translation: third-party authentication

C'est pas la branche la plus appropriée, mais ça gène mon debug de devoir scroller plus longtemps dans l'html des réponses à cause de la place que prennent les notifs.

api/admin.py

@@ -17,6 +17,15 @@ class ApiClientAdmin(admin.ModelAdmin):
         "owner__nick_name",
     )
     autocomplete_fields = ("owner", "groups", "client_permissions")
+    readonly_fields = ("hmac_key",)
+    actions = ("reset_hmac_key",)
+
+    @admin.action(permissions=["change"], description=_("Reset HMAC key"))
+    def reset_hmac_key(self, _request: HttpRequest, queryset: QuerySet[ApiClient]):
+        objs = list(queryset)
+        for obj in objs:
+            obj.reset_hmac(commit=False)
+        ApiClient.objects.bulk_update(objs, fields=["hmac_key"])
 
 
 @admin.register(ApiKey)

api/api.py

@@ -0,0 +1,16 @@
+from ninja_extra import ControllerBase, api_controller, route
+
+from api.auth import ApiKeyAuth
+from api.schemas import ApiClientSchema
+
+
+@api_controller("/client")
+class ApiClientController(ControllerBase):
+    @route.get(
+        "/me",
+        auth=[ApiKeyAuth()],
+        response=ApiClientSchema,
+        url_name="api-client-infos",
+    )
+    def get_client_info(self):
+        return self.context.request.auth

api/forms.py

@@ -0,0 +1,35 @@
+from django import forms
+from django.forms import HiddenInput
+from django.utils.translation import gettext_lazy as _
+
+
+class ThirdPartyAuthForm(forms.Form):
+    """Form to complete to authenticate on the sith from a third-party app.
+
+    For the form to be valid, the user approve the EULA (french: CGU)
+    and give its username from the third-party app.
+    """
+
+    cgu_accepted = forms.BooleanField(
+        required=True,
+        label=_("I have read and I accept the terms and conditions of use"),
+        error_messages={
+            "required": _("You must approve the terms and conditions of use.")
+        },
+    )
+    is_username_valid = forms.BooleanField(
+        required=True,
+        error_messages={"required": _("You must confirm that this is your username.")},
+    )
+    client_id = forms.IntegerField(widget=HiddenInput())
+    third_party_app = forms.CharField(widget=HiddenInput())
+    cgu_link = forms.URLField(widget=HiddenInput())
+    username = forms.CharField(widget=HiddenInput())
+    callback_url = forms.URLField(widget=HiddenInput())
+    signature = forms.CharField(widget=HiddenInput())
+
+    def __init__(self, *args, label_suffix: str = "", initial, **kwargs):
+        super().__init__(*args, label_suffix=label_suffix, initial=initial, **kwargs)
+        self.fields["is_username_valid"].label = _(
+            "I confirm that %(username)s is my username on %(app)s"
+        ) % {"username": initial.get("username"), "app": initial.get("third_party_app")}

api/migrations/0002_apiclient_hmac_key.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.3 on 2025-10-26 10:15
+
+from django.db import migrations, models
+
+import api.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("api", "0001_initial")]
+
+    operations = [
+        migrations.AddField(
+            model_name="apiclient",
+            name="hmac_key",
+            field=models.CharField(
+                default=api.models.get_hmac_key, max_length=128, verbose_name="HMAC Key"
+            ),
+        ),
+    ]

api/models.py

@@ -1,13 +1,20 @@
+import secrets
 from typing import Iterable
 
 from django.contrib.auth.models import Permission
 from django.db import models
+from django.db.models import Q
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import pgettext_lazy
 
 from core.models import Group, User
 
 
+def get_hmac_key():
+    return secrets.token_hex(64)
+
+
 class ApiClient(models.Model):
     name = models.CharField(_("name"), max_length=64)
     owner = models.ForeignKey(
@@ -26,11 +33,10 @@ class ApiClient(models.Model):
         help_text=_("Specific permissions for this api client."),
         related_name="clients",
     )
+    hmac_key = models.CharField(_("HMAC Key"), max_length=128, default=get_hmac_key)
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
-    _perm_cache: set[str] | None = None
-
     class Meta:
         verbose_name = _("api client")
         verbose_name_plural = _("api clients")
@@ -38,33 +44,34 @@ class ApiClient(models.Model):
     def __str__(self):
         return self.name
 
+    @cached_property
+    def all_permissions(self) -> set[str]:
+        permissions = (
+            Permission.objects.filter(
+                Q(group__group__in=self.groups.all()) | Q(clients=self)
+            )
+            .values_list("content_type__app_label", "codename")
+            .order_by()
+        )
+        return {f"{content_type}.{name}" for content_type, name in permissions}
+
     def has_perm(self, perm: str):
         """Return True if the client has the specified permission."""
+        return perm in self.all_permissions
 
-        if self._perm_cache is None:
-            group_permissions = (
-                Permission.objects.filter(group__group__in=self.groups.all())
-                .values_list("content_type__app_label", "codename")
-                .order_by()
-            )
-            client_permissions = self.client_permissions.values_list(
-                "content_type__app_label", "codename"
-            ).order_by()
-            self._perm_cache = {
-                f"{content_type}.{name}"
-                for content_type, name in (*group_permissions, *client_permissions)
-            }
-        return perm in self._perm_cache
-
-    def has_perms(self, perm_list):
-        """
-        Return True if the client has each of the specified permissions. If
-        object is passed, check if the client has all required perms for it.
-        """
+    def has_perms(self, perm_list: Iterable[str]) -> bool:
+        """Return True if the client has each of the specified permissions."""
         if not isinstance(perm_list, Iterable) or isinstance(perm_list, str):
             raise ValueError("perm_list must be an iterable of permissions.")
         return all(self.has_perm(perm) for perm in perm_list)
 
+    def reset_hmac(self, *, commit: bool = True) -> str:
+        """Reset and return the HMAC key for this client."""
+        self.hmac_key = get_hmac_key()
+        if commit:
+            self.save()
+        return self.hmac_key
+
 
 class ApiKey(models.Model):
     PREFIX_LENGTH = 5

api/schemas.py

@@ -0,0 +1,14 @@
+from ninja import ModelSchema
+from pydantic import Field
+
+from api.models import ApiClient
+from core.schemas import SimpleUserSchema
+
+
+class ApiClientSchema(ModelSchema):
+    class Meta:
+        model = ApiClient
+        fields = ["id", "name"]
+
+    owner: SimpleUserSchema
+    permissions: list[str] = Field(alias="all_permissions")

api/templates/api/third_party/auth.jinja

@@ -0,0 +1,32 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  <form method="post">
+    {% csrf_token %}
+    <h3>{% trans %}Confidentiality{% endtrans %}</h3>
+    <p>
+      {% trans trimmed app=third_party_app %}
+        By ticking this box and clicking on the send button, you
+        acknowledge and agree to provide {{ app }} with your
+        first name, last name, nickname and any other information
+        that was the third party app was explicitly authorized to fetch
+        and that it must have acknowledged to you, in a complete and accurate manner.
+      {% endtrans %}
+    </p>
+    <p class="margin-bottom">
+      {% trans trimmed app=third_party_app, cgu_link=third_party_cgu, sith_cgu_link=sith_cgu %}
+        The privacy policies of <a href="{{ cgu_link }}">{{ app }}</a>
+        and of <a href="{{ sith_cgu_link }}">the Students' Association</a>
+        applies as soon as the form is submitted.
+      {% endtrans %}
+    </p>
+    <div class="row">{{ form.cgu_accepted }} {{ form.cgu_accepted.label_tag() }}</div>
+    <br>
+    <h3 class="margin-bottom">{% trans %}Confirmation of identity{% endtrans %}</h3>
+    <div class="row margin-bottom">
+      {{ form.is_username_valid }} {{ form.is_username_valid.label_tag() }}
+    </div>
+    {% for field in form.hidden_fields() %}{{ field }}{% endfor %}
+    <input type="submit" class="btn btn-blue">
+  </form>
+{% endblock %}

api/tests/test_admin.py

@@ -0,0 +1,24 @@
+import pytest
+from django.contrib.admin import AdminSite
+from django.http import HttpRequest
+from model_bakery import baker
+from pytest_django.asserts import assertNumQueries
+
+from api.admin import ApiClientAdmin
+from api.models import ApiClient
+
+
+@pytest.mark.django_db
+def test_reset_hmac_action():
+    client_admin = ApiClientAdmin(ApiClient, AdminSite())
+    api_clients = baker.make(ApiClient, _quantity=4, _bulk_create=True)
+    old_hmac_keys = [c.hmac_key for c in api_clients]
+    with assertNumQueries(2):
+        qs = ApiClient.objects.filter(id__in=[c.id for c in api_clients[2:4]])
+        client_admin.reset_hmac_key(HttpRequest(), qs)
+    for c in api_clients:
+        c.refresh_from_db()
+    assert api_clients[0].hmac_key == old_hmac_keys[0]
+    assert api_clients[1].hmac_key == old_hmac_keys[1]
+    assert api_clients[2].hmac_key != old_hmac_keys[2]
+    assert api_clients[3].hmac_key != old_hmac_keys[3]

api/tests/test_api_client_controller.py

@@ -0,0 +1,18 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from api.hashers import generate_key
+from api.models import ApiClient, ApiKey
+from api.schemas import ApiClientSchema
+
+
+@pytest.mark.django_db
+def test_api_client_controller(client: Client):
+    key, hashed = generate_key()
+    api_client = baker.make(ApiClient)
+    baker.make(ApiKey, client=api_client, hashed_key=hashed)
+    res = client.get(reverse("api:api-client-infos"), headers={"X-APIKey": key})
+    assert res.status_code == 200
+    assert res.json() == ApiClientSchema.from_orm(api_client).model_dump()

api/tests/test_client.py

@@ -0,0 +1,59 @@
+import pytest
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from api.models import ApiClient
+from core.models import Group
+
+
+class TestClientPermissions(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.api_client = baker.make(ApiClient)
+        cls.perms = baker.make(Permission, _quantity=10, _bulk_create=True)
+        cls.api_client.groups.set(
+            [
+                baker.make(Group, permissions=cls.perms[0:3]),
+                baker.make(Group, permissions=cls.perms[3:5]),
+            ]
+        )
+        cls.api_client.client_permissions.set(
+            [cls.perms[3], cls.perms[5], cls.perms[6], cls.perms[7]]
+        )
+
+    def test_all_permissions(self):
+        assert self.api_client.all_permissions == {
+            f"{p.content_type.app_label}.{p.codename}" for p in self.perms[0:8]
+        }
+
+    def test_has_perm(self):
+        assert self.api_client.has_perm(
+            f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}"
+        )
+        assert not self.api_client.has_perm(
+            f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}"
+        )
+
+    def test_has_perms(self):
+        assert self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[2].content_type.app_label}.{self.perms[2].codename}",
+            ]
+        )
+        assert not self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}",
+            ],
+        )
+
+
+@pytest.mark.django_db
+def test_reset_hmac_key():
+    client = baker.make(ApiClient)
+    original_key = client.hmac_key
+    client.reset_hmac(commit=True)
+    assert len(client.hmac_key) == len(original_key)
+    assert client.hmac_key != original_key

api/tests/test_third_party_auth.py

@@ -0,0 +1,111 @@
+from unittest import mock
+from unittest.mock import Mock
+
+from django.db.models import Max
+from django.test import TestCase
+from django.urls import reverse
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from api.models import ApiClient, get_hmac_key
+from core.baker_recipes import subscriber_user
+from core.utils import hmac_hexdigest
+
+
+def mocked_post(*, ok: bool):
+    class MockedResponse(Mock):
+        @property
+        def ok(self):
+            return ok
+
+    def mocked():
+        return MockedResponse()
+
+    return mocked
+
+
+class TestThirdPartyAuth(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        cls.api_client = baker.make(ApiClient)
+
+    def setUp(self):
+        self.query = {
+            "client_id": self.api_client.id,
+            "third_party_app": "app",
+            "cgu_link": "https://foobar.fr/",
+            "username": "bibou",
+            "callback_url": "https://callback.fr/",
+        }
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        self.callback_data = {"user_id": self.user.id}
+        self.callback_data["signature"] = hmac_hexdigest(
+            self.api_client.hmac_key, self.callback_data
+        )
+
+    def test_auth_ok(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        with mock.patch("requests.post", new_callable=mocked_post(ok=True)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], data=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "success"}),
+        )
+
+    def test_callback_error(self):
+        """Test that the user see the failure page if the callback request failed."""
+        self.client.force_login(self.user)
+        with mock.patch("requests.post", new_callable=mocked_post(ok=False)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], data=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "failure"}),
+        )
+
+    def test_wrong_signature(self):
+        """Test that a 403 is raised if the signature of the query is wrong."""
+        self.client.force_login(subscriber_user.make())
+        new_key = get_hmac_key()
+        del self.query["signature"]
+        self.query["signature"] = hmac_hexdigest(new_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_cgu_not_accepted(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        res = self.client.post(reverse("api-link:third-party-auth"), data=self.query)
+        assert res.status_code == 200  # no redirect means invalid form
+        res = self.client.post(
+            reverse("api-link:third-party-auth"),
+            data={"cgu_accepted": False, "is_username_valid": False, **self.query},
+        )
+        assert res.status_code == 200
+
+    def test_invalid_client(self):
+        self.query["client_id"] = ApiClient.objects.aggregate(res=Max("id"))["res"] + 1
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_missing_parameter(self):
+        """Test that a 403 is raised if there is a missing parameter."""
+        del self.query["username"]
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403

api/urls.py

@@ -1,5 +1,9 @@
+from django.urls import path, register_converter
 from ninja_extra import NinjaExtraAPI
 
+from api.views import ThirdPartyAuthResultView, ThirdPartyAuthView
+from core.converters import ResultConverter
+
 api = NinjaExtraAPI(
     title="PICON",
     description="Portail Interactif de Communication avec les Outils Numériques",
@@ -8,3 +12,14 @@ api = NinjaExtraAPI(
     csrf=True,
 )
 api.auto_discover_controllers()
+
+register_converter(ResultConverter, "res")
+
+urlpatterns = [
+    path("auth/", ThirdPartyAuthView.as_view(), name="third-party-auth"),
+    path(
+        "auth/<res:result>/",
+        ThirdPartyAuthResultView.as_view(),
+        name="third-party-auth-result",
+    ),
+]

api/views.py

@@ -0,0 +1,129 @@
+import hmac
+from urllib.parse import unquote
+
+import pydantic
+import requests
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView, TemplateView
+from ninja import Schema
+from ninja_extra.shortcuts import get_object_or_none
+from pydantic import HttpUrl
+
+from api.forms import ThirdPartyAuthForm
+from api.models import ApiClient
+from core.models import SithFile
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+class ThirdPartyAuthParamsSchema(Schema):
+    client_id: int
+    third_party_app: str
+    cgu_link: HttpUrl
+    username: str
+    callback_url: HttpUrl
+    signature: str
+
+
+class ThirdPartyAuthView(LoginRequiredMixin, FormView):
+    form_class = ThirdPartyAuthForm
+    template_name = "api/third_party/auth.jinja"
+    success_url = reverse_lazy("core:index")
+
+    def parse_params(self) -> ThirdPartyAuthParamsSchema:
+        """Parse and check the authentication parameters.
+
+        Raises:
+            PermissionDenied: if the verification failed.
+        """
+        # This is here rather than in ThirdPartyAuthForm because
+        # the given parameters and their signature are checked during both
+        # POST (for obvious reasons) and GET (in order not to make
+        # the user fill a form just to get an error he won't understand)
+        params = self.request.GET or self.request.POST
+        params = {key: unquote(val) for key, val in params.items()}
+        try:
+            params = ThirdPartyAuthParamsSchema(**params)
+        except pydantic.ValidationError as e:
+            raise PermissionDenied("Wrong data format") from e
+        client: ApiClient = get_object_or_none(ApiClient, id=params.client_id)
+        if not client:
+            raise PermissionDenied
+        if not hmac.compare_digest(
+            hmac_hexdigest(client.hmac_key, params.model_dump(exclude={"signature"})),
+            params.signature,
+        ):
+            raise PermissionDenied("Bad signature")
+        return params
+
+    def dispatch(self, request, *args, **kwargs):
+        self.params = self.parse_params()
+        return super().dispatch(request, *args, **kwargs)
+
+    def get(self, *args, **kwargs):
+        messages.warning(
+            self.request,
+            _(
+                "You are going to link your AE account and your %(app)s account. "
+                "Continue only if this page was opened from %(app)s."
+            )
+            % {"app": self.params.third_party_app},
+        )
+        return super().get(*args, **kwargs)
+
+    def get_initial(self):
+        return self.params.model_dump()
+
+    def form_valid(self, form):
+        client = ApiClient.objects.get(id=form.cleaned_data["client_id"])
+        user = UserProfileSchema.from_orm(self.request.user).model_dump()
+        data = {"user": user, "signature": hmac_hexdigest(client.hmac_key, user)}
+        response = requests.post(form.cleaned_data["callback_url"], data=data)
+        self.success_url = reverse(
+            "api-link:third-party-auth-result",
+            kwargs={"result": "success" if response.ok else "failure"},
+        )
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "third_party_app": self.params.third_party_app,
+            "third_party_cgu": self.params.cgu_link,
+            "sith_cgu": SithFile.objects.get(id=settings.SITH_CGU_FILE_ID),
+        }
+
+
+class ThirdPartyAuthResultView(LoginRequiredMixin, TemplateView):
+    """View that the user will see if its authentication on sith was successful.
+
+    This can show either a success or a failure message :
+    - success : everything is good, the user is successfully authenticated
+      and can close the page
+    - failure : the authentication has been processed on the sith side,
+      but the request to the callback url received an error.
+      In such a case, there is nothing much we can do but to advice
+      the user to contact the developers of the third-party app.
+    """
+
+    template_name = "core/base.jinja"
+    success_message = _(
+        "You have been successfully authenticated. You can now close this page."
+    )
+    error_message = _(
+        "Your authentication on the AE website was successful, "
+        "but an error happened during the interaction "
+        "with the third-party application. "
+        "Please contact the managers of the latter."
+    )
+
+    def get(self, request, *args, **kwargs):
+        if self.kwargs.get("result") == "success":
+            messages.success(request, self.success_message)
+        else:
+            messages.error(request, self.error_message)
+        return super().get(request, *args, **kwargs)

club/forms.py

@@ -252,7 +252,7 @@ class ClubAddMemberForm(ClubMemberForm):
         Board members can attribute roles lower than their own.
         Other users cannot attribute roles with this form
         """
-        if self.request_user.has_perm("club.add_subscription"):
+        if self.request_user.has_perm("club.add_membership"):
             return settings.SITH_CLUB_ROLES_ID["President"]
         membership = self.request_user_membership
         if membership is None or membership.role <= settings.SITH_MAXIMUM_FREE_ROLE:

club/views.py

@@ -31,11 +31,7 @@ from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import NON_FIELD_ERRORS, PermissionDenied, ValidationError
 from django.core.paginator import InvalidPage, Paginator
 from django.db.models import Q, Sum
-from django.http import (
-    Http404,
-    HttpResponseRedirect,
-    StreamingHttpResponse,
-)
+from django.http import Http404, HttpResponseRedirect, StreamingHttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone
@@ -55,12 +51,7 @@ from club.forms import (
     MailingForm,
     SellingsForm,
 )
-from club.models import (
-    Club,
-    Mailing,
-    MailingSubscription,
-    Membership,
-)
+from club.models import Club, Mailing, MailingSubscription, Membership
 from com.models import Poster
 from com.views import (
     PosterCreateBaseView,
@@ -68,9 +59,7 @@ from com.views import (
     PosterEditBaseView,
     PosterListBaseView,
 )
-from core.auth.mixins import (
-    CanEditMixin,
-)
+from core.auth.mixins import CanEditMixin
 from core.models import PageRev
 from core.views import DetailFormView, PageEditViewBase, UseFragmentsMixin
 from core.views.mixins import FragmentMixin, FragmentRenderer, TabedViewMixin

com/static/com/css/news-list.scss

@@ -83,7 +83,8 @@
     #links_content {
       overflow: auto;
       box-shadow: $shadow-color 1px 1px 1px;
-      height: 20em;
+      min-height: 20em;
+      padding-bottom: 1em;
 
       h4 {
         margin-left: 5px;

com/templates/com/macros.jinja

@@ -76,18 +76,20 @@
               It will stay hidden for other users until it has been published.
             {% endtrans %}
           </p>
-          {% if user.has_perm("com.moderate_news") %}
+          {%- if user.has_perm("com.moderate_news") -%}
             {# This is an additional query for each non-moderated news,
             but it will be executed only for admin users, and only one time
-            (if they do their job and moderated news as soon as they see them),
+            (if they do their job and moderate news as soon as they see them),
             so it's still reasonable #}
             <div
-              {% if news is integer or news is string %}
+              {% if news is integer or news is string -%}
                 x-data="{ nbEvents: 0 }"
                 x-init="nbEvents = await nbToPublish()"
-              {% else %}
+              {%- elif news.is_published -%}
+                x-data="{ nbEvents: 0 }"
+              {%- else -%}
                 x-data="{ nbEvents: {{ news.dates.count() }} }"
-              {% endif %}
+              {%- endif -%}
             >
               <template x-if="nbEvents > 1">
                 <div>

com/templates/com/news_list.jinja

@@ -205,6 +205,10 @@
               <i class="fa-solid fa-graduation-cap fa-xl"></i>
               <a href="{{ url("pedagogy:guide") }}">{% trans %}UV Guide{% endtrans %}</a>
             </li>
+            <li>
+              <i class="fa-solid fa-calendar-days fa-xl"></i>
+              <a href="{{ url("timetable:generator") }}">{% trans %}Timetable{% endtrans %}</a>
+            </li>
             <li>
               <i class="fa-solid fa-magnifying-glass fa-xl"></i>
               <a href="{{ url("matmat:search_clear") }}">{% trans %}Matmatronch{% endtrans %}</a>

core/converters.py

@@ -1,19 +1,16 @@
-class FourDigitYearConverter:
-    regex = "[0-9]{4}"
+from django.urls.converters import IntConverter, StringConverter
 
-    def to_python(self, value):
-        return int(value)
+
+class FourDigitYearConverter(IntConverter):
+    regex = "[0-9]{4}"
 
     def to_url(self, value):
         return str(value).zfill(4)
 
 
-class TwoDigitMonthConverter:
+class TwoDigitMonthConverter(IntConverter):
     regex = "[0-9]{2}"
 
-    def to_python(self, value):
-        return int(value)
-
     def to_url(self, value):
         return str(value).zfill(2)
 
@@ -28,3 +25,9 @@ class BooleanStringConverter:
 
     def to_url(self, value):
         return str(value)
+
+
+class ResultConverter(StringConverter):
+    """Converter whose regex match either "success" or "failure"."""
+
+    regex = "(success|failure)"

core/management/commands/populate.py

@@ -28,6 +28,7 @@ from typing import ClassVar, NamedTuple
 from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.contrib.sites.models import Site
+from django.core.files.base import ContentFile
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
 from django.db import connection
@@ -104,13 +105,21 @@ class Command(BaseCommand):
         )
         self.profiles_root = SithFile.objects.create(name="profiles", owner=root)
         home_root = SithFile.objects.create(name="users", owner=root)
+        club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root)
+        SithFile.objects.create(
+            name="CGU",
+            is_folder=False,
+            file=ContentFile(
+                content="Conditions générales d'utilisation", name="cgu.txt"
+            ),
+            owner=root,
+        )
 
         # Page needed for club creation
         p = Page(name=settings.SITH_CLUB_ROOT_PAGE)
         p.save(force_lock=True)
 
-        club_root = SithFile.objects.create(name="clubs", owner=root)
-        sas = SithFile.objects.create(name="SAS", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )

core/management/commands/populate_more.py

@@ -1,3 +1,4 @@
+import math
 import random
 from datetime import date, timedelta
 from datetime import timezone as tz
@@ -34,12 +35,17 @@ class Command(BaseCommand):
         super().__init__(*args, **kwargs)
         self.faker = Faker("fr_FR")
 
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-n", "--nb-users", help="Number of users to create", type=int, default=600
+        )
+
     def handle(self, *args, **options):
         if not settings.DEBUG:
             raise Exception("Never call this command in prod. Never.")
 
         self.stdout.write("Creating users...")
-        users = self.create_users()
+        users = self.create_users(options["nb_users"])
         subscribers = random.sample(users, k=int(0.8 * len(users)))
         self.stdout.write("Creating subscriptions...")
         self.create_subscriptions(subscribers)
@@ -78,7 +84,7 @@ class Command(BaseCommand):
         self.stdout.write("Creating products...")
         self.create_products()
         self.stdout.write("Creating sales and refills...")
-        sellers = random.sample(list(User.objects.all()), 100)
+        sellers = random.sample(users, len(users) // 10)
         self.create_sales(sellers)
         self.stdout.write("Creating permanences...")
         self.create_permanences(sellers)
@@ -87,7 +93,7 @@ class Command(BaseCommand):
 
         self.stdout.write("Done")
 
-    def create_users(self) -> list[User]:
+    def create_users(self, nb_users: int = 600) -> list[User]:
         password = make_password("plop")
         users = [
             User(
@@ -104,7 +110,7 @@ class Command(BaseCommand):
                 address=self.faker.address(),
                 password=password,
             )
-            for _ in range(600)
+            for _ in range(nb_users)
         ]
         # there may a duplicate or two
         # Not a problem, we will just have 599 users instead of 600
@@ -389,8 +395,9 @@ class Command(BaseCommand):
         Permanency.objects.bulk_create(perms)
 
     def create_forums(self):
-        forumers = random.sample(list(User.objects.all()), 100)
-        most_actives = random.sample(forumers, 10)
+        users = list(User.objects.all())
+        forumers = random.sample(users, math.ceil(len(users) / 10))
+        most_actives = random.sample(forumers, math.ceil(len(forumers) / 6))
         categories = list(Forum.objects.filter(is_category=True))
         new_forums = [
             Forum(name=self.faker.text(20), parent=random.choice(categories))

core/models.py

@@ -651,9 +651,6 @@ class User(AbstractUser):
 
 
 class AnonymousUser(AuthAnonymousUser):
-    def __init__(self):
-        super().__init__()
-
     @property
     def was_subscribed(self):
         return False
@@ -662,10 +659,6 @@ class AnonymousUser(AuthAnonymousUser):
     def is_subscribed(self):
         return False
 
-    @property
-    def subscribed(self):
-        return False
-
     @property
     def is_root(self):
         return False

core/static/bundled/alpine-index.js

@@ -1,9 +1,9 @@
-import { alpinePlugin } from "#core:utils/notifications";
+import { alpinePlugin as notificationPlugin } from "#core:utils/notifications";
 import sort from "@alpinejs/sort";
 import Alpine from "alpinejs";
 
 Alpine.plugin(sort);
-Alpine.magic("notifications", alpinePlugin);
+Alpine.magic("notifications", notificationPlugin);
 window.Alpine = Alpine;
 
 window.addEventListener("DOMContentLoaded", () => {

core/static/core/forms.scss

@@ -141,7 +141,6 @@ form {
   display: block;
   margin: calc(var(--nf-input-size) * 1.5) auto 10px;
   line-height: 1;
-  white-space: nowrap;
 
   .helptext {
     margin-top: .25rem;
@@ -154,10 +153,8 @@ form {
     margin-bottom: 1rem;
   }
 
-  .row {
-    label {
-      margin: unset;
-    }
+  .row > label {
+    margin: unset;
   }
 
   // ------------- LABEL

core/static/core/style.scss

@@ -503,6 +503,10 @@ th {
   text-align: center;
   padding: 5px 10px;
 
+  >input[type="checkbox"] {
+    padding: unset;
+  }
+
   >ul {
     margin-top: 0;
   }

core/templates/core/base/header.jinja

@@ -77,22 +77,22 @@
         <div class="notification" x-data="{display: false}" :class="{white: display}">
           <a href="#" @click.prevent="display = !display">
             <i :class="`fa-${display ? 'solid': 'regular'} fa-bell`" x-transition></i>
-            {% set notification_count = user.notifications.filter(viewed=False).count() %}
+            {% set notifications = user.notifications.filter(viewed=False).order_by("-date")|list %}
 
-            {% if notification_count > 0 %}
+            {%- if notifications|length > 0 -%}
               <span>
-                {% if notification_count < 100 %}
-                  {{ notification_count }}
-                {% else %}
-                  &nbsp;
-                {% endif %}
+                {% if notifications|length < 100 %}
+                  {{ notifications|length }}
+                {%- else -%}
+                  99+
+                {%- endif -%}
               </span>
             {% endif %}
           </a>
           <div id="header_notif" x-show="display" x-cloak x-transition @click.outside="display = false">
             <ul>
-              {% if user.notifications.filter(viewed=False).count() > 0 %}
-                {% for n in user.notifications.filter(viewed=False).order_by('-date') %}
+              {%- if notifications|length > 0 -%}
+                {%- for n in notifications -%}
                   <li>
                     <a href="{{ url("core:notification", notif_id=n.id) }}">
                       <div class="datetime">
@@ -108,10 +108,10 @@
                       </div>
                     </a>
                   </li>
-                {% endfor %}
-              {% else %}
+                {%- endfor -%}
+              {%- else -%}
                 <li class="empty-notification">{% trans %}You do not have any unread notification{% endtrans %}</li>
-              {% endif %}
+              {%- endif -%}
             </ul>
             <div class="options">
               <a href="{{ url('core:notification_list') }}">

core/templates/core/base/notifications.jinja

@@ -1,22 +1,19 @@
 <div id="quick-notifications"
      x-data="{
              messages: [
-             {% if messages %}
-               {% for message in messages %}
-                 {
-                 tag: '{{ message.tags }}',
-                 text: '{{ message }}',
-                 },
-               {% endfor %}
-             {% endif %}
+             {%- if messages -%}
+               {%- for message in messages -%}
+                 { tag: '{{ message.tags }}', text: '{{ message }}' },
+               {%- endfor -%}
+             {%- endif -%}
              ]
              }"
      @quick-notification-add="(e) => messages.push(e?.detail)"
      @quick-notification-delete="messages = []">
-  <template x-for="message in messages">
-    <div x-data="{show: true}" class="alert" :class="`alert-${message.tag}`" x-show="show" x-transition>
+  <template x-for="(message, index) in messages">
+    <div class="alert" :class="`alert-${message.tag}`" x-transition>
       <span class="alert-main" x-text="message.text"></span>
-      <span class="clickable" @click="show = false">
+      <span class="clickable" @click="messages = messages.filter((item, i) => i !== index)">
         <i class="fa fa-close"></i>
       </span>
     </div>

core/templates/core/macros.jinja

@@ -245,3 +245,26 @@
   <button type="button" onclick="checkbox_{{form_id}}(true);">{% trans %}Select All{% endtrans %}</button>
   <button type="button" onclick="checkbox_{{form_id}}(false);">{% trans %}Unselect All{% endtrans %}</button>
 {% endmacro %}
+
+{% macro update_notifications(messages, clear) %}
+  {# Update notification area from new messages sent by django backend
+     This is useful when performing fragment swaps to keep messages up to date
+     Without this, the fragment would need to take control of the notification area and
+     this would be an issue when having more than one fragment
+
+     Parameters:
+      messages: messages from django.contrib
+      clear   : optional boolean that controls if notifications should be cleared first. True is the default
+  #}
+  {% set clear = clear|default(true) %}
+  {% if messages %}
+    <div x-init="() => {
+                 {% if clear %}
+                   $notifications.clear()
+                 {% endif %}
+                 {% for message in messages %}
+                   $notifications.{{ message.tags }}('{{ message }}')
+                 {% endfor %}
+                 }"></div>
+  {% endif %}
+{% endmacro %}

core/templates/core/widgets/autocomplete_select.jinja

@@ -1,23 +1,25 @@
-{% for js in statics.js %}
-  <script-once type="module" src="{{ js }}"></script-once>
-{% endfor %}
-{% for css in statics.css %}
-  <link-once rel="stylesheet" type="text/css" href="{{ css }}" defer></link-once>
-{% endfor %}
-
-<{{ component }} name="{{ widget.name }}" {% include "django/forms/widgets/attrs.html" %}>
-{% for group_name, group_choices, group_index in widget.optgroups %}
-  {% if group_name %}
-    <optgroup label="{{ group_name }}">
-  {% endif %}
-  {% for widget in group_choices %}
-    {% include widget.template_name %}
+{% spaceless %}
+  {% for js in statics.js %}
+    <script-once type="module" src="{{ js }}"></script-once>
   {% endfor %}
-  {% if group_name %}
-    </optgroup>
+  {% for css in statics.css %}
+    <link-once rel="stylesheet" type="text/css" href="{{ css }}" defer></link-once>
+  {% endfor %}
+
+  <{{ component }} name="{{ widget.name }}" {% include "django/forms/widgets/attrs.html" %}>
+  {% for group_name, group_choices, group_index in widget.optgroups %}
+    {% if group_name %}
+      <optgroup label="{{ group_name }}">
+    {% endif %}
+    {% for widget in group_choices %}
+      {% include widget.template_name %}
+    {% endfor %}
+    {% if group_name %}
+      </optgroup>
+    {% endif %}
+  {% endfor %}
+  {% if initial %}
+    <slot style="display:none" name="initial">{{ initial }}</slot>
   {% endif %}
-{% endfor %}
-{% if initial %}
-  <slot style="display:none" name="initial">{{ initial }}</slot>
-{% endif %}
-</{{ component }}>
+  </{{ component }}>
+{% endspaceless %}

core/tests/test_commands.py

@@ -0,0 +1,13 @@
+import contextlib
+import os
+
+import pytest
+from django.core.management import call_command
+
+
+@pytest.mark.django_db
+def test_populate_more(settings):
+    """Just check that populate more doesn't crash"""
+    settings.DEBUG = True
+    with open(os.devnull, "w") as devnull, contextlib.redirect_stdout(devnull):
+        call_command("populate_more", "--nb-users", "50")

core/utils.py

@@ -12,22 +12,32 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from __future__ import annotations
 
+import hmac
 from datetime import date, timedelta
 
 # Image utils
 from io import BytesIO
-from typing import Final
+from typing import TYPE_CHECKING
+from urllib.parse import urlencode
 
 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
-from django.core.files.uploadedfile import UploadedFile
-from django.http import HttpRequest
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
 
+if TYPE_CHECKING:
+    from _hashlib import HASH
+    from collections.abc import Buffer, Mapping, Sequence
+    from typing import Any, Callable, Final
+
+    from django.core.files.uploadedfile import UploadedFile
+    from django.http import HttpRequest
+
+
 RED_PIXEL_PNG: Final[bytes] = (
     b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52"
     b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53"
@@ -186,7 +196,7 @@ def exif_auto_rotate(image):
 
 def get_client_ip(request: HttpRequest) -> str | None:
     headers = (
-        "X_FORWARDED_FOR",  # Common header for proixes
+        "X_FORWARDED_FOR",  # Common header for proxies
         "FORWARDED",  # Standard header defined by RFC 7239.
         "REMOTE_ADDR",  # Default IP Address (direct connection)
     )
@@ -195,3 +205,30 @@ def get_client_ip(request: HttpRequest) -> str | None:
             return ip
 
     return None
+
+
+def hmac_hexdigest(
+    key: str | bytes,
+    data: Mapping[str, Any] | Sequence[tuple[str, Any]],
+    digest: str | Callable[[Buffer], HASH] = "sha256",
+) -> str:
+    """Return the hexdigest of the signature of the given data.
+
+    Args:
+        key: the HMAC key used for the signature
+        data: the data to sign
+        digest: a PEP247 hashing algorithm
+
+    Examples:
+        ```python
+        data = {
+            "foo": 5,
+            "bar": "somevalue",
+        }
+        hmac_key = secrets.token_hex(64)
+        signature = hmac_hexdigest(hmac_key, data, "sha512")
+        ```
+    """
+    if isinstance(key, str):
+        key = key.encode()
+    return hmac.digest(key, urlencode(data).encode(), digest).hex()

core/views/forms.py

@@ -115,7 +115,7 @@ class SelectUser(TextInput):
 
 def validate_future_timestamp(value: date | datetime):
     if value <= now():
-        raise ValueError(_("Ensure this timestamp is set in the future"))
+        raise ValidationError(_("Ensure this timestamp is set in the future"))
 
 
 class FutureDateTimeField(forms.DateTimeField):

counter/admin.py

@@ -22,6 +22,7 @@ from counter.models import (
     Counter,
     Customer,
     Eticket,
+    InvoiceCall,
     Permanency,
     Product,
     ProductType,
@@ -160,3 +161,11 @@ class CashRegisterSummaryAdmin(SearchModelAdmin):
 class EticketAdmin(SearchModelAdmin):
     list_display = ("product", "event_date", "event_title")
     search_fields = ("product__name", "event_title")
+
+
+@admin.register(InvoiceCall)
+class InvoiceCallAdmin(SearchModelAdmin):
+    list_display = ("club", "month", "is_validated")
+    search_fields = ("club__name",)
+    list_filter = (("club", admin.RelatedOnlyFieldListFilter),)
+    date_hierarchy = "month"

counter/forms.py

@@ -1,13 +1,26 @@
+import json
 import math
+import uuid
+from datetime import date
 
+from dateutil.relativedelta import relativedelta
 from django import forms
-from django.db.models import Q
+from django.db.models import Exists, OuterRef, Q
+from django.forms import BaseModelFormSet
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
+from django_celery_beat.models import ClockedSchedule
 from phonenumber_field.widgets import RegionalPhoneNumberWidget
 
+from club.models import Club
 from club.widgets.ajax_select import AutoCompleteSelectClub
 from core.models import User
-from core.views.forms import NFCTextInput, SelectDate, SelectDateTime
+from core.views.forms import (
+    FutureDateTimeField,
+    NFCTextInput,
+    SelectDate,
+    SelectDateTime,
+)
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
     AutoCompleteSelectMultipleGroup,
@@ -19,10 +32,14 @@ from counter.models import (
     Counter,
     Customer,
     Eticket,
+    InvoiceCall,
     Product,
     Refilling,
     ReturnableProduct,
+    ScheduledProductAction,
+    Selling,
     StudentCard,
+    get_product_actions,
 )
 from counter.widgets.ajax_select import (
     AutoCompleteSelectMultipleCounter,
@@ -158,7 +175,101 @@ class CounterEditForm(forms.ModelForm):
         }
 
 
-class ProductEditForm(forms.ModelForm):
+class ScheduledProductActionForm(forms.ModelForm):
+    """Form for automatic product archiving.
+
+    The `save` method will update or create tasks using celery-beat.
+    """
+
+    required_css_class = "required"
+    prefix = "scheduled"
+
+    class Meta:
+        model = ScheduledProductAction
+        fields = ["task"]
+        widgets = {"task": forms.RadioSelect(choices=get_product_actions)}
+        labels = {"task": _("Action")}
+        help_texts = {"task": ""}
+
+    trigger_at = FutureDateTimeField(
+        label=_("Date and time of action"), widget=SelectDateTime
+    )
+    counters = forms.ModelMultipleChoiceField(
+        label=_("New counters"),
+        help_text=_("The selected counters will replace the current ones"),
+        required=False,
+        widget=AutoCompleteSelectMultipleCounter,
+        queryset=Counter.objects.all(),
+    )
+
+    def __init__(self, *args, product: Product, **kwargs):
+        self.product = product
+        super().__init__(*args, **kwargs)
+        if not self.instance._state.adding:
+            self.fields["trigger_at"].initial = self.instance.clocked.clocked_time
+            self.fields["counters"].initial = json.loads(self.instance.kwargs).get(
+                "counters"
+            )
+
+    def clean(self):
+        if not self.changed_data or "trigger_at" in self.errors:
+            return super().clean()
+        if "trigger_at" in self.changed_data:
+            if not self.instance.clocked_id:
+                self.instance.clocked = ClockedSchedule(
+                    clocked_time=self.cleaned_data["trigger_at"]
+                )
+            else:
+                self.instance.clocked.clocked_time = self.cleaned_data["trigger_at"]
+            self.instance.clocked.save()
+        task_kwargs = {"product_id": self.product.id}
+        if (
+            self.cleaned_data["task"] == "counter.tasks.change_counters"
+            and "counters" in self.changed_data
+        ):
+            task_kwargs["counters"] = [c.id for c in self.cleaned_data["counters"]]
+        self.instance.product = self.product
+        self.instance.kwargs = json.dumps(task_kwargs)
+        self.instance.name = (
+            f"{self.cleaned_data['task']} - {self.product} - {uuid.uuid4()}"
+        )
+        return super().clean()
+
+
+class BaseScheduledProductActionFormSet(BaseModelFormSet):
+    def __init__(self, *args, product: Product, **kwargs):
+        if product.id:
+            queryset = (
+                product.scheduled_actions.filter(
+                    enabled=True, clocked__clocked_time__gt=now()
+                )
+                .order_by("clocked__clocked_time")
+                .select_related("clocked")
+            )
+        else:
+            queryset = ScheduledProductAction.objects.none()
+        form_kwargs = {"product": product}
+        super().__init__(*args, queryset=queryset, form_kwargs=form_kwargs, **kwargs)
+
+    def delete_existing(self, obj: ScheduledProductAction, commit: bool = True):  # noqa FBT001
+        clocked = obj.clocked
+        super().delete_existing(obj, commit=commit)
+        if commit:
+            clocked.delete()
+
+
+ScheduledProductActionFormSet = forms.modelformset_factory(
+    ScheduledProductAction,
+    ScheduledProductActionForm,
+    formset=BaseScheduledProductActionFormSet,
+    absolute_max=None,
+    can_delete=True,
+    can_delete_extra=False,
+    extra=2,
+)
+
+
+class ProductForm(forms.ModelForm):
     error_css_class = "error"
     required_css_class = "required"
 
@@ -199,22 +310,21 @@ class ProductEditForm(forms.ModelForm):
         queryset=Counter.objects.all(),
     )
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(self, *args, instance=None, **kwargs):
+        super().__init__(*args, instance=instance, **kwargs)
         if self.instance.id:
             self.fields["counters"].initial = self.instance.counters.all()
+        self.action_formset = ScheduledProductActionFormSet(
+            *args, product=self.instance, **kwargs
+        )
+
+    def is_valid(self):
+        return super().is_valid() and self.action_formset.is_valid()
 
     def save(self, *args, **kwargs):
         ret = super().save(*args, **kwargs)
-        if self.fields["counters"].initial:
-            # Remove the product from all counter it was added to
-            # It will then only be added to selected counters
-            for counter in self.fields["counters"].initial:
-                counter.products.remove(self.instance)
-                counter.save()
-        for counter in self.cleaned_data["counters"]:
-            counter.products.add(self.instance)
-            counter.save()
+        self.instance.counters.set(self.cleaned_data["counters"])
+        self.action_formset.save()
         return ret
 
 
@@ -266,7 +376,7 @@ class CloseCustomerAccountForm(forms.Form):
     )
 
 
-class ProductForm(forms.Form):
+class BasketProductForm(forms.Form):
     quantity = forms.IntegerField(min_value=1, required=True)
     id = forms.IntegerField(min_value=0, required=True)
 
@@ -371,5 +481,50 @@ class BaseBasketForm(forms.BaseFormSet):
 
 
 BasketForm = forms.formset_factory(
-    ProductForm, formset=BaseBasketForm, absolute_max=None, min_num=1
+    BasketProductForm, formset=BaseBasketForm, absolute_max=None, min_num=1
 )
+
+
+class InvoiceCallForm(forms.Form):
+    def __init__(self, *args, month: date, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.month = month
+        self.clubs = list(
+            Club.objects.filter(
+                Exists(
+                    Selling.objects.filter(
+                        club=OuterRef("pk"),
+                        date__gte=month,
+                        date__lte=month + relativedelta(months=1),
+                    )
+                )
+            ).annotate(
+                validated_invoice=Exists(
+                    InvoiceCall.objects.filter(
+                        club=OuterRef("pk"), month=month, is_validated=True
+                    )
+                )
+            )
+        )
+        self.fields = {
+            str(club.id): forms.BooleanField(
+                required=False, initial=club.validated_invoice
+            )
+            for club in self.clubs
+        }
+
+    def save(self):
+        invoice_calls = [
+            InvoiceCall(
+                month=self.month,
+                club_id=club.id,
+                is_validated=self.cleaned_data.get(str(club.id), False),
+            )
+            for club in self.clubs
+        ]
+        InvoiceCall.objects.bulk_create(
+            invoice_calls,
+            update_conflicts=True,
+            update_fields=["is_validated"],
+            unique_fields=["month", "club"],
+        )

counter/migrations/0032_scheduledproductaction.py

@@ -0,0 +1,40 @@
+# Generated by Django 5.2.3 on 2025-09-14 11:29
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("counter", "0031_alter_counter_options"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ScheduledProductAction",
+            fields=[
+                (
+                    "periodictask_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="django_celery_beat.periodictask",
+                    ),
+                ),
+                (
+                    "product",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="scheduled_actions",
+                        to="counter.product",
+                    ),
+                ),
+            ],
+            options={"verbose_name": "Product scheduled action"},
+            bases=("django_celery_beat.periodictask",),
+        ),
+    ]

counter/migrations/0033_invoicecall.py

@@ -0,0 +1,51 @@
+# Generated by Django 5.2.3 on 2025-10-15 21:54
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import counter.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("club", "0014_alter_club_options_rename_unix_name_club_slug_name_and_more"),
+        ("counter", "0032_scheduledproductaction"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="InvoiceCall",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "is_validated",
+                    models.BooleanField(default=False, verbose_name="is validated"),
+                ),
+                ("month", counter.models.MonthField(verbose_name="invoice date")),
+                (
+                    "club",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="club.club"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Invoice call",
+                "verbose_name_plural": "Invoice calls",
+                "constraints": [
+                    models.UniqueConstraint(
+                        fields=("club", "month"),
+                        name="counter_invoicecall_unique_club_month",
+                    )
+                ],
+            },
+        ),
+    ]

counter/models.py

@@ -15,6 +15,7 @@
 from __future__ import annotations
 
 import base64
+import contextlib
 import os
 import random
 import string
@@ -34,6 +35,7 @@ from django.urls import reverse
 from django.utils import timezone
 from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
+from django_celery_beat.models import PeriodicTask
 from django_countries.fields import CountryField
 from ordered_model.models import OrderedModel
 from phonenumber_field.modelfields import PhoneNumberField
@@ -445,7 +447,8 @@ class Product(models.Model):
         buying_groups = list(self.buying_groups.all())
         if not buying_groups:
             return True
-        return any(user.is_in_group(pk=group.id) for group in buying_groups)
+        res = any(user.is_in_group(pk=group.id) for group in buying_groups)
+        return res
 
     @property
     def profit(self):
@@ -479,7 +482,7 @@ class CounterQuerySet(models.QuerySet):
         return self.annotate(has_annotated_barman=Exists(subquery))
 
     def annotate_is_open(self) -> Self:
-        """Annotate tue queryset with the `is_open` field.
+        """Annotate the queryset with the `is_open` field.
 
         For each counter, if `is_open=True`, then the counter is currently opened.
         Else the counter is closed.
@@ -1357,3 +1360,85 @@ class ReturnableProductBalance(models.Model):
             f"return balance of {self.customer} "
             f"for {self.returnable.product_id} : {self.balance}"
         )
+
+
+def get_product_actions():
+    return [
+        ("counter.tasks.archive_product", _("Archiving")),
+        ("counter.tasks.change_counters", _("Counters change")),
+    ]
+
+
+class ScheduledProductAction(PeriodicTask):
+    """Extension of celery-beat tasks dedicated to perform actions on Product."""
+
+    product = models.ForeignKey(
+        Product, related_name="scheduled_actions", on_delete=models.CASCADE
+    )
+
+    class Meta:
+        verbose_name = _("Product scheduled action")
+
+    def __init__(self, *args, **kwargs):
+        self._meta.get_field("task").choices = get_product_actions()
+        super().__init__(*args, **kwargs)
+
+    def full_clean(self, *args, **kwargs):
+        self.one_off = True  # A product action should occur one time only
+        return super().full_clean(*args, **kwargs)
+
+    def clean_clocked(self):
+        if not self.clocked:
+            raise ValidationError(_("Product actions must declare a clocked schedule."))
+
+    def validate_unique(self, *args, **kwargs):
+        # The checks done in PeriodicTask.validate_unique aren't
+        # adapted in the case of scheduled product action,
+        # so we skip it and execute directly Model.validate_unique
+        return super(PeriodicTask, self).validate_unique(*args, **kwargs)
+
+
+class MonthField(models.DateField):
+    description = _("Year + month field (day forced to 1)")
+    default_error_messages = {
+        "invalid": _(
+            "“%(value)s” value has an invalid date format. It must be "
+            "in YYYY-MM format."
+        ),
+        "invalid_date": _(
+            "“%(value)s” value has the correct format (YYYY-MM) "
+            "but it is an invalid date."
+        ),
+    }
+
+    def to_python(self, value):
+        if isinstance(value, str):
+            with contextlib.suppress(ValueError):
+                # If the string is given as YYYY-mm, try to parse it.
+                # If it fails, it means that the string may be in the form YYYY-mm-dd
+                # or in an invalid format.
+                # Whatever the case, we let Django deal with it
+                # and raise an error if needed
+                value = datetime.strptime(value, "%Y-%m")
+        value = super().to_python(value)
+        if value is None:
+            return None
+        return value.replace(day=1)
+
+
+class InvoiceCall(models.Model):
+    is_validated = models.BooleanField(verbose_name=_("is validated"), default=False)
+    club = models.ForeignKey(Club, on_delete=models.CASCADE)
+    month = MonthField(verbose_name=_("invoice date"))
+
+    class Meta:
+        verbose_name = _("Invoice call")
+        verbose_name_plural = _("Invoice calls")
+        constraints = [
+            models.UniqueConstraint(
+                fields=["club", "month"], name="counter_invoicecall_unique_club_month"
+            )
+        ]
+
+    def __str__(self):
+        return f"invoice call of {self.month} made by {self.club}"

counter/static/counter/css/counter-click.scss

@@ -39,6 +39,7 @@
   flex: auto;
   margin: 0.2em;
   width: 20%;
+  min-width: 350px;
 
   ul {
     list-style-type: none;

counter/tasks.py

@@ -0,0 +1,19 @@
+# Create your tasks here
+
+from celery import shared_task
+
+from counter.models import Counter, Product
+
+
+@shared_task
+def archive_product(*, product_id: int, **kwargs):
+    product = Product.objects.get(id=product_id)
+    product.archived = True
+    product.save()
+
+
+@shared_task
+def change_counters(*, product_id: int, counters: list[int], **kwargs):
+    product = Product.objects.get(id=product_id)
+    counters = Counter.objects.filter(id__in=counters)
+    product.counters.set(counters)

counter/templates/counter/counter_click.jinja

@@ -67,13 +67,13 @@
                 <option value="FIN">{% trans %}Confirm (FIN){% endtrans %}</option>
                 <option value="ANN">{% trans %}Cancel (ANN){% endtrans %}</option>
               </optgroup>
-              {% for category in categories.keys() %}
+              {%- for category in categories.keys() -%}
                 <optgroup label="{{ category }}">
-                  {% for product in categories[category] %}
+                  {%- for product in categories[category] -%}
                     <option value="{{ product.id }}">{{ product }}</option>
-                  {% endfor %}
+                  {%- endfor -%}
                 </optgroup>
-              {% endfor %}
+              {%- endfor -%}
             </counter-product-select>
 
             <input type="submit" value="{% trans %}Go{% endtrans %}"/>

counter/templates/counter/invoices_call.jinja

@@ -4,35 +4,49 @@
   {% trans %}Invoices call{% endtrans %}
 {% endblock %}
 
+{% block notifications %}{# Notifications are moved below #}{% endblock %}
+
 {% block content %}
   <h3>{% trans date=start_date|date("F Y") %}Invoices call for {{ date }}{% endtrans %}</h3>
-  <p>{% trans %}Choose another month: {% endtrans %}</p>
   <form method="get" action="">
-    <select name="month">
+    <label for="id_form_other_month">{% trans %}Choose another month: {% endtrans %}</label>
+    <select name="month" id="id_form_other_month">
       {% for m in months %}
         <option value="{{ m|date("Y-m") }}">{{ m|date("Y-m") }}</option>
       {% endfor %}
     </select>
     <input type="submit" value="{% trans %}Go{% endtrans %}" />
   </form>
+
   <br>
   <p>{% trans %}CB Payments{% endtrans %} : {{ sum_cb }} €</p>
   <br>
-  <table>
-    <thead>
-      <td>{% trans %}Club{% endtrans %}</td>
-      <td>{% trans %}Sum{% endtrans %}</td>
-    </thead>
-    <tbody>
-      {% for i in sums %}
+
+  {% include "core/base/notifications.jinja" %}
+
+  <form method="post" action="">
+    {% csrf_token %}
+    <table>
+      <thead>
         <tr>
-          <td>{{ i['club__name'] }}</td>
-          <td>{{ i['selling_sum'] }} €</td>
+          <td>{% trans %}Club{% endtrans %}</td>
+          <td>{% trans %}Sum{% endtrans %}</td>
+          <td>{% trans %}Validated{% endtrans %}</td>
         </tr>
-      {% endfor %}
-    </tbody>
-  </table>
-{% endblock %}
-
-
-
+      </thead>
+      <tbody>
+        {% for invoice in invoices %}
+          <tr>
+            <td>{{ invoice.club__name }}</td>
+            <td>{{ "%.2f"|format(invoice.selling_sum) }} €</td>
+            <td>
+              {{ form[invoice.club_id|string] }}
+            </td>
+          </tr>
+        {% endfor %}
+      </tbody>
+    </table>
+    <input type="hidden" name="month" value="{{ start_date|date('Y-m') }}">
+    <button type="submit">{% trans %}Save{% endtrans %}</button>
+  </form>
+{% endblock %}

counter/templates/counter/product_form.jinja

@@ -0,0 +1,56 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  {% if object %}
+    <h2>{% trans name=object %}Edit product {{ name }}{% endtrans %}</h2>
+  {% else %}
+    <h2>{% trans %}Product creation{% endtrans %}</h2>
+  {% endif %}
+  <form method="post">
+    {% csrf_token %}
+    {{ form.as_p() }}
+
+    <br />
+
+    <h3>{% trans %}Automatic actions{% endtrans %}</h3>
+
+    <p class="margin-bottom">
+      <em>
+        {%- trans trimmed -%}
+          Automatic actions allows to schedule product changes
+          ahead of time.
+        {%- endtrans -%}
+      </em>
+    </p>
+
+    {{ form.action_formset.management_form }}
+    {%- for action_form in form.action_formset.forms -%}
+      <fieldset x-data="{action: '{{ action_form.task.initial }}'}">
+        {{ action_form.non_field_errors() }}
+        <div class="row gap-2x margin-bottom">
+          <div>
+            {{ action_form.task.errors }}
+            {{ action_form.task.label_tag() }}
+            {{ action_form.task|add_attr("x-model=action") }}
+          </div>
+          <div>{{ action_form.trigger_at.as_field_group() }}</div>
+        </div>
+        <div x-show="action==='counter.tasks.change_counters'" class="margin-bottom">
+          {{ action_form.counters.as_field_group() }}
+        </div>
+        {%- if action_form.DELETE -%}
+          <div class="row gap">
+            {{ action_form.DELETE.as_field_group() }}
+          </div>
+        {%- endif -%}
+        {%- for field in action_form.hidden_fields() -%}
+          {{ field }}
+        {%- endfor -%}
+      </fieldset>
+      {%- if not loop.last -%}
+        <hr class="margin-bottom">
+      {%- endif -%}
+    {%- endfor -%}
+    <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
+  </form>
+{% endblock %}

counter/tests/test_auto_actions.py

@@ -0,0 +1,116 @@
+import json
+from datetime import timedelta
+
+import pytest
+from django.conf import settings
+from django.test import Client
+from django.urls import reverse
+from django.utils.timezone import now
+from django_celery_beat.models import ClockedSchedule
+from model_bakery import baker
+
+from core.models import Group, User
+from counter.baker_recipes import counter_recipe, product_recipe
+from counter.forms import ScheduledProductActionForm, ScheduledProductActionFormSet
+from counter.models import ScheduledProductAction
+
+
+@pytest.mark.django_db
+def test_edit_product(client: Client):
+    client.force_login(
+        baker.make(
+            User, groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)]
+        )
+    )
+    product = product_recipe.make()
+    url = reverse("counter:product_edit", kwargs={"product_id": product.id})
+    res = client.get(url)
+    assert res.status_code == 200
+
+    res = client.post(url, data={})
+    # This is actually a failure, but we just want to check that
+    # we don't have a 403 or a 500.
+    # The actual behaviour will be tested directly on the form.
+    assert res.status_code == 200
+
+
+@pytest.mark.django_db
+class TestProductActionForm:
+    def test_single_form_archive(self):
+        product = product_recipe.make()
+        trigger_at = now() + timedelta(minutes=10)
+        form = ScheduledProductActionForm(
+            product=product,
+            data={
+                "scheduled-task": "counter.tasks.archive_product",
+                "scheduled-trigger_at": trigger_at,
+            },
+        )
+        assert form.is_valid()
+        instance = form.save()
+        assert instance.clocked.clocked_time == trigger_at
+        assert instance.enabled is True
+        assert instance.one_off is True
+        assert instance.task == "counter.tasks.archive_product"
+        assert instance.kwargs == json.dumps({"product_id": product.id})
+
+    def test_single_form_change_counters(self):
+        product = product_recipe.make()
+        counter = counter_recipe.make()
+        trigger_at = now() + timedelta(minutes=10)
+        form = ScheduledProductActionForm(
+            product=product,
+            data={
+                "scheduled-task": "counter.tasks.change_counters",
+                "scheduled-trigger_at": trigger_at,
+                "scheduled-counters": [counter.id],
+            },
+        )
+        assert form.is_valid()
+        instance = form.save()
+        instance.refresh_from_db()
+        assert instance.clocked.clocked_time == trigger_at
+        assert instance.enabled is True
+        assert instance.one_off is True
+        assert instance.task == "counter.tasks.change_counters"
+        assert instance.kwargs == json.dumps(
+            {"product_id": product.id, "counters": [counter.id]}
+        )
+
+    def test_delete(self):
+        product = product_recipe.make()
+        clocked = baker.make(ClockedSchedule, clocked_time=now() + timedelta(minutes=2))
+        task = baker.make(
+            ScheduledProductAction,
+            product=product,
+            one_off=True,
+            clocked=clocked,
+            task="counter.tasks.archive_product",
+        )
+        formset = ScheduledProductActionFormSet(product=product)
+        formset.delete_existing(task)
+        assert not ScheduledProductAction.objects.filter(id=task.id).exists()
+        assert not ClockedSchedule.objects.filter(id=clocked.id).exists()
+
+
+@pytest.mark.django_db
+class TestProductActionFormSet:
+    def test_ok(self):
+        product = product_recipe.make()
+        counter = counter_recipe.make()
+        trigger_at = now() + timedelta(minutes=10)
+        formset = ScheduledProductActionFormSet(
+            product=product,
+            data={
+                "form-TOTAL_FORMS": "2",
+                "form-INITIAL_FORMS": "0",
+                "form-0-task": "counter.tasks.archive_product",
+                "form-0-trigger_at": trigger_at,
+                "form-1-task": "counter.tasks.change_counters",
+                "form-1-trigger_at": trigger_at,
+                "form-1-counters": [counter.id],
+            },
+        )
+        assert formset.is_valid()
+        formset.save()
+        assert ScheduledProductAction.objects.filter(product=product).count() == 2

counter/tests/test_invoices.py

@@ -0,0 +1,76 @@
+from datetime import date, datetime
+
+import pytest
+from dateutil.relativedelta import relativedelta
+from django.contrib.auth.models import Permission
+from django.core.exceptions import ValidationError
+from django.test import Client
+from django.urls import reverse
+from django.utils.timezone import localdate
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from club.models import Club
+from core.models import User
+from counter.baker_recipes import sale_recipe
+from counter.forms import InvoiceCallForm
+from counter.models import Customer, InvoiceCall, Selling
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "month", [date(2025, 10, 20), "2025-10", datetime(2025, 10, 15, 12, 30)]
+)
+def test_invoice_date_with_date(month: date | datetime | str):
+    club = baker.make(Club)
+    invoice = InvoiceCall.objects.create(club=club, month=month)
+    invoice.refresh_from_db()
+    assert not invoice.is_validated
+    assert invoice.month == date(2025, 10, 1)
+
+
+@pytest.mark.django_db
+def test_invoice_call_invalid_month_string():
+    club = baker.make(Club)
+
+    with pytest.raises(ValidationError):
+        InvoiceCall.objects.create(club=club, month="2025-13")
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("query", [None, {"month": "2025-08"}])
+def test_invoice_call_view(client: Client, query: dict | None):
+    user = baker.make(
+        User,
+        user_permissions=[
+            *Permission.objects.filter(
+                codename__in=["view_invoicecall", "change_invoicecall"]
+            )
+        ],
+    )
+    client.force_login(user)
+    url = reverse("counter:invoices_call", query=query)
+    assert client.get(url).status_code == 200
+    assertRedirects(client.post(url), url)
+
+
+@pytest.mark.django_db
+def test_invoice_call_form():
+    Selling.objects.all().delete()
+    month = localdate() - relativedelta(months=1)
+    clubs = baker.make(Club, _quantity=2)
+    recipe = sale_recipe.extend(date=month, customer=baker.make(Customer, amount=10000))
+    recipe.make(club=clubs[0], quantity=2, unit_price=200)
+    recipe.make(club=clubs[0], quantity=3, unit_price=5)
+    recipe.make(club=clubs[1], quantity=20, unit_price=10)
+    form = InvoiceCallForm(
+        month=month, data={str(clubs[0].id): True, str(clubs[1].id): False}
+    )
+    assert form.is_valid()
+    form.save()
+    assert InvoiceCall.objects.filter(
+        club=clubs[0], month=month, is_validated=True
+    ).exists()
+    assert InvoiceCall.objects.filter(
+        club=clubs[1], month=month, is_validated=False
+    ).exists()

counter/tests/test_product.py

@@ -6,14 +6,16 @@ import pytest
 from django.conf import settings
 from django.core.cache import cache
 from django.core.files.uploadedfile import SimpleUploadedFile
-from django.test import Client
+from django.test import Client, TestCase
 from django.urls import reverse
 from model_bakery import baker
 from PIL import Image
-from pytest_django.asserts import assertNumQueries
+from pytest_django.asserts import assertNumQueries, assertRedirects
 
+from club.models import Club
 from core.baker_recipes import board_user, subscriber_user
 from core.models import Group, User
+from counter.forms import ProductForm
 from counter.models import Product, ProductType
 
 
@@ -84,3 +86,49 @@ def test_fetch_product_nb_queries(client: Client):
         # - 1 for the actual request
         # - 1 to prefetch the related buying_groups
         client.get(reverse("api:search_products_detailed"))
+
+
+class TestCreateProduct(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.product_type = baker.make(ProductType)
+        cls.club = baker.make(Club)
+        cls.data = {
+            "name": "foo",
+            "description": "bar",
+            "product_type": cls.product_type.id,
+            "club": cls.club.id,
+            "code": "FOO",
+            "purchase_price": 1.0,
+            "selling_price": 1.0,
+            "special_selling_price": 1.0,
+            "limit_age": 0,
+            "form-TOTAL_FORMS": 0,
+            "form-INITIAL_FORMS": 0,
+        }
+
+    def test_form(self):
+        form = ProductForm(data=self.data)
+        assert form.is_valid()
+        instance = form.save()
+        assert instance.club == self.club
+        assert instance.product_type == self.product_type
+        assert instance.name == "foo"
+        assert instance.selling_price == 1.0
+
+    def test_view(self):
+        self.client.force_login(
+            baker.make(
+                User,
+                groups=[Group.objects.get(id=settings.SITH_GROUP_COUNTER_ADMIN_ID)],
+            )
+        )
+        url = reverse("counter:new_product")
+        response = self.client.get(url)
+        assert response.status_code == 200
+        response = self.client.post(url, data=self.data)
+        assertRedirects(response, reverse("counter:product_list"))
+        product = Product.objects.last()
+        assert product.name == "foo"
+        assert product.club == self.club
+        assert product.product_type == self.product_type

counter/views/admin.py

@@ -32,7 +32,7 @@ from core.utils import get_semester_code, get_start_of_semester
 from counter.forms import (
     CloseCustomerAccountForm,
     CounterEditForm,
-    ProductEditForm,
+    ProductForm,
     ReturnableProductForm,
 )
 from counter.models import (
@@ -146,8 +146,8 @@ class ProductCreateView(CounterAdminTabsMixin, CounterAdminMixin, CreateView):
     """A create view for the admins."""
 
     model = Product
-    form_class = ProductEditForm
-    template_name = "core/create.jinja"
+    form_class = ProductForm
+    template_name = "counter/product_form.jinja"
     current_tab = "products"
 
 
@@ -155,9 +155,9 @@ class ProductEditView(CounterAdminTabsMixin, CounterAdminMixin, UpdateView):
     """An edit view for the admins."""
 
     model = Product
-    form_class = ProductEditForm
+    form_class = ProductForm
     pk_url_kwarg = "product_id"
-    template_name = "core/edit.jinja"
+    template_name = "counter/product_form.jinja"
     current_tab = "products"
 
 

counter/views/invoice.py

@@ -12,77 +12,81 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
-from datetime import datetime, timedelta
-from datetime import timezone as tz
+from datetime import datetime
+from urllib.parse import urlencode
 
-from django.db.models import F
-from django.utils import timezone
-from django.views.generic import TemplateView
+from dateutil.relativedelta import relativedelta
+from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models import F, Sum
+from django.utils.timezone import localdate, make_aware
+from django.utils.translation import gettext_lazy as _
+from django.views.generic import FormView
 
-from counter.fields import CurrencyField
+from counter.forms import InvoiceCallForm
 from counter.models import Refilling, Selling
-from counter.views.mixins import CounterAdminMixin, CounterAdminTabsMixin
+from counter.views.mixins import CounterAdminTabsMixin
 
 
-class InvoiceCallView(CounterAdminTabsMixin, CounterAdminMixin, TemplateView):
+class InvoiceCallView(
+    CounterAdminTabsMixin, PermissionRequiredMixin, SuccessMessageMixin, FormView
+):
     template_name = "counter/invoices_call.jinja"
     current_tab = "invoices_call"
+    permission_required = ["counter.view_invoicecall", "counter.change_invoicecall"]
+    form_class = InvoiceCallForm
+    success_message = _("Invoice calls status has been updated.")
+
+    def get_month(self):
+        kwargs = self.request.GET or self.request.POST
+        if "month" in kwargs:
+            return make_aware(datetime.strptime(kwargs["month"], "%Y-%m"))
+        return localdate().replace(day=1) - relativedelta(months=1)
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {"month": self.get_month()}
+
+    def form_valid(self, form):
+        form.save()
+        return super().form_valid(form)
+
+    def get_success_url(self):
+        # redirect to the month from which the request is originated
+        url = self.request.path
+        kwargs = self.request.GET or self.request.POST
+        if "month" in kwargs:
+            query = urlencode({"month": kwargs["month"]})
+            url += f"?{query}"
+        return url
 
     def get_context_data(self, **kwargs):
         """Add sums to the context."""
         kwargs = super().get_context_data(**kwargs)
         kwargs["months"] = Selling.objects.datetimes("date", "month", order="DESC")
-        if "month" in self.request.GET:
-            start_date = datetime.strptime(self.request.GET["month"], "%Y-%m")
-        else:
-            start_date = datetime(
-                year=timezone.now().year,
-                month=(timezone.now().month + 10) % 12 + 1,
-                day=1,
-            )
-        start_date = start_date.replace(tzinfo=tz.utc)
-        end_date = (start_date + timedelta(days=32)).replace(
-            day=1, hour=0, minute=0, microsecond=0
-        )
-        from django.db.models import Case, Sum, When
+        start_date = self.get_month()
+        end_date = start_date + relativedelta(months=1)
 
-        kwargs["sum_cb"] = sum(
-            [
-                r.amount
-                for r in Refilling.objects.filter(
-                    payment_method="CARD",
-                    is_validated=True,
-                    date__gte=start_date,
-                    date__lte=end_date,
-                )
-            ]
-        )
-        kwargs["sum_cb"] += sum(
-            [
-                s.quantity * s.unit_price
-                for s in Selling.objects.filter(
-                    payment_method="CARD",
-                    is_validated=True,
-                    date__gte=start_date,
-                    date__lte=end_date,
-                )
-            ]
+        kwargs["sum_cb"] = Refilling.objects.filter(
+            payment_method="CARD",
+            is_validated=True,
+            date__gte=start_date,
+            date__lte=end_date,
+        ).aggregate(res=Sum("amount", default=0))["res"]
+        kwargs["sum_cb"] += (
+            Selling.objects.filter(
+                payment_method="CARD",
+                is_validated=True,
+                date__gte=start_date,
+                date__lte=end_date,
+            )
+            .annotate(amount=F("unit_price") * F("quantity"))
+            .aggregate(res=Sum("amount", default=0))["res"]
         )
         kwargs["start_date"] = start_date
-        kwargs["sums"] = (
-            Selling.objects.values("club__name")
-            .annotate(
-                selling_sum=Sum(
-                    Case(
-                        When(
-                            date__gte=start_date,
-                            date__lt=end_date,
-                            then=F("unit_price") * F("quantity"),
-                        ),
-                        output_field=CurrencyField(),
-                    )
-                )
-            )
+        kwargs["invoices"] = (
+            Selling.objects.filter(date__gte=start_date, date__lt=end_date)
+            .values("club_id", "club__name")
+            .annotate(selling_sum=Sum(F("unit_price") * F("quantity")))
             .exclude(selling_sum=None)
             .order_by("-selling_sum")
         )

eboutic/converters.py

@@ -1,37 +0,0 @@
-#
-# Copyright 2022
-# - Maréchal <thgirod@hotmail.com
-#
-# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
-# http://ae.utbm.fr.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License a published by the Free Software
-# Foundation; either version 3 of the License, or (at your option) any later
-# version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
-# details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
-# Place - Suite 330, Boston, MA 02111-1307, USA.
-
-
-class PaymentResultConverter:
-    """Converter used for url mapping of the `eboutic.views.payment_result` view.
-
-    It's meant to build an url that can match
-    either `/eboutic/pay/success/` or `/eboutic/pay/failure/`
-    but nothing else.
-    """
-
-    regex = "(success|failure)"
-
-    def to_python(self, value):
-        return str(value)
-
-    def to_url(self, value):
-        return str(value)

eboutic/templates/eboutic/eboutic_billing_info.jinja

@@ -1,3 +1,5 @@
+{% from 'core/macros.jinja' import update_notifications %}
+
 <div id=billing-infos-fragment>
   <div
     class="collapse"
@@ -29,7 +31,6 @@
       >
     </form>
   </div>
-
   <br>
-  {% include "core/base/notifications.jinja" %}
+  {{ update_notifications(messages) }}
 </div>

eboutic/templates/eboutic/eboutic_checkout.jinja

@@ -1,7 +1,7 @@
 {% extends "core/base.jinja" %}
 
 {% block notifications %}
-  {# Notifications are moved inside the billing info fragment #}
+  {# Notifications are moved under the billing form #}
 {% endblock %}
 
 {% block title %}
@@ -60,6 +60,7 @@
       <div @htmx:after-request="fill">
         {{ billing_infos_form }}
       </div>
+      {% include "core/base/notifications.jinja" %}
       <form
         method="post"
         action="{{ settings.SITH_EBOUTIC_ET_URL }}"

eboutic/urls.py

@@ -24,7 +24,7 @@
 
 from django.urls import path, register_converter
 
-from eboutic.converters import PaymentResultConverter
+from core.converters import ResultConverter
 from eboutic.views import (
     BillingInfoFormFragment,
     EbouticCheckout,
@@ -34,7 +34,7 @@ from eboutic.views import (
     payment_result,
 )
 
-register_converter(PaymentResultConverter, "res")
+register_converter(ResultConverter, "res")
 
 urlpatterns = [
     # Subscription views

eboutic/views.py

@@ -48,7 +48,7 @@ from django_countries.fields import Country
 
 from core.auth.mixins import CanViewMixin
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
-from counter.forms import BaseBasketForm, BillingInfoForm, ProductForm
+from counter.forms import BaseBasketForm, BasketProductForm, BillingInfoForm
 from counter.models import (
     BillingInfo,
     Customer,
@@ -78,7 +78,7 @@ class BaseEbouticBasketForm(BaseBasketForm):
 
 
 EbouticBasketForm = forms.formset_factory(
-    ProductForm, formset=BaseEbouticBasketForm, absolute_max=None, min_num=1
+    BasketProductForm, formset=BaseEbouticBasketForm, absolute_max=None, min_num=1
 )
 
 

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-26 17:36+0200\n"
+"POT-Creation-Date: 2025-10-26 16:47+0100\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -35,6 +35,10 @@ msgstr ""
 "True si gardé à jour par le biais d'un fournisseur externe de domains "
 "toxics, False sinon"
 
+#: api/admin.py
+msgid "Reset HMAC key"
+msgstr "Réinitialiser la clef HMAC"
+
 #: api/admin.py
 #, python-format
 msgid ""
@@ -48,6 +52,23 @@ msgstr ""
 msgid "Revoke selected API keys"
 msgstr "Révoquer les clefs d'API sélectionnées"
 
+#: api/forms.py
+msgid "I have read and I accept the terms and conditions of use"
+msgstr "J'ai lu et j'accepte les conditions générales d'utilisation."
+
+#: api/forms.py
+msgid "You must approve the terms and conditions of use."
+msgstr "Vous devez approuver les conditions générales d'utilisation."
+
+#: api/forms.py
+msgid "You must confirm that this is your username."
+msgstr "Vous devez confirmer que c'est bien votre nom d'utilisateur."
+
+#: api/forms.py
+#, python-format
+msgid "I confirm that %(username)s is my username on %(app)s"
+msgstr "Je confirme que %(username)s est mon nom d'utilisateur sur %(app)s"
+
 #: api/models.py club/models.py com/models.py counter/models.py forum/models.py
 msgid "name"
 msgstr "nom"
@@ -68,6 +89,10 @@ msgstr "permissions du client"
 msgid "Specific permissions for this api client."
 msgstr "Permissions spécifiques pour ce client d'API"
 
+#: api/models.py
+msgid "HMAC Key"
+msgstr "Clef HMAC"
+
 #: api/models.py
 msgid "api client"
 msgstr "client d'api"
@@ -97,6 +122,63 @@ msgstr "clef d'api"
 msgid "api keys"
 msgstr "clefs d'api"
 
+#: api/templates/api/third_party/auth.jinja
+msgid "Confidentiality"
+msgstr "Confidentialité"
+
+#: api/templates/api/third_party/auth.jinja
+#, python-format
+msgid ""
+"By ticking this box and clicking on the send button, you acknowledge and "
+"agree to provide %(app)s with your first name, last name, nickname and any "
+"other information that was the third party app was explicitly authorized to "
+"fetch and that it must have acknowledged to you, in a complete and accurate "
+"manner."
+msgstr ""
+"En cochant cette case et en cliquant sur le bouton « Envoyer », vous "
+"reconnaissez et acceptez de fournir à %(app)s votre prénom, nom, pseudonyme "
+"et toute autre information que l'application tierce a été explicitement "
+"autorisée à récupérer et qu'elle doit vous avoir communiqué de manière "
+"complète et exacte."
+
+#: api/templates/api/third_party/auth.jinja
+#, python-format
+msgid ""
+"The privacy policies of <a href=\"%(cgu_link)s\">%(app)s</a> and of <a "
+"href=\"%(sith_cgu_link)s\">the Students' Association</a> applies as soon as "
+"the form is submitted."
+msgstr ""
+"Les politiques de confidentialité de <a href=\"%(cgu_link)s\">%(app)s</a> et de <a "
+"href=\"%(sith_cgu_link)s\">l'Association des Etudiants</a> s'appliquent dès la soumission "
+"du formulaire."
+
+#: api/templates/api/third_party/auth.jinja
+msgid "Confirmation of identity"
+msgstr "Confirmation d'identité"
+
+#: api/views.py
+#, python-format
+msgid ""
+"You are going to link your AE account and your %(app)s account. Continue "
+"only if this page was opened from %(app)s."
+msgstr ""
+"Vous allez lier votre compte AE et votre compte %(app)s. Poursuivez "
+"uniquement si cette page a été ouverte depuis %(app)s."
+
+#: api/views.py
+msgid "You have been successfully authenticated. You can now close this page."
+msgstr "Vous avez été authentifié avec succès. Vous pouvez maintenant fermer cette page."
+
+#: api/views.py
+msgid ""
+"Your authentication on the AE website was successful, but an error happened "
+"during the interaction with the third-party application. Please contact the "
+"managers of the latter."
+msgstr ""
+"Votre authentification sur le site AE a fonctionné, mais une erreur est arrivée "
+"durant l'interaction avec l'application tierce. Veuillez contacter les responsables "
+"de cette dernière."
+
 #: club/forms.py
 msgid "Users to add"
 msgstr "Utilisateurs à ajouter"
@@ -117,7 +199,7 @@ msgstr "S'abonner"
 msgid "Remove"
 msgstr "Retirer"
 
-#: club/forms.py pedagogy/templates/pedagogy/moderation.jinja
+#: club/forms.py counter/forms.py pedagogy/templates/pedagogy/moderation.jinja
 msgid "Action"
 msgstr "Action"
 
@@ -556,6 +638,8 @@ msgstr ""
 #: core/templates/core/user_godfathers_tree.jinja
 #: core/templates/core/user_preferences.jinja
 #: counter/templates/counter/cash_register_summary.jinja
+#: counter/templates/counter/invoices_call.jinja
+#: counter/templates/counter/product_form.jinja
 #: forum/templates/forum/reply.jinja
 #: subscription/templates/subscription/fragments/creation_form.jinja
 #: trombi/templates/trombi/comment.jinja
@@ -688,15 +772,15 @@ msgstr "Vente"
 msgid "Mailing list"
 msgstr "Listes de diffusion"
 
+#: club/views.py
+msgid "You are now a member of this club."
+msgstr "Vous êtes maintenant membre de ce club."
+
 #: club/views.py
 #, python-format
 msgid "%(user)s has been added to club."
 msgstr "%(user)s a été ajouté au club."
 
-#: club/views.py
-msgid "You are now a member of this club."
-msgstr "Vous êtes maintenant membre de ce club."
-
 #: com/forms.py
 msgid "Format: 16:9 | Resolution: 1920x1080"
 msgstr "Format : 16:9 | Résolution : 1920x1080"
@@ -1061,6 +1145,10 @@ msgstr "Nos services"
 msgid "UV Guide"
 msgstr "Guide des UVs"
 
+#: com/templates/com/news_list.jinja
+msgid "Timetable"
+msgstr "Emploi du temps"
+
 #: com/templates/com/news_list.jinja core/templates/core/base/navbar.jinja
 msgid "Matmatronch"
 msgstr "Matmatronch"
@@ -2951,6 +3039,18 @@ msgstr "Cet UID est invalide"
 msgid "User not found"
 msgstr "Utilisateur non trouvé"
 
+#: counter/forms.py
+msgid "Date and time of action"
+msgstr "Date et heure de l'action"
+
+#: counter/forms.py
+msgid "New counters"
+msgstr "Nouveaux comptoirs"
+
+#: counter/forms.py
+msgid "The selected counters will replace the current ones"
+msgstr "Les comptoirs sélectionnés remplaceront les comptoirs actuels"
+
 #: counter/forms.py
 msgid ""
 "Describe the product. If it's an event's click, give some insights about it, "
@@ -3285,6 +3385,52 @@ msgid "The returnable product cannot be the same as the returned one"
 msgstr ""
 "Le produit consigné ne peut pas être le même que le produit de déconsigne"
 
+#: counter/models.py
+msgid "Archiving"
+msgstr "Archivage"
+
+#: counter/models.py
+msgid "Counters change"
+msgstr "Changement des comptoirs"
+
+#: counter/models.py
+msgid "Product scheduled action"
+msgstr "Actions sur produit planifiées"
+
+#: counter/models.py
+msgid "Product actions must declare a clocked schedule."
+msgstr "Les actions sur les produits doivent avoir un horaire planifié."
+
+#: counter/models.py
+msgid "Year + month field (day forced to 1)"
+msgstr "Champ Année + mois (jour forcé à 1)"
+
+#: counter/models.py
+#, python-format
+msgid ""
+"“%(value)s” value has an invalid date format. It must be in YYYY-MM format."
+msgstr ""
+"La valeur « %(value)s » a un format de date invalide. Ce doit être au format "
+"YYYY-MM."
+
+#: counter/models.py
+#, python-format
+msgid ""
+"“%(value)s” value has the correct format (YYYY-MM) but it is an invalid date."
+msgstr "La valeur « %(value)s » a le bon format, mais est une date invalide."
+
+#: counter/models.py
+msgid "invoice date"
+msgstr "date de la facture"
+
+#: counter/models.py
+msgid "Invoice call"
+msgstr "Appel à facture"
+
+#: counter/models.py
+msgid "Invoice calls"
+msgstr "Appels à facture"
+
 #: counter/templates/counter/activity.jinja
 #, python-format
 msgid "%(counter_name)s activity"
@@ -3515,6 +3661,10 @@ msgstr "Payements en Carte Bancaire"
 msgid "Sum"
 msgstr "Somme"
 
+#: counter/templates/counter/invoices_call.jinja
+msgid "Validated"
+msgstr "Validé"
+
 #: counter/templates/counter/last_ops.jinja
 #, python-format
 msgid "%(counter_name)s last operations"
@@ -3603,6 +3753,25 @@ msgstr ""
 "votre cotisation. Si vous ne renouvelez pas votre cotisation, il n'y aura "
 "aucune conséquence autre que le retrait de l'argent de votre compte."
 
+#: counter/templates/counter/product_form.jinja
+#, python-format
+msgid "Edit product %(name)s"
+msgstr "Édition du produit %(name)s"
+
+#: counter/templates/counter/product_form.jinja
+msgid "Product creation"
+msgstr "Création de produit"
+
+#: counter/templates/counter/product_form.jinja
+msgid "Automatic actions"
+msgstr "Actions automatiques"
+
+#: counter/templates/counter/product_form.jinja
+msgid "Automatic actions allows to schedule product changes ahead of time."
+msgstr ""
+"Les actions automatiques vous permettent de planifier des modifications du "
+"produit à l'avance."
+
 #: counter/templates/counter/product_list.jinja
 msgid "Product list"
 msgstr "Liste des produits"
@@ -3785,6 +3954,10 @@ msgstr "L'utilisateur n'est pas barman."
 msgid "Bad location, someone is already logged in somewhere else"
 msgstr "Mauvais comptoir, quelqu'un est déjà connecté ailleurs"
 
+#: counter/views/invoice.py
+msgid "Invoice calls status has been updated."
+msgstr "Le statut des appels à facture a été mis à jour."
+
 #: counter/views/mixins.py
 msgid "Cash summary"
 msgstr "Relevé de caisse"
@@ -5236,6 +5409,18 @@ msgstr "Membre existant"
 msgid "the groups that can create subscriptions"
 msgstr "les groupes pouvant créer des cotisations"
 
+#: timetable/templates/timetable/generator.jinja
+msgid "Timetable generator"
+msgstr "Générateur d'emploi du temps"
+
+#: timetable/templates/timetable/generator.jinja
+msgid "Generate"
+msgstr "Générer"
+
+#: timetable/templates/timetable/generator.jinja
+msgid "Save to PNG"
+msgstr "Sauver en PNG"
+
 #: trombi/models.py
 msgid "subscription deadline"
 msgstr "fin des inscriptions"

package-lock.json

@@ -29,6 +29,7 @@
         "d3-force-3d": "^3.0.5",
         "easymde": "^2.19.0",
         "glob": "^11.0.0",
+        "html2canvas": "^1.4.1",
         "htmx.org": "^2.0.3",
         "js-cookie": "^3.0.5",
         "lit-html": "^3.3.0",
@@ -3105,6 +3106,15 @@
         "@babel/core": "^7.4.0 || ^8.0.0-0 <8.0.0"
       }
     },
+    "node_modules/base64-arraybuffer": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/base64-arraybuffer/-/base64-arraybuffer-1.0.2.tgz",
+      "integrity": "sha512-I3yl4r9QB5ZRY3XuJVEPfc2XhZO6YweFPI+UovAzn+8/hb3oJ6lnysaFcjVpkCPfVWFUDvoZ8kmVDP7WyRtYtQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6.0"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -3493,6 +3503,15 @@
         "node": ">= 8"
       }
     },
+    "node_modules/css-line-break": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/css-line-break/-/css-line-break-2.1.0.tgz",
+      "integrity": "sha512-FHcKFCZcAha3LwfVBhCQbW2nCNbkZXn7KVUJcsT5/P8YmfsVja0FMPJr0B903j/E69HUphKiV9iQArX8SDYA4w==",
+      "license": "MIT",
+      "dependencies": {
+        "utrie": "^1.0.2"
+      }
+    },
     "node_modules/cytoscape": {
       "version": "3.33.1",
       "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.1.tgz",
@@ -4165,6 +4184,19 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/html2canvas": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/html2canvas/-/html2canvas-1.4.1.tgz",
+      "integrity": "sha512-fPU6BHNpsyIhr8yyMpTLLxAbkaK8ArIBcmZIRiBLiDhjeqvXolaEmDGmELFuX9I4xDcaKKcJl+TKZLqruBbmWA==",
+      "license": "MIT",
+      "dependencies": {
+        "css-line-break": "^2.1.0",
+        "text-segmentation": "^1.0.3"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
     "node_modules/htmx.org": {
       "version": "2.0.6",
       "resolved": "https://registry.npmjs.org/htmx.org/-/htmx.org-2.0.6.tgz",
@@ -5454,6 +5486,15 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/text-segmentation": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/text-segmentation/-/text-segmentation-1.0.3.tgz",
+      "integrity": "sha512-iOiPUo/BGnZ6+54OsWxZidGCsdU8YbE4PSpdPinp7DeMtUJNJBoJ/ouUSTJjHkh1KntHaltHl/gDs2FC4i5+Nw==",
+      "license": "MIT",
+      "dependencies": {
+        "utrie": "^1.0.2"
+      }
+    },
     "node_modules/three": {
       "version": "0.177.0",
       "resolved": "https://registry.npmjs.org/three/-/three-0.177.0.tgz",
@@ -5711,6 +5752,15 @@
         "browserslist": ">= 4.21.0"
       }
     },
+    "node_modules/utrie": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/utrie/-/utrie-1.0.2.tgz",
+      "integrity": "sha512-1MLa5ouZiOmQzUbjbu9VmjLzn1QLXBhwpUa7kdLUQK+KQ5KA9I1vk5U4YHe/X2Ch7PYnJfWuWT+VbuxbGwljhw==",
+      "license": "MIT",
+      "dependencies": {
+        "base64-arraybuffer": "^1.0.2"
+      }
+    },
     "node_modules/vite": {
       "version": "6.3.6",
       "resolved": "https://registry.npmjs.org/vite/-/vite-6.3.6.tgz",

package.json

@@ -59,6 +59,7 @@
     "d3-force-3d": "^3.0.5",
     "easymde": "^2.19.0",
     "glob": "^11.0.0",
+    "html2canvas": "^1.4.1",
     "htmx.org": "^2.0.3",
     "js-cookie": "^3.0.5",
     "lit-html": "^3.3.0",

sas/static/bundled/sas/user/pictures-index.ts

@@ -7,6 +7,7 @@ import {
 
 interface PagePictureConfig {
   userId: number;
+  nbPictures?: number;
 }
 
 interface Album {
@@ -20,11 +21,27 @@ document.addEventListener("alpine:init", () => {
     loading: true,
     albums: [] as Album[],
 
-    async init() {
+    async fetchPictures(): Promise<PictureSchema[]> {
+      const localStorageKey = `user${config.userId}Pictures`;
+      const localStorageInvalidationKey = `user${config.userId}PicturesNumber`;
+      const lastCachedNumber = localStorage.getItem(localStorageInvalidationKey);
+      if (
+        lastCachedNumber !== null &&
+        Number.parseInt(lastCachedNumber) === config.nbPictures
+      ) {
+        return JSON.parse(localStorage.getItem(localStorageKey));
+      }
       const pictures = await paginated(picturesFetchPictures, {
         // biome-ignore lint/style/useNamingConvention: from python api
         query: { users_identified: [config.userId] },
       } as PicturesFetchPicturesData);
+      localStorage.setItem(localStorageInvalidationKey, config.nbPictures.toString());
+      localStorage.setItem(localStorageKey, JSON.stringify(pictures));
+      return pictures;
+    },
+
+    async init() {
+      const pictures = await this.fetchPictures();
       const groupedAlbums = Object.groupBy(pictures, (i: PictureSchema) => i.album.id);
       this.albums = Object.values(groupedAlbums).map((pictures: PictureSchema[]) => {
         return {

sas/templates/sas/user_pictures.jinja

@@ -15,7 +15,7 @@
 {% endblock %}
 
 {% block content %}
-  <main x-data="user_pictures({ userId: {{ object.id }} })">
+  <main x-data="user_pictures({ userId: {{ object.id }}, nbPictures: {{ object.nb_pictures }} })">
     {% if user.id == object.id %}
       {{ download_button(_("Download all my pictures")) }}
     {% endif %}

sas/views.py

@@ -16,6 +16,7 @@ from typing import Any
 
 from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from django.db.models import Count, OuterRef, Subquery
 from django.http import Http404, HttpResponseRedirect
 from django.shortcuts import get_object_or_404
 from django.urls import reverse
@@ -36,7 +37,7 @@ from sas.forms import (
     PictureModerationRequestForm,
     PictureUploadForm,
 )
-from sas.models import Album, Picture
+from sas.models import Album, PeoplePictureRelation, Picture
 
 
 class AlbumCreateFragment(FragmentMixin, CreateView):
@@ -178,6 +179,13 @@ class UserPicturesView(UserTabsMixin, CanViewMixin, DetailView):
     context_object_name = "profile"
     template_name = "sas/user_pictures.jinja"
     current_tab = "pictures"
+    queryset = User.objects.annotate(
+        nb_pictures=Subquery(
+            PeoplePictureRelation.objects.filter(user=OuterRef("id"))
+            .values("user_id")
+            .values(count=Count("*"))
+        )
+    ).all()
 
 
 # Admin views

sith/settings.py

@@ -125,6 +125,7 @@ INSTALLED_APPS = (
     "pedagogy",
     "galaxy",
     "antispam",
+    "timetable",
     "api",
 )
 
@@ -405,6 +406,8 @@ SITH_FORUM_PAGE_LENGTH = 30
 SITH_SAS_ROOT_DIR_ID = env.int("SITH_SAS_ROOT_DIR_ID", default=4)
 SITH_SAS_IMAGES_PER_PAGE = 60
 
+SITH_CGU_FILE_ID = env.int("SITH_CGU_FILE_ID", default=5)
+
 SITH_PROFILE_DEPARTMENTS = [
     ("TC", _("TC")),
     ("IMSI", _("IMSI")),

sith/urls.py

@@ -34,6 +34,7 @@ urlpatterns = [
     path("", include(("core.urls", "core"), namespace="core")),
     path("sitemap.xml", cache_page(86400)(sitemap), {"sitemaps": sitemaps}),
     path("api/", api.urls),
+    path("api-link/", include(("api.urls", "api-link"), namespace="api-link")),
     path("rootplace/", include(("rootplace.urls", "rootplace"), namespace="rootplace")),
     path(
         "subscription/",
@@ -53,6 +54,7 @@ urlpatterns = [
     path("i18n/", include("django.conf.urls.i18n")),
     path("jsi18n/", JavaScriptCatalog.as_view(), name="javascript-catalog"),
     path("captcha/", include("captcha.urls")),
+    path("edt/", include(("timetable.urls", "timetable"), namespace="timetable")),
 ]
 
 if settings.DEBUG:

timetable/admin.py

@@ -0,0 +1 @@
+# Register your models here.

timetable/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class TimetableConfig(AppConfig):
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "timetable"

timetable/models.py

@@ -0,0 +1 @@
+# Create your models here.

timetable/static/bundled/timetable/generator-index.ts

@@ -0,0 +1,184 @@
+import html2canvas from "html2canvas";
+
+// see https://regex101.com/r/QHSaPM/2
+const TIMETABLE_ROW_RE: RegExp =
+  /^(?<ueCode>\w.+\w)\s+(?<courseType>[A-Z]{2}\d)\s+((?<weekGroup>[AB])\s+)?(?<weekday>(lundi)|(mardi)|(mercredi)|(jeudi)|(vendredi)|(samedi)|(dimanche))\s+(?<startHour>\d{2}:\d{2})\s+(?<endHour>\d{2}:\d{2})\s+[\dA-B]\s+((?<attendance>[\wé]*)\s+)?(?<room>\w+(?:, \w+)?)$/;
+
+const DEFAULT_TIMETABLE: string = `DS52\t\tCM1\t\tlundi\t08:00\t10:00\t1\tPrésentiel\tA113
+DS53\t\tCM1\t\tlundi\t10:15\t12:15\t1\tPrésentiel\tA101
+DS53\t\tTP1\t\tlundi\t13:00\t16:00\t1\tPrésentiel\tH010
+SO03\t\tCM1\t\tlundi\t16:15\t17:45\t1\tPrésentiel\tA103
+SO03\t\tTD1\t\tlundi\t17:45\t19:45\t1\tPrésentiel\tA103
+DS50\t\tTP1\t\tmardi\t08:00\t10:00\t1\tPrésentiel\tA216
+DS51\t\tCM1\t\tmardi\t10:15\t12:15\t1\tPrésentiel\tA216
+DS51\t\tTP1\t\tmardi\t14:00\t18:00\t1\tPrésentiel\tH010
+DS52\t\tTP2\tA\tjeudi\t08:00\t10:00\tA\tPrésentiel\tA110a, A110b
+DS52\t\tTD1\t\tjeudi\t10:15\t12:15\t1\tPrésentiel\tA110a, A110b
+LC02\t\tTP1\t\tjeudi\t15:00\t16:00\t1\tPrésentiel\tA209
+LC02\t\tTD1\t\tjeudi\t16:15\t18:15\t1\tPrésentiel\tA206`;
+
+type WeekDay =
+  | "lundi"
+  | "mardi"
+  | "mercredi"
+  | "jeudi"
+  | "vendredi"
+  | "samedi"
+  | "dimanche";
+
+const WEEKDAYS = [
+  "lundi",
+  "mardi",
+  "mercredi",
+  "jeudi",
+  "vendredi",
+  "samedi",
+  "dimanche",
+] as const;
+
+const SLOT_HEIGHT = 20 as const; // Each 15min has a height of 20px in the timetable
+const SLOT_WIDTH = 250 as const; // Each weekday ha a width of 400px in the timetable
+const MINUTES_PER_SLOT = 15 as const;
+
+interface TimetableSlot {
+  courseType: string;
+  room: string;
+  startHour: string;
+  endHour: string;
+  startSlot: number;
+  endSlot: number;
+  ueCode: string;
+  weekGroup?: string;
+  weekday: WeekDay;
+}
+
+function parseSlots(s: string): TimetableSlot[] {
+  return s
+    .split("\n")
+    .filter((s: string) => s.length > 0)
+    .map((row: string) => {
+      const parsed = TIMETABLE_ROW_RE.exec(row);
+      if (!parsed) {
+        throw new Error(`Couldn't parse row ${row}`);
+      }
+      const [startHour, startMin] = parsed.groups.startHour
+        .split(":")
+        .map((i) => Number.parseInt(i));
+      const [endHour, endMin] = parsed.groups.endHour
+        .split(":")
+        .map((i) => Number.parseInt(i));
+      return {
+        ...parsed.groups,
+        startSlot: Math.floor((startHour * 60 + startMin) / MINUTES_PER_SLOT),
+        endSlot: Math.floor((endHour * 60 + endMin) / MINUTES_PER_SLOT),
+      } as unknown as TimetableSlot;
+    });
+}
+
+document.addEventListener("alpine:init", () => {
+  Alpine.data("timetableGenerator", () => ({
+    content: DEFAULT_TIMETABLE,
+    error: "",
+    displayedWeekdays: [] as WeekDay[],
+    courses: [] as TimetableSlot[],
+    startSlot: 0,
+    endSlot: 0,
+    table: {
+      height: 0,
+      width: 0,
+    },
+
+    colors: {} as Record<string, string>,
+    colorPalette: [
+      "#27ae60",
+      "#2980b9",
+      "#c0392b",
+      "#7f8c8d",
+      "#f1c40f",
+      "#1abc9c",
+      "#95a5a6",
+      "#26C6DA",
+      "#c2185b",
+      "#e64a19",
+      "#1b5e20",
+    ],
+
+    generate() {
+      try {
+        this.courses = parseSlots(this.content);
+      } catch {
+        this.error = gettext(
+          "Wrong timetable format. Make sure you copied if from your student folder.",
+        );
+        return;
+      }
+
+      // color each UE
+      let colorIndex = 0;
+      for (const slot of this.courses) {
+        if (!this.colors[slot.ueCode]) {
+          this.colors[slot.ueCode] =
+            this.colorPalette[colorIndex % this.colorPalette.length];
+          colorIndex++;
+        }
+      }
+
+      this.displayedWeekdays = WEEKDAYS.filter((day) =>
+        this.courses.some((slot: TimetableSlot) => slot.weekday === day),
+      );
+      this.startSlot = this.courses.reduce(
+        (acc: number, curr: TimetableSlot) => Math.min(acc, curr.startSlot),
+        25 * 4,
+      );
+      this.endSlot = this.courses.reduce(
+        (acc: number, curr: TimetableSlot) => Math.max(acc, curr.endSlot),
+        1,
+      );
+      this.table.height = SLOT_HEIGHT * (this.endSlot - this.startSlot);
+      this.table.width = SLOT_WIDTH * this.displayedWeekdays.length;
+    },
+
+    getStyle(slot: TimetableSlot) {
+      const hasWeekGroup = slot.weekGroup !== undefined;
+      const width = hasWeekGroup ? SLOT_WIDTH / 2 : SLOT_WIDTH;
+      const leftOffset = slot.weekGroup === "B" ? SLOT_WIDTH / 2 : 0;
+      return {
+        height: `${(slot.endSlot - slot.startSlot) * SLOT_HEIGHT}px`,
+        width: `${width}px`,
+        top: `${(slot.startSlot - this.startSlot) * SLOT_HEIGHT}px`,
+        left: `${this.displayedWeekdays.indexOf(slot.weekday) * SLOT_WIDTH + leftOffset}px`,
+        backgroundColor: this.colors[slot.ueCode],
+      };
+    },
+
+    getHours(): [string, object][] {
+      let hour: number = Number.parseInt(
+        this.courses
+          .map((c: TimetableSlot) => c.startHour)
+          .reduce((res: string, hour: string) => (hour < res ? hour : res), "24:00")
+          .split(":")[0],
+      );
+      const res: [string, object][] = [];
+      for (let i = 0; i <= this.endSlot - this.startSlot; i += 60 / MINUTES_PER_SLOT) {
+        res.push([`${hour}:00`, { top: `${i * SLOT_HEIGHT}px` }]);
+        hour += 1;
+      }
+      return res;
+    },
+
+    getWidth() {
+      return this.displayedWeekdays.length * SLOT_WIDTH + 20;
+    },
+
+    async savePng() {
+      const elem = document.getElementById("timetable");
+      const img = (await html2canvas(elem)).toDataURL();
+      const downloadLink = document.createElement("a");
+      downloadLink.href = img;
+      downloadLink.download = "edt.png";
+      document.body.appendChild(downloadLink);
+      downloadLink.click();
+      downloadLink.remove();
+    },
+  }));
+});

timetable/static/timetable/css/generator.scss

@@ -0,0 +1,67 @@
+@import "core/static/core/colors";
+
+#timetable {
+  --hour-side-width: 60px;
+
+  display: block;
+  margin: 2em auto;
+  .header {
+    background-color: $white-color;
+    font-weight: bold;
+    box-shadow: none;
+    width: calc(100% - var(--hour-side-width) - 10px);
+    margin-left: var(--hour-side-width);
+    padding-left: 0;
+    display: flex;
+    flex-direction: row;
+    gap: 0;
+    span {
+      flex: 1;
+      text-align: center;
+    }
+  }
+  .content {
+    position: relative;
+  }
+  .hours {
+    position: absolute;
+    width: 40px;
+    left: 0;
+    top: -.5em;
+
+    .hour {
+      position: absolute;
+
+      .hour-bar {
+        content: "";
+        position: absolute;
+        height: 1px;
+        background: lightgray;
+        top: 50%;
+        left: 100%;
+        margin-left: 10px;
+      }
+    }
+  }
+  .courses {
+    position: absolute;
+    text-align: center;
+    top: 0;
+    left: var(--hour-side-width);
+
+    .slot {
+      background-color: cadetblue;
+      position: absolute;
+      display: flex;
+      flex-direction: column;
+      justify-content: center;
+
+      .course-type {
+        position: absolute;
+        top: 0;
+        right: 0;
+        padding: 10px;
+      }
+    }
+  }
+}

timetable/templates/timetable/generator.jinja

@@ -0,0 +1,68 @@
+{% extends 'core/base.jinja' %}
+
+{%- block additional_css -%}
+  <link rel="stylesheet" href="{{ static('timetable/css/generator.scss') }}">
+{%- endblock -%}
+
+{%- block additional_js -%}
+  <script type="module" src="{{ static('bundled/timetable/generator-index.ts') }}"></script>
+{%- endblock -%}
+
+{% block title %}
+  {% trans %}Timetable generator{% endtrans %}
+{% endblock %}
+
+{% block content %}
+  <div x-data="timetableGenerator">
+    <form @submit.prevent="generate()">
+      <h1>Générateur d'emploi du temps</h1>
+      <div class="alert alert-red" x-show="!!error" x-cloak>
+        <span class="alert-main" x-text="error"></span>
+      </div>
+      <div class="form-group">
+        <label for="timetable-input">Colle ton emploi du temps (sans l'entête)</label>
+        <textarea id="timetable-input" cols="30" rows="15" x-model="content"></textarea>
+      </div>
+      <input type="submit" class="btn btn-blue" value="{% trans %}Generate{% endtrans %}">
+    </form>
+    <div
+      id="timetable"
+      x-show="table.height > 0 && table.width > 0"
+      :style="{width: `${table.width+80}px`, height: `${table.height+40}px`}"
+    >
+      <div class="header">
+        <template x-for="weekday in displayedWeekdays">
+          <span x-text="weekday"></span>
+        </template>
+      </div>
+      <div class="content">
+        <div class="hours" :height="(endSlot - endSlot%4) - (startSlot - startSlot%4)">
+          <template x-for="[hour, style] in getHours()">
+            <div class="hour" :style="style">
+              <div x-text="hour"></div>
+              <div class="hour-bar" :style="{width: `${getWidth()}px`}"></div>
+            </div>
+          </template>
+        </div>
+        <div class="courses">
+          <template x-for="course in courses">
+            <div class="slot" :style="getStyle(course)">
+              <span class="course-type" x-text="course.courseType"></span>
+              <span x-text="course.ueCode"></span>
+              <span x-text="`${course.startHour} - ${course.endHour}`"></span>
+              <span x-text="(course.weekGroup ? `\nGroupe ${course.weekGroup}` : '')"></span>
+              <span x-text="course.room"></span>
+            </div>
+          </template>
+        </div>
+      </div>
+    </div>
+    <button
+      class="margin-bottom btn btn-blue"
+      @click="savePng"
+      x-show="table.height > 0 && table.width > 0"
+    >
+      {% trans %}Save to PNG{% endtrans %}
+    </button>
+  </div>
+{% endblock content %}

timetable/tests.py

@@ -0,0 +1 @@
+# Create your tests here.

timetable/urls.py

@@ -0,0 +1,5 @@
+from django.urls import path
+
+from timetable.views import GeneratorView
+
+urlpatterns = [path("", GeneratorView.as_view(), name="generator")]

timetable/views.py

@@ -0,0 +1,8 @@
+# Create your views here.
+from django.views.generic import TemplateView
+
+from core.auth.mixins import FormerSubscriberMixin
+
+
+class GeneratorView(FormerSubscriberMixin, TemplateView):
+    template_name = "timetable/generator.jinja"