Fix link-once and script-once not triggering when another one disappears

Eurock

.gitignore

@@ -24,6 +24,9 @@ node_modules/
 # compiled documentation
 site/
 
+# rollup-bundle-visualizer report
+.bundle-size-report.html
+
 ### Redis ###
 
 # Ignore redis binary dump (dump.rdb) files

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.15.0
+    rev: v0.15.5
     hooks:
       - id: ruff-check  # just check the code, and print the errors
       - id: ruff-check  # actually fix the fixable errors, but print nothing
@@ -12,7 +12,7 @@ repos:
     rev: v0.6.1
     hooks:
       - id: biome-check
-        additional_dependencies: ["@biomejs/biome@2.3.14"]
+        additional_dependencies: ["@biomejs/biome@2.4.6"]
   - repo: https://github.com/rtts/djhtml
     rev: 3.0.10
     hooks:

biome.json

@@ -7,7 +7,7 @@
   },
   "files": {
     "ignoreUnknown": false,
-    "includes": ["**/static/**"]
+    "includes": ["**/static/**", "vite.config.mts"]
   },
   "formatter": {
     "enabled": true,

club/api.py

@@ -6,9 +6,15 @@ from ninja_extra.pagination import PageNumberPaginationExtra
 from ninja_extra.schemas import PaginatedResponseSchema
 
 from api.auth import ApiKeyAuth
-from api.permissions import CanAccessLookup, HasPerm
+from api.permissions import CanAccessLookup, CanView, HasPerm
 from club.models import Club, Membership
-from club.schemas import ClubSchema, ClubSearchFilterSchema, SimpleClubSchema
+from club.schemas import (
+    ClubSchema,
+    ClubSearchFilterSchema,
+    SimpleClubSchema,
+    UserMembershipSchema,
+)
+from core.models import User
 
 
 @api_controller("/club")
@@ -38,3 +44,22 @@ class ClubController(ControllerBase):
         return self.get_object_or_exception(
             Club.objects.prefetch_related(prefetch), id=club_id
         )
+
+
+@api_controller("/user/{int:user_id}/club")
+class UserClubController(ControllerBase):
+    @route.get(
+        "",
+        response=list[UserMembershipSchema],
+        auth=[ApiKeyAuth(), SessionAuth()],
+        permissions=[CanView],
+        url_name="fetch_user_clubs",
+    )
+    def fetch_user_clubs(self, user_id: int):
+        """Get all the active memberships of the given user."""
+        user = self.get_object_or_exception(User, id=user_id)
+        return (
+            Membership.objects.ongoing()
+            .filter(user=user)
+            .select_related("club", "user")
+        )

club/schemas.py

@@ -40,6 +40,8 @@ class ClubProfileSchema(ModelSchema):
 
 
 class ClubMemberSchema(ModelSchema):
+    """A schema to represent all memberships in a club."""
+
     class Meta:
         model = Membership
         fields = ["start_date", "end_date", "role", "description"]
@@ -53,3 +55,13 @@ class ClubSchema(ModelSchema):
         fields = ["id", "name", "logo", "is_active", "short_description", "address"]
 
     members: list[ClubMemberSchema]
+
+
+class UserMembershipSchema(ModelSchema):
+    """A schema to represent the active club memberships of a user."""
+
+    class Meta:
+        model = Membership
+        fields = ["id", "start_date", "role", "description"]
+
+    club: SimpleClubSchema

club/tests/test_user_club_controller.py

@@ -0,0 +1,50 @@
+from datetime import timedelta
+
+from django.test import TestCase
+from django.urls import reverse
+from django.utils.timezone import localdate
+from model_bakery import baker
+from model_bakery.recipe import Recipe
+
+from club.models import Club, Membership
+from club.schemas import UserMembershipSchema
+from core.baker_recipes import subscriber_user
+from core.models import Page
+
+
+class TestFetchClub(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        pages = baker.make(Page, _quantity=3, _bulk_create=True)
+        clubs = baker.make(Club, page=iter(pages), _quantity=3, _bulk_create=True)
+        recipe = Recipe(
+            Membership, user=cls.user, start_date=localdate() - timedelta(days=2)
+        )
+        cls.members = Membership.objects.bulk_create(
+            [
+                recipe.prepare(club=clubs[0]),
+                recipe.prepare(club=clubs[1], end_date=localdate() - timedelta(days=1)),
+                recipe.prepare(club=clubs[1]),
+            ]
+        )
+
+    def test_fetch_memberships(self):
+        self.client.force_login(subscriber_user.make())
+        res = self.client.get(
+            reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+        )
+        assert res.status_code == 200
+        assert [UserMembershipSchema.model_validate(m) for m in res.json()] == [
+            UserMembershipSchema.from_orm(m) for m in (self.members[0], self.members[2])
+        ]
+
+    def test_fetch_club_nb_queries(self):
+        self.client.force_login(subscriber_user.make())
+        with self.assertNumQueries(6):
+            # - 5 queries for authentication
+            # - 1 query for the actual data
+            res = self.client.get(
+                reverse("api:fetch_user_clubs", kwargs={"user_id": self.user.id})
+            )
+            assert res.status_code == 200

com/views.py

@@ -244,9 +244,8 @@ class NewsListView(TemplateView):
             .filter(
                 date_of_birth__month=localdate().month,
                 date_of_birth__day=localdate().day,
-                is_viewable=True,
+                role__in=["STUDENT", "FORMER STUDENT"],
             )
-            .filter(role__in=["STUDENT", "FORMER STUDENT"])
             .order_by("-date_of_birth"),
             key=lambda u: u.date_of_birth.year,
         )

core/admin.py

@@ -63,6 +63,7 @@ class UserAdmin(admin.ModelAdmin):
         "scrub_pict",
         "user_permissions",
         "groups",
+        "whitelisted_users",
     )
     inlines = (UserBanInline,)
     search_fields = ["first_name", "last_name", "username"]

core/auth/mixins.py

@@ -307,6 +307,7 @@ class PermissionOrClubBoardRequiredMixin(PermissionRequiredMixin):
             return False
         if super().has_permission():
             return True
-        return self.club is not None and any(
-            g.id == self.club.board_group_id for g in self.request.user.cached_groups
+        return (
+            self.club is not None
+            and self.club.board_group_id in self.request.user.all_groups
         )

core/management/commands/populate.py

@@ -116,7 +116,11 @@ class Command(BaseCommand):
         )
         main_club.board_group.permissions.add(
             *Permission.objects.filter(
-                codename__in=["view_subscription", "add_subscription"]
+                codename__in=[
+                    "view_subscription",
+                    "add_subscription",
+                    "view_hidden_user",
+                ]
             )
         )
         bar_club = Club.objects.create(

core/migrations/0049_user_whitelisted_users.py

@@ -0,0 +1,37 @@
+# Generated by Django 5.2.12 on 2026-03-14 08:39
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0048_alter_user_options")]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="whitelisted_users",
+            field=models.ManyToManyField(
+                blank=True,
+                help_text=(
+                    "Even if this profile is hidden, "
+                    "the users in this list will still be able to see it."
+                ),
+                related_name="visible_by_whitelist",
+                to=settings.AUTH_USER_MODEL,
+                verbose_name="whitelisted users",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="preferences",
+            name="show_my_stats",
+            field=models.BooleanField(
+                default=False,
+                help_text=(
+                    "Allow subscribers (or whitelisted users "
+                    "if your profile is hidden) to access your AE account stats."
+                ),
+                verbose_name="show your stats to others",
+            ),
+        ),
+    ]

core/models.py

@@ -131,7 +131,7 @@ class UserQuerySet(models.QuerySet):
         if user.has_perm("core.view_hidden_user"):
             return self
         if user.has_perm("core.view_user"):
-            return self.filter(is_viewable=True)
+            return self.filter(Q(is_viewable=True) | Q(whitelisted_users=user))
         if user.is_anonymous:
             return self.none()
         return self.filter(id=user.id)
@@ -279,6 +279,16 @@ class User(AbstractUser):
         ),
         default=True,
     )
+    whitelisted_users = models.ManyToManyField(
+        "User",
+        related_name="visible_by_whitelist",
+        verbose_name=_("whitelisted users"),
+        help_text=_(
+            "Even if this profile is hidden, "
+            "the users in this list will still be able to see it."
+        ),
+        blank=True,
+    )
     godfathers = models.ManyToManyField("User", related_name="godchildren", blank=True)
 
     objects = CustomUserManager()
@@ -356,23 +366,27 @@ class User(AbstractUser):
         )
         if group_id is None:
             return False
-        if group_id == settings.SITH_GROUP_SUBSCRIBERS_ID:
-            return self.is_subscribed
-        if group_id == settings.SITH_GROUP_ROOT_ID:
-            return self.is_root
-        return any(g.id == group_id for g in self.cached_groups)
+        return group_id in self.all_groups
 
     @cached_property
-    def cached_groups(self) -> list[Group]:
+    def all_groups(self) -> dict[int, Group]:
         """Get the list of groups this user is in."""
-        return list(self.groups.all())
+        additional_groups = []
+        if self.is_subscribed:
+            additional_groups.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
+        if self.is_superuser:
+            additional_groups.append(settings.SITH_GROUP_ROOT_ID)
+        qs = self.groups.all()
+        if additional_groups:
+            # This is somewhat counter-intuitive, but this query runs way faster with
+            # a UNION rather than a OR (in average, 0.25ms vs 14ms).
+            # For the why, cf. https://dba.stackexchange.com/questions/293836/why-is-an-or-statement-slower-than-union
+            qs = qs.union(Group.objects.filter(id__in=additional_groups))
+        return {g.id: g for g in qs}
 
     @cached_property
     def is_root(self) -> bool:
-        if self.is_superuser:
-            return True
-        root_id = settings.SITH_GROUP_ROOT_ID
-        return any(g.id == root_id for g in self.cached_groups)
+        return self.is_superuser or settings.SITH_GROUP_ROOT_ID in self.all_groups
 
     @cached_property
     def is_board_member(self) -> bool:
@@ -514,7 +528,7 @@ class User(AbstractUser):
         self.username = user_name
         return user_name
 
-    def is_owner(self, obj):
+    def is_owner(self, obj: models.Model):
         """Determine if the object is owned by the user."""
         if hasattr(obj, "is_owned_by") and obj.is_owned_by(self):
             return True
@@ -522,7 +536,7 @@ class User(AbstractUser):
             return True
         return self.is_root
 
-    def can_edit(self, obj):
+    def can_edit(self, obj: models.Model):
         """Determine if the object can be edited by the user."""
         if hasattr(obj, "can_be_edited_by") and obj.can_be_edited_by(self):
             return True
@@ -536,11 +550,9 @@ class User(AbstractUser):
                 pks = list(obj.edit_groups.values_list("id", flat=True))
             if any(self.is_in_group(pk=pk) for pk in pks):
                 return True
-        if isinstance(obj, User) and obj == self:
-            return True
         return self.is_owner(obj)
 
-    def can_view(self, obj):
+    def can_view(self, obj: models.Model):
         """Determine if the object can be viewed by the user."""
         if hasattr(obj, "can_be_viewed_by") and obj.can_be_viewed_by(self):
             return True
@@ -559,14 +571,35 @@ class User(AbstractUser):
                 return True
         return self.can_edit(obj)
 
-    def can_be_edited_by(self, user):
-        return user.is_root or user.is_board_member
+    def can_be_edited_by(self, user: User):
+        return user == self or user.is_root or user.is_board_member
 
     def can_be_viewed_by(self, user: User) -> bool:
+        """Check if the given user can be viewed by this user.
+
+        Given users A and B. A can be viewed by B if :
+
+        - A and B are the same user
+        - or B has the permission to view hidden users
+        - or B can view users in general and A didn't hide its profile
+        - or B is in A's whitelist.
+        """
+
+        def is_in_whitelist(u: User):
+            if (
+                hasattr(self, "_prefetched_objects_cache")
+                and "whitelisted_users" in self._prefetched_objects_cache
+            ):
+                return u in self.whitelisted_users.all()
+            return self.whitelisted_users.contains(u)
+
         return (
             user.id == self.id
             or user.has_perm("core.view_hidden_user")
-            or (user.has_perm("core.view_user") and self.is_viewable)
+            or (
+                user.has_perm("core.view_user")
+                and (self.is_viewable or is_in_whitelist(user))
+            )
         )
 
     def get_mini_item(self):
@@ -746,7 +779,14 @@ class Preferences(models.Model):
         User, related_name="_preferences", on_delete=models.CASCADE
     )
     receive_weekmail = models.BooleanField(_("receive the Weekmail"), default=False)
-    show_my_stats = models.BooleanField(_("show your stats to others"), default=False)
+    show_my_stats = models.BooleanField(
+        _("show your stats to others"),
+        help_text=_(
+            "Allow subscribers (or whitelisted users "
+            "if your profile is hidden) to access your AE account stats."
+        ),
+        default=False,
+    )
     notify_on_click = models.BooleanField(
         _("get a notification for every click"), default=False
     )
@@ -1099,10 +1139,7 @@ class PageQuerySet(models.QuerySet):
             return self.filter(view_groups=settings.SITH_GROUP_PUBLIC_ID)
         if user.has_perm("core.view_page"):
             return self.all()
-        groups_ids = [g.id for g in user.cached_groups]
-        if user.is_subscribed:
-            groups_ids.append(settings.SITH_GROUP_SUBSCRIBERS_ID)
-        return self.filter(view_groups__in=groups_ids)
+        return self.filter(view_groups__in=user.all_groups)
 
 
 # This function prevents generating migration upon settings change
@@ -1376,7 +1413,7 @@ class PageRev(models.Model):
         return self.page.can_be_edited_by(user)
 
     def is_owned_by(self, user: User) -> bool:
-        return any(g.id == self.page.owner_group_id for g in user.cached_groups)
+        return self.page.owner_group_id in user.all_groups
 
     def similarity_ratio(self, text: str) -> float:
         """Similarity ratio between this revision's content and the given text.

core/static/bundled/core/components/include-index.ts

@@ -6,14 +6,36 @@ import { inheritHtmlElement, registerComponent } from "#core:utils/web-component
  **/
 @registerComponent("link-once")
 export class LinkOnce extends inheritHtmlElement("link") {
-  connectedCallback() {
-    super.connectedCallback(false);
+  refresh() {
+    this.clearNode();
+
     // We get href from node.attributes instead of node.href to avoid getting the domain part
     const href = this.node.attributes.getNamedItem("href").nodeValue;
     if (document.querySelectorAll(`link[href='${href}']`).length === 0) {
       this.appendChild(this.node);
     }
   }
+
+  clearNode() {
+    while (this.firstChild) {
+      this.removeChild(this.lastChild);
+    }
+  }
+
+  connectedCallback() {
+    super.connectedCallback(false);
+    this.refresh();
+  }
+
+  disconnectedCallback() {
+    this.clearNode();
+
+    // This re-triggers link-once elements that still exists and suppressed
+    // themeselves once it gets removed from the page
+    for (const link of document.getElementsByTagName("link-once")) {
+      (link as LinkOnce).refresh();
+    }
+  }
 }
 
 /**
@@ -22,12 +44,34 @@ export class LinkOnce extends inheritHtmlElement("link") {
  **/
 @registerComponent("script-once")
 export class ScriptOnce extends inheritHtmlElement("script") {
-  connectedCallback() {
-    super.connectedCallback(false);
+  refresh() {
+    this.clearNode();
+
     // We get src from node.attributes instead of node.src to avoid getting the domain part
     const src = this.node.attributes.getNamedItem("src").nodeValue;
     if (document.querySelectorAll(`script[src='${src}']`).length === 0) {
       this.appendChild(this.node);
     }
   }
+
+  clearNode() {
+    while (this.firstChild) {
+      this.removeChild(this.lastChild);
+    }
+  }
+
+  connectedCallback() {
+    super.connectedCallback(false);
+    this.refresh();
+  }
+
+  disconnectedCallback() {
+    this.clearNode();
+
+    // This re-triggers script-once elements that still exists and suppressed
+    // themeselves once it gets removed from the page
+    for (const link of document.getElementsByTagName("script-once")) {
+      (link as LinkOnce).refresh();
+    }
+  }
 }

core/static/bundled/core/components/nfc-input-index.ts

@@ -26,7 +26,6 @@ export class NfcInput extends inheritHtmlElement("input") {
         window.alert(gettext("Unsupported NFC card"));
       });
 
-      // biome-ignore lint/correctness/noUndeclaredVariables: browser API
       ndef.addEventListener("reading", (event: NDEFReadingEvent) => {
         this.removeAttribute("scan");
         this.node.value = event.serialNumber.replace(/:/g, "").toUpperCase();

core/static/bundled/core/dynamic-formset-index.ts

@@ -0,0 +1,77 @@
+interface Config {
+  /**
+   * The prefix of the formset, in case it has been changed.
+   * See https://docs.djangoproject.com/fr/stable/topics/forms/formsets/#customizing-a-formset-s-prefix
+   */
+  prefix?: string;
+}
+
+// biome-ignore lint/style/useNamingConvention: It's the DOM API naming
+type HTMLFormInputElement = HTMLInputElement | HTMLSelectElement | HTMLTextAreaElement;
+
+document.addEventListener("alpine:init", () => {
+  /**
+   * Alpine data element to allow the dynamic addition of forms to a formset.
+   *
+   * To use this, you need :
+   * - an HTML element containing the existing forms, noted by `x-ref="formContainer"`
+   * - a template containing the empty form
+   *   (that you can obtain jinja-side with `{{ formset.empty_form }}`),
+   *   noted by `x-ref="formTemplate"`
+   * - a button with `@click="addForm"`
+   * - you may also have one or more buttons with `@click="removeForm(element)"`,
+   *   where `element` is the HTML element containing the form.
+   *
+   * For an example of how this is used, you can have a look to
+   * `counter/templates/counter/product_form.jinja`
+   */
+  Alpine.data("dynamicFormSet", (config?: Config) => ({
+    init() {
+      this.formContainer = this.$refs.formContainer as HTMLElement;
+      this.nbForms = this.formContainer.children.length as number;
+      this.template = this.$refs.formTemplate as HTMLTemplateElement;
+      const prefix = config?.prefix ?? "form";
+      this.$root
+        .querySelector(`#id_${prefix}-TOTAL_FORMS`)
+        .setAttribute(":value", "nbForms");
+    },
+
+    addForm() {
+      this.formContainer.appendChild(document.importNode(this.template.content, true));
+      const newForm = this.formContainer.lastElementChild;
+      const inputs: NodeListOf<HTMLFormInputElement> = newForm.querySelectorAll(
+        "input, select, textarea",
+      );
+      for (const el of inputs) {
+        el.name = el.name.replace("__prefix__", this.nbForms.toString());
+        el.id = el.id.replace("__prefix__", this.nbForms.toString());
+      }
+      const labels: NodeListOf<HTMLLabelElement> = newForm.querySelectorAll("label");
+      for (const el of labels) {
+        el.htmlFor = el.htmlFor.replace("__prefix__", this.nbForms.toString());
+      }
+      inputs[0].focus();
+      this.nbForms += 1;
+    },
+
+    removeForm(container: HTMLDivElement) {
+      container.remove();
+      this.nbForms -= 1;
+      // adjust the id of remaining forms
+      for (let i = 0; i < this.nbForms; i++) {
+        const form: HTMLDivElement = this.formContainer.children[i];
+        const inputs: NodeListOf<HTMLFormInputElement> = form.querySelectorAll(
+          "input, select, textarea",
+        );
+        for (const el of inputs) {
+          el.name = el.name.replace(/\d+/, i.toString());
+          el.id = el.id.replace(/\d+/, i.toString());
+        }
+        const labels: NodeListOf<HTMLLabelElement> = form.querySelectorAll("label");
+        for (const el of labels) {
+          el.htmlFor = el.htmlFor.replace(/\d+/, i.toString());
+        }
+      }
+    },
+  }));
+});

core/static/core/base.css

@@ -115,7 +115,6 @@ blockquote:before,
 blockquote:after,
 q:before,
 q:after {
-  content: "";
   content: none;
 }
 table {

core/static/core/forms.scss

@@ -157,6 +157,7 @@ form {
     margin-bottom: .25rem;
     font-size: 80%;
     display: block;
+    max-width: calc(100% - calc(var(--nf-input-size) * 2))
   }
 
   fieldset {

core/static/user/user_edit.scss

@@ -5,17 +5,6 @@
 }
 
 .profile {
-  &-visible {
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-    gap: 5px;
-    padding-top: 10px;
-    input[type="checkbox"]+label {
-      max-width: unset;
-    }
-  }
-
   &-pictures {
     box-sizing: border-box;
     display: flex;

core/static/user/user_preferences.scss

@@ -19,28 +19,6 @@
       }
     }
   }
-
-  &-cards,
-  &-trombi {
-    >p {
-      display: flex;
-      flex-direction: column;
-      align-items: flex-start;
-      text-align: justify;
-      gap: 5px;
-      margin: 0;
-
-      >input,
-      >select {
-        min-width: 300px;
-      }
-    }
-  }
-
-  &-submit-btn {
-    margin-top: 10px !important;
-    max-width: 100px;
-  }
 }
 
 .justify {

core/templates/core/base.jinja

@@ -35,8 +35,8 @@
       <noscript><link rel="stylesheet" href="{{ static('bundled/fontawesome-index.css') }}"></noscript>
 
       <script src="{{ url('javascript-catalog') }}"></script>
-      <script type="module" src={{ static("bundled/core/navbar-index.ts") }}></script>
-      <script type="module" src={{ static("bundled/core/components/include-index.ts") }}></script>
+      <script type="module" src="{{ static("bundled/core/navbar-index.ts") }}"></script>
+      <script type="module" src="{{ static("bundled/core/components/include-index.ts") }}"></script>
       <script type="module" src="{{ static('bundled/alpine-index.js') }}"></script>
       <script type="module" src="{{ static('bundled/htmx-index.js') }}"></script>
       <script type="module" src="{{ static('bundled/country-flags-index.ts') }}"></script>

core/templates/core/base/notifications.jinja

@@ -1,14 +1,11 @@
 <div id="quick-notifications"
      x-data="{
              messages: [
-             {% if messages %}
-               {% for message in messages %}
-                 {
-                 tag: '{{ message.tags }}',
-                 text: '{{ message }}',
-                 },
-               {% endfor %}
-             {% endif %}
+             {%- for message in messages -%}
+               {%- if not message.extra_tags -%}
+                 { tag: '{{ message.tags }}', text: '{{ message }}' },
+               {%- endif -%}
+             {%- endfor -%}
              ]
              }"
      @quick-notification-add="(e) => messages.push(e?.detail)"

core/templates/core/fragment/user_visibility.jinja

@@ -0,0 +1,33 @@
+<form
+  hx-post="{{ url("core:user_visibility_fragment", user_id=form.instance.id) }}"
+  hx-disabled-elt="find input[type='submit']"
+  hx-swap="outerHTML" x-data="{ isViewable: {{ form.is_viewable.value()|tojson }} }"
+>
+  {% for message in messages %}
+    {% if message.extra_tags=="visibility" %}
+      <div class="alert alert-success">
+        {{ message }}
+      </div>
+    {% endif %}
+  {% endfor %}
+  {% csrf_token %}
+  {{ form.non_field_errors() }}
+  <fieldset class="form-group">
+    {{ form.is_viewable|add_attr("x-model=isViewable") }}
+    {{ form.is_viewable.label_tag() }}
+    <span class="helptext">{{ form.is_viewable.help_text }}</span>
+    {{ form.is_viewable.errors }}
+  </fieldset>
+  <fieldset class="form-group" x-show="!isViewable">
+    {{ form.whitelisted_users.as_field_group() }}
+  </fieldset>
+  <fieldset class="form-group">
+    {{ form.show_my_stats }}
+    {{ form.show_my_stats.label_tag() }}
+    <span class="helptext">
+      {{ form.show_my_stats.help_text }}
+    </span>
+    {{ form.show_my_stats.errors }}
+  </fieldset>
+  <input type="submit" class="btn btn-blue" value="{% trans %}Save{% endtrans %}">
+</form>

core/templates/core/user_edit.jinja

@@ -147,18 +147,7 @@
       {%- endfor -%}
     </div>
 
-    {# Checkboxes #}
-    <div class="profile-visible">
-      <div class="row">
-        {{ form.is_viewable }}
-        {{ form.is_viewable.label_tag() }}
-      </div>
-      <span class="helptext">
-        {{ form.is_viewable.help_text }}
-      </span>
-    </div>
     <div class="final-actions">
-
       {%- if form.instance == user -%}
         <p>
           <a href="{{ url('core:password_change') }}">{%- trans -%}Change my password{%- endtrans -%}</a>
@@ -170,7 +159,6 @@
           </a>
         </p>
       {%- endif -%}
-
       <p>
         <input type="submit" value="{%- trans -%}Update{%- endtrans -%}" />
       </p>

core/templates/core/user_preferences.jinja

@@ -11,30 +11,22 @@
 {% block content %}
   <div class="main">
     <h2>{% trans %}Preferences{% endtrans %}</h2>
-    <h3>{% trans %}General{% endtrans %}</h3>
-    <form class="form form-general" action="" method="post" enctype="multipart/form-data">
+    <br />
+    <h3>{% trans %}Notifications{% endtrans %}</h3>
+    <form action="" method="post" enctype="multipart/form-data">
       {% csrf_token %}
-      {{ form.as_p() }}
-      <input class="form-submit-btn" type="submit" value="{% trans %}Save{% endtrans %}" />
+      <div class="form form-general">
+        {{ form.as_p() }}
+      </div>
+      <input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" />
     </form>
 
-    <h3>{% trans %}Trombi{% endtrans %}</h3>
-
-    {% if trombi_form %}
-      <form class="form form-trombi" action="{{ url('trombi:user_tools') }}" method="post" enctype="multipart/form-data">
-        {% csrf_token %}
-        {{ trombi_form.as_p() }}
-        <input class="form-submit-btn" type="submit" value="{% trans %}Save{% endtrans %}" />
-      </form>
-
-    {% else %}
-      <p>{% trans trombi=profile.trombi_user.trombi %}You already choose to be in that Trombi: {{ trombi }}.{% endtrans %}
-        <br />
-        <a href="{{ url('trombi:user_tools') }}">{% trans %}Go to my Trombi tools{% endtrans %}</a>
-      </p>
-    {% endif %}
+    <br />
+    <h3>{% trans %}Visibility{% endtrans %}</h3>
 
+    {{ user_visibility_fragment }}
 
+    <br />
     {% if student_card_fragment %}
       <h3>{% trans %}Student card{% endtrans %}</h3>
       {{ student_card_fragment }}
@@ -43,5 +35,21 @@
           add a student card yourself, you'll need a NFC reader. We store the UID of the card which is 14 characters long.{% endtrans %}
       </p>
     {% endif %}
+
+    <br />
+    <h3>{% trans %}Trombi{% endtrans %}</h3>
+
+    {% if trombi_form %}
+      <form action="{{ url('trombi:user_tools') }}" method="post" enctype="multipart/form-data">
+        {% csrf_token %}
+        {{ trombi_form.as_p() }}
+        <input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" />
+      </form>
+    {% else %}
+      <p>{% trans trombi=profile.trombi_user.trombi %}You already choose to be in that Trombi: {{ trombi }}.{% endtrans %}
+        <br />
+        <a href="{{ url('trombi:user_tools') }}">{% trans %}Go to my Trombi tools{% endtrans %}</a>
+      </p>
+    {% endif %}
   </div>
 {% endblock %}

core/tests/test_core.py

@@ -418,16 +418,16 @@ class TestUserIsInGroup(TestCase):
         group_in = baker.make(Group)
         self.public_user.groups.add(group_in)
 
-        # clear the cached property `User.cached_groups`
-        self.public_user.__dict__.pop("cached_groups", None)
+        # clear the cached property `User.all_groups`
+        self.public_user.__dict__.pop("all_groups", None)
         # Test when the user is in the group
-        with self.assertNumQueries(1):
+        with self.assertNumQueries(2):
             self.public_user.is_in_group(pk=group_in.id)
         with self.assertNumQueries(0):
             self.public_user.is_in_group(pk=group_in.id)
 
         group_not_in = baker.make(Group)
-        self.public_user.__dict__.pop("cached_groups", None)
+        self.public_user.__dict__.pop("all_groups", None)
         # Test when the user is not in the group
         with self.assertNumQueries(1):
             self.public_user.is_in_group(pk=group_not_in.id)

core/tests/test_user.py

@@ -399,13 +399,12 @@ class TestUserQuerySetViewableBy:
         return [
             baker.make(User),
             subscriber_user.make(),
-            subscriber_user.make(is_viewable=False),
+            *subscriber_user.make(is_viewable=False, _quantity=2),
         ]
 
     def test_admin_user(self, users: list[User]):
         user = baker.make(
-            User,
-            user_permissions=[Permission.objects.get(codename="view_hidden_user")],
+            User, user_permissions=[Permission.objects.get(codename="view_hidden_user")]
         )
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == set(users)
@@ -418,6 +417,12 @@ class TestUserQuerySetViewableBy:
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == {users[0], users[1]}
 
+    def test_whitelist(self, users: list[User]):
+        user = subscriber_user.make()
+        users[3].whitelisted_users.add(user)
+        viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
+        assert set(viewable) == {users[0], users[1], users[3]}
+
     @pytest.mark.parametrize("user_factory", [lambda: baker.make(User), AnonymousUser])
     def test_not_subscriber(self, users: list[User], user_factory):
         user = user_factory()

core/urls.py

@@ -69,7 +69,6 @@ from core.views import (
     UserCreationView,
     UserGodfathersTreeView,
     UserGodfathersView,
-    UserListView,
     UserMeRedirect,
     UserMiniView,
     UserPreferencesView,
@@ -78,6 +77,7 @@ from core.views import (
     UserUpdateGroupView,
     UserUpdateProfileView,
     UserView,
+    UserVisibilityFormFragment,
     delete_user_godfather,
     logout,
     notification,
@@ -136,7 +136,11 @@ urlpatterns = [
         "group/<int:group_id>/detail/", GroupTemplateView.as_view(), name="group_detail"
     ),
     # User views
-    path("user/", UserListView.as_view(), name="user_list"),
+    path(
+        "fragment/user/<int:user_id>/",
+        UserVisibilityFormFragment.as_view(),
+        name="user_visibility_fragment",
+    ),
     path(
         "user/me/<path:remaining_path>/",
         UserMeRedirect.as_view(),

core/views/forms.py

@@ -48,12 +48,13 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 from PIL import Image
 
 from antispam.forms import AntiSpamEmailField
-from core.models import Gift, Group, Page, PageRev, SithFile, User
+from core.models import Gift, Group, Page, PageRev, Preferences, SithFile, User
 from core.utils import resize_image
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
     AutoCompleteSelectGroup,
     AutoCompleteSelectMultipleGroup,
+    AutoCompleteSelectMultipleUser,
     AutoCompleteSelectUser,
 )
 from core.views.widgets.markdown import MarkdownInput
@@ -179,7 +180,6 @@ class UserProfileForm(forms.ModelForm):
             "school",
             "promo",
             "forum_signature",
-            "is_viewable",
         ]
         widgets = {
             "date_of_birth": SelectDate,
@@ -264,6 +264,38 @@ class UserProfileForm(forms.ModelForm):
         self._post_clean()
 
 
+class UserVisibilityForm(forms.ModelForm):
+    class Meta:
+        model = User
+        fields = ["is_viewable", "whitelisted_users"]
+        widgets = {
+            "is_viewable": forms.CheckboxInput(attrs={"class": "switch"}),
+            "whitelisted_users": AutoCompleteSelectMultipleUser,
+        }
+
+    __preferences_fields = forms.fields_for_model(
+        Preferences,
+        ["show_my_stats"],
+        widgets={"show_my_stats": forms.CheckboxInput(attrs={"class": "switch"})},
+    )
+    show_my_stats = __preferences_fields["show_my_stats"]
+
+    def __init__(
+        self, *args, initial: dict | None = None, instance: User | None = None, **kwargs
+    ):
+        if instance:
+            initial = initial or {}
+            initial["show_my_stats"] = instance.preferences.show_my_stats
+        super().__init__(*args, initial=initial, instance=instance, **kwargs)
+
+    def save(self, commit=True) -> User:  # noqa: FBT002
+        instance = super().save(commit=commit)
+        if commit:
+            instance.preferences.show_my_stats = self.cleaned_data["show_my_stats"]
+            instance.preferences.save()
+        return instance
+
+
 class UserGroupsForm(forms.ModelForm):
     error_css_class = "error"
     required_css_class = "required"

core/views/user.py

@@ -28,10 +28,12 @@ from datetime import timedelta
 from operator import itemgetter
 from smtplib import SMTPException
 
+from django.contrib import messages
 from django.contrib.auth import login, views
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import PasswordChangeForm, SetPasswordForm
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import DateField, F, QuerySet, Sum
 from django.db.models.functions import Trunc
@@ -48,7 +50,6 @@ from django.views.generic import (
     CreateView,
     DeleteView,
     DetailView,
-    ListView,
     RedirectView,
     TemplateView,
 )
@@ -65,8 +66,9 @@ from core.views.forms import (
     UserGodfathersForm,
     UserGroupsForm,
     UserProfileForm,
+    UserVisibilityForm,
 )
-from core.views.mixins import TabedViewMixin, UseFragmentsMixin
+from core.views.mixins import FragmentMixin, TabedViewMixin, UseFragmentsMixin
 from counter.models import Refilling, Selling
 from eboutic.models import Invoice
 from trombi.views import UserTrombiForm
@@ -248,14 +250,15 @@ class UserTabsMixin(TabedViewMixin):
                     "name": _("Groups"),
                 }
             )
-        if (
+        can_view_account = (
             hasattr(user, "customer")
             and user.customer
             and (
                 user == self.request.user
                 or self.request.user.has_perm("counter.view_customer")
             )
-        ):
+        )
+        if can_view_account or user.preferences.show_my_stats:
             tab_list.append(
                 {
                     "url": reverse("core:user_stats", kwargs={"user_id": user.id}),
@@ -263,6 +266,7 @@ class UserTabsMixin(TabedViewMixin):
                     "name": _("Stats"),
                 }
             )
+        if can_view_account:
             tab_list.append(
                 {
                     "url": reverse("core:user_account", kwargs={"user_id": user.id}),
@@ -349,7 +353,7 @@ class UserGodfathersTreeView(UserTabsMixin, CanViewMixin, DetailView):
         return kwargs
 
 
-class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
+class UserStatsView(UserTabsMixin, UserPassesTestMixin, DetailView):
     """Display a user's stats."""
 
     model = User
@@ -357,15 +361,20 @@ class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
     context_object_name = "profile"
     template_name = "core/user_stats.jinja"
     current_tab = "stats"
-    queryset = User.objects.exclude(customer=None).select_related("customer")
+    queryset = User.objects.exclude(customer=None).select_related(
+        "customer", "_preferences"
+    )
 
-    def dispatch(self, request, *arg, **kwargs):
-        profile = self.get_object()
-        if not (
-            profile == request.user or request.user.has_perm("counter.view_customer")
-        ):
-            raise PermissionDenied
-        return super().dispatch(request, *arg, **kwargs)
+    def test_func(self):
+        profile: User = self.get_object()
+        return (
+            profile == self.request.user
+            or self.request.user.has_perm("counter.view_customer")
+            or (
+                self.request.user.can_view(profile)
+                and profile.preferences.show_my_stats
+            )
+        )
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
@@ -404,13 +413,6 @@ class UserMiniView(CanViewMixin, DetailView):
     template_name = "core/user_mini.jinja"
 
 
-class UserListView(ListView, CanEditPropMixin):
-    """Displays the user list."""
-
-    model = User
-    template_name = "core/user_list.jinja"
-
-
 # FIXME: the edit_once fields aren't displayed to the user (as expected).
 #  However, if the user re-add them manually in the form, they are saved.
 class UserUpdateProfileView(UserTabsMixin, CanEditMixin, UpdateView):
@@ -468,6 +470,30 @@ class UserClubView(UserTabsMixin, CanViewMixin, DetailView):
     current_tab = "clubs"
 
 
+class UserVisibilityFormFragment(FragmentMixin, SuccessMessageMixin, UpdateView):
+    model = User
+    form_class = UserVisibilityForm
+    template_name = "core/fragment/user_visibility.jinja"
+    pk_url_kwarg = "user_id"
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {"label_suffix": ""}
+
+    def form_valid(self, form):
+        response = super().form_valid(form)
+        messages.success(
+            self.request, _("Visibility parameters updated."), extra_tags="visibility"
+        )
+        return response
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.object = kwargs.get("user")
+        return super().render_fragment(request, **kwargs)
+
+    def get_success_url(self, **kwargs):
+        return self.request.path
+
+
 class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, UpdateView):
     """Edit a user's preferences."""
 
@@ -481,7 +507,10 @@ class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, Update
     current_tab = "prefs"
 
     def get_form_kwargs(self):
-        return super().get_form_kwargs() | {"instance": self.object.preferences}
+        return super().get_form_kwargs() | {
+            "instance": self.object.preferences,
+            "label_suffix": "",
+        }
 
     def get_success_url(self):
         return self.request.path
@@ -491,6 +520,9 @@ class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, Update
         from counter.views.student_card import StudentCardFormFragment
 
         res = super().get_fragment_context_data()
+        res["user_visibility_fragment"] = UserVisibilityFormFragment.as_fragment()(
+            self.request, user=self.object
+        )
         if hasattr(self.object, "customer"):
             res["student_card_fragment"] = StudentCardFormFragment.as_fragment()(
                 self.request, customer=self.object.customer

counter/forms.py

@@ -5,6 +5,7 @@ from datetime import date, datetime, timezone
 
 from dateutil.relativedelta import relativedelta
 from django import forms
+from django.core.exceptions import ValidationError
 from django.core.validators import MaxValueValidator
 from django.db.models import Exists, OuterRef, Q
 from django.forms import BaseModelFormSet
@@ -15,7 +16,7 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 
 from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
-from core.models import User
+from core.models import User, UserQuerySet
 from core.views.forms import (
     FutureDateTimeField,
     NFCTextInput,
@@ -32,6 +33,7 @@ from core.views.widgets.ajax_select import (
 from counter.models import (
     BillingInfo,
     Counter,
+    CounterSellers,
     Customer,
     Eticket,
     InvoiceCall,
@@ -170,14 +172,39 @@ class RefillForm(forms.ModelForm):
 class CounterEditForm(forms.ModelForm):
     class Meta:
         model = Counter
-        fields = ["sellers", "products"]
-        widgets = {"sellers": AutoCompleteSelectMultipleUser}
+        fields = ["products"]
+
+    sellers_regular = forms.ModelMultipleChoiceField(
+        label=_("Regular barmen"),
+        help_text=_(
+            "Barmen having regular permanences "
+            "or frequently giving a hand throughout the semester."
+        ),
+        queryset=User.objects.all(),
+        widget=AutoCompleteSelectMultipleUser,
+        required=False,
+    )
+    sellers_temporary = forms.ModelMultipleChoiceField(
+        label=_("Temporary barmen"),
+        help_text=_(
+            "Barmen who will be there only for a limited period (e.g. for one evening)"
+        ),
+        queryset=User.objects.all(),
+        widget=AutoCompleteSelectMultipleUser,
+        required=False,
+    )
+    field_order = ["sellers_regular", "sellers_temporary", "products"]
 
     def __init__(self, *args, user: User, instance: Counter, **kwargs):
         super().__init__(*args, instance=instance, **kwargs)
+        # if the user is an admin, he will have access to all products,
+        # else only to active products owned by the counter's club
+        # or already on the counter
         if user.has_perm("counter.change_counter"):
             self.fields["products"].widget = AutoCompleteSelectMultipleProduct()
         else:
+            # updating the queryset of the field also updates the choices of
+            # the widget, so it's important to set the queryset after the widget
             self.fields["products"].widget = AutoCompleteSelectMultiple()
             self.fields["products"].queryset = Product.objects.filter(
                 Q(club_id=instance.club_id) | Q(counters=instance), archived=False
@@ -186,6 +213,61 @@ class CounterEditForm(forms.ModelForm):
                 "If you want to add a product that is not owned by "
                 "your club to this counter, you should ask an admin."
             )
+        self.fields["sellers_regular"].initial = self.instance.sellers.filter(
+            countersellers__is_regular=True
+        ).all()
+        self.fields["sellers_temporary"].initial = self.instance.sellers.filter(
+            countersellers__is_regular=False
+        ).all()
+
+    def clean(self):
+        regular: UserQuerySet = self.cleaned_data["sellers_regular"]
+        temporary: UserQuerySet = self.cleaned_data["sellers_temporary"]
+        duplicates = list(regular.intersection(temporary))
+        if duplicates:
+            raise ValidationError(
+                _(
+                    "A user cannot be a regular and a temporary barman "
+                    "at the same time, "
+                    "but the following users have been defined as both : %(users)s"
+                )
+                % {"users": ", ".join([u.get_display_name() for u in duplicates])}
+            )
+        return self.cleaned_data
+
+    def save_sellers(self):
+        sellers = []
+        for users, is_regular in (
+            (self.cleaned_data["sellers_regular"], True),
+            (self.cleaned_data["sellers_temporary"], False),
+        ):
+            sellers.extend(
+                [
+                    CounterSellers(counter=self.instance, user=u, is_regular=is_regular)
+                    for u in users
+                ]
+            )
+        # start by deleting removed CounterSellers objects
+        user_ids = [seller.user.id for seller in sellers]
+        CounterSellers.objects.filter(
+            ~Q(user_id__in=user_ids), counter=self.instance
+        ).delete()
+
+        # then create or update the new barmen
+        CounterSellers.objects.bulk_create(
+            sellers,
+            update_conflicts=True,
+            update_fields=["is_regular"],
+            unique_fields=["user", "counter"],
+        )
+
+    def save(self, commit=True):  # noqa: FBT002
+        self.instance = super().save(commit=commit)
+        if commit and any(
+            key in self.changed_data for key in ("sellers_regular", "sellers_temporary")
+        ):
+            self.save_sellers()
+        return self.instance
 
 
 class ScheduledProductActionForm(forms.ModelForm):
@@ -291,7 +373,8 @@ ScheduledProductActionFormSet = forms.modelformset_factory(
     absolute_max=None,
     can_delete=True,
     can_delete_extra=False,
-    extra=2,
+    extra=0,
+    min_num=1,
 )
 
 

counter/migrations/0038_countersellers.py

@@ -0,0 +1,88 @@
+# Generated by Django 5.2.11 on 2026-03-04 15:26
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("counter", "0037_productformula"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        # cf. https://docs.djangoproject.com/fr/stable/howto/writing-migrations/#changing-a-manytomanyfield-to-use-a-through-model
+        migrations.SeparateDatabaseAndState(
+            database_operations=[
+                migrations.RunSQL(
+                    sql="ALTER TABLE counter_counter_sellers RENAME TO counter_countersellers",
+                    reverse_sql="ALTER TABLE counter_countersellers RENAME TO counter_counter_sellers",
+                ),
+            ],
+            state_operations=[
+                migrations.CreateModel(
+                    name="CounterSellers",
+                    fields=[
+                        (
+                            "id",
+                            models.AutoField(
+                                auto_created=True,
+                                primary_key=True,
+                                serialize=False,
+                                verbose_name="ID",
+                            ),
+                        ),
+                        (
+                            "counter",
+                            models.ForeignKey(
+                                on_delete=django.db.models.deletion.CASCADE,
+                                to="counter.counter",
+                            ),
+                        ),
+                        (
+                            "user",
+                            models.ForeignKey(
+                                on_delete=django.db.models.deletion.CASCADE,
+                                to=settings.AUTH_USER_MODEL,
+                            ),
+                        ),
+                    ],
+                    options={
+                        "constraints": [
+                            models.UniqueConstraint(
+                                fields=("counter", "user"),
+                                name="counter_counter_sellers_counter_id_subscriber_id_key",
+                            )
+                        ],
+                    },
+                ),
+                migrations.AlterField(
+                    model_name="counter",
+                    name="sellers",
+                    field=models.ManyToManyField(
+                        blank=True,
+                        related_name="counters",
+                        through="counter.CounterSellers",
+                        to=settings.AUTH_USER_MODEL,
+                        verbose_name="sellers",
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="countersellers",
+            name="created_at",
+            field=models.DateTimeField(
+                auto_now_add=True,
+                default=django.utils.timezone.now,
+                verbose_name="created at",
+            ),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name="countersellers",
+            name="is_regular",
+            field=models.BooleanField(default=False, verbose_name="regular barman"),
+        ),
+    ]

counter/models.py

@@ -551,7 +551,11 @@ class Counter(models.Model):
         choices=[("BAR", _("Bar")), ("OFFICE", _("Office")), ("EBOUTIC", _("Eboutic"))],
     )
     sellers = models.ManyToManyField(
-        User, verbose_name=_("sellers"), related_name="counters", blank=True
+        User,
+        verbose_name=_("sellers"),
+        related_name="counters",
+        blank=True,
+        through="CounterSellers",
     )
     edit_groups = models.ManyToManyField(
         Group, related_name="editable_counters", blank=True
@@ -743,6 +747,26 @@ class Counter(models.Model):
         ]
 
 
+class CounterSellers(models.Model):
+    """Custom through model for the counter-sellers M2M relationship."""
+
+    counter = models.ForeignKey(Counter, on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    is_regular = models.BooleanField(_("regular barman"), default=False)
+    created_at = models.DateTimeField(_("created at"), auto_now_add=True)
+
+    class Meta:
+        constraints = [
+            models.UniqueConstraint(
+                fields=["counter", "user"],
+                name="counter_counter_sellers_counter_id_subscriber_id_key",
+            )
+        ]
+
+    def __str__(self):
+        return f"counter {self.counter_id} - user {self.user_id}"
+
+
 class RefillingQuerySet(models.QuerySet):
     def annotate_total(self) -> Self:
         """Annotate the Queryset with the total amount.

counter/static/bundled/counter/counter-click-index.ts

@@ -64,7 +64,7 @@ document.addEventListener("alpine:init", () => {
 
     checkFormulas() {
       const products = new Set(
-        Object.keys(this.basket).map((i: string) => Number.parseInt(i)),
+        Object.keys(this.basket).map((i: string) => Number.parseInt(i, 10)),
       );
       const formula: ProductFormula = config.formulas.find((f: ProductFormula) => {
         return f.products.every((p: number) => products.has(p));

counter/templates/counter/product_form.jinja

@@ -1,5 +1,44 @@
 {% extends "core/base.jinja" %}
 
+{% block additional_js %}
+  <script type="module" src="{{ static("bundled/core/dynamic-formset-index.ts") }}"></script>
+{% endblock %}
+
+
+{% macro action_form(form) %}
+  <fieldset x-data="{action: '{{ form.task.initial }}'}">
+    {{ form.non_field_errors() }}
+    <div class="row gap-2x margin-bottom">
+      <div>
+        {{ form.task.errors }}
+        {{ form.task.label_tag() }}
+        {{ form.task|add_attr("x-model=action") }}
+      </div>
+      <div>{{ form.trigger_at.as_field_group() }}</div>
+    </div>
+    <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
+      {{ form.counters.as_field_group() }}
+    </div>
+    {%- if form.DELETE -%}
+      <div class="row gap">
+        {{ form.DELETE.as_field_group() }}
+      </div>
+    {%- else -%}
+      <button
+        class="btn btn-grey"
+        @click.prevent="removeForm($event.target.closest('fieldset'))"
+      >
+        <i class="fa fa-minus"></i>{% trans %}Remove this action{% endtrans %}
+      </button>
+    {%- endif -%}
+    {%- for field in form.hidden_fields() -%}
+      {{ field }}
+    {%- endfor -%}
+    <hr />
+  </fieldset>
+{% endmacro %}
+
+
 {% block content %}
   {% if object %}
     <h2>{% trans name=object %}Edit product {{ name }}{% endtrans %}</h2>
@@ -25,34 +64,20 @@
       </em>
     </p>
 
-    {{ form.action_formset.management_form }}
-    {%- for action_form in form.action_formset.forms -%}
-      <fieldset x-data="{action: '{{ action_form.task.initial }}'}">
-        {{ action_form.non_field_errors() }}
-        <div class="row gap-2x margin-bottom">
-          <div>
-            {{ action_form.task.errors }}
-            {{ action_form.task.label_tag() }}
-            {{ action_form.task|add_attr("x-model=action") }}
-          </div>
-          <div>{{ action_form.trigger_at.as_field_group() }}</div>
-        </div>
-        <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
-          {{ action_form.counters.as_field_group() }}
-        </div>
-        {%- if action_form.DELETE -%}
-          <div class="row gap">
-            {{ action_form.DELETE.as_field_group() }}
-          </div>
-        {%- endif -%}
-        {%- for field in action_form.hidden_fields() -%}
-          {{ field }}
+    <div x-data="dynamicFormSet" class="margin-bottom">
+      {{ form.action_formset.management_form }}
+      <div x-ref="formContainer">
+        {%- for f in form.action_formset.forms -%}
+          {{ action_form(f) }}
         {%- endfor -%}
-      </fieldset>
-      {%- if not loop.last -%}
-        <hr class="margin-bottom">
-      {%- endif -%}
-    {%- endfor -%}
-    <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
+      </div>
+      <template x-ref="formTemplate">
+        {{ action_form(form.action_formset.empty_form) }}
+      </template>
+      <button @click.prevent="addForm()" class="btn btn-grey">
+        <i class="fa fa-plus"></i>{% trans %}Add action{% endtrans %}
+      </button>
+    </div>
+    <p><input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" /></p>
   </form>
 {% endblock %}

counter/tests/test_counter_admin.py

@@ -1,13 +1,132 @@
+from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.test import TestCase
+from django.urls import reverse
 from model_bakery import baker
 
 from club.models import Membership
 from core.baker_recipes import subscriber_user
-from core.models import User
+from core.models import Group, User
 from counter.baker_recipes import product_recipe
 from counter.forms import CounterEditForm
-from counter.models import Counter
+from counter.models import Counter, CounterSellers
+
+
+class TestEditCounterSellers(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.counter = baker.make(Counter, type="BAR")
+        cls.products = product_recipe.make(_quantity=2, _bulk_create=True)
+        cls.counter.products.add(*cls.products)
+        users = subscriber_user.make(_quantity=6, _bulk_create=True)
+        cls.regular_barmen = users[:2]
+        cls.tmp_barmen = users[2:4]
+        cls.not_barmen = users[4:]
+        CounterSellers.objects.bulk_create(
+            [
+                *baker.prepare(
+                    CounterSellers,
+                    counter=cls.counter,
+                    user=iter(cls.regular_barmen),
+                    is_regular=True,
+                    _quantity=len(cls.regular_barmen),
+                ),
+                *baker.prepare(
+                    CounterSellers,
+                    counter=cls.counter,
+                    user=iter(cls.tmp_barmen),
+                    is_regular=False,
+                    _quantity=len(cls.tmp_barmen),
+                ),
+            ]
+        )
+        cls.operator = baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)]
+        )
+
+    def test_view_ok(self):
+        url = reverse("counter:admin", kwargs={"counter_id": self.counter.id})
+        self.client.force_login(self.operator)
+        res = self.client.get(url)
+        assert res.status_code == 200
+        res = self.client.post(
+            url,
+            data={
+                "sellers_regular": [u.id for u in self.regular_barmen],
+                "sellers_temporary": [u.id for u in self.tmp_barmen],
+                "products": [p.id for p in self.products],
+            },
+        )
+        self.assertRedirects(res, url)
+
+    def test_add_barmen(self):
+        form = CounterEditForm(
+            data={
+                "sellers_regular": [*self.regular_barmen, self.not_barmen[0]],
+                "sellers_temporary": [*self.tmp_barmen, self.not_barmen[1]],
+                "products": self.products,
+            },
+            instance=self.counter,
+            user=self.operator,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.sellers.filter(countersellers__is_regular=True)) == {
+            *self.regular_barmen,
+            self.not_barmen[0],
+        }
+        assert set(self.counter.sellers.filter(countersellers__is_regular=False)) == {
+            *self.tmp_barmen,
+            self.not_barmen[1],
+        }
+
+    def test_barman_change_status(self):
+        """Test when a barman goes from temporary to regular"""
+        form = CounterEditForm(
+            data={
+                "sellers_regular": [*self.regular_barmen, self.tmp_barmen[0]],
+                "sellers_temporary": [*self.tmp_barmen[1:]],
+                "products": self.products,
+            },
+            instance=self.counter,
+            user=self.operator,
+        )
+        assert form.is_valid()
+        form.save()
+        assert set(self.counter.sellers.filter(countersellers__is_regular=True)) == {
+            *self.regular_barmen,
+            self.tmp_barmen[0],
+        }
+        assert set(
+            self.counter.sellers.filter(countersellers__is_regular=False)
+        ) == set(self.tmp_barmen[1:])
+
+    def test_barman_duplicate(self):
+        """Test that a barman cannot be regular and temporary at the same time."""
+        form = CounterEditForm(
+            data={
+                "sellers_regular": [*self.regular_barmen, self.not_barmen[0]],
+                "sellers_temporary": [*self.tmp_barmen, self.not_barmen[0]],
+                "products": self.products,
+            },
+            instance=self.counter,
+            user=self.operator,
+        )
+        assert not form.is_valid()
+        assert form.errors == {
+            "__all__": [
+                "Un utilisateur ne peut pas être un barman "
+                "régulier et temporaire en même temps, "
+                "mais les utilisateurs suivants ont été définis "
+                f"comme les deux : {self.not_barmen[0].get_display_name()}"
+            ],
+        }
+        assert set(self.counter.sellers.filter(countersellers__is_regular=True)) == set(
+            self.regular_barmen
+        )
+        assert set(
+            self.counter.sellers.filter(countersellers__is_regular=False)
+        ) == set(self.tmp_barmen)
 
 
 class TestEditCounterProducts(TestCase):

counter/views/admin.py

@@ -16,6 +16,7 @@ from datetime import datetime, timedelta
 
 from django.conf import settings
 from django.contrib.auth.mixins import PermissionRequiredMixin, UserPassesTestMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.forms import CheckboxSelectMultiple
@@ -58,7 +59,9 @@ class CounterListView(CounterAdminTabsMixin, CanViewMixin, ListView):
     current_tab = "counters"
 
 
-class CounterEditView(CounterAdminTabsMixin, UserPassesTestMixin, UpdateView):
+class CounterEditView(
+    CounterAdminTabsMixin, UserPassesTestMixin, SuccessMessageMixin, UpdateView
+):
     """Edit a counter's main informations (for the counter's manager)."""
 
     model = Counter
@@ -66,6 +69,7 @@ class CounterEditView(CounterAdminTabsMixin, UserPassesTestMixin, UpdateView):
     pk_url_kwarg = "counter_id"
     template_name = "core/edit.jinja"
     current_tab = "counters"
+    success_message = _("Counter update done")
 
     def test_func(self):
         if self.request.user.has_perm("counter.change_counter"):

eboutic/templates/eboutic/eboutic_main.jinja

@@ -116,6 +116,56 @@
           </span>
         </div>
       {% endif %}
+      <section>
+        <div class="category-header">
+          <h3 class="margin-bottom">{% trans %}Eurockéennes 2025 partnership{% endtrans %}</h3>
+          {% if user.is_subscribed %}
+            <div id="eurock-partner" style="
+                                            min-height: 600px;
+                                            background-color: lightgrey;
+                                            display: flex;
+                                            justify-content: center;
+                                            align-items: center;
+                                            flex-direction: column;
+                                            gap: 10px;
+                                           ">
+              <p style="text-align: center;">
+                {% trans trimmed %}
+                  Our partner uses Weezevent to sell tickets.
+                  Weezevent may collect user info according to
+                  its own privacy policy.
+                  By clicking the accept button you consent to
+                  their terms of services.
+                {% endtrans %}
+              </p>
+
+              <a href="https://weezevent.com/fr/politique-de-confidentialite/">{% trans %}Privacy policy{% endtrans %}</a>
+
+              <button
+                hx-get="{{ url("eboutic:eurock") }}"
+                hx-target="#eurock-partner"
+                hx-swap="outerHTML"
+                hx-trigger="click, load[document.cookie.includes('weezevent_accept=true')]"
+                @htmx:after-request="document.cookie = 'weezevent_accept=true'"
+              >{% trans %}Accept{% endtrans %}
+              </button>
+            </div>
+          {% else %}
+            <p>
+              {%- trans trimmed %}
+                You must be subscribed to benefit from the partnership with the Eurockéennes.
+              {% endtrans -%}
+            </p>
+            <p>
+              {%- trans trimmed %}
+                This partnership offers a discount of up to 33%
+                on tickets for Friday, Saturday and Sunday,
+                as well as the 3-day package from Friday to Sunday.
+              {% endtrans -%}
+            </p>
+          {% endif %}
+        </div>
+      </section>
       {% for priority_groups in products|groupby('order') %}
         {% for category, items in priority_groups.list|groupby('category') %}
           {% if items|count > 0 %}

eboutic/templates/eboutic/eurock_fragment.jinja

@@ -0,0 +1,16 @@
+<a title="Logiciel billetterie en ligne"
+   href="https://www.weezevent.com?c=sys_widget"
+   class="weezevent-widget-integration"
+   target="_blank"
+   data-src="https://widget.weezevent.com/ticket/8aaba226-f7a3-4192-a64e-72ff8f5b35b7?id_evenement=1419869&locale=fr-FR&code=28747"
+   data-width="650"
+   data-height="600"
+   data-resize="1"
+   data-nopb="0"
+   data-type="neo"
+   data-width_auto="1"
+   data-noscroll="0"
+   data-id="1419869">
+  Billetterie Weezevent
+</a>
+<script type="text/javascript" src="https://widget.weezevent.com/weez.js"  async defer></script>

eboutic/templates/eboutic/eurok_fragment.jinja

@@ -1,17 +0,0 @@
-<a
-  title="Logiciel billetterie en ligne"
-  href="https://widget.weezevent.com/ticket/6ef65533-f5b0-4571-9d21-1f1bc63921f0?id_evenement=1211855&locale=fr-FR&code=34146"
-  class="weezevent-widget-integration"
-  target="_blank"
-  data-src="https://widget.weezevent.com/ticket/6ef65533-f5b0-4571-9d21-1f1bc63921f0?id_evenement=1211855&locale=fr-FR&code=34146"
-  data-width="650"
-  data-height="600"
-  data-resize="1"
-  data-nopb="0"
-  data-type="neo"
-  data-width_auto="1"
-  data-noscroll="0"
-  data-id="1211855">
-  Billetterie Weezevent
-</a>
-<script type="text/javascript" src="https://widget.weezevent.com/weez.js" async defer></script>

eboutic/urls.py

@@ -31,6 +31,7 @@ from eboutic.views import (
     EbouticMainView,
     EbouticPayWithSith,
     EtransactionAutoAnswer,
+    EurockPartnerFragment,
     payment_result,
 )
 
@@ -50,4 +51,5 @@ urlpatterns = [
         EtransactionAutoAnswer.as_view(),
         name="etransation_autoanswer",
     ),
+    path("eurock/", EurockPartnerFragment.as_view(), name="eurock"),
 ]

eboutic/views.py

@@ -42,11 +42,11 @@ from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET
-from django.views.generic import DetailView, FormView, UpdateView, View
+from django.views.generic import DetailView, FormView, TemplateView, UpdateView, View
 from django.views.generic.edit import SingleObjectMixin
 from django_countries.fields import Country
 
-from core.auth.mixins import CanViewMixin
+from core.auth.mixins import CanViewMixin, IsSubscriberMixin
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BaseBasketForm, BasketProductForm, BillingInfoForm
 from counter.models import (
@@ -350,3 +350,7 @@ class EtransactionAutoAnswer(View):
             return HttpResponse(
                 "Payment failed with error: " + request.GET["Error"], status=202
             )
+
+
+class EurockPartnerFragment(IsSubscriberMixin, TemplateView):
+    template_name = "eboutic/eurock_fragment.jinja"

election/templates/election/election_detail.jinja

@@ -146,7 +146,7 @@
                           <label for="{{ input_id }}">
                         {%- endif %}
                         <figure>
-                          {%- if user.is_viewable %}
+                          {%- if user.can_view(candidature.user) %}
                             {% if candidature.user.profile_pict %}
                               <img class="candidate__picture" src="{{ candidature.user.profile_pict.get_download_url() }}" alt="{% trans %}Profile{% endtrans %}">
                             {% else %}

election/tests.py

@@ -6,6 +6,8 @@ from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.timezone import now
 from model_bakery import baker
+from model_bakery.recipe import Recipe
+from pytest_django.asserts import assertRedirects
 
 from core.baker_recipes import subscriber_user
 from core.models import Group, User
@@ -52,6 +54,102 @@ class TestElectionUpdateView(TestElection):
         assert response.status_code == 403
 
 
+class TestElectionForm(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.election = baker.make(Election, end_date=now() + timedelta(days=1))
+        cls.group = baker.make(Group)
+        cls.election.vote_groups.add(cls.group)
+        cls.election.edit_groups.add(cls.group)
+        lists = baker.make(
+            ElectionList, election=cls.election, _quantity=2, _bulk_create=True
+        )
+        cls.roles = baker.make(
+            Role, election=cls.election, _quantity=2, _bulk_create=True
+        )
+        users = baker.make(User, _quantity=4, _bulk_create=True)
+        recipe = Recipe(Candidature)
+        cls.cand = [
+            recipe.prepare(role=cls.roles[0], user=users[0], election_list=lists[0]),
+            recipe.prepare(role=cls.roles[0], user=users[1], election_list=lists[1]),
+            recipe.prepare(role=cls.roles[1], user=users[2], election_list=lists[0]),
+            recipe.prepare(role=cls.roles[1], user=users[3], election_list=lists[1]),
+        ]
+        Candidature.objects.bulk_create(cls.cand)
+        cls.vote_url = reverse("election:vote", kwargs={"election_id": cls.election.id})
+        cls.detail_url = reverse(
+            "election:detail", kwargs={"election_id": cls.election.id}
+        )
+
+    def test_election_good_form(self):
+        postes = (self.roles[0].title, self.roles[1].title)
+        votes = [
+            {postes[0]: "", postes[1]: str(self.cand[2].id)},
+            {postes[0]: "", postes[1]: ""},
+            {postes[0]: str(self.cand[0].id), postes[1]: str(self.cand[2].id)},
+            {postes[0]: str(self.cand[0].id), postes[1]: str(self.cand[3].id)},
+        ]
+        voters = subscriber_user.make(_quantity=len(votes), _bulk_create=True)
+        self.group.users.set(voters)
+
+        for voter, vote in zip(voters, votes, strict=True):
+            assert self.election.can_vote(voter)
+            self.client.force_login(voter)
+            response = self.client.post(self.vote_url, data=vote)
+            assertRedirects(response, self.detail_url)
+
+        assert set(self.election.voters.all()) == set(voters)
+        assert self.election.results == {
+            postes[0]: {
+                self.cand[0].user.username: {"percent": 50.0, "vote": 2},
+                self.cand[1].user.username: {"percent": 0.0, "vote": 0},
+                "blank vote": {"percent": 50.0, "vote": 2},
+                "total vote": 4,
+            },
+            postes[1]: {
+                self.cand[2].user.username: {"percent": 50.0, "vote": 2},
+                self.cand[3].user.username: {"percent": 25.0, "vote": 1},
+                "blank vote": {"percent": 25.0, "vote": 1},
+                "total vote": 4,
+            },
+        }
+
+    def test_election_bad_form(self):
+        postes = (self.roles[0].title, self.roles[1].title)
+
+        votes = [
+            {postes[0]: "", postes[1]: str(self.cand[0].id)},  # wrong candidate
+            {postes[0]: ""},
+            {
+                postes[0]: "0123456789",  # unknow users
+                postes[1]: str(subscriber_user.make().id),  # not a candidate
+            },
+            {},
+        ]
+        voters = subscriber_user.make(_quantity=len(votes), _bulk_create=True)
+        self.group.users.set(voters)
+
+        for voter, vote in zip(voters, votes, strict=True):
+            self.client.force_login(voter)
+            response = self.client.post(self.vote_url, data=vote)
+            assertRedirects(response, self.detail_url)
+
+        assert self.election.results == {
+            postes[0]: {
+                self.cand[0].user.username: {"percent": 0.0, "vote": 0},
+                self.cand[1].user.username: {"percent": 0.0, "vote": 0},
+                "blank vote": {"percent": 100.0, "vote": 2},
+                "total vote": 2,
+            },
+            postes[1]: {
+                self.cand[2].user.username: {"percent": 0.0, "vote": 0},
+                self.cand[3].user.username: {"percent": 0.0, "vote": 0},
+                "blank vote": {"percent": 100.0, "vote": 2},
+                "total vote": 2,
+            },
+        }
+
+
 @pytest.mark.django_db
 def test_election_create_list_permission(client: Client):
     election = baker.make(Election, end_candidature=now() + timedelta(hours=1))

election/views.py

@@ -1,7 +1,6 @@
 from typing import TYPE_CHECKING
 
 from cryptography.utils import cached_property
-from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.mixins import (
     LoginRequiredMixin,
@@ -115,16 +114,9 @@ class VoteFormView(LoginRequiredMixin, UserPassesTestMixin, FormView):
     def test_func(self):
         if not self.election.can_vote(self.request.user):
             return False
-
-        groups = set(self.election.vote_groups.values_list("id", flat=True))
-        if (
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
+        return self.election.vote_groups.filter(
+            id__in=self.request.user.all_groups
+        ).exists()
 
     def vote(self, election_data):
         with transaction.atomic():
@@ -238,15 +230,9 @@ class RoleCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView):
             return False
         if self.request.user.has_perm("election.add_role"):
             return True
-        groups = set(self.election.edit_groups.values_list("id", flat=True))
-        if (
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
+        return self.election.edit_groups.filter(
+            id__in=self.request.user.all_groups
+        ).exists()
 
     def get_initial(self):
         return {"election": self.election}
@@ -279,14 +265,7 @@ class ElectionListCreateView(LoginRequiredMixin, UserPassesTestMixin, CreateView
             .union(self.election.edit_groups.values("id"))
             .values_list("id", flat=True)
         )
-        if (
-            settings.SITH_GROUP_SUBSCRIBERS_ID in groups
-            and self.request.user.is_subscribed
-        ):
-            # the subscriber group isn't truly attached to users,
-            # so it must be dealt with separately
-            return True
-        return self.request.user.groups.filter(id__in=groups).exists()
+        return not groups.isdisjoint(self.request.user.all_groups.keys())
 
     def get_initial(self):
         return {"election": self.election}

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 15:47+0100\n"
+"POT-Creation-Date: 2026-03-23 22:21+0100\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -551,8 +551,9 @@ msgstr ""
 #: com/templates/com/news_edit.jinja com/templates/com/poster_edit.jinja
 #: com/templates/com/screen_edit.jinja com/templates/com/weekmail.jinja
 #: core/templates/core/create.jinja core/templates/core/edit.jinja
-#: core/templates/core/file_edit.jinja core/templates/core/page/edit.jinja
-#: core/templates/core/page/prop.jinja
+#: core/templates/core/file_edit.jinja
+#: core/templates/core/fragment/user_visibility.jinja
+#: core/templates/core/page/edit.jinja core/templates/core/page/prop.jinja
 #: core/templates/core/user_godfathers.jinja
 #: core/templates/core/user_godfathers_tree.jinja
 #: core/templates/core/user_preferences.jinja
@@ -1547,6 +1548,18 @@ msgid ""
 msgstr ""
 "Si vous désactivez cette option, seuls les admins pourront voir votre profil."
 
+#: core/models.py
+msgid "whitelisted users"
+msgstr "utilisateurs whitelistés"
+
+#: core/models.py
+msgid ""
+"Even if this profile is hidden, the users in this list will still be able to "
+"see it."
+msgstr ""
+"Même si ce profil est caché, les utilisateurs sur cette liste pourront "
+"toujours le voir."
+
 #: core/models.py
 msgid "A user with that username already exists"
 msgstr "Un utilisateur de ce nom d'utilisateur existe déjà"
@@ -1603,6 +1616,14 @@ msgstr "recevoir le Weekmail"
 msgid "show your stats to others"
 msgstr "montrez vos statistiques aux autres"
 
+#: core/models.py
+msgid ""
+"Allow subscribers (or whitelisted users if your profile is hidden) to access "
+"your AE account stats."
+msgstr ""
+"Autorise les cotisants (ou les personnes whitelistées, si votre profil est "
+"caché) à accéder aux statistiques de votre compte AE"
+
 #: core/models.py
 msgid "get a notification for every click"
 msgstr "avoir une notification pour chaque click"
@@ -2612,21 +2633,12 @@ msgid "Preferences"
 msgstr "Préférences"
 
 #: core/templates/core/user_preferences.jinja
-msgid "General"
-msgstr "Général"
-
-#: core/templates/core/user_preferences.jinja trombi/views.py
-msgid "Trombi"
-msgstr "Trombi"
+msgid "Notifications"
+msgstr "Notifications"
 
 #: core/templates/core/user_preferences.jinja
-#, python-format
-msgid "You already choose to be in that Trombi: %(trombi)s."
-msgstr "Vous avez déjà choisi ce Trombi: %(trombi)s."
-
-#: core/templates/core/user_preferences.jinja
-msgid "Go to my Trombi tools"
-msgstr "Allez à mes outils de Trombi"
+msgid "Visibility"
+msgstr "Visibilité"
 
 #: core/templates/core/user_preferences.jinja
 #: counter/templates/counter/counter_click.jinja
@@ -2645,6 +2657,19 @@ msgstr ""
 "aurez besoin d'un lecteur NFC. Nous enregistrons l'UID de la carte qui fait "
 "14 caractères de long."
 
+#: core/templates/core/user_preferences.jinja trombi/views.py
+msgid "Trombi"
+msgstr "Trombi"
+
+#: core/templates/core/user_preferences.jinja
+#, python-format
+msgid "You already choose to be in that Trombi: %(trombi)s."
+msgstr "Vous avez déjà choisi ce Trombi: %(trombi)s."
+
+#: core/templates/core/user_preferences.jinja
+msgid "Go to my Trombi tools"
+msgstr "Allez à mes outils de Trombi"
+
 #: core/templates/core/user_stats.jinja
 #, python-format
 msgid "%(user_name)s's stats"
@@ -2925,6 +2950,10 @@ msgstr "Photos"
 msgid "Account"
 msgstr "Compte"
 
+#: core/views/user.py
+msgid "Visibility parameters updated."
+msgstr "Paramètres de visibilité mis à jour."
+
 #: counter/apps.py counter/models.py
 msgid "counter"
 msgstr "comptoir"
@@ -2937,6 +2966,29 @@ msgstr "Cet UID est invalide"
 msgid "User not found"
 msgstr "Utilisateur non trouvé"
 
+#: counter/forms.py
+msgid "Regular barmen"
+msgstr "Barmen réguliers"
+
+#: counter/forms.py
+msgid ""
+"Barmen having regular permanences or frequently giving a hand throughout the "
+"semester."
+msgstr ""
+"Les barmen assurant des permanences régulières ou donnant régulièrement un "
+"coup de main au cours du semestre."
+
+#: counter/forms.py
+msgid "Temporary barmen"
+msgstr "Barmen temporaires"
+
+#: counter/forms.py
+msgid ""
+"Barmen who will be there only for a limited period (e.g. for one evening)"
+msgstr ""
+"Les barmen qui seront là uniquement pour une durée limitée (par exemple, le "
+"temps d'une soirée)"
+
 #: counter/forms.py
 msgid ""
 "If you want to add a product that is not owned by your club to this counter, "
@@ -2945,6 +2997,16 @@ msgstr ""
 "Si vous souhaitez ajouter sur ce comptoir un produit qui n'appartient pas à "
 "votre club, vous devriez demander à un admin."
 
+#: counter/forms.py
+#, python-format
+msgid ""
+"A user cannot be a regular and a temporary barman at the same time, but the "
+"following users have been defined as both : %(users)s"
+msgstr ""
+"Un utilisateur ne peut pas être un barman régulier et temporaire en même "
+"temps, mais les utilisateurs suivants ont été définis comme les deux : "
+"%(users)s"
+
 #: counter/forms.py
 msgid "Date and time of action"
 msgstr "Date et heure de l'action"
@@ -3193,6 +3255,10 @@ msgstr "vendeurs"
 msgid "token"
 msgstr "jeton"
 
+#: counter/models.py
+msgid "regular barman"
+msgstr "barman régulier"
+
 #: counter/models.py sith/settings.py
 msgid "Credit card"
 msgstr "Carte bancaire"
@@ -3757,6 +3823,10 @@ msgstr ""
 "votre cotisation. Si vous ne renouvelez pas votre cotisation, il n'y aura "
 "aucune conséquence autre que le retrait de l'argent de votre compte."
 
+#: counter/templates/counter/product_form.jinja
+msgid "Remove this action"
+msgstr "Retirer cette action"
+
 #: counter/templates/counter/product_form.jinja
 #, python-format
 msgid "Edit product %(name)s"
@@ -3784,6 +3854,10 @@ msgstr ""
 "Les actions automatiques vous permettent de planifier des modifications du "
 "produit à l'avance."
 
+#: counter/templates/counter/product_form.jinja
+msgid "Add action"
+msgstr "Ajouter une action"
+
 #: counter/templates/counter/product_list.jinja
 msgid "Product list"
 msgstr "Liste des produits"
@@ -3897,6 +3971,10 @@ msgstr "Temps"
 msgid "Top 100 barman %(counter_name)s (all semesters)"
 msgstr "Top 100 barman %(counter_name)s (tous les semestres)"
 
+#: counter/views/admin.py
+msgid "Counter update done"
+msgstr "Mise à jour du comptoir effectuée"
+
 #: counter/views/admin.py
 #, python-format
 msgid "%(formula)s (formula)"
@@ -5245,8 +5323,6 @@ msgid "One day"
 msgstr "Un jour"
 
 #: sith/settings.py
-#, fuzzy
-#| msgid "GA staff member"
 msgid "GA staff member"
 msgstr "Membre staff GA"
 
@@ -5791,3 +5867,39 @@ msgstr "Vous ne pouvez plus écrire de commentaires, la date est passée."
 #, python-format
 msgid "Maximum characters: %(max_length)s"
 msgstr "Nombre de caractères max: %(max_length)s"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Eurockéennes 2025 partnership"
+msgstr "Partenariat Eurockéennes 2025"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid ""
+"Our partner uses Weezevent to sell tickets. Weezevent may collect user info "
+"according to its own privacy policy. By clicking the accept button you "
+"consent to their terms of services."
+msgstr ""
+"Notre partenaire utilises Wezevent pour vendre ses billets. Weezevent peut "
+"collecter des informations utilisateur conformément à sa propre politique de "
+"confidentialité. En cliquant sur le bouton d'acceptation vous consentez à "
+"leurs termes de service."
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Privacy policy"
+msgstr "Politique de confidentialité"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid ""
+"You must be subscribed to benefit from the partnership with the Eurockéennes."
+msgstr ""
+"Vous devez être cotisant pour bénéficier du partenariat avec les "
+"Eurockéennes."
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+#, python-format
+msgid ""
+"This partnership offers a discount of up to 33%% on tickets for Friday, "
+"Saturday and Sunday, as well as the 3-day package from Friday to Sunday."
+msgstr ""
+"Ce partenariat permet de profiter d'une réduction jusqu'à 33%% sur les "
+"billets du vendredi, du samedi et du dimanche, ainsi qu'au forfait 3 jours, "
+"du vendredi au dimanche."

package.json

@@ -8,8 +8,6 @@
     "compile-dev": "vite build --mode development",
     "serve": "vite build --mode development --watch --minify false",
     "openapi": "openapi-ts",
-    "analyse-dev": "vite-bundle-visualizer --mode development",
-    "analyse-prod": "vite-bundle-visualizer --mode production",
     "check": "tsc && biome check --write"
   },
   "keywords": [],
@@ -28,29 +26,28 @@
   "devDependencies": {
     "@babel/core": "^7.29.0",
     "@babel/preset-env": "^7.29.0",
-    "@biomejs/biome": "^2.3.14",
-    "@hey-api/openapi-ts": "^0.92.4",
+    "@biomejs/biome": "^2.4.6",
+    "@hey-api/openapi-ts": "^0.94.0",
     "@rollup/plugin-inject": "^5.0.5",
     "@types/alpinejs": "^3.13.11",
     "@types/cytoscape-cxtmenu": "^3.4.5",
     "@types/cytoscape-klay": "^3.1.5",
     "@types/js-cookie": "^3.0.6",
+    "rollup-plugin-visualizer": "^7.0.1",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
-    "vite-bundle-visualizer": "^1.2.1",
-    "vite-plugin-static-copy": "^3.2.0"
+    "vite": "^8.0.0"
   },
   "dependencies": {
     "@alpinejs/sort": "^3.15.8",
     "@arendjr/text-clipper": "npm:@jsr/arendjr__text-clipper@^3.0.0",
-    "@floating-ui/dom": "^1.7.5",
+    "@floating-ui/dom": "^1.7.6",
     "@fortawesome/fontawesome-free": "^7.2.0",
     "@fullcalendar/core": "^6.1.20",
     "@fullcalendar/daygrid": "^6.1.20",
     "@fullcalendar/icalendar": "^6.1.20",
     "@fullcalendar/list": "^6.1.20",
-    "@sentry/browser": "^10.38.0",
-    "@zip.js/zip.js": "^2.8.20",
+    "@sentry/browser": "^10.43.0",
+    "@zip.js/zip.js": "^2.8.23",
     "3d-force-graph": "^1.79.1",
     "alpinejs": "^3.15.8",
     "chart.js": "^4.5.1",
@@ -60,14 +57,14 @@
     "cytoscape-klay": "^3.1.4",
     "d3-force-3d": "^3.0.6",
     "easymde": "^2.20.0",
-    "glob": "^13.0.2",
+    "glob": "^13.0.6",
     "html2canvas": "^1.4.1",
     "htmx.org": "^2.0.8",
     "js-cookie": "^3.0.5",
     "lit-html": "^3.3.2",
     "native-file-system-adapter": "^3.0.1",
-    "three": "^0.182.0",
+    "three": "^0.183.2",
     "three-spritetext": "^1.10.0",
-    "tom-select": "^2.5.1"
+    "tom-select": "^2.5.2"
   }
 }

pyproject.toml

@@ -19,7 +19,7 @@ authors = [
 license = { text = "GPL-3.0-only" }
 requires-python = "<4.0,>=3.12"
 dependencies = [
-    "django>=5.2.11,<6.0.0",
+    "django>=5.2.12,<6.0.0",
     "django-ninja>=1.5.3,<6.0.0",
     "django-ninja-extra>=0.31.0",
     "Pillow>=12.1.1,<13.0.0",
@@ -27,15 +27,15 @@ dependencies = [
     "django-jinja<3.0.0,>=2.11.0",
     "cryptography>=46.0.5,<47.0.0",
     "django-phonenumber-field>=8.4.0,<9.0.0",
-    "phonenumbers>=9.0.23,<10.0.0",
-    "reportlab>=4.4.9,<5.0.0",
+    "phonenumbers>=9.0.25,<10.0.0",
+    "reportlab>=4.4.10,<5.0.0",
     "django-haystack<4.0.0,>=3.3.0",
     "xapian-haystack<4.0.0,>=3.1.0",
     "libsass<1.0.0,>=0.23.0",
     "django-ordered-model<4.0.0,>=3.7.4",
     "django-simple-captcha<1.0.0,>=0.6.3",
     "python-dateutil<3.0.0.0,>=2.9.0.post0",
-    "sentry-sdk>=2.52.0,<3.0.0",
+    "sentry-sdk>=2.54.0,<3.0.0",
     "jinja2<4.0.0,>=3.1.6",
     "django-countries>=8.2.0,<9.0.0",
     "dict2xml>=1.7.8,<2.0.0",
@@ -51,7 +51,7 @@ dependencies = [
     "psutil>=7.2.2,<8.0.0",
     "celery[redis]>=5.6.2,<7",
     "django-celery-results>=2.5.1",
-    "django-celery-beat>=2.7.0",
+    "django-celery-beat>=2.9.0",
 ]
 
 [project.urls]
@@ -60,31 +60,31 @@ documentation = "https://sith-ae.readthedocs.io/"
 
 [dependency-groups]
 prod = [
-    "psycopg[c]>=3.3.2,<4.0.0",
+    "psycopg[c]>=3.3.3,<4.0.0",
 ]
 dev = [
     "django-debug-toolbar>=6.2.0,<7",
-    "ipython>=9.10.0,<10.0.0",
+    "ipython>=9.11.0,<10.0.0",
     "pre-commit>=4.5.1,<5.0.0",
-    "ruff>=0.15.0,<1.0.0",
+    "ruff>=0.15.5,<1.0.0",
     "djhtml>=3.0.10,<4.0.0",
-    "faker>=40.4.0,<41.0.0",
+    "faker>=40.8.0,<41.0.0",
     "rjsmin>=1.2.5,<2.0.0",
 ]
 tests = [
     "freezegun>=1.5.5,<2.0.0",
     "pytest>=9.0.2,<10.0.0",
     "pytest-cov>=7.0.0,<8.0.0",
-    "pytest-django<5.0.0,>=4.10.0",
-    "model-bakery<2.0.0,>=1.23.2",
+    "pytest-django<5.0.0,>=4.12.0",
+    "model-bakery<2.0.0,>=1.23.3",
     "beautifulsoup4>=4.14.3,<5",
     "lxml>=6.0.2,<7",
 ]
 docs = [
     "mkdocs<2.0.0,>=1.6.1",
-    "mkdocs-material>=9.7.1,<10.0.0",
+    "mkdocs-material>=9.7.5,<10.0.0",
     "mkdocstrings>=1.0.3,<2.0.0",
-    "mkdocstrings-python>=2.0.2,<3.0.0",
+    "mkdocstrings-python>=2.0.3,<3.0.0",
     "mkdocs-include-markdown-plugin>=7.2.1,<8.0.0",
 ]
 

sas/models.py

@@ -270,7 +270,11 @@ class PeoplePictureRelationQuerySet(models.QuerySet):
         if user.is_root or user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
             return self
         if user.was_subscribed:
-            return self.filter(Q(user_id=user.id) | Q(user__is_viewable=True))
+            return self.filter(
+                Q(user_id=user.id)
+                | Q(user__is_viewable=True)
+                | Q(user__whitelisted_users=user)
+            )
         return self.filter(user_id=user.id)
 
 

sas/static/bundled/sas/viewer-index.ts

@@ -1,7 +1,6 @@
 import type TomSelect from "tom-select";
 import type { UserAjaxSelect } from "#core:core/components/ajax-select-index.ts";
 import { paginated } from "#core:utils/api.ts";
-import { exportToHtml } from "#core:utils/globals.ts";
 import { History } from "#core:utils/history.ts";
 import {
   type IdentifiedUserSchema,
@@ -109,232 +108,225 @@ interface ViewerConfig {
   /** id of the first picture to load on the page */
   firstPictureId: number;
   /** if the user is sas admin */
-  userIsSasAdmin: boolean;
+  userCanModerate: boolean;
 }
 
 /**
  * Load user picture page with a nice download bar
  **/
-exportToHtml("loadViewer", (config: ViewerConfig) => {
-  document.addEventListener("alpine:init", () => {
-    Alpine.data("picture_viewer", () => ({
-      /**
-       * All the pictures that can be displayed on this picture viewer
-       **/
-      pictures: [] as PictureWithIdentifications[],
-      /**
-       * The currently displayed picture
-       * Default dummy data are pre-loaded to avoid javascript error
-       * when loading the page at the beginning
-       * @type PictureWithIdentifications
-       **/
-      currentPicture: {
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        is_moderated: true,
-        id: null as number,
-        name: "",
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        display_name: "",
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        compressed_url: "",
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        profile_url: "",
-        // biome-ignore lint/style/useNamingConvention: api is in snake_case
-        full_size_url: "",
-        owner: "",
-        date: new Date(),
-        identifications: [] as IdentifiedUserSchema[],
-      },
-      /**
-       * The picture which will be displayed next if the user press the "next" button
-       **/
-      nextPicture: null as PictureWithIdentifications,
-      /**
-       * The picture which will be displayed next if the user press the "previous" button
-       **/
-      previousPicture: null as PictureWithIdentifications,
-      /**
-       * The select2 component used to identify users
-       **/
-      selector: undefined as UserAjaxSelect,
-      /**
-       * Error message when a moderation operation fails
-       **/
-      moderationError: "",
-      /**
-       * Method of pushing new url to the browser history
-       * Used by popstate event and always reset to it's default value when used
-       **/
-      pushstate: History.Push,
+document.addEventListener("alpine:init", () => {
+  Alpine.data("picture_viewer", (config: ViewerConfig) => ({
+    /**
+     * All the pictures that can be displayed on this picture viewer
+     **/
+    pictures: [] as PictureWithIdentifications[],
+    /**
+     * The currently displayed picture
+     * Default dummy data are pre-loaded to avoid javascript error
+     * when loading the page at the beginning
+     * @type PictureWithIdentifications
+     **/
+    currentPicture: {
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      is_moderated: true,
+      id: null as number,
+      name: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      display_name: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      compressed_url: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      profile_url: "",
+      // biome-ignore lint/style/useNamingConvention: api is in snake_case
+      full_size_url: "",
+      owner: "",
+      date: new Date(),
+      identifications: [] as IdentifiedUserSchema[],
+    },
+    /**
+     * The picture which will be displayed next if the user press the "next" button
+     **/
+    nextPicture: null as PictureWithIdentifications,
+    /**
+     * The picture which will be displayed next if the user press the "previous" button
+     **/
+    previousPicture: null as PictureWithIdentifications,
+    /**
+     * The select2 component used to identify users
+     **/
+    selector: undefined as UserAjaxSelect,
+    /**
+     * Error message when a moderation operation fails
+     **/
+    moderationError: "",
+    /**
+     * Method of pushing new url to the browser history
+     * Used by popstate event and always reset to it's default value when used
+     **/
+    pushstate: History.Push,
 
-      async init() {
-        this.pictures = (
-          await paginated(picturesFetchPictures, {
-            // biome-ignore lint/style/useNamingConvention: api is in snake_case
-            query: { album_id: config.albumId },
-          } as PicturesFetchPicturesData)
-        ).map(PictureWithIdentifications.fromPicture);
-        this.selector = this.$refs.search;
-        this.selector.setFilter((users: UserProfileSchema[]) => {
-          const resp: UserProfileSchema[] = [];
-          const ids = [
-            ...(this.currentPicture.identifications || []).map(
-              (i: IdentifiedUserSchema) => i.user.id,
-            ),
-          ];
-          for (const user of users) {
-            if (!ids.includes(user.id)) {
-              resp.push(user);
-            }
+    async init() {
+      this.pictures = (
+        await paginated(picturesFetchPictures, {
+          // biome-ignore lint/style/useNamingConvention: api is in snake_case
+          query: { album_id: config.albumId },
+        } as PicturesFetchPicturesData)
+      ).map(PictureWithIdentifications.fromPicture);
+      this.selector = this.$refs.search;
+      this.selector.setFilter((users: UserProfileSchema[]) => {
+        const resp: UserProfileSchema[] = [];
+        const ids = [
+          ...(this.currentPicture.identifications || []).map(
+            (i: IdentifiedUserSchema) => i.user.id,
+          ),
+        ];
+        for (const user of users) {
+          if (!ids.includes(user.id)) {
+            resp.push(user);
           }
-          return resp;
-        });
-        this.currentPicture = this.pictures.find(
-          (i: PictureSchema) => i.id === config.firstPictureId,
-        );
-        this.$watch(
-          "currentPicture",
-          (current: PictureSchema, previous: PictureSchema) => {
-            if (current === previous) {
-              /* Avoid recursive updates */
-              return;
-            }
-            this.updatePicture();
-          },
-        );
-        window.addEventListener("popstate", async (event) => {
-          if (!event.state || event.state.sasPictureId === undefined) {
+        }
+        return resp;
+      });
+      this.currentPicture = this.pictures.find(
+        (i: PictureSchema) => i.id === config.firstPictureId,
+      );
+      this.$watch(
+        "currentPicture",
+        (current: PictureSchema, previous: PictureSchema) => {
+          if (current === previous) {
+            /* Avoid recursive updates */
             return;
           }
-          this.pushstate = History.Replace;
-          this.currentPicture = this.pictures.find(
-            (i: PictureSchema) =>
-              i.id === Number.parseInt(event.state.sasPictureId, 10),
-          );
-        });
-        this.pushstate = History.Replace; /* Avoid first url push */
-        await this.updatePicture();
-      },
-
-      /**
-       * Update the page.
-       * Called when the `currentPicture` property changes.
-       *
-       * The url is modified without reloading the page,
-       * and the previous picture, the next picture and
-       * the list of identified users are updated.
-       */
-      async updatePicture(): Promise<void> {
-        const updateArgs = {
-          data: { sasPictureId: this.currentPicture.id },
-          unused: "",
-          url: this.currentPicture.sas_url,
-        };
-        if (this.pushstate === History.Replace) {
-          window.history.replaceState(
-            updateArgs.data,
-            updateArgs.unused,
-            updateArgs.url,
-          );
-          this.pushstate = History.Push;
-        } else {
-          window.history.pushState(updateArgs.data, updateArgs.unused, updateArgs.url);
-        }
-
-        this.moderationError = "";
-        const index: number = this.pictures.indexOf(this.currentPicture);
-        this.previousPicture = this.pictures[index - 1] || null;
-        this.nextPicture = this.pictures[index + 1] || null;
-        this.$refs.mainPicture?.addEventListener("load", () => {
-          // once the current picture is loaded,
-          // start preloading the next and previous pictures
-          this.nextPicture?.preload();
-          this.previousPicture?.preload();
-        });
-        if (this.currentPicture.asked_for_removal && config.userIsSasAdmin) {
-          await Promise.all([
-            this.currentPicture.loadIdentifications(),
-            this.currentPicture.loadModeration(),
-          ]);
-        } else {
-          await this.currentPicture.loadIdentifications();
-        }
-      },
-
-      async moderatePicture() {
-        const res = await picturesModeratePicture({
-          // biome-ignore lint/style/useNamingConvention: api is in snake_case
-          path: { picture_id: this.currentPicture.id },
-        });
-        if (res.error) {
-          this.moderationError = `${gettext("Couldn't moderate picture")} : ${(res.error as { detail: string }).detail}`;
+          this.updatePicture();
+        },
+      );
+      window.addEventListener("popstate", async (event) => {
+        if (!event.state || event.state.sasPictureId === undefined) {
           return;
         }
-        this.currentPicture.is_moderated = true;
-        this.currentPicture.asked_for_removal = false;
-      },
+        this.pushstate = History.Replace;
+        this.currentPicture = this.pictures.find(
+          (i: PictureSchema) => i.id === Number.parseInt(event.state.sasPictureId, 10),
+        );
+      });
+      this.pushstate = History.Replace; /* Avoid first url push */
+      await this.updatePicture();
+    },
 
-      async deletePicture() {
-        const res = await picturesDeletePicture({
+    /**
+     * Update the page.
+     * Called when the `currentPicture` property changes.
+     *
+     * The url is modified without reloading the page,
+     * and the previous picture, the next picture and
+     * the list of identified users are updated.
+     */
+    async updatePicture(): Promise<void> {
+      const updateArgs = {
+        data: { sasPictureId: this.currentPicture.id },
+        unused: "",
+        url: this.currentPicture.sas_url,
+      };
+      if (this.pushstate === History.Replace) {
+        window.history.replaceState(updateArgs.data, updateArgs.unused, updateArgs.url);
+        this.pushstate = History.Push;
+      } else {
+        window.history.pushState(updateArgs.data, updateArgs.unused, updateArgs.url);
+      }
+
+      this.moderationError = "";
+      const index: number = this.pictures.indexOf(this.currentPicture);
+      this.previousPicture = this.pictures[index - 1] || null;
+      this.nextPicture = this.pictures[index + 1] || null;
+      this.$refs.mainPicture?.addEventListener("load", () => {
+        // once the current picture is loaded,
+        // start preloading the next and previous pictures
+        this.nextPicture?.preload();
+        this.previousPicture?.preload();
+      });
+      if (this.currentPicture.asked_for_removal && config.userCanModerate) {
+        await Promise.all([
+          this.currentPicture.loadIdentifications(),
+          this.currentPicture.loadModeration(),
+        ]);
+      } else {
+        await this.currentPicture.loadIdentifications();
+      }
+    },
+
+    async moderatePicture() {
+      const res = await picturesModeratePicture({
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+        path: { picture_id: this.currentPicture.id },
+      });
+      if (res.error) {
+        this.moderationError = `${gettext("Couldn't moderate picture")} : ${(res.error as { detail: string }).detail}`;
+        return;
+      }
+      this.currentPicture.is_moderated = true;
+      this.currentPicture.asked_for_removal = false;
+    },
+
+    async deletePicture() {
+      const res = await picturesDeletePicture({
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+        path: { picture_id: this.currentPicture.id },
+      });
+      if (res.error) {
+        this.moderationError = `${gettext("Couldn't delete picture")} : ${(res.error as { detail: string }).detail}`;
+        return;
+      }
+      this.pictures.splice(this.pictures.indexOf(this.currentPicture), 1);
+      if (this.pictures.length === 0) {
+        // The deleted picture was the only one in the list.
+        // As the album is now empty, go back to the parent page
+        document.location.href = config.albumUrl;
+      }
+      this.currentPicture = this.nextPicture || this.previousPicture;
+    },
+
+    /**
+     * Send the identification request and update the list of identified users.
+     */
+    async submitIdentification(): Promise<void> {
+      const widget: TomSelect = this.selector.widget;
+      await picturesIdentifyUsers({
+        path: {
           // biome-ignore lint/style/useNamingConvention: api is in snake_case
-          path: { picture_id: this.currentPicture.id },
-        });
-        if (res.error) {
-          this.moderationError = `${gettext("Couldn't delete picture")} : ${(res.error as { detail: string }).detail}`;
-          return;
-        }
-        this.pictures.splice(this.pictures.indexOf(this.currentPicture), 1);
-        if (this.pictures.length === 0) {
-          // The deleted picture was the only one in the list.
-          // As the album is now empty, go back to the parent page
-          document.location.href = config.albumUrl;
-        }
-        this.currentPicture = this.nextPicture || this.previousPicture;
-      },
+          picture_id: this.currentPicture.id,
+        },
+        body: widget.items.map((i: string) => Number.parseInt(i, 10)),
+      });
+      // refresh the identified users list
+      await this.currentPicture.loadIdentifications({ forceReload: true });
 
-      /**
-       * Send the identification request and update the list of identified users.
-       */
-      async submitIdentification(): Promise<void> {
-        const widget: TomSelect = this.selector.widget;
-        await picturesIdentifyUsers({
-          path: {
-            // biome-ignore lint/style/useNamingConvention: api is in snake_case
-            picture_id: this.currentPicture.id,
-          },
-          body: widget.items.map((i: string) => Number.parseInt(i, 10)),
-        });
-        // refresh the identified users list
-        await this.currentPicture.loadIdentifications({ forceReload: true });
+      // Clear selection and cache of retrieved user so they can be filtered again
+      widget.clear(false);
+      widget.clearOptions();
+      widget.setTextboxValue("");
+    },
 
-        // Clear selection and cache of retrieved user so they can be filtered again
-        widget.clear(false);
-        widget.clearOptions();
-        widget.setTextboxValue("");
-      },
+    /**
+     * Check if an identification can be removed by the currently logged user
+     */
+    canBeRemoved(identification: IdentifiedUserSchema): boolean {
+      return config.userCanModerate || identification.user.id === config.userId;
+    },
 
-      /**
-       * Check if an identification can be removed by the currently logged user
-       */
-      canBeRemoved(identification: IdentifiedUserSchema): boolean {
-        return config.userIsSasAdmin || identification.user.id === config.userId;
-      },
-
-      /**
-       * Untag a user from the current picture
-       */
-      async removeIdentification(identification: IdentifiedUserSchema): Promise<void> {
-        const res = await usersidentifiedDeleteRelation({
-          // biome-ignore lint/style/useNamingConvention: api is in snake_case
-          path: { relation_id: identification.id },
-        });
-        if (!res.error && Array.isArray(this.currentPicture.identifications)) {
-          this.currentPicture.identifications =
-            this.currentPicture.identifications.filter(
-              (i: IdentifiedUserSchema) => i.id !== identification.id,
-            );
-        }
-      },
-    }));
-  });
+    /**
+     * Untag a user from the current picture
+     */
+    async removeIdentification(identification: IdentifiedUserSchema): Promise<void> {
+      const res = await usersidentifiedDeleteRelation({
+        // biome-ignore lint/style/useNamingConvention: api is in snake_case
+        path: { relation_id: identification.id },
+      });
+      if (!res.error && Array.isArray(this.currentPicture.identifications)) {
+        this.currentPicture.identifications =
+          this.currentPicture.identifications.filter(
+            (i: IdentifiedUserSchema) => i.id !== identification.id,
+          );
+      }
+    },
+  }));
 });

sas/templates/sas/picture.jinja

@@ -17,10 +17,8 @@
 
 {% from "sas/macros.jinja" import print_path %}
 
-{% set user_is_sas_admin = user.is_root or user.is_in_group(pk = settings.SITH_GROUP_SAS_ADMIN_ID) %}
-
 {% block content %}
-  <main x-data="picture_viewer">
+  <main x-data="picture_viewer(config)">
     <code>
       <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album) }} <span x-text="currentPicture.name"></span>
     </code>
@@ -50,15 +48,13 @@
               It will be hidden to other users until it has been moderated.
             {% endtrans %}
           </p>
-          {% if user_is_sas_admin %}
+          {% if user.has_perm("sas.moderate_sasfile") %}
             <template x-if="currentPicture.asked_for_removal">
               <div>
                 <h5>{% trans %}The following issues have been raised:{% endtrans %}</h5>
                 <template x-for="req in (currentPicture.moderationRequests ?? [])" :key="req.id">
                   <div>
-                    <h6
-                      x-text="`${req.author.first_name} ${req.author.last_name}`"
-                    ></h6>
+                    <h6 x-text="`${req.author.first_name} ${req.author.last_name}`"></h6>
                     <i x-text="Intl.DateTimeFormat(
                                '{{ LANGUAGE_CODE }}',
                                {dateStyle: 'long', timeStyle: 'short'}
@@ -70,7 +66,7 @@
             </template>
           {% endif %}
         </div>
-        {% if user_is_sas_admin %}
+        {% if user.has_perm("sas.moderate_sasfile") %}
           <div class="alert-aside">
             <button class="btn btn-blue" @click="moderatePicture()">
               {% trans %}Moderate{% endtrans %}
@@ -204,16 +200,13 @@
 {% endblock %}
 
 {% block script %}
-  {{ super() }}
   <script>
-    window.addEventListener("DOMContentLoaded", () => {
-      loadViewer({
-        albumId: {{ album.id }} ,
-        albumUrl: "{{ album.get_absolute_url() }}",
-        firstPictureId: {{ picture.id }},  {# id of the first picture to show after page load #}
-        userId: {{ user.id }},
-        userIsSasAdmin: {{ user_is_sas_admin|tojson }}
-      });
-    })
+    const config = {
+      albumId: {{ album.id }},
+      albumUrl: "{{ album.get_absolute_url() }}",
+      firstPictureId: {{ picture.id }},  {# id of the first picture to show after page load #}
+      userId: {{ user.id }},
+      userCanModerate: {{ user.has_perm("sas.moderate_sasfile")|tojson }}
+    }
   </script>
 {% endblock %}

sas/tests/test_views.py

@@ -161,16 +161,22 @@ class TestSasModeration(TestCase):
         assert len(res.context_data["pictures"]) == 1
         assert res.context_data["pictures"][0] == self.to_moderate
 
-        res = self.client.post(
-            reverse("sas:moderation"),
-            data={"album_id": self.to_moderate.id, "picture_id": self.to_moderate.id},
-        )
-
     def test_moderation_page_forbidden(self):
         self.client.force_login(self.simple_user)
         res = self.client.get(reverse("sas:moderation"))
         assert res.status_code == 403
 
+    def test_moderate_album(self):
+        self.client.force_login(self.moderator)
+        url = reverse("sas:moderation")
+        album = baker.make(
+            Album, is_moderated=False, parent_id=settings.SITH_SAS_ROOT_DIR_ID
+        )
+        res = self.client.post(url, data={"album_id": album.id, "moderate": ""})
+        assertRedirects(res, url)
+        album.refresh_from_db()
+        assert album.is_moderated
+
     def test_moderate_picture(self):
         self.client.force_login(self.moderator)
         res = self.client.get(

sas/views.py

@@ -15,10 +15,10 @@
 from typing import Any
 
 from django.conf import settings
-from django.core.exceptions import PermissionDenied
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.db.models import Count, OuterRef, Subquery
 from django.http import Http404, HttpResponseRedirect
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.safestring import SafeString
 from django.views.generic import CreateView, DetailView, TemplateView
@@ -191,26 +191,21 @@ class UserPicturesView(UserTabsMixin, CanViewMixin, DetailView):
 # Admin views
 
 
-class ModerationView(TemplateView):
+class ModerationView(PermissionRequiredMixin, TemplateView):
     template_name = "sas/moderation.jinja"
-
-    def get(self, request, *args, **kwargs):
-        if request.user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
-            return super().get(request, *args, **kwargs)
-        raise PermissionDenied
+    permission_required = "sas.moderate_sasfile"
 
     def post(self, request, *args, **kwargs):
         if "album_id" not in request.POST:
             raise Http404
-        if request.user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
-            album = get_object_or_404(Album, pk=request.POST["album_id"])
-            if "moderate" in request.POST:
-                album.moderator = request.user
-                album.is_moderated = True
-                album.save()
-            elif "delete" in request.POST:
-                album.delete()
-        return super().get(request, *args, **kwargs)
+        album = get_object_or_404(Album, pk=request.POST["album_id"])
+        if "moderate" in request.POST:
+            album.moderator = request.user
+            album.is_moderated = True
+            album.save()
+        elif "delete" in request.POST:
+            album.delete()
+        return redirect(self.request.path)
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)

sith/settings.py

@@ -355,7 +355,6 @@ SITH_TWITTER = "@ae_utbm"
 # AE configuration
 SITH_MAIN_CLUB_ID = env.int("SITH_MAIN_CLUB_ID", default=1)
 SITH_PDF_CLUB_ID = env.int("SITH_PDF_CLUB_ID", default=2)
-SITH_LAUNDERETTE_CLUB_ID = env.int("SITH_LAUNDERETTE_CLUB_ID", default=84)
 
 # Main root for club pages
 SITH_CLUB_ROOT_PAGE = "clubs"
@@ -483,13 +482,6 @@ SITH_LOG_OPERATION_TYPE = [
 
 SITH_PEDAGOGY_UTBM_API = "https://extranet1.utbm.fr/gpedago/api/guide"
 
-SITH_ECOCUP_CONS = env.int("SITH_ECOCUP_CONS", default=1151)
-
-SITH_ECOCUP_DECO = env.int("SITH_ECOCUP_DECO", default=1152)
-
-# The limit is the maximum difference between cons and deco possible for a customer
-SITH_ECOCUP_LIMIT = 3
-
 # Defines pagination for cash summary
 SITH_COUNTER_CASH_SUMMARY_LENGTH = 50
 
@@ -512,7 +504,6 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = env.int(
 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = env.int(
     "SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS", default=2
 )
-SITH_PRODUCTTYPE_SUBSCRIPTION = env.int("SITH_PRODUCTTYPE_SUBSCRIPTION", default=2)
 
 # Number of weeks before the end of a subscription when the subscriber can resubscribe
 SITH_SUBSCRIPTION_END = 10
@@ -551,27 +542,27 @@ SITH_SUBSCRIPTIONS = {
     # Discount subscriptions
     "un-semestre-reduction": {
         "name": _("One semester (-20%)"),
-        "price": 12,
+        "price": 16,
         "duration": 1,
     },
     "deux-semestres-reduction": {
         "name": _("Two semesters (-20%)"),
-        "price": 22,
+        "price": 28,
         "duration": 2,
     },
     "cursus-tronc-commun-reduction": {
         "name": _("Common core cursus (-20%)"),
-        "price": 36,
+        "price": 48,
         "duration": 4,
     },
     "cursus-branche-reduction": {
         "name": _("Branch cursus (-20%)"),
-        "price": 36,
+        "price": 48,
         "duration": 6,
     },
     "cursus-alternant-reduction": {
         "name": _("Alternating cursus (-20%)"),
-        "price": 24,
+        "price": 28,
         "duration": 6,
     },
     # CA special offer

subscription/templates/subscription/subscription.jinja

@@ -6,14 +6,8 @@
   {% trans %}New subscription{% endtrans %}
 {% endblock %}
 
-{# The following statics are bundled with our autocomplete select.
-   However, if one tries to swap a form by another, then the urls in script-once
-   and link-once disappear.
-   So we give them here.
-   If the aforementioned bug is resolved, you can remove this. #}
 {% block additional_js %}
   <script type="module" src="{{ static('bundled/core/components/tabs-index.ts') }}"></script>
-  <script type="module" src="{{ static("bundled/core/components/ajax-select-index.ts") }}"></script>
   <script
     type="module"
     src="{{ static("bundled/subscription/creation-form-existing-user-index.ts") }}"
@@ -21,8 +15,6 @@
 {% endblock %}
 {% block additional_css %}
   <link rel="stylesheet" href="{{ static("core/components/tabs.scss") }}">
-  <link rel="stylesheet" href="{{ static("bundled/core/components/ajax-select-index.css") }}">
-  <link rel="stylesheet" href="{{ static("core/components/ajax-select.scss") }}">
   <link rel="stylesheet" href="{{ static("subscription/css/subscription.scss") }}">
 {% endblock %}
 

vite.config.mts

@@ -1,14 +1,17 @@
-// biome-ignore lint/correctness/noNodejsModules: this is backend side
 import { parse, resolve } from "node:path";
 import inject from "@rollup/plugin-inject";
 import { glob } from "glob";
-import type { Rollup } from "vite";
-import { type AliasOptions, defineConfig, type UserConfig } from "vite";
+import { visualizer } from "rollup-plugin-visualizer";
+import {
+  type AliasOptions,
+  defineConfig,
+  type PluginOption,
+  type Rollup,
+  type UserConfig,
+} from "vite";
 import tsconfig from "./tsconfig.json";
 
 const outDir = resolve(__dirname, "./staticfiles/generated/bundled");
-const vendored = resolve(outDir, "vendored");
-const nodeModules = resolve(__dirname, "node_modules");
 const collectedFiles = glob.sync(
   "./!(static)/static/bundled/**/*?(-)index.?(m)[j|t]s?(x)",
 );
@@ -42,7 +45,6 @@ function getRelativeAssetPath(path: string): string {
   return relativePath.join("/");
 }
 
-// biome-ignore lint/style/noDefaultExport: this is recommended by documentation
 export default defineConfig((config: UserConfig) => {
   return {
     base: "/static/bundled/",
@@ -86,6 +88,7 @@ export default defineConfig((config: UserConfig) => {
         Alpine: "alpinejs",
         htmx: "htmx.org",
       }),
+      visualizer({ filename: ".bundle-size-report.html" }) as PluginOption,
     ],
   } satisfies UserConfig;
 });