feat: whitelist for user visibility

upgrade to vite 8

.gitignore

@@ -24,6 +24,9 @@ node_modules/
 # compiled documentation
 site/
 
+# rollup-bundle-visualizer report
+.bundle-size-report.html
+
 ### Redis ###
 
 # Ignore redis binary dump (dump.rdb) files

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.15.0
+    rev: v0.15.5
     hooks:
       - id: ruff-check  # just check the code, and print the errors
       - id: ruff-check  # actually fix the fixable errors, but print nothing
@@ -12,7 +12,7 @@ repos:
     rev: v0.6.1
     hooks:
       - id: biome-check
-        additional_dependencies: ["@biomejs/biome@2.3.14"]
+        additional_dependencies: ["@biomejs/biome@2.4.6"]
   - repo: https://github.com/rtts/djhtml
     rev: 3.0.10
     hooks:

biome.json

@@ -7,7 +7,7 @@
   },
   "files": {
     "ignoreUnknown": false,
-    "includes": ["**/static/**"]
+    "includes": ["**/static/**", "vite.config.mts"]
   },
   "formatter": {
     "enabled": true,

com/views.py

@@ -244,9 +244,8 @@ class NewsListView(TemplateView):
             .filter(
                 date_of_birth__month=localdate().month,
                 date_of_birth__day=localdate().day,
-                is_viewable=True,
+                role__in=["STUDENT", "FORMER STUDENT"],
             )
-            .filter(role__in=["STUDENT", "FORMER STUDENT"])
             .order_by("-date_of_birth"),
             key=lambda u: u.date_of_birth.year,
         )

core/admin.py

@@ -63,6 +63,7 @@ class UserAdmin(admin.ModelAdmin):
         "scrub_pict",
         "user_permissions",
         "groups",
+        "whitelisted_users",
     )
     inlines = (UserBanInline,)
     search_fields = ["first_name", "last_name", "username"]

core/migrations/0049_user_whitelisted_users.py

@@ -0,0 +1,24 @@
+# Generated by Django 5.2.12 on 2026-03-14 08:39
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0048_alter_user_options")]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="whitelisted_users",
+            field=models.ManyToManyField(
+                help_text=(
+                    "If this profile is hidden, "
+                    "the users in this list will still be able to see it."
+                ),
+                related_name="visible_by_whitelist",
+                to=settings.AUTH_USER_MODEL,
+                verbose_name="whitelisted users",
+            ),
+        ),
+    ]

core/models.py

@@ -131,7 +131,7 @@ class UserQuerySet(models.QuerySet):
         if user.has_perm("core.view_hidden_user"):
             return self
         if user.has_perm("core.view_user"):
-            return self.filter(is_viewable=True)
+            return self.filter(Q(is_viewable=True) | Q(whitelisted_users=user))
         if user.is_anonymous:
             return self.none()
         return self.filter(id=user.id)
@@ -279,6 +279,15 @@ class User(AbstractUser):
         ),
         default=True,
     )
+    whitelisted_users = models.ManyToManyField(
+        "User",
+        related_name="visible_by_whitelist",
+        verbose_name=_("whitelisted users"),
+        help_text=_(
+            "If this profile is hidden, "
+            "the users in this list will still be able to see it."
+        ),
+    )
     godfathers = models.ManyToManyField("User", related_name="godchildren", blank=True)
 
     objects = CustomUserManager()
@@ -567,10 +576,31 @@ class User(AbstractUser):
         return user.is_root or user.is_board_member
 
     def can_be_viewed_by(self, user: User) -> bool:
+        """Check if the given user can be viewed by this user.
+
+        Given users A and B. A can be viewed by B if :
+
+        - A and B are the same user
+        - or B has the permission to view hidden users
+        - or B can view users in general and A didn't hide its profile
+        - or B is in A's whitelist.
+        """
+
+        def is_in_whitelist(u: User):
+            if (
+                hasattr(self, "_prefetched_objects_cache")
+                and "whitelisted_users" in self._prefetched_objects_cache
+            ):
+                return u in self.whitelisted_users.all()
+            return self.whitelisted_users.contains(u)
+
         return (
             user.id == self.id
             or user.has_perm("core.view_hidden_user")
-            or (user.has_perm("core.view_user") and self.is_viewable)
+            or (
+                user.has_perm("core.view_user")
+                and (self.is_viewable or is_in_whitelist(user))
+            )
         )
 
     def get_mini_item(self):

core/static/bundled/core/components/nfc-input-index.ts

@@ -26,7 +26,6 @@ export class NfcInput extends inheritHtmlElement("input") {
         window.alert(gettext("Unsupported NFC card"));
       });
 
-      // biome-ignore lint/correctness/noUndeclaredVariables: browser API
       ndef.addEventListener("reading", (event: NDEFReadingEvent) => {
         this.removeAttribute("scan");
         this.node.value = event.serialNumber.replace(/:/g, "").toUpperCase();

core/static/core/base.css

@@ -115,7 +115,6 @@ blockquote:before,
 blockquote:after,
 q:before,
 q:after {
-  content: "";
   content: none;
 }
 table {

core/tests/test_user.py

@@ -399,13 +399,12 @@ class TestUserQuerySetViewableBy:
         return [
             baker.make(User),
             subscriber_user.make(),
-            subscriber_user.make(is_viewable=False),
+            *subscriber_user.make(is_viewable=False, _quantity=2),
         ]
 
     def test_admin_user(self, users: list[User]):
         user = baker.make(
-            User,
-            user_permissions=[Permission.objects.get(codename="view_hidden_user")],
+            User, user_permissions=[Permission.objects.get(codename="view_hidden_user")]
         )
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == set(users)
@@ -418,6 +417,12 @@ class TestUserQuerySetViewableBy:
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == {users[0], users[1]}
 
+    def test_whitelist(self, users: list[User]):
+        user = subscriber_user.make()
+        users[3].whitelisted_users.add(user)
+        viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
+        assert set(viewable) == {users[0], users[1], users[3]}
+
     @pytest.mark.parametrize("user_factory", [lambda: baker.make(User), AnonymousUser])
     def test_not_subscriber(self, users: list[User], user_factory):
         user = user_factory()

core/urls.py

@@ -69,7 +69,6 @@ from core.views import (
     UserCreationView,
     UserGodfathersTreeView,
     UserGodfathersView,
-    UserListView,
     UserMeRedirect,
     UserMiniView,
     UserPreferencesView,
@@ -136,7 +135,6 @@ urlpatterns = [
         "group/<int:group_id>/detail/", GroupTemplateView.as_view(), name="group_detail"
     ),
     # User views
-    path("user/", UserListView.as_view(), name="user_list"),
     path(
         "user/me/<path:remaining_path>/",
         UserMeRedirect.as_view(),

core/views/user.py

@@ -48,7 +48,6 @@ from django.views.generic import (
     CreateView,
     DeleteView,
     DetailView,
-    ListView,
     RedirectView,
     TemplateView,
 )
@@ -404,13 +403,6 @@ class UserMiniView(CanViewMixin, DetailView):
     template_name = "core/user_mini.jinja"
 
 
-class UserListView(ListView, CanEditPropMixin):
-    """Displays the user list."""
-
-    model = User
-    template_name = "core/user_list.jinja"
-
-
 # FIXME: the edit_once fields aren't displayed to the user (as expected).
 #  However, if the user re-add them manually in the form, they are saved.
 class UserUpdateProfileView(UserTabsMixin, CanEditMixin, UpdateView):

counter/static/bundled/counter/counter-click-index.ts

@@ -64,7 +64,7 @@ document.addEventListener("alpine:init", () => {
 
     checkFormulas() {
       const products = new Set(
-        Object.keys(this.basket).map((i: string) => Number.parseInt(i)),
+        Object.keys(this.basket).map((i: string) => Number.parseInt(i, 10)),
       );
       const formula: ProductFormula = config.formulas.find((f: ProductFormula) => {
         return f.products.every((p: number) => products.has(p));

election/templates/election/election_detail.jinja

@@ -146,7 +146,7 @@
                           <label for="{{ input_id }}">
                         {%- endif %}
                         <figure>
-                          {%- if user.is_viewable %}
+                          {%- if user.can_view(candidature.user) %}
                             {% if candidature.user.profile_pict %}
                               <img class="candidate__picture" src="{{ candidature.user.profile_pict.get_download_url() }}" alt="{% trans %}Profile{% endtrans %}">
                             {% else %}

package.json

@@ -8,8 +8,6 @@
     "compile-dev": "vite build --mode development",
     "serve": "vite build --mode development --watch --minify false",
     "openapi": "openapi-ts",
-    "analyse-dev": "vite-bundle-visualizer --mode development",
-    "analyse-prod": "vite-bundle-visualizer --mode production",
     "check": "tsc && biome check --write"
   },
   "keywords": [],
@@ -28,29 +26,28 @@
   "devDependencies": {
     "@babel/core": "^7.29.0",
     "@babel/preset-env": "^7.29.0",
-    "@biomejs/biome": "^2.3.14",
-    "@hey-api/openapi-ts": "^0.92.4",
+    "@biomejs/biome": "^2.4.6",
+    "@hey-api/openapi-ts": "^0.94.0",
     "@rollup/plugin-inject": "^5.0.5",
     "@types/alpinejs": "^3.13.11",
     "@types/cytoscape-cxtmenu": "^3.4.5",
     "@types/cytoscape-klay": "^3.1.5",
     "@types/js-cookie": "^3.0.6",
+    "rollup-plugin-visualizer": "^7.0.1",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
-    "vite-bundle-visualizer": "^1.2.1",
-    "vite-plugin-static-copy": "^3.2.0"
+    "vite": "^8.0.0"
   },
   "dependencies": {
     "@alpinejs/sort": "^3.15.8",
     "@arendjr/text-clipper": "npm:@jsr/arendjr__text-clipper@^3.0.0",
-    "@floating-ui/dom": "^1.7.5",
+    "@floating-ui/dom": "^1.7.6",
     "@fortawesome/fontawesome-free": "^7.2.0",
     "@fullcalendar/core": "^6.1.20",
     "@fullcalendar/daygrid": "^6.1.20",
     "@fullcalendar/icalendar": "^6.1.20",
     "@fullcalendar/list": "^6.1.20",
-    "@sentry/browser": "^10.38.0",
-    "@zip.js/zip.js": "^2.8.20",
+    "@sentry/browser": "^10.43.0",
+    "@zip.js/zip.js": "^2.8.23",
     "3d-force-graph": "^1.79.1",
     "alpinejs": "^3.15.8",
     "chart.js": "^4.5.1",
@@ -60,14 +57,14 @@
     "cytoscape-klay": "^3.1.4",
     "d3-force-3d": "^3.0.6",
     "easymde": "^2.20.0",
-    "glob": "^13.0.2",
+    "glob": "^13.0.6",
     "html2canvas": "^1.4.1",
     "htmx.org": "^2.0.8",
     "js-cookie": "^3.0.5",
     "lit-html": "^3.3.2",
     "native-file-system-adapter": "^3.0.1",
-    "three": "^0.182.0",
+    "three": "^0.183.2",
     "three-spritetext": "^1.10.0",
-    "tom-select": "^2.5.1"
+    "tom-select": "^2.5.2"
   }
 }

pyproject.toml

@@ -19,7 +19,7 @@ authors = [
 license = { text = "GPL-3.0-only" }
 requires-python = "<4.0,>=3.12"
 dependencies = [
-    "django>=5.2.11,<6.0.0",
+    "django>=5.2.12,<6.0.0",
     "django-ninja>=1.5.3,<6.0.0",
     "django-ninja-extra>=0.31.0",
     "Pillow>=12.1.1,<13.0.0",
@@ -27,15 +27,15 @@ dependencies = [
     "django-jinja<3.0.0,>=2.11.0",
     "cryptography>=46.0.5,<47.0.0",
     "django-phonenumber-field>=8.4.0,<9.0.0",
-    "phonenumbers>=9.0.23,<10.0.0",
-    "reportlab>=4.4.9,<5.0.0",
+    "phonenumbers>=9.0.25,<10.0.0",
+    "reportlab>=4.4.10,<5.0.0",
     "django-haystack<4.0.0,>=3.3.0",
     "xapian-haystack<4.0.0,>=3.1.0",
     "libsass<1.0.0,>=0.23.0",
     "django-ordered-model<4.0.0,>=3.7.4",
     "django-simple-captcha<1.0.0,>=0.6.3",
     "python-dateutil<3.0.0.0,>=2.9.0.post0",
-    "sentry-sdk>=2.52.0,<3.0.0",
+    "sentry-sdk>=2.54.0,<3.0.0",
     "jinja2<4.0.0,>=3.1.6",
     "django-countries>=8.2.0,<9.0.0",
     "dict2xml>=1.7.8,<2.0.0",
@@ -51,7 +51,7 @@ dependencies = [
     "psutil>=7.2.2,<8.0.0",
     "celery[redis]>=5.6.2,<7",
     "django-celery-results>=2.5.1",
-    "django-celery-beat>=2.7.0",
+    "django-celery-beat>=2.9.0",
 ]
 
 [project.urls]
@@ -60,31 +60,31 @@ documentation = "https://sith-ae.readthedocs.io/"
 
 [dependency-groups]
 prod = [
-    "psycopg[c]>=3.3.2,<4.0.0",
+    "psycopg[c]>=3.3.3,<4.0.0",
 ]
 dev = [
     "django-debug-toolbar>=6.2.0,<7",
-    "ipython>=9.10.0,<10.0.0",
+    "ipython>=9.11.0,<10.0.0",
     "pre-commit>=4.5.1,<5.0.0",
-    "ruff>=0.15.0,<1.0.0",
+    "ruff>=0.15.5,<1.0.0",
     "djhtml>=3.0.10,<4.0.0",
-    "faker>=40.4.0,<41.0.0",
+    "faker>=40.8.0,<41.0.0",
     "rjsmin>=1.2.5,<2.0.0",
 ]
 tests = [
     "freezegun>=1.5.5,<2.0.0",
     "pytest>=9.0.2,<10.0.0",
     "pytest-cov>=7.0.0,<8.0.0",
-    "pytest-django<5.0.0,>=4.10.0",
-    "model-bakery<2.0.0,>=1.23.2",
+    "pytest-django<5.0.0,>=4.12.0",
+    "model-bakery<2.0.0,>=1.23.3",
     "beautifulsoup4>=4.14.3,<5",
     "lxml>=6.0.2,<7",
 ]
 docs = [
     "mkdocs<2.0.0,>=1.6.1",
-    "mkdocs-material>=9.7.1,<10.0.0",
+    "mkdocs-material>=9.7.5,<10.0.0",
     "mkdocstrings>=1.0.3,<2.0.0",
-    "mkdocstrings-python>=2.0.2,<3.0.0",
+    "mkdocstrings-python>=2.0.3,<3.0.0",
     "mkdocs-include-markdown-plugin>=7.2.1,<8.0.0",
 ]
 

sas/static/bundled/sas/viewer-index.ts

@@ -1,7 +1,6 @@
 import type TomSelect from "tom-select";
 import type { UserAjaxSelect } from "#core:core/components/ajax-select-index.ts";
 import { paginated } from "#core:utils/api.ts";
-import { exportToHtml } from "#core:utils/globals.ts";
 import { History } from "#core:utils/history.ts";
 import {
   type IdentifiedUserSchema,

vite.config.mts

@@ -1,14 +1,17 @@
-// biome-ignore lint/correctness/noNodejsModules: this is backend side
 import { parse, resolve } from "node:path";
 import inject from "@rollup/plugin-inject";
 import { glob } from "glob";
-import type { Rollup } from "vite";
-import { type AliasOptions, defineConfig, type UserConfig } from "vite";
+import { visualizer } from "rollup-plugin-visualizer";
+import {
+  type AliasOptions,
+  defineConfig,
+  type PluginOption,
+  type Rollup,
+  type UserConfig,
+} from "vite";
 import tsconfig from "./tsconfig.json";
 
 const outDir = resolve(__dirname, "./staticfiles/generated/bundled");
-const vendored = resolve(outDir, "vendored");
-const nodeModules = resolve(__dirname, "node_modules");
 const collectedFiles = glob.sync(
   "./!(static)/static/bundled/**/*?(-)index.?(m)[j|t]s?(x)",
 );
@@ -42,7 +45,6 @@ function getRelativeAssetPath(path: string): string {
   return relativePath.join("/");
 }
 
-// biome-ignore lint/style/noDefaultExport: this is recommended by documentation
 export default defineConfig((config: UserConfig) => {
   return {
     base: "/static/bundled/",
@@ -86,6 +88,7 @@ export default defineConfig((config: UserConfig) => {
         Alpine: "alpinejs",
         htmx: "htmx.org",
       }),
+      visualizer({ filename: ".bundle-size-report.html" }) as PluginOption,
     ],
   } satisfies UserConfig;
 });