        # then this album is excluded, even if one of the sub-albums should be visible.
-        # The fs-like navigation is likely to be half-broken for non-subscribers,
-        # but that's ok, since non-subscribers are expected to see only the albums
-        # containing pictures on which they have been identified (hence, very few).
-        # Most, if not all, of their albums will be displayed on the
-        # `latest albums` section of the SAS.
-        # Moreover, they will still see all of their picture in their profile.
-        return self.filter(
-            Exists(Picture.objects.filter(parent_id=OuterRef("pk")).viewable_by(user))
-        )
-
-
-class Album(SasFile):
-    NAME_MAX_LENGTH: ClassVar[int] = 50
-
-    name = models.CharField(_("name"), max_length=100)
-    parent = models.ForeignKey(
-        "self",
-        related_name="children",
-        verbose_name=_("parent"),
-        null=True,
-        blank=True,
-        on_delete=models.CASCADE,
-    )
-    thumbnail = models.FileField(
-        upload_to=get_thumbnail_directory,
-        verbose_name=_("thumbnail"),
-        max_length=256,
-        blank=True,
-    )
-    view_groups = models.ManyToManyField(
-        Group, related_name="viewable_albums", verbose_name=_("view groups"), blank=True
-    )
-    edit_groups = models.ManyToManyField(
-        Group, related_name="editable_albums", verbose_name=_("edit groups"), blank=True
-    )
-    event_date = models.DateField(
-        _("event date"),
-        help_text=_("The date on which the photos in this album were taken"),
-        default=timezone.localdate,
-        blank=True,
-    )
-    is_moderated = models.BooleanField(_("is moderated"), default=False)
-
-    objects = AlbumQuerySet.as_manager()
-
-    class Meta:
-        verbose_name = _("album")
-        constraints = [
-            models.UniqueConstraint(
-                fields=["name", "parent"],
-                name="unique_album_name_if_same_parent",
-                # TODO : add `nulls_distinct=True` after upgrading to django>=5.0
-            )
-        ]
-
-    def __str__(self):
-        return f"Album {self.name}"
-
-    def save(self, *args, **kwargs):
-        super().save(*args, **kwargs)
-        for user in User.objects.filter(
-            groups__id__in=[settings.SITH_GROUP_SAS_ADMIN_ID]
-        ):
-            Notification(
-                user=user,
-                url=reverse("sas:moderation"),
-                type="SAS_MODERATION",
-                param="1",
-            ).save()
-
-    def get_absolute_url(self):
-        return reverse("sas:album", kwargs={"album_id": self.id})
-
-    def clean(self):
-        super().clean()
-        if "/" in self.name:
-            raise ValidationError(_("Character '/' not authorized in name"))
-        if self.parent_id is not None and (
-            self.id == self.parent_id or self in self.parent_list
-        ):
-            raise ValidationError(_("Loop in album tree"), code="loop")
-        if self.thumbnail:
-            try:
-                Image.open(BytesIO(self.thumbnail.read()))
-            except Image.UnidentifiedImageError as e:
-                raise ValidationError(_("This is not a valid album thumbnail")) from e
-
-    def delete(self, *args, **kwargs):
-        """Delete the album, all of its children and all linked disk files"""
-        collector = Collector(using="default")
-        collector.collect([self])
-        albums: set[Album] = collector.data[Album]
-        pictures: set[Picture] = collector.data[Picture]
-        files: list[FieldFile] = [
-            *[a.thumbnail for a in albums],
-            *[p.thumbnail for p in pictures],
-            *[p.compressed for p in pictures],
-            *[p.original for p in pictures],
-        ]
-        # `bool(f)` checks that the file actually exists on the disk
-        files = [f for f in files if bool(f)]
-        folders = {Path(f.path).parent for f in files}
-        res = super().delete(*args, **kwargs)
-        # once the model instances have been deleted,
-        # delete the actual files.
-        for file in files:
-            # save=False ensures that django doesn't recreate the db record,
-            # which would make the whole deletion pointless
-            # cf. https://docs.djangoproject.com/en/stable/ref/models/fields/#django.db.models.fields.files.FieldFile.delete
-            file.delete(save=False)
-        for folder in folders:
-            # now that the files are deleted, remove the empty folders
-            if folder.is_dir() and next(folder.iterdir(), None) is None:
-                folder.rmdir()
-        return res
-
-    def get_download_url(self):
-        return reverse("sas:album_preview", kwargs={"album_id": self.id})
-
-    def generate_thumbnail(self):
-        p = (
-            self.pictures.exclude(thumbnail="").order_by("?").first()
-            or self.children.exclude(thumbnail="").order_by("?").first()
-        )
-        if p:
-            # The file is loaded into memory to duplicate it.
-            # It may not be the most efficient way, but thumbnails are
-            # usually quite small, so it's still ok
-            self.thumbnail = ContentFile(p.thumbnail.read(), name="thumb.webp")
-            self.save()
-

 class PictureQuerySet(models.QuerySet):
    def viewable_by(self, user: User) -> Self:
@@ -266,65 +80,23 @@ class PictureQuerySet(models.QuerySet):
        return self.filter(people__user_id=user.id, is_moderated=True)


+class SASPictureManager(models.Manager):
+    def get_queryset(self):
+        return super().get_queryset().filter(is_in_sas=True, is_folder=False)
+
+
 class Picture(SasFile):
-    name = models.CharField(_("file name"), max_length=256)
-    parent = models.ForeignKey(
-        Album,
-        related_name="pictures",
-        verbose_name=_("album"),
-        on_delete=models.CASCADE,
-    )
-    thumbnail = models.FileField(
-        upload_to=get_thumbnail_directory,
-        verbose_name=_("thumbnail"),
-        max_length=256,
-        unique=True,
-    )
-    original = models.FileField(
-        upload_to=get_directory,
-        verbose_name=_("original image"),
-        max_length=256,
-        unique=True,
-    )
-    compressed = models.FileField(
-        upload_to=get_compressed_directory,
-        verbose_name=_("compressed image"),
-        max_length=256,
-        unique=True,
-    )
-    created_at = models.DateTimeField(default=timezone.now)
-    owner = models.ForeignKey(
-        User,
-        related_name="owned_pictures",
-        verbose_name=_("owner"),
-        on_delete=models.PROTECT,
-    )
-
-    is_moderated = models.BooleanField(_("is moderated"), default=False)
-    asked_for_removal = models.BooleanField(_("asked for removal"), default=False)
-    moderator = models.ForeignKey(
-        User,
-        related_name="moderated_pictures",
-        null=True,
-        blank=True,
-        on_delete=models.SET_NULL,
-    )
-
-    objects = PictureQuerySet.as_manager()
-
    class Meta:
-        verbose_name = _("picture")
-        constraints = [
-            models.UniqueConstraint(
-                fields=["name", "parent"], name="sas_picture_unique_per_album"
-            )
-        ]
+        proxy = True

-    def __str__(self):
-        return self.name
+    objects = SASPictureManager.from_queryset(PictureQuerySet)()

-    def get_absolute_url(self):
-        return reverse("sas:picture", kwargs={"picture_id": self.id})
+    @property
+    def is_vertical(self):
+        with open(settings.MEDIA_ROOT / self.file.name, "rb") as f:
+            im = Image.open(BytesIO(f.read()))
+            (w, h) = im.size
+            return (w / h) < 1

    def get_download_url(self):
        return reverse("sas:download", kwargs={"picture_id": self.id})
@@ -335,34 +107,41 @@ class Picture(SasFile):
    def get_download_thumb_url(self):
        return reverse("sas:download_thumb", kwargs={"picture_id": self.id})

-    @property
-    def is_vertical(self):
-        # original, compressed and thumbnail image have all three the same ratio,
-        # so the smallest one is used to tell if the image is vertical
-        im = Image.open(BytesIO(self.thumbnail.read()))
-        (w, h) = im.size
-        return w < h
+    def get_absolute_url(self):
+        return reverse("sas:picture", kwargs={"picture_id": self.id})

-    def generate_thumbnails(self):
-        im = Image.open(self.original)
+    def generate_thumbnails(self, *, overwrite=False):
+        im = Image.open(BytesIO(self.file.read()))
        with contextlib.suppress(Exception):
            im = exif_auto_rotate(im)
        # convert the compressed image and the thumbnail into webp
+        # The original image keeps its original type, because it's not
+        # meant to be shown on the website, but rather to keep the real image
+        # for less frequent cases (like downloading the pictures of an user)
+        extension = self.mime_type.split("/")[-1]
        # the HD version of the image doesn't need to be optimized, because :
        # - it isn't frequently queried
-        # - optimizing large images takes a lot of time, which greatly hinders the UX
+        # - optimizing large images takes a lot time, which greatly hinders the UX
        # - photographers usually already optimize their images
+        file = resize_image(im, max(im.size), extension, optimize=False)
        thumb = resize_image(im, 200, "webp")
        compressed = resize_image(im, 1200, "webp")
-        new_extension_name = str(Path(self.original.name).with_suffix(".webp"))
+        if overwrite:
+            self.file.delete()
+            self.thumbnail.delete()
+            self.compressed.delete()
+        new_extension_name = str(Path(self.name).with_suffix(".webp"))
+        self.file = file
+        self.file.name = self.name
        self.thumbnail = thumb
        self.thumbnail.name = new_extension_name
        self.compressed = compressed
        self.compressed.name = new_extension_name

    def rotate(self, degree):
-        for field in self.original, self.compressed, self.thumbnail:
-            with open(field.file, "r+b") as file:
+        for attr in ["file", "compressed", "thumbnail"]:
+            name = self.__getattribute__(attr).name
+            with open(settings.MEDIA_ROOT / name, "r+b") as file:
                if file:
                    im = Image.open(BytesIO(file.read()))
                    file.seek(0)
@@ -375,6 +154,110 @@ class Picture(SasFile):
                        progressive=True,
                    )

+    def get_next(self):
+        if self.is_moderated:
+            pictures_qs = self.parent.children.filter(
+                is_moderated=True,
+                asked_for_removal=False,
+                is_folder=False,
+                id__gt=self.id,
+            )
+        else:
+            pictures_qs = Picture.objects.filter(id__gt=self.id, is_moderated=False)
+        return pictures_qs.order_by("id").first()
+
+    def get_previous(self):
+        if self.is_moderated:
+            pictures_qs = self.parent.children.filter(
+                is_moderated=True,
+                asked_for_removal=False,
+                is_folder=False,
+                id__lt=self.id,
+            )
+        else:
+            pictures_qs = Picture.objects.filter(id__lt=self.id, is_moderated=False)
+        return pictures_qs.order_by("-id").first()
+
+
+class AlbumQuerySet(models.QuerySet):
+    def viewable_by(self, user: User) -> Self:
+        """Filter the albums that this user can view.
+
+        Warning:
+            Calling this queryset method may add several additional requests.
+        """
+        if user.has_perm("sas.moderate_sasfile"):
+            return self.all()
+        if user.was_subscribed:
+            return self.filter(Q(is_moderated=True) | Q(owner=user))
+        # known bug : if all children of an album are also albums
+        # then this album is excluded, even if one of the sub-albums should be visible.
+        # The fs-like navigation is likely to be half-broken for non-subscribers,
+        # but that's ok, since non-subscribers are expected to see only the albums
+        # containing pictures on which they have been identified (hence, very few).
+        # Most, if not all, of their albums will be displayed on the
+        # `latest albums` section of the SAS.
+        # Moreover, they will still see all of their picture in their profile.
+        return self.filter(
+            Exists(Picture.objects.filter(parent_id=OuterRef("pk")).viewable_by(user))
+        )
+
+
+class SASAlbumManager(models.Manager):
+    def get_queryset(self):
+        return super().get_queryset().filter(is_in_sas=True, is_folder=True)
+
+
+class Album(SasFile):
+    NAME_MAX_LENGTH: ClassVar[int] = 50
+    """Maximum length of an album's name.
+    
+    [SithFile][core.models.SithFile] have a maximum length
+    of 256 characters.
+    However, this limit is too high for albums.
+    Names longer than 50 characters are harder to read
+    and harder to display on the SAS page.
+    
+    It is to be noted, though, that this does not
+    add or modify any db behaviour.
+    It's just a constant to be used in views and forms.
+    """
+
+    class Meta:
+        proxy = True
+
+    objects = SASAlbumManager.from_queryset(AlbumQuerySet)()
+
+    @property
+    def children_pictures(self):
+        return Picture.objects.filter(parent=self)
+
+    @property
+    def children_albums(self):
+        return Album.objects.filter(parent=self)
+
+    def get_absolute_url(self):
+        if self.id == settings.SITH_SAS_ROOT_DIR_ID:
+            return reverse("sas:main")
+        return reverse("sas:album", kwargs={"album_id": self.id})
+
+    def get_download_url(self):
+        return reverse("sas:album_preview", kwargs={"album_id": self.id})
+
+    def generate_thumbnail(self):
+        p = (
+            self.children_pictures.order_by("?").first()
+            or self.children_albums.exclude(file=None)
+            .exclude(file="")
+            .order_by("?")
+            .first()
+        )
+        if p and p.file:
+            image = resize_image(Image.open(BytesIO(p.file.read())), 200, "webp")
+            self.file = image
+            self.file.name = f"{self.name}/thumb.webp"
+            self.save()
+

 def sas_notification_callback(notif: Notification):
    count = Picture.objects.filter(is_moderated=False).count()
--- a/sas/schemas.py
+++ b/sas/schemas.py
@@ -56,12 +56,7 @@ class AlbumAutocompleteSchema(ModelSchema):

    @staticmethod
    def resolve_path(obj: Album) -> str:
-        return str(Path(obj.parent_path) / obj.name)
-
-
-class MoveAlbumSchema(Schema):
-    id: int
-    new_parent_id: int
+        return str(Path(obj.get_parent_path()) / obj.name)


 class PictureFilterSchema(FilterSchema):
@@ -74,7 +69,7 @@ class PictureFilterSchema(FilterSchema):
 class PictureSchema(ModelSchema):
    class Meta:
        model = Picture
-        fields = ["id", "name", "created_at", "is_moderated", "asked_for_removal"]
+        fields = ["id", "name", "date", "size", "is_moderated", "asked_for_removal"]

    owner: UserProfileSchema
    sas_url: str
--- a/sas/static/bundled/sas/album-index.ts
+++ b/sas/static/bundled/sas/album-index.ts
@@ -83,6 +83,7 @@ document.addEventListener("alpine:init", () => {

  Alpine.data("pictureUpload", (albumId: number) => ({
    errors: [] as string[],
+    pictures: [],
    sending: false,
    progress: null as HTMLProgressElement,

@@ -125,108 +126,3 @@ document.addEventListener("alpine:init", () => {
    },
  }));
 });
-
-// Todo: migrate to alpine.js if we have some time
-// $("form#upload_form").submit(function (event) {
-//   const formData = new FormData($(this)[0]);
-//
-//   if (!formData.get("album_name") && !formData.get("images").name) return false;
-//
-//   if (!formData.get("images").name) {
-//     return true;
-//   }
-//
-//   event.preventDefault();
-//
-//   let errorList = this.querySelector("#upload_form ul.errorlist.nonfield");
-//   if (errorList === null) {
-//     errorList = document.createElement("ul");
-//     errorList.classList.add("errorlist", "nonfield");
-//     this.insertBefore(errorList, this.firstElementChild);
-//   }
-//
-//   while (errorList.childElementCount > 0)
-//     errorList.removeChild(errorList.firstElementChild);
-//
-//   let progress = this.querySelector("progress");
-//   if (progress === null) {
-//     progress = document.createElement("progress");
-//     progress.value = 0;
-//     const p = document.createElement("p");
-//     p.appendChild(progress);
-//     this.insertBefore(p, this.lastElementChild);
-//   }
-//
-//   let dataHolder;
-//
-//   if (formData.get("album_name")) {
-//     dataHolder = new FormData();
-//     dataHolder.set("csrfmiddlewaretoken", "{{ csrf_token }}");
-//     dataHolder.set("album_name", formData.get("album_name"));
-//     $.ajax({
-//       method: "POST",
-//       url: "{{ url('sas:album_upload', album_id=object.id) }}",
-//       data: dataHolder,
-//       processData: false,
-//       contentType: false,
-//       success: onSuccess,
-//     });
-//   }
-//
-//   const images = formData.getAll("images");
-//   const imagesCount = images.length;
-//   let completeCount = 0;
-//
-//   const poolSize = 1;
-//   const imagePool = [];
-//
-//   while (images.length > 0 && imagePool.length < poolSize) {
-//     const image = images.shift();
-//     imagePool.push(image);
-//     sendImage(image);
-//   }
-//
-//   function sendImage(image) {
-//     dataHolder = new FormData();
-//     dataHolder.set("csrfmiddlewaretoken", "{{ csrf_token }}");
-//     dataHolder.set("images", image);
-//
-//     $.ajax({
-//       method: "POST",
-//       url: "{{ url('sas:album_upload', album_id=object.id) }}",
-//       data: dataHolder,
-//       processData: false,
-//       contentType: false,
-//     })
-//       .fail(onSuccess.bind(undefined, image))
-//       .done(onSuccess.bind(undefined, image))
-//       .always(next.bind(undefined, image));
-//   }
-//
-//   function next(image, _, __) {
-//     const index = imagePool.indexOf(image);
-//     const nextImage = images.shift();
-//
-//     if (index !== -1) {
-//       imagePool.splice(index, 1);
-//     }
-//
-//     if (nextImage) {
-//       imagePool.push(nextImage);
-//       sendImage(nextImage);
-//     }
-//   }
-//
-//   function onSuccess(image, data, _, __) {
-//     let errors = [];
-//
-//     if ($(data.responseText).find(".errorlist.nonfield")[0])
-//       errors = Array.from($(data.responseText).find(".errorlist.nonfield")[0].children);
-//
-//     while (errors.length > 0) errorList.appendChild(errors.shift());
-//
-//     progress.value = ++completeCount / imagesCount;
-//     if (progress.value === 1 && errorList.children.length === 0)
-//       document.location.reload();
-//   }
-// });
--- a/sas/static/bundled/sas/pictures-download-index.ts
+++ b/sas/static/bundled/sas/pictures-download-index.ts
@@ -30,10 +30,10 @@ document.addEventListener("alpine:init", () => {

      await Promise.all(
        this.pictures.map((p: PictureSchema) => {
-          const imgName = `${p.album}/IMG_${p.created_at.replace(/[:\-]/g, "_")}${p.name.slice(p.name.lastIndexOf("."))}`;
+          const imgName = `${p.album}/IMG_${p.date.replace(/[:\-]/g, "_")}${p.name.slice(p.name.lastIndexOf("."))}`;
          return zipWriter.add(imgName, new HttpReader(p.full_size_url), {
            level: 9,
-            lastModDate: new Date(p.created_at),
+            lastModDate: new Date(p.date),
            onstart: incrementProgressBar,
          });
        }),
--- a/sas/static/bundled/sas/viewer-index.ts
+++ b/sas/static/bundled/sas/viewer-index.ts
@@ -1,4 +1,3 @@
-import type { UserAjaxSelect } from "#core:core/components/ajax-select-index";
 import { paginated } from "#core:utils/api";
 import { exportToHtml } from "#core:utils/globals";
 import { History } from "#core:utils/history";
@@ -131,7 +130,7 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
      currentPicture: {
        // biome-ignore lint/style/useNamingConvention: api is in snake_case
        is_moderated: true,
-        id: null as number,
+        id: null,
        name: "",
        // biome-ignore lint/style/useNamingConvention: api is in snake_case
        display_name: "",
@@ -142,9 +141,8 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
        // biome-ignore lint/style/useNamingConvention: api is in snake_case
        full_size_url: "",
        owner: "",
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        created_at: new Date(),
-        identifications: [] as IdentifiedUserSchema[],
+        date: new Date(),
+        identifications: [],
      },
      /**
       * The picture which will be displayed next if the user press the "next" button
@@ -157,7 +155,7 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
      /**
       * The select2 component used to identify users
       **/
-      selector: undefined as UserAjaxSelect,
+      selector: undefined,
      /**
       * Error message when a moderation operation fails
       **/
--- a/sas/templates/sas/album.jinja
+++ b/sas/templates/sas/album.jinja
@@ -20,7 +20,7 @@

 {% block content %}
  <code>
-    <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album.parent) }} {{ album.name }}
+    <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album.parent) }} {{ album.get_display_name() }}
  </code>

  {% set is_sas_admin = user.can_edit(album) %}
@@ -30,7 +30,7 @@
    <form action="" method="post" enctype="multipart/form-data">
      {% csrf_token %}
      <div class="album-navbar">
-        <h3>{{ album.name }}</h3>
+        <h3>{{ album.get_display_name() }}</h3>

        <div class="toolbar">
          <a href="{{ url('sas:album_edit', album_id=album.id) }}">{% trans %}Edit{% endtrans %}</a>
@@ -40,17 +40,17 @@
        </div>
      </div>

-{#      {% if clipboard %}#}
-{#        <div class="clipboard">#}
-{#          {% trans %}Clipboard: {% endtrans %}#}
-{#          <ul>#}
-{#            {% for f in clipboard["albums"] %}#}
-{#              <li>{{ f.get_full_path() }}</li>#}
-{#            {% endfor %}#}
-{#          </ul>#}
-{#          <input name="clear" type="submit" value="{% trans %}Clear clipboard{% endtrans %}">#}
-{#        </div>#}
-{#      {% endif %}#}
+      {% if clipboard %}
+        <div class="clipboard">
+          {% trans %}Clipboard: {% endtrans %}
+          <ul>
+            {% for f in clipboard %}
+              <li>{{ f.get_full_path() }}</li>
+            {% endfor %}
+          </ul>
+          <input name="clear" type="submit" value="{% trans %}Clear clipboard{% endtrans %}">
+        </div>
+      {% endif %}
  {% endif %}

  {% if show_albums %}
@@ -73,8 +73,8 @@
                <div class="text">{% trans %}To be moderated{% endtrans %}</div>
              </template>
            </div>
-            {% if edit_mode %}
-              <input type="checkbox" name="album_list" :value="album.id">
+            {% if is_sas_admin %}
+              <input type="checkbox" name="file_list" :value="album.id">
            {% endif %}
          </a>
        </template>
@@ -100,7 +100,7 @@
            </template>
          </div>
          {% if is_sas_admin %}
-            <input type="checkbox" name="picture_list" :value="picture.id">
+            <input type="checkbox" name="file_list" :value="picture.id">
          {% endif %}
        </a>
      </template>
@@ -120,9 +120,9 @@
      {% csrf_token %}
      <div class="inputs">
        <p>
-          <label for="{{ form.images.id_for_label }}">{{ form.images.label }} :</label>
-          {{ form.images|add_attr("x-ref=pictures") }}
-          <span class="helptext">{{ form.images.help_text }}</span>
+          <label for="{{ upload_form.images.id_for_label }}">{{ upload_form.images.label }} :</label>
+          {{ upload_form.images|add_attr("x-ref=pictures") }}
+          <span class="helptext">{{ upload_form.images.help_text }}</span>
        </p>
        <input type="submit" value="{% trans %}Upload{% endtrans %}" />
        <progress x-ref="progress" x-show="sending"></progress>
--- a/sas/templates/sas/macros.jinja
+++ b/sas/templates/sas/macros.jinja
@@ -1,13 +1,19 @@
 {% macro display_album(a, edit_mode) %}
  <a href="{{ url('sas:album', album_id=a.id) }}">
-    {% if a.thumbnail %}
+    {% if a.file %}
      {% set img = a.get_download_url() %}
      {% set src = a.name %}
+    {% elif a.children.filter(is_folder=False, is_moderated=True).exists() %}
+      {% set picture = a.children.filter(is_folder=False).first().as_picture %}
+      {% set img = picture.get_download_thumb_url()  %}
+      {% set src = picture.name %}
    {% else %}
      {% set img = static('core/img/sas.jpg') %}
      {% set src = "sas.jpg" %}
    {% endif %}
-    <div class="album{% if not a.is_moderated %} not_moderated{% endif %}">
+    <div
+      class="album{% if not a.is_moderated %} not_moderated{% endif %}"
+    >
      <img src="{{ img }}" alt="{{ src }}" loading="lazy" />
      {% if not a.is_moderated %}
        <div class="overlay">&nbsp;</div>
@@ -25,7 +31,7 @@
 {% macro print_path(file) %}
  {% if file and file.parent %}
    {{ print_path(file.parent) }}
-    <a href="{{ url("sas:album", album_id=file.id) }}">{{ file.name }}</a> /
+    <a href="{{ url('sas:album', album_id=file.id) }}">{{ file.get_display_name() }}</a> /
  {% endif %}
 {% endmacro %}

--- a/sas/templates/sas/picture.jinja
+++ b/sas/templates/sas/picture.jinja
@@ -1,9 +1,9 @@
 {% extends "core/base.jinja" %}

 {%- block additional_css -%}
-  <link rel="stylesheet" href="{{ static('bundled/core/components/ajax-select-index.css') }}">
-  <link rel="stylesheet" href="{{ static('core/components/ajax-select.scss') }}">
-  <link rel="stylesheet" href="{{ static('sas/css/picture.scss') }}">
+  <link defer rel="stylesheet" href="{{ static('bundled/core/components/ajax-select-index.css') }}">
+  <link defer rel="stylesheet" href="{{ static('core/components/ajax-select.scss') }}">
+  <link defer rel="stylesheet" href="{{ static('sas/css/picture.scss') }}">
 {%- endblock -%}

 {%- block additional_js -%}
@@ -104,7 +104,7 @@
                <span
                  x-text="Intl.DateTimeFormat(
                          '{{ LANGUAGE_CODE }}', {dateStyle: 'long'}
-                          ).format(new Date(currentPicture.created_at))"
+                          ).format(new Date(currentPicture.date))"
                >
                </span>
              </div>
--- a/sas/tests/test_api.py
+++ b/sas/tests/test_api.py
@@ -27,8 +27,8 @@ class TestSas(TestCase):
        cls.user_b, cls.user_c = subscriber_user.make(_quantity=2)

        picture = picture_recipe.extend(owner=owner)
-        cls.album_a = baker.make(Album)
-        cls.album_b = baker.make(Album)
+        cls.album_a = baker.make(Album, is_in_sas=True, parent=sas)
+        cls.album_b = baker.make(Album, is_in_sas=True, parent=sas)
        relation_recipe = Recipe(PeoplePictureRelation)
        relations = []
        for album in cls.album_a, cls.album_b:
@@ -61,7 +61,7 @@ class TestPictureSearch(TestSas):
        self.client.force_login(self.user_b)
        res = self.client.get(self.url + f"?album_id={self.album_a.id}")
        assert res.status_code == 200
-        expected = list(self.album_a.pictures.values_list("id", flat=True))
+        expected = list(self.album_a.children_pictures.values_list("id", flat=True))
        assert [i["id"] for i in res.json()["results"]] == expected

    def test_filter_by_user(self):
@@ -70,7 +70,7 @@ class TestPictureSearch(TestSas):
        assert res.status_code == 200
        expected = list(
            self.user_a.pictures.order_by(
-                "-picture__parent__event_date", "picture__created_at"
+                "-picture__parent__date", "picture__date"
            ).values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected
@@ -84,7 +84,7 @@ class TestPictureSearch(TestSas):
        assert res.status_code == 200
        expected = list(
            self.user_a.pictures.union(self.user_b.pictures.all())
-            .order_by("-picture__parent__event_date", "picture__created_at")
+            .order_by("-picture__parent__date", "picture__date")
            .values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected
@@ -97,7 +97,7 @@ class TestPictureSearch(TestSas):
        assert res.status_code == 200
        expected = list(
            self.user_a.pictures.order_by(
-                "-picture__parent__event_date", "picture__created_at"
+                "-picture__parent__date", "picture__date"
            ).values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected
@@ -123,7 +123,7 @@ class TestPictureSearch(TestSas):
        assert res.status_code == 200
        expected = list(
            self.user_b.pictures.intersection(self.user_a.pictures.all())
-            .order_by("-picture__parent__event_date", "picture__created_at")
+            .order_by("-picture__parent__date", "picture__date")
            .values_list("picture_id", flat=True)
        )
        assert [i["id"] for i in res.json()["results"]] == expected
--- a/sas/tests/test_model.py
+++ b/sas/tests/test_model.py
@@ -3,8 +3,8 @@ from model_bakery import baker

 from core.baker_recipes import old_subscriber_user, subscriber_user
 from core.models import User
-from sas.baker_recipes import album_recipe, picture_recipe
-from sas.models import Album, Picture
+from sas.baker_recipes import picture_recipe
+from sas.models import Picture


 class TestPictureQuerySet(TestCase):
@@ -44,22 +44,3 @@ class TestPictureQuerySet(TestCase):
        user.pictures.create(picture=self.pictures[1])  # moderated
        pictures = list(Picture.objects.viewable_by(user))
        assert pictures == [self.pictures[1]]
-
-
-class TestDeleteAlbum(TestCase):
-    def setUp(cls):
-        cls.album: Album = album_recipe.make()
-        cls.album_pictures = picture_recipe.make(parent=cls.album, _quantity=5)
-        cls.sub_album = album_recipe.make(parent=cls.album)
-        cls.sub_album_pictures = picture_recipe.make(parent=cls.sub_album, _quantity=5)
-
-    def test_delete(self):
-        album_ids = [self.album.id, self.sub_album.id]
-        picture_ids = [
-            *[p.id for p in self.album_pictures],
-            *[p.id for p in self.sub_album_pictures],
-        ]
-        self.album.delete()
-        # assert not p.exists()
-        assert not Album.objects.filter(id__in=album_ids).exists()
-        assert not Picture.objects.filter(id__in=picture_ids).exists()
--- a/sas/tests/test_views.py
+++ b/sas/tests/test_views.py
@@ -136,7 +136,9 @@ class TestAlbumUpload:
 class TestSasModeration(TestCase):
    @classmethod
    def setUpTestData(cls):
-        album = baker.make(Album)
+        album = baker.make(
+            Album, parent_id=settings.SITH_SAS_ROOT_DIR_ID, is_moderated=True
+        )
        cls.pictures = picture_recipe.make(
            parent=album, _quantity=10, _bulk_create=True
        )
--- a/sas/views.py
+++ b/sas/views.py
@@ -12,7 +12,6 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-from pathlib import Path
 from typing import Any

 from django.conf import settings
@@ -22,12 +21,12 @@ from django.shortcuts import get_object_or_404
 from django.urls import reverse
 from django.utils.safestring import SafeString
 from django.views.generic import CreateView, DetailView, TemplateView
-from django.views.generic.edit import FormMixin, FormView, UpdateView
+from django.views.generic.edit import FormView, UpdateView

 from core.auth.mixins import CanEditMixin, CanViewMixin
 from core.models import SithFile, User
-from core.views import FileView, UseFragmentsMixin
-from core.views.files import send_raw_file
+from core.views import UseFragmentsMixin
+from core.views.files import FileView, send_file
 from core.views.mixins import FragmentMixin, FragmentRenderer
 from core.views.user import UserTabsMixin
 from sas.forms import (
@@ -63,7 +62,6 @@ class AlbumCreateFragment(FragmentMixin, CreateView):


 class SASMainView(UseFragmentsMixin, TemplateView):
-    form_class = AlbumCreateForm
    template_name = "sas/main.jinja"

    def get_fragments(self) -> dict[str, FragmentRenderer]:
@@ -80,26 +78,12 @@ class SASMainView(UseFragmentsMixin, TemplateView):
        root_user = User.objects.get(pk=settings.SITH_ROOT_USER_ID)
        return {"album_create_fragment": {"owner": root_user}}

-    def dispatch(self, request, *args, **kwargs):
-        if request.method == "POST" and not self.request.user.has_perm("sas.add_album"):
-            raise PermissionDenied
-        return super().dispatch(request, *args, **kwargs)
-
-    def get_form(self, form_class=None):
-        if not self.request.user.has_perm("sas.add_album"):
-            return None
-        return super().get_form(form_class)
-
-    def get_form_kwargs(self):
-        return super().get_form_kwargs() | {
-            "owner": User.objects.get(pk=settings.SITH_ROOT_USER_ID),
-            "parent": None,
-        }
-
    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)
        albums_qs = Album.objects.viewable_by(self.request.user)
-        kwargs["categories"] = list(albums_qs.filter(parent=None).order_by("id"))
+        kwargs["categories"] = list(
+            albums_qs.filter(parent_id=settings.SITH_SAS_ROOT_DIR_ID).order_by("id")
+        )
        kwargs["latest"] = list(albums_qs.order_by("-id")[:5])
        return kwargs

@@ -109,9 +93,6 @@ class PictureView(CanViewMixin, DetailView):
    pk_url_kwarg = "picture_id"
    template_name = "sas/picture.jinja"

-    def get_queryset(self):
-        return super().get_queryset().select_related("parent")
-
    def get(self, request, *args, **kwargs):
        self.object = self.get_object()
        if "rotate_right" in request.GET:
@@ -121,42 +102,31 @@ class PictureView(CanViewMixin, DetailView):
        return super().get(request, *args, **kwargs)

    def get_context_data(self, **kwargs):
-        return super().get_context_data(**kwargs) | {"album": self.object.parent}
+        return super().get_context_data(**kwargs) | {
+            "album": Album.objects.get(children=self.object)
+        }


 def send_album(request, album_id):
-    album = get_object_or_404(Album, id=album_id)
-    if not album.can_be_viewed_by(request.user):
-        raise PermissionDenied
-    return send_raw_file(Path(album.thumbnail.path))
+    return send_file(request, album_id, Album)


 def send_pict(request, picture_id):
-    picture = get_object_or_404(Picture, id=picture_id)
-    if not picture.can_be_viewed_by(request.user):
-        raise PermissionDenied
-    return send_raw_file(Path(picture.original.path))
+    return send_file(request, picture_id, Picture)


 def send_compressed(request, picture_id):
-    picture = get_object_or_404(Picture, id=picture_id)
-    if not picture.can_be_viewed_by(request.user):
-        raise PermissionDenied
-    return send_raw_file(Path(picture.compressed.path))
+    return send_file(request, picture_id, Picture, "compressed")


 def send_thumb(request, picture_id):
-    picture = get_object_or_404(Picture, id=picture_id)
-    if not picture.can_be_viewed_by(request.user):
-        raise PermissionDenied
-    return send_raw_file(Path(picture.thumbnail.path))
+    return send_file(request, picture_id, Picture, "thumbnail")


-class AlbumView(CanViewMixin, UseFragmentsMixin, FormMixin, DetailView):
+class AlbumView(CanViewMixin, UseFragmentsMixin, DetailView):
    model = Album
    pk_url_kwarg = "album_id"
    template_name = "sas/album.jinja"
-    form_class = PictureUploadForm

    def get_fragments(self) -> dict[str, FragmentRenderer]:
        return {
@@ -171,32 +141,27 @@ class AlbumView(CanViewMixin, UseFragmentsMixin, FormMixin, DetailView):
        except ValueError as e:
            raise Http404 from e
        if "clipboard" not in request.session:
-            request.session["clipboard"] = {"albums": [], "pictures": []}
+            request.session["clipboard"] = []
        return super().dispatch(request, *args, **kwargs)

-    def get_form(self, *args, **kwargs):
-        if not self.request.user.can_edit(self.object):
-            return None
-        return super().get_form(*args, **kwargs)
-
    def post(self, request, *args, **kwargs):
        self.object = self.get_object()
-        form = self.get_form()
-        if not form:
-            # the form is reserved for users that can edit this album.
-            # If there is no form, it means the user has no right to do a POST
-            raise PermissionDenied
-        FileView.handle_clipboard(self.request, self.object)
-        if not form.is_valid():
-            return self.form_invalid(form)
-        return self.form_valid(form)
+        if not self.object.file:
+            self.object.generate_thumbnail()
+        if request.user.can_edit(self.object):  # Handle the copy-paste functions
+            FileView.handle_clipboard(request, self.object)
+        return HttpResponseRedirect(self.request.path)

    def get_fragment_data(self) -> dict[str, dict[str, Any]]:
        return {"album_create_fragment": {"owner": self.request.user}}

    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)
-        kwargs["clipboard"] = {}
+        if ids := self.request.session.get("clipboard", None):
+            kwargs["clipboard"] = SithFile.objects.filter(id__in=ids)
+        kwargs["upload_form"] = PictureUploadForm()
+        # if True, the albums will be fetched with a request to the API
+        # if False, the section won't be displayed at all
        kwargs["show_albums"] = (
            Album.objects.viewable_by(self.request.user)
            .filter(parent_id=self.object.id)
@@ -242,7 +207,7 @@ class ModerationView(TemplateView):
    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)
        kwargs["albums_to_moderate"] = Album.objects.filter(
-            is_moderated=False
+            is_moderated=False, is_in_sas=True, is_folder=True
        ).order_by("id")
        pictures = Picture.objects.filter(is_moderated=False).select_related("parent")
        kwargs["pictures"] = pictures
--- a/staticfiles/processors.py
+++ b/staticfiles/processors.py
@@ -182,12 +182,13 @@ class OpenApi:
                path[action]["operationId"] = "_".join(
                    desc["operationId"].split("_")[:-1]
                )
-
        schema = str(schema)

        if old_hash == sha1(schema.encode("utf-8")).hexdigest():
            logging.getLogger("django").info("✨ Api did not change, nothing to do ✨")
            return

-        out.write_text(schema)
+        with open(out, "w") as f:
+            _ = f.write(schema)
+
        return subprocess.Popen(["npm", "run", "openapi"])
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -14,7 +14,6 @@
    "types": ["jquery", "alpinejs"],
    "paths": {
      "#openapi": ["./staticfiles/generated/openapi/client/index.ts"],
-      "#openapi:*": ["./staticfiles/generated/openapi/client/*"],
      "#core:*": ["./core/static/bundled/*"],
      "#pedagogy:*": ["./pedagogy/static/bundled/*"],
      "#counter:*": ["./counter/static/bundled/*"],
Author	SHA1	Message	Date
imperosol	5888b96271	apply review comments	2025-06-27 13:28:44 +02:00
imperosol	455e1d85d4	remove `CanCreateMixin` usage from election	2025-06-27 12:01:15 +02:00
imperosol	6072142a28	refactor election result computing	2025-06-27 12:01:15 +02:00
imperosol	f9c2794a25	refactor election detail view	2025-06-27 12:01:14 +02:00
imperosol	b245d5bc1b	feat: add x-limited-choices directive	2025-06-27 12:00:52 +02:00
imperosol	fc773f375b	refactor CandidatureForm	2025-06-27 12:00:51 +02:00
imperosol	e3d0c3f369	move forms to their own file	2025-06-27 12:00:51 +02:00