Merge remote-tracking branch 'origin/master' into activity

# Conflicts:
#	note_kfet/urls.py
#	templates/base.html

apps/activity/admin.py

@@ -11,7 +11,7 @@ class ActivityAdmin(admin.ModelAdmin):
     Admin customisation for Activity
     """
     list_display = ('name', 'activity_type', 'organizer')
-    list_filter = ('activity_type', )
+    list_filter = ('activity_type',)
     search_fields = ['name', 'organizer__name']
 
     # Organize activities by start date

apps/activity/api/serializers.py

@@ -11,6 +11,7 @@ class ActivityTypeSerializer(serializers.ModelSerializer):
     REST API Serializer for Activity types.
     The djangorestframework plugin will analyse the model `ActivityType` and parse all fields in the API.
     """
+
     class Meta:
         model = ActivityType
         fields = '__all__'
@@ -21,6 +22,7 @@ class ActivitySerializer(serializers.ModelSerializer):
     REST API Serializer for Activities.
     The djangorestframework plugin will analyse the model `Activity` and parse all fields in the API.
     """
+
     class Meta:
         model = Activity
         fields = '__all__'
@@ -31,6 +33,7 @@ class GuestSerializer(serializers.ModelSerializer):
     REST API Serializer for Guests.
     The djangorestframework plugin will analyse the model `Guest` and parse all fields in the API.
     """
+
     class Meta:
         model = Guest
         fields = '__all__'

apps/activity/api/views.py

@@ -1,13 +1,15 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from rest_framework import viewsets
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import SearchFilter
+from api.viewsets import ReadProtectedModelViewSet
 
-from ..models import ActivityType, Activity, Guest
 from .serializers import ActivityTypeSerializer, ActivitySerializer, GuestSerializer
+from ..models import ActivityType, Activity, Guest
 
 
-class ActivityTypeViewSet(viewsets.ModelViewSet):
+class ActivityTypeViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `ActivityType` objects, serialize it to JSON with the given serializer,
@@ -15,9 +17,11 @@ class ActivityTypeViewSet(viewsets.ModelViewSet):
     """
     queryset = ActivityType.objects.all()
     serializer_class = ActivityTypeSerializer
+    filter_backends = [DjangoFilterBackend]
+    filterset_fields = ['name', 'can_invite', ]
 
 
-class ActivityViewSet(viewsets.ModelViewSet):
+class ActivityViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Activity` objects, serialize it to JSON with the given serializer,
@@ -25,9 +29,11 @@ class ActivityViewSet(viewsets.ModelViewSet):
     """
     queryset = Activity.objects.all()
     serializer_class = ActivitySerializer
+    filter_backends = [DjangoFilterBackend]
+    filterset_fields = ['name', 'description', 'activity_type', ]
 
 
-class GuestViewSet(viewsets.ModelViewSet):
+class GuestViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Guest` objects, serialize it to JSON with the given serializer,
@@ -35,3 +41,5 @@ class GuestViewSet(viewsets.ModelViewSet):
     """
     queryset = Guest.objects.all()
     serializer_class = GuestSerializer
+    filter_backends = [SearchFilter]
+    search_fields = ['$name', ]

apps/api/__init__.py

@@ -0,0 +1,4 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+default_app_config = 'api.apps.APIConfig'

apps/api/apps.py

@@ -0,0 +1,10 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.apps import AppConfig
+from django.utils.translation import gettext_lazy as _
+
+
+class APIConfig(AppConfig):
+    name = 'api'
+    verbose_name = _('API')

apps/api/urls.py

@@ -3,10 +3,18 @@
 
 from django.conf.urls import url, include
 from django.contrib.auth.models import User
-from rest_framework import routers, serializers, viewsets
+from django.contrib.contenttypes.models import ContentType
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework import routers, serializers
+from rest_framework.filters import SearchFilter
+from rest_framework.viewsets import ReadOnlyModelViewSet
 from activity.api.urls import register_activity_urls
+from api.viewsets import ReadProtectedModelViewSet
 from member.api.urls import register_members_urls
 from note.api.urls import register_note_urls
+from treasury.api.urls import register_treasury_urls
+from logs.api.urls import register_logs_urls
+from permission.api.urls import register_permission_urls
 
 
 class UserSerializer(serializers.ModelSerializer):
@@ -14,6 +22,7 @@ class UserSerializer(serializers.ModelSerializer):
     REST API Serializer for Users.
     The djangorestframework plugin will analyse the model `User` and parse all fields in the API.
     """
+
     class Meta:
         model = User
         exclude = (
@@ -23,7 +32,18 @@ class UserSerializer(serializers.ModelSerializer):
         )
 
 
-class UserViewSet(viewsets.ModelViewSet):
+class ContentTypeSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Users.
+    The djangorestframework plugin will analyse the model `User` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = ContentType
+        fields = '__all__'
+
+
+class UserViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `User` objects, serialize it to JSON with the given serializer,
@@ -31,15 +51,33 @@ class UserViewSet(viewsets.ModelViewSet):
     """
     queryset = User.objects.all()
     serializer_class = UserSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['id', 'username', 'first_name', 'last_name', 'email', 'is_superuser', 'is_staff', 'is_active', ]
+    search_fields = ['$username', '$first_name', '$last_name', ]
+
+
+# This ViewSet is the only one that is accessible from all authenticated users!
+class ContentTypeViewSet(ReadOnlyModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `User` objects, serialize it to JSON with the given serializer,
+    then render it on /api/users/
+    """
+    queryset = ContentType.objects.all()
+    serializer_class = ContentTypeSerializer
 
 
 # Routers provide an easy way of automatically determining the URL conf.
 # Register each app API router and user viewset
 router = routers.DefaultRouter()
+router.register('models', ContentTypeViewSet)
 router.register('user', UserViewSet)
 register_members_urls(router, 'members')
 register_activity_urls(router, 'activity')
 register_note_urls(router, 'note')
+register_treasury_urls(router, 'treasury')
+register_permission_urls(router, 'permission')
+register_logs_urls(router, 'logs')
 
 app_name = 'api'
 

apps/api/viewsets.py

@@ -0,0 +1,31 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.contenttypes.models import ContentType
+from permission.backends import PermissionBackend
+from rest_framework import viewsets
+from note_kfet.middlewares import get_current_authenticated_user
+
+
+class ReadProtectedModelViewSet(viewsets.ModelViewSet):
+    """
+    Protect a ModelViewSet by filtering the objects that the user cannot see.
+    """
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()
+        user = get_current_authenticated_user()
+        self.queryset = model.objects.filter(PermissionBackend.filter_queryset(user, model, "view"))
+
+
+class ReadOnlyProtectedModelViewSet(viewsets.ReadOnlyModelViewSet):
+    """
+    Protect a ReadOnlyModelViewSet by filtering the objects that the user cannot see.
+    """
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()
+        user = get_current_authenticated_user()
+        self.queryset = model.objects.filter(PermissionBackend.filter_queryset(user, model, "view"))

apps/logs/__init__.py

@@ -0,0 +1,4 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+default_app_config = 'logs.apps.LogsConfig'

apps/logs/api/serializers.py

@@ -0,0 +1,19 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from rest_framework import serializers
+
+from ..models import Changelog
+
+
+class ChangelogSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Changelog types.
+    The djangorestframework plugin will analyse the model `Changelog` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = Changelog
+        fields = '__all__'
+        # noinspection PyProtectedMember
+        read_only_fields = [f.name for f in model._meta.get_fields()]  # Changelogs are read-only protected

apps/logs/api/urls.py

@@ -0,0 +1,11 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from .views import ChangelogViewSet
+
+
+def register_logs_urls(router, path):
+    """
+    Configure router for Activity REST API.
+    """
+    router.register(path, ChangelogViewSet)

apps/logs/api/views.py

@@ -0,0 +1,23 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import OrderingFilter
+from api.viewsets import ReadOnlyProtectedModelViewSet
+
+from .serializers import ChangelogSerializer
+from ..models import Changelog
+
+
+class ChangelogViewSet(ReadOnlyProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Changelog` objects, serialize it to JSON with the given serializer,
+    then render it on /api/logs/
+    """
+    queryset = Changelog.objects.all()
+    serializer_class = ChangelogSerializer
+    filter_backends = [DjangoFilterBackend, OrderingFilter]
+    filterset_fields = ['model', 'action', "instance_pk", 'user', 'ip', ]
+    ordering_fields = ['timestamp', ]
+    ordering = ['-timestamp', ]

apps/logs/apps.py

@@ -0,0 +1,18 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.apps import AppConfig
+from django.db.models.signals import pre_save, post_save, post_delete
+from django.utils.translation import gettext_lazy as _
+
+
+class LogsConfig(AppConfig):
+    name = 'logs'
+    verbose_name = _('Logs')
+
+    def ready(self):
+        # noinspection PyUnresolvedReferences
+        from . import signals
+        pre_save.connect(signals.pre_save_object)
+        post_save.connect(signals.save_object)
+        post_delete.connect(signals.delete_object)

apps/logs/models.py

@@ -0,0 +1,77 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.conf import settings
+from django.contrib.contenttypes.models import ContentType
+from django.core.exceptions import ValidationError
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+
+class Changelog(models.Model):
+    """
+    Store each modification in the database (except sessions and logging),
+    including creating, editing and deleting models.
+    """
+
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.PROTECT,
+        null=True,
+        verbose_name=_('user'),
+    )
+
+    ip = models.GenericIPAddressField(
+        null=True,
+        blank=True,
+        verbose_name=_("IP Address")
+    )
+
+    model = models.ForeignKey(
+        ContentType,
+        on_delete=models.PROTECT,
+        null=False,
+        blank=False,
+        verbose_name=_('model'),
+    )
+
+    instance_pk = models.CharField(
+        max_length=255,
+        null=False,
+        blank=False,
+        verbose_name=_('identifier'),
+    )
+
+    previous = models.TextField(
+        null=True,
+        verbose_name=_('previous data'),
+    )
+
+    data = models.TextField(
+        null=True,
+        verbose_name=_('new data'),
+    )
+
+    action = models.CharField(  # create, edit or delete
+        max_length=16,
+        null=False,
+        blank=False,
+        choices=[
+            ('create', _('create')),
+            ('edit', _('edit')),
+            ('delete', _('delete')),
+        ],
+        default='edit',
+        verbose_name=_('action'),
+    )
+
+    timestamp = models.DateTimeField(
+        null=False,
+        blank=False,
+        auto_now_add=True,
+        name='timestamp',
+        verbose_name=_('timestamp'),
+    )
+
+    def delete(self, using=None, keep_parents=False):
+        raise ValidationError(_("Logs cannot be destroyed."))

apps/logs/signals.py

@@ -0,0 +1,140 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.contenttypes.models import ContentType
+from rest_framework.renderers import JSONRenderer
+from rest_framework.serializers import ModelSerializer
+from note.models import NoteUser, Alias
+from note_kfet.middlewares import get_current_authenticated_user, get_current_ip
+
+from .models import Changelog
+
+import getpass
+
+
+# Ces modèles ne nécessitent pas de logs
+EXCLUDED = [
+    'admin.logentry',
+    'authtoken.token',
+    'cas_server.proxygrantingticket',
+    'cas_server.proxyticket',
+    'cas_server.serviceticket',
+    'cas_server.user',
+    'cas_server.userattributes',
+    'contenttypes.contenttype',
+    'logs.changelog',  # Never remove this line
+    'migrations.migration',
+    'note.note'  # We only store the subclasses
+    'note.transaction',
+    'sessions.session',
+]
+
+
+def pre_save_object(sender, instance, **kwargs):
+    """
+    Before a model get saved, we get the previous instance that is currently in the database
+    """
+    qs = sender.objects.filter(pk=instance.pk).all()
+    if qs.exists():
+        instance._previous = qs.get()
+    else:
+        instance._previous = None
+
+
+def save_object(sender, instance, **kwargs):
+    """
+    Each time a model is saved, an entry in the table `Changelog` is added in the database
+    in order to store each modification made
+    """
+    # noinspection PyProtectedMember
+    if instance._meta.label_lower in EXCLUDED:
+        return
+
+    # noinspection PyProtectedMember
+    previous = instance._previous
+
+    # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
+    user, ip = get_current_authenticated_user(), get_current_ip()
+
+    if user is None:
+        # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
+        # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
+        # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
+        ip = "127.0.0.1"
+        username = Alias.normalize(getpass.getuser())
+        note = NoteUser.objects.filter(alias__normalized_name=username)
+        # if not note.exists():
+        #     print("WARNING: A model attempted to be saved in the DB, but the actor is unknown: " + username)
+        # else:
+        if note.exists():
+            user = note.get().user
+
+    # noinspection PyProtectedMember
+    if user is not None and instance._meta.label_lower == "auth.user" and previous:
+        # On n'enregistre pas les connexions
+        if instance.last_login != previous.last_login:
+            return
+
+    # On crée notre propre sérialiseur JSON pour pouvoir sauvegarder les modèles
+    class CustomSerializer(ModelSerializer):
+        class Meta:
+            model = instance.__class__
+            fields = '__all__'
+
+    previous_json = JSONRenderer().render(CustomSerializer(previous).data).decode("UTF-8") if previous else None
+    instance_json = JSONRenderer().render(CustomSerializer(instance).data).decode("UTF-8")
+
+    if previous_json == instance_json:
+        # Pas de log s'il n'y a pas de modification
+        return
+
+    Changelog.objects.create(user=user,
+                             ip=ip,
+                             model=ContentType.objects.get_for_model(instance),
+                             instance_pk=instance.pk,
+                             previous=previous_json,
+                             data=instance_json,
+                             action=("edit" if previous else "create")
+                             ).save()
+
+
+def delete_object(sender, instance, **kwargs):
+    """
+    Each time a model is deleted, an entry in the table `Changelog` is added in the database
+    """
+    # noinspection PyProtectedMember
+    if instance._meta.label_lower in EXCLUDED:
+        return
+
+    # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
+    user, ip = get_current_authenticated_user(), get_current_ip()
+
+    if user is None:
+        # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
+        # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
+        # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
+        ip = "127.0.0.1"
+        username = Alias.normalize(getpass.getuser())
+        note = NoteUser.objects.filter(alias__normalized_name=username)
+        # if not note.exists():
+        #     print("WARNING: A model attempted to be saved in the DB, but the actor is unknown: " + username)
+        # else:
+        if note.exists():
+            user = note.get().user
+
+    # On crée notre propre sérialiseur JSON pour pouvoir sauvegarder les modèles
+    class CustomSerializer(ModelSerializer):
+        class Meta:
+            model = instance.__class__
+            fields = '__all__'
+
+    instance_json = JSONRenderer().render(CustomSerializer(instance).data).decode("UTF-8")
+
+    Changelog.objects.create(user=user,
+                             ip=ip,
+                             model=ContentType.objects.get_for_model(instance),
+                             instance_pk=instance.pk,
+                             previous=instance_json,
+                             data=None,
+                             action="delete"
+                             ).save()

apps/member/admin.py

@@ -18,9 +18,9 @@ class ProfileInline(admin.StackedInline):
 
 
 class CustomUserAdmin(UserAdmin):
-    inlines = (ProfileInline, )
+    inlines = (ProfileInline,)
     list_display = ('username', 'email', 'first_name', 'last_name', 'is_staff')
-    list_select_related = ('profile', )
+    list_select_related = ('profile',)
     form = ProfileForm
 
     def get_inline_instances(self, request, obj=None):

apps/member/api/serializers.py

@@ -11,9 +11,11 @@ class ProfileSerializer(serializers.ModelSerializer):
     REST API Serializer for Profiles.
     The djangorestframework plugin will analyse the model `Profile` and parse all fields in the API.
     """
+
     class Meta:
         model = Profile
         fields = '__all__'
+        read_only_fields = ('user', )
 
 
 class ClubSerializer(serializers.ModelSerializer):
@@ -21,6 +23,7 @@ class ClubSerializer(serializers.ModelSerializer):
     REST API Serializer for Clubs.
     The djangorestframework plugin will analyse the model `Club` and parse all fields in the API.
     """
+
     class Meta:
         model = Club
         fields = '__all__'
@@ -31,6 +34,7 @@ class RoleSerializer(serializers.ModelSerializer):
     REST API Serializer for Roles.
     The djangorestframework plugin will analyse the model `Role` and parse all fields in the API.
     """
+
     class Meta:
         model = Role
         fields = '__all__'
@@ -41,6 +45,7 @@ class MembershipSerializer(serializers.ModelSerializer):
     REST API Serializer for Memberships.
     The djangorestframework plugin will analyse the model `Memberships` and parse all fields in the API.
     """
+
     class Meta:
         model = Membership
         fields = '__all__'

apps/member/api/views.py

@@ -1,13 +1,14 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from rest_framework import viewsets
+from rest_framework.filters import SearchFilter
+from api.viewsets import ReadProtectedModelViewSet
 
-from ..models import Profile, Club, Role, Membership
 from .serializers import ProfileSerializer, ClubSerializer, RoleSerializer, MembershipSerializer
+from ..models import Profile, Club, Role, Membership
 
 
-class ProfileViewSet(viewsets.ModelViewSet):
+class ProfileViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Profile` objects, serialize it to JSON with the given serializer,
@@ -17,7 +18,7 @@ class ProfileViewSet(viewsets.ModelViewSet):
     serializer_class = ProfileSerializer
 
 
-class ClubViewSet(viewsets.ModelViewSet):
+class ClubViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Club` objects, serialize it to JSON with the given serializer,
@@ -25,9 +26,11 @@ class ClubViewSet(viewsets.ModelViewSet):
     """
     queryset = Club.objects.all()
     serializer_class = ClubSerializer
+    filter_backends = [SearchFilter]
+    search_fields = ['$name', ]
 
 
-class RoleViewSet(viewsets.ModelViewSet):
+class RoleViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Role` objects, serialize it to JSON with the given serializer,
@@ -35,9 +38,11 @@ class RoleViewSet(viewsets.ModelViewSet):
     """
     queryset = Role.objects.all()
     serializer_class = RoleSerializer
+    filter_backends = [SearchFilter]
+    search_fields = ['$name', ]
 
 
-class MembershipViewSet(viewsets.ModelViewSet):
+class MembershipViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Membership` objects, serialize it to JSON with the given serializer,

apps/member/apps.py

@@ -2,9 +2,22 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig
+from django.conf import settings
+from django.db.models.signals import post_save
 from django.utils.translation import gettext_lazy as _
 
+from .signals import save_user_profile
+
 
 class MemberConfig(AppConfig):
     name = 'member'
     verbose_name = _('member')
+
+    def ready(self):
+        """
+        Define app internal signals to interact with other apps
+        """
+        post_save.connect(
+            save_user_profile,
+            sender=settings.AUTH_USER_MODEL,
+        )

apps/member/filters.py

@@ -1,11 +1,11 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from django_filters import FilterSet, CharFilter
-from django.contrib.auth.models import User
-from django.db.models import CharField
 from crispy_forms.helper import FormHelper
 from crispy_forms.layout import Layout, Submit
+from django.contrib.auth.models import User
+from django.db.models import CharField
+from django_filters import FilterSet, CharFilter
 
 
 class UserFilter(FilterSet):

apps/member/fixtures/initial.json

@@ -5,7 +5,7 @@
         "fields": {
             "name": "BDE",
             "email": "tresorerie.bde@example.com",
-            "membership_fee": 5,
+            "membership_fee": 500,
             "membership_duration": "396 00:00:00",
             "membership_start": "213 00:00:00",
             "membership_end": "273 00:00:00"
@@ -17,7 +17,7 @@
         "fields": {
             "name": "Kfet",
             "email": "tresorerie.bde@example.com",
-            "membership_fee": 35,
+            "membership_fee": 3500,
             "membership_duration": "396 00:00:00",
             "membership_start": "213 00:00:00",
             "membership_end": "273 00:00:00"

apps/member/forms.py

@@ -1,23 +1,31 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+from crispy_forms.bootstrap import Div
+from crispy_forms.helper import FormHelper
+from crispy_forms.layout import Layout
 from dal import autocomplete
-from django.contrib.auth.forms import UserCreationForm
-from django.contrib.auth.models import User
 from django import forms
+from django.contrib.auth.forms import UserCreationForm, AuthenticationForm
+from django.contrib.auth.models import User
+from permission.models import PermissionMask
 
 from .models import Profile, Club, Membership
 
-from crispy_forms.helper import FormHelper
-from crispy_forms.bootstrap import Div
-from crispy_forms.layout import Layout
+
+class CustomAuthenticationForm(AuthenticationForm):
+    permission_mask = forms.ModelChoiceField(
+        label="Masque de permissions",
+        queryset=PermissionMask.objects.order_by("rank"),
+        empty_label=None,
+    )
 
 
 class SignUpForm(UserCreationForm):
-    def __init__(self,*args,**kwargs):
-        super().__init__(*args,**kwargs)
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
         self.fields['username'].widget.attrs.pop("autofocus", None)
-        self.fields['first_name'].widget.attrs.update({"autofocus":"autofocus"})
+        self.fields['first_name'].widget.attrs.update({"autofocus": "autofocus"})
 
     class Meta:
         model = User
@@ -28,6 +36,7 @@ class ProfileForm(forms.ModelForm):
     """
     A form for the extras field provided by the :model:`member.Profile` model.
     """
+
     class Meta:
         model = Profile
         fields = '__all__'
@@ -42,7 +51,7 @@ class ClubForm(forms.ModelForm):
 
 class AddMembersForm(forms.Form):
     class Meta:
-        fields = ('', )
+        fields = ('',)
 
 
 class MembershipForm(forms.ModelForm):
@@ -54,13 +63,13 @@ class MembershipForm(forms.ModelForm):
         # et récupère les noms d'utilisateur valides
         widgets = {
             'user':
-            autocomplete.ModelSelect2(
-                url='member:user_autocomplete',
-                attrs={
-                    'data-placeholder': 'Nom ...',
-                    'data-minimum-input-length': 1,
-                },
-            ),
+                autocomplete.ModelSelect2(
+                    url='member:user_autocomplete',
+                    attrs={
+                        'data-placeholder': 'Nom ...',
+                        'data-minimum-input-length': 1,
+                    },
+                ),
         }
 
 

apps/member/models.py

@@ -1,10 +1,12 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import datetime
+
 from django.conf import settings
 from django.db import models
-from django.utils.translation import gettext_lazy as _
 from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext_lazy as _
 
 
 class Profile(models.Model):
@@ -46,9 +48,10 @@ class Profile(models.Model):
     class Meta:
         verbose_name = _('user profile')
         verbose_name_plural = _('user profile')
+        indexes = [models.Index(fields=['user'])]
 
     def get_absolute_url(self):
-        return reverse('user_detail', args=(self.pk, ))
+        return reverse('user_detail', args=(self.pk,))
 
 
 class Club(models.Model):
@@ -97,7 +100,7 @@ class Club(models.Model):
         return self.name
 
     def get_absolute_url(self):
-        return reverse_lazy('member:club_detail', args=(self.pk, ))
+        return reverse_lazy('member:club_detail', args=(self.pk,))
 
 
 class Role(models.Model):
@@ -149,16 +152,13 @@ class Membership(models.Model):
         verbose_name=_('fee'),
     )
 
+    def valid(self):
+        if self.date_end is not None:
+            return self.date_start.toordinal() <= datetime.datetime.now().toordinal() < self.date_end.toordinal()
+        else:
+            return self.date_start.toordinal() <= datetime.datetime.now().toordinal()
+
     class Meta:
         verbose_name = _('membership')
         verbose_name_plural = _('memberships')
-
-
-# @receiver(post_save, sender=settings.AUTH_USER_MODEL)
-# def save_user_profile(instance, created, **_kwargs):
-#     """
-#     Hook to save an user profile when an user is updated
-#     """
-#     if created:
-#         Profile.objects.create(user=instance)
-#     instance.profile.save()
+        indexes = [models.Index(fields=['user'])]

apps/member/signals.py

@@ -1,2 +1,16 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
+
+def save_user_profile(instance, created, raw, **_kwargs):
+    """
+    Hook to create and save a profile when an user is updated if it is not registered with the signup form
+    """
+    if raw:
+        # When provisionning data, do not try to autocreate
+        return
+
+    if created:
+        from .models import Profile
+        Profile.objects.get_or_create(user=instance)
+    instance.profile.save()

apps/member/tables.py

@@ -17,6 +17,7 @@ class ClubTable(tables.Table):
         fields = ('id', 'name', 'email')
         row_attrs = {
             'class': 'table-row',
+            'id': lambda record: "row-" + str(record.pk),
             'data-href': lambda record: record.pk
         }
 

apps/member/urls.py

@@ -12,11 +12,15 @@ urlpatterns = [
     path('club/<int:pk>/', views.ClubDetailView.as_view(), name="club_detail"),
     path('club/<int:pk>/add_member/', views.ClubAddMemberView.as_view(), name="club_add_member"),
     path('club/create/', views.ClubCreateView.as_view(), name="club_create"),
+    path('club/<int:pk>/update', views.ClubUpdateView.as_view(), name="club_update"),
+    path('club/<int:pk>/update_pic', views.ClubPictureUpdateView.as_view(), name="club_update_pic"),
     path('user/', views.UserListView.as_view(), name="user_list"),
     path('user/<int:pk>', views.UserDetailView.as_view(), name="user_detail"),
     path('user/<int:pk>/update', views.UserUpdateView.as_view(), name="user_update_profile"),
+    path('user/<int:pk>/update_pic', views.ProfilePictureUpdateView.as_view(), name="user_update_pic"),
+    path('user/<int:pk>/aliases', views.AliasView.as_view(), name="user_alias"),
+    path('user/aliases/delete/<int:pk>', views.DeleteAliasView.as_view(), name="user_alias_delete"),
     path('manage-auth-token/', views.ManageAuthTokens.as_view(), name='auth_token'),
-
     # API for the user autocompleter
     path('user/user-autocomplete', views.UserAutocomplete.as_view(), name="user_autocomplete"),
 ]

apps/member/views.py

@@ -1,24 +1,44 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import io
+
+from PIL import Image
 from dal import autocomplete
+from django.conf import settings
+from django.contrib import messages
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.shortcuts import redirect
-from django.utils.translation import gettext_lazy as _
-from django.views.generic import CreateView, DetailView, UpdateView, TemplateView
 from django.contrib.auth.models import User
-from django.urls import reverse_lazy
+from django.contrib.auth.views import LoginView
+from django.core.exceptions import ValidationError
 from django.db.models import Q
+from django.http import HttpResponseRedirect
+from django.shortcuts import redirect
+from django.urls import reverse_lazy
+from django.utils.translation import gettext_lazy as _
+from django.views.generic import CreateView, DetailView, UpdateView, TemplateView, DeleteView
+from django.views.generic.edit import FormMixin
 from django_tables2.views import SingleTableView
 from rest_framework.authtoken.models import Token
+from note.forms import AliasForm, ImageForm
 from note.models import Alias, NoteUser
 from note.models.transactions import Transaction
-from note.tables import HistoryTable
+from note.tables import HistoryTable, AliasTable
+from permission.backends import PermissionBackend
 
-from .models import Profile, Club, Membership
-from .forms import SignUpForm, ProfileForm, ClubForm, MembershipForm, MemberFormSet, FormSetHelper
-from .tables import ClubTable, UserTable
 from .filters import UserFilter, UserFilterFormHelper
+from .forms import SignUpForm, ProfileForm, ClubForm, MembershipForm, MemberFormSet, FormSetHelper, \
+    CustomAuthenticationForm
+from .models import Club, Membership
+from .tables import ClubTable, UserTable
+
+
+class CustomLoginView(LoginView):
+    form_class = CustomAuthenticationForm
+
+    def form_valid(self, form):
+        self.request.session['permission_mask'] = form.cleaned_data['permission_mask'].rank
+        return super().form_valid(form)
 
 
 class UserCreateView(CreateView):
@@ -40,10 +60,10 @@ class UserCreateView(CreateView):
     def form_valid(self, form):
         profile_form = ProfileForm(self.request.POST)
         if form.is_valid() and profile_form.is_valid():
-            user = form.save()
-            profile = profile_form.save(commit=False)
-            profile.user = user
-            profile.save()
+            user = form.save(commit=False)
+            user.profile = profile_form.save(commit=False)
+            user.save()
+            user.profile.save()
         return super().form_valid(form)
 
 
@@ -52,30 +72,25 @@ class UserUpdateView(LoginRequiredMixin, UpdateView):
     fields = ['first_name', 'last_name', 'username', 'email']
     template_name = 'member/profile_update.html'
     context_object_name = 'user_object'
-    second_form = ProfileForm
+    profile_form = ProfileForm
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        context["profile_form"] = self.second_form(
-            instance=context['user_object'].profile)
+        context['profile_form'] = self.profile_form(instance=context['user_object'].profile)
         context['title'] = _("Update Profile")
-
         return context
 
     def get_form(self, form_class=None):
         form = super().get_form(form_class)
         if 'username' not in form.data:
             return form
-
         new_username = form.data['username']
-
         # Si l'utilisateur cherche à modifier son pseudo, le nouveau pseudo ne doit pas être proche d'un alias existant
         note = NoteUser.objects.filter(
             alias__normalized_name=Alias.normalize(new_username))
         if note.exists() and note.get().user != self.object:
             form.add_error('username',
                            _("An alias with a similar name already exists."))
-
         return form
 
     def form_valid(self, form):
@@ -105,7 +120,7 @@ class UserUpdateView(LoginRequiredMixin, UpdateView):
             return reverse_lazy('member:user_detail',
                                 kwargs={'pk': kwargs['id']})
         else:
-            return reverse_lazy('member:user_detail', args=(self.object.id, ))
+            return reverse_lazy('member:user_detail', args=(self.object.id,))
 
 
 class UserDetailView(LoginRequiredMixin, DetailView):
@@ -116,11 +131,14 @@ class UserDetailView(LoginRequiredMixin, DetailView):
     context_object_name = "user_object"
     template_name = "member/profile_detail.html"
 
+    def get_queryset(self, **kwargs):
+        return super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, User, "view"))
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         user = context['user_object']
         history_list = \
-            Transaction.objects.all().filter(Q(source=user.note) | Q(destination=user.note))
+            Transaction.objects.all().filter(Q(source=user.note) | Q(destination=user.note)).order_by("-id")
         context['history_list'] = HistoryTable(history_list)
         club_list = \
             Membership.objects.all().filter(user=user).only("club")
@@ -143,7 +161,7 @@ class UserListView(LoginRequiredMixin, SingleTableView):
     formhelper_class = UserFilterFormHelper
 
     def get_queryset(self, **kwargs):
-        qs = super().get_queryset()
+        qs = super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, User, "view"))
         self.filter = self.filter_class(self.request.GET, queryset=qs)
         self.filter.form.helper = self.formhelper_class()
         return self.filter.qs
@@ -154,6 +172,110 @@ class UserListView(LoginRequiredMixin, SingleTableView):
         return context
 
 
+class AliasView(LoginRequiredMixin, FormMixin, DetailView):
+    model = User
+    template_name = 'member/profile_alias.html'
+    context_object_name = 'user_object'
+    form_class = AliasForm
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        note = context['user_object'].note
+        context["aliases"] = AliasTable(note.alias_set.all())
+        return context
+
+    def get_success_url(self):
+        return reverse_lazy('member:user_alias', kwargs={'pk': self.object.id})
+
+    def post(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        form = self.get_form()
+        if form.is_valid():
+            return self.form_valid(form)
+        else:
+            return self.form_invalid(form)
+
+    def form_valid(self, form):
+        alias = form.save(commit=False)
+        alias.note = self.object.note
+        alias.save()
+        return super().form_valid(form)
+
+
+class DeleteAliasView(LoginRequiredMixin, DeleteView):
+    model = Alias
+
+    def delete(self, request, *args, **kwargs):
+        try:
+            self.object = self.get_object()
+            self.object.delete()
+        except ValidationError as e:
+            # TODO: pass message to redirected view.
+            messages.error(self.request, str(e))
+        else:
+            messages.success(self.request, _("Alias successfully deleted"))
+        return HttpResponseRedirect(self.get_success_url())
+
+    def get_success_url(self):
+        return reverse_lazy('member:user_alias', kwargs={'pk': self.object.note.user.pk})
+
+    def get(self, request, *args, **kwargs):
+        return self.post(request, *args, **kwargs)
+
+
+class PictureUpdateView(LoginRequiredMixin, FormMixin, DetailView):
+    form_class = ImageForm
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context['form'] = self.form_class(self.request.POST, self.request.FILES)
+        return context
+
+    def get_success_url(self):
+        return reverse_lazy('member:user_detail', kwargs={'pk': self.object.id})
+
+    def post(self, request, *args, **kwargs):
+        form = self.get_form()
+        self.object = self.get_object()
+        if form.is_valid():
+            return self.form_valid(form)
+        else:
+            print('is_invalid')
+            print(form)
+            return self.form_invalid(form)
+
+    def form_valid(self, form):
+        image_field = form.cleaned_data['image']
+        x = form.cleaned_data['x']
+        y = form.cleaned_data['y']
+        w = form.cleaned_data['width']
+        h = form.cleaned_data['height']
+        # image crop and resize
+        image_file = io.BytesIO(image_field.read())
+        # ext = image_field.name.split('.')[-1].lower()
+        # TODO: support GIF format
+        image = Image.open(image_file)
+        image = image.crop((x, y, x + w, y + h))
+        image_clean = image.resize((settings.PIC_WIDTH,
+                                    settings.PIC_RATIO * settings.PIC_WIDTH),
+                                   Image.ANTIALIAS)
+        image_file = io.BytesIO()
+        image_clean.save(image_file, "PNG")
+        image_field.file = image_file
+        # renaming
+        filename = "{}_pic.png".format(self.object.note.pk)
+        image_field.name = filename
+        self.object.note.display_image = image_field
+        self.object.note.save()
+        return super().form_valid(form)
+
+
+class ProfilePictureUpdateView(PictureUpdateView):
+    model = User
+    template_name = 'member/profile_picture_update.html'
+    context_object_name = 'user_object'
+
+
 class ManageAuthTokens(LoginRequiredMixin, TemplateView):
     """
     Affiche le jeton d'authentification, et permet de le regénérer
@@ -181,6 +303,7 @@ class UserAutocomplete(autocomplete.Select2QuerySetView):
     """
     Auto complete users by usernames
     """
+
     def get_queryset(self):
         """
         Quand une personne cherche un utilisateur par pseudo, une requête est envoyée sur l'API dédiée à l'auto-complétion.
@@ -190,10 +313,10 @@ class UserAutocomplete(autocomplete.Select2QuerySetView):
         if not self.request.user.is_authenticated:
             return User.objects.none()
 
-        qs = User.objects.all()
+        qs = User.objects.filter(PermissionBackend.filter_queryset(self.request.user, User, "view")).all()
 
         if self.q:
-            qs = qs.filter(username__regex=self.q)
+            qs = qs.filter(username__regex="^" + self.q)
 
         return qs
 
@@ -209,10 +332,11 @@ class ClubCreateView(LoginRequiredMixin, CreateView):
     """
     model = Club
     form_class = ClubForm
+    success_url = reverse_lazy('member:club_list')
 
     def form_valid(self, form):
         return super().form_valid(form)
-
+    
 
 class ClubListView(LoginRequiredMixin, SingleTableView):
     """
@@ -221,15 +345,21 @@ class ClubListView(LoginRequiredMixin, SingleTableView):
     model = Club
     table_class = ClubTable
 
+    def get_queryset(self, **kwargs):
+        return super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, Club, "view"))
+
 
 class ClubDetailView(LoginRequiredMixin, DetailView):
     model = Club
     context_object_name = "club"
 
+    def get_queryset(self, **kwargs):
+        return super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, Club, "view"))
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         club = context["club"]
-        club_transactions =  \
+        club_transactions = \
             Transaction.objects.all().filter(Q(source=club.note) | Q(destination=club.note))
         context['history_list'] = HistoryTable(club_transactions)
         club_member = \
@@ -239,11 +369,33 @@ class ClubDetailView(LoginRequiredMixin, DetailView):
         return context
 
 
+class ClubUpdateView(LoginRequiredMixin, UpdateView):
+    model = Club
+    context_object_name = "club"
+    form_class = ClubForm
+    template_name = "member/club_form.html"
+    success_url = reverse_lazy("member:club_detail")
+
+
+class ClubPictureUpdateView(PictureUpdateView):
+    model = Club
+    template_name = 'member/club_picture_update.html'
+    context_object_name = 'club'
+
+    def get_success_url(self):
+        return reverse_lazy('member:club_detail', kwargs={'pk': self.object.id})
+
+
 class ClubAddMemberView(LoginRequiredMixin, CreateView):
     model = Membership
     form_class = MembershipForm
     template_name = 'member/add_members.html'
 
+    def get_queryset(self, **kwargs):
+        return super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, Membership, "view")
+                                             | PermissionBackend.filter_queryset(self.request.user, Membership,
+                                                                                 "change"))
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         context['formset'] = MemberFormSet()

apps/note/admin.py

@@ -8,7 +8,7 @@ from polymorphic.admin import PolymorphicChildModelAdmin, \
 
 from .models.notes import Alias, Note, NoteClub, NoteSpecial, NoteUser
 from .models.transactions import Transaction, TemplateCategory, TransactionTemplate, \
-    TemplateTransaction, MembershipTransaction
+    RecurrentTransaction, MembershipTransaction
 
 
 class AliasInlines(admin.TabularInline):
@@ -47,11 +47,11 @@ class NoteClubAdmin(PolymorphicChildModelAdmin):
     """
     Child for a club note, see NoteAdmin
     """
-    inlines = (AliasInlines, )
+    inlines = (AliasInlines,)
 
     # We can't change club after creation or the balance
     readonly_fields = ('club', 'balance')
-    search_fields = ('club', )
+    search_fields = ('club',)
 
     def has_add_permission(self, request):
         """
@@ -71,7 +71,7 @@ class NoteSpecialAdmin(PolymorphicChildModelAdmin):
     """
     Child for a special note, see NoteAdmin
     """
-    readonly_fields = ('balance', )
+    readonly_fields = ('balance',)
 
 
 @admin.register(NoteUser)
@@ -79,7 +79,7 @@ class NoteUserAdmin(PolymorphicChildModelAdmin):
     """
     Child for an user note, see NoteAdmin
     """
-    inlines = (AliasInlines, )
+    inlines = (AliasInlines,)
 
     # We can't change user after creation or the balance
     readonly_fields = ('user', 'balance')
@@ -102,7 +102,7 @@ class TransactionAdmin(PolymorphicParentModelAdmin):
     """
     Admin customisation for Transaction
     """
-    child_models = (TemplateTransaction, MembershipTransaction)
+    child_models = (RecurrentTransaction, MembershipTransaction)
     list_display = ('created_at', 'poly_source', 'poly_destination',
                     'quantity', 'amount', 'valid')
     list_filter = ('valid',)
@@ -133,7 +133,7 @@ class TransactionAdmin(PolymorphicParentModelAdmin):
         Else the amount of money would not be transferred
         """
         if obj:  # user is editing an existing object
-            return 'created_at', 'source', 'destination', 'quantity',\
+            return 'created_at', 'source', 'destination', 'quantity', \
                    'amount'
         return []
 
@@ -143,9 +143,9 @@ class TransactionTemplateAdmin(admin.ModelAdmin):
     """
     Admin customisation for TransactionTemplate
     """
-    list_display = ('name', 'poly_destination', 'amount', 'category', 'display', )
+    list_display = ('name', 'poly_destination', 'amount', 'category', 'display',)
     list_filter = ('category', 'display')
-    autocomplete_fields = ('destination', )
+    autocomplete_fields = ('destination',)
 
     def poly_destination(self, obj):
         """
@@ -161,5 +161,5 @@ class TemplateCategoryAdmin(admin.ModelAdmin):
     """
     Admin customisation for TransactionTemplate
     """
-    list_display = ('name', )
-    list_filter = ('name', )
+    list_display = ('name',)
+    list_filter = ('name',)

apps/note/api/serializers.py

@@ -5,7 +5,8 @@ from rest_framework import serializers
 from rest_polymorphic.serializers import PolymorphicSerializer
 
 from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias
-from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction
+from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction, TemplateCategory, \
+    RecurrentTransaction, SpecialTransaction
 
 
 class NoteSerializer(serializers.ModelSerializer):
@@ -13,15 +14,11 @@ class NoteSerializer(serializers.ModelSerializer):
     REST API Serializer for Notes.
     The djangorestframework plugin will analyse the model `Note` and parse all fields in the API.
     """
+
     class Meta:
         model = Note
         fields = '__all__'
-        extra_kwargs = {
-            'url': {
-                'view_name': 'project-detail',
-                'lookup_field': 'pk'
-            },
-        }
+        read_only_fields = [f.name for f in model._meta.get_fields()]  # Notes are read-only protected
 
 
 class NoteClubSerializer(serializers.ModelSerializer):
@@ -29,9 +26,15 @@ class NoteClubSerializer(serializers.ModelSerializer):
     REST API Serializer for Club's notes.
     The djangorestframework plugin will analyse the model `NoteClub` and parse all fields in the API.
     """
+    name = serializers.SerializerMethodField()
+
     class Meta:
         model = NoteClub
         fields = '__all__'
+        read_only_fields = ('note', 'club', )
+
+    def get_name(self, obj):
+        return str(obj)
 
 
 class NoteSpecialSerializer(serializers.ModelSerializer):
@@ -39,9 +42,15 @@ class NoteSpecialSerializer(serializers.ModelSerializer):
     REST API Serializer for special notes.
     The djangorestframework plugin will analyse the model `NoteSpecial` and parse all fields in the API.
     """
+    name = serializers.SerializerMethodField()
+
     class Meta:
         model = NoteSpecial
         fields = '__all__'
+        read_only_fields = ('note', )
+
+    def get_name(self, obj):
+        return str(obj)
 
 
 class NoteUserSerializer(serializers.ModelSerializer):
@@ -49,9 +58,15 @@ class NoteUserSerializer(serializers.ModelSerializer):
     REST API Serializer for User's notes.
     The djangorestframework plugin will analyse the model `NoteUser` and parse all fields in the API.
     """
+    name = serializers.SerializerMethodField()
+
     class Meta:
         model = NoteUser
         fields = '__all__'
+        read_only_fields = ('note', 'user', )
+
+    def get_name(self, obj):
+        return str(obj)
 
 
 class AliasSerializer(serializers.ModelSerializer):
@@ -59,9 +74,11 @@ class AliasSerializer(serializers.ModelSerializer):
     REST API Serializer for Aliases.
     The djangorestframework plugin will analyse the model `Alias` and parse all fields in the API.
     """
+
     class Meta:
         model = Alias
         fields = '__all__'
+        read_only_fields = ('note', )
 
 
 class NotePolymorphicSerializer(PolymorphicSerializer):
@@ -72,12 +89,27 @@ class NotePolymorphicSerializer(PolymorphicSerializer):
         NoteSpecial: NoteSpecialSerializer
     }
 
+    class Meta:
+        model = Note
+
+
+class TemplateCategorySerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Transaction templates.
+    The djangorestframework plugin will analyse the model `TemplateCategory` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = TemplateCategory
+        fields = '__all__'
+
 
 class TransactionTemplateSerializer(serializers.ModelSerializer):
     """
     REST API Serializer for Transaction templates.
     The djangorestframework plugin will analyse the model `TransactionTemplate` and parse all fields in the API.
     """
+
     class Meta:
         model = TransactionTemplate
         fields = '__all__'
@@ -88,16 +120,52 @@ class TransactionSerializer(serializers.ModelSerializer):
     REST API Serializer for Transactions.
     The djangorestframework plugin will analyse the model `Transaction` and parse all fields in the API.
     """
+
     class Meta:
         model = Transaction
         fields = '__all__'
 
 
+class RecurrentTransactionSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Transactions.
+    The djangorestframework plugin will analyse the model `RecurrentTransaction` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = RecurrentTransaction
+        fields = '__all__'
+
+
 class MembershipTransactionSerializer(serializers.ModelSerializer):
     """
     REST API Serializer for Membership transactions.
     The djangorestframework plugin will analyse the model `MembershipTransaction` and parse all fields in the API.
     """
+
     class Meta:
         model = MembershipTransaction
         fields = '__all__'
+
+
+class SpecialTransactionSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Special transactions.
+    The djangorestframework plugin will analyse the model `SpecialTransaction` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = SpecialTransaction
+        fields = '__all__'
+
+
+class TransactionPolymorphicSerializer(PolymorphicSerializer):
+    model_serializer_mapping = {
+        Transaction: TransactionSerializer,
+        RecurrentTransaction: RecurrentTransactionSerializer,
+        MembershipTransaction: MembershipTransactionSerializer,
+        SpecialTransaction: SpecialTransactionSerializer,
+    }
+
+    class Meta:
+        model = Transaction

apps/note/api/urls.py

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import NotePolymorphicViewSet, AliasViewSet, \
-    TransactionViewSet, TransactionTemplateViewSet, MembershipTransactionViewSet
+    TemplateCategoryViewSet, TransactionViewSet, TransactionTemplateViewSet
 
 
 def register_note_urls(router, path):
@@ -12,6 +12,6 @@ def register_note_urls(router, path):
     router.register(path + '/note', NotePolymorphicViewSet)
     router.register(path + '/alias', AliasViewSet)
 
+    router.register(path + '/transaction/category', TemplateCategoryViewSet)
     router.register(path + '/transaction/transaction', TransactionViewSet)
     router.register(path + '/transaction/template', TransactionTemplateViewSet)
-    router.register(path + '/transaction/membership', MembershipTransactionViewSet)

apps/note/api/views.py

@@ -2,56 +2,18 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.db.models import Q
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import OrderingFilter, SearchFilter
+from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet
 from rest_framework import viewsets
 
-from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias
-from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction
-from .serializers import NoteSerializer, NotePolymorphicSerializer, NoteClubSerializer, NoteSpecialSerializer, \
-    NoteUserSerializer, AliasSerializer, \
-    TransactionTemplateSerializer, TransactionSerializer, MembershipTransactionSerializer
+from .serializers import NotePolymorphicSerializer, AliasSerializer, TemplateCategorySerializer, \
+    TransactionTemplateSerializer, TransactionPolymorphicSerializer
+from ..models.notes import Note, Alias
+from ..models.transactions import TransactionTemplate, Transaction, TemplateCategory
 
 
-class NoteViewSet(viewsets.ModelViewSet):
-    """
-    REST API View set.
-    The djangorestframework plugin will get all `Note` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/note/
-    """
-    queryset = Note.objects.all()
-    serializer_class = NoteSerializer
-
-
-class NoteClubViewSet(viewsets.ModelViewSet):
-    """
-    REST API View set.
-    The djangorestframework plugin will get all `NoteClub` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/club/
-    """
-    queryset = NoteClub.objects.all()
-    serializer_class = NoteClubSerializer
-
-
-class NoteSpecialViewSet(viewsets.ModelViewSet):
-    """
-    REST API View set.
-    The djangorestframework plugin will get all `NoteSpecial` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/special/
-    """
-    queryset = NoteSpecial.objects.all()
-    serializer_class = NoteSpecialSerializer
-
-
-class NoteUserViewSet(viewsets.ModelViewSet):
-    """
-    REST API View set.
-    The djangorestframework plugin will get all `NoteUser` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/user/
-    """
-    queryset = NoteUser.objects.all()
-    serializer_class = NoteUserSerializer
-
-
-class NotePolymorphicViewSet(viewsets.ModelViewSet):
+class NotePolymorphicViewSet(ReadOnlyProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Note` objects (with polymorhism), serialize it to JSON with the given serializer,
@@ -59,36 +21,27 @@ class NotePolymorphicViewSet(viewsets.ModelViewSet):
     """
     queryset = Note.objects.all()
     serializer_class = NotePolymorphicSerializer
+    filter_backends = [SearchFilter, OrderingFilter]
+    search_fields = ['$alias__normalized_name', '$alias__name', '$polymorphic_ctype__model', ]
+    ordering_fields = ['alias__name', 'alias__normalized_name']
 
     def get_queryset(self):
         """
         Parse query and apply filters.
         :return: The filtered set of requested notes
         """
-        queryset = Note.objects.all()
+        queryset = super().get_queryset()
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
-            Q(alias__name__regex=alias)
-            | Q(alias__normalized_name__regex=alias.lower()))
+            Q(alias__name__regex="^" + alias)
+            | Q(alias__normalized_name__regex="^" + Alias.normalize(alias))
+            | Q(alias__normalized_name__regex="^" + alias.lower()))
 
-        note_type = self.request.query_params.get("type", None)
-        if note_type:
-            types = str(note_type).lower()
-            if "user" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="noteuser")
-            elif "club" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="noteclub")
-            elif "special" in types:
-                queryset = queryset.filter(
-                    polymorphic_ctype__model="notespecial")
-            else:
-                queryset = queryset.none()
-
-        return queryset
+        return queryset.distinct()
 
 
-class AliasViewSet(viewsets.ModelViewSet):
+class AliasViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Alias` objects, serialize it to JSON with the given serializer,
@@ -96,6 +49,9 @@ class AliasViewSet(viewsets.ModelViewSet):
     """
     queryset = Alias.objects.all()
     serializer_class = AliasSerializer
+    filter_backends = [SearchFilter, OrderingFilter]
+    search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
+    ordering_fields = ['name', 'normalized_name']
 
     def get_queryset(self):
         """
@@ -103,34 +59,29 @@ class AliasViewSet(viewsets.ModelViewSet):
         :return: The filtered set of requested aliases
         """
 
-        queryset = Alias.objects.all()
+        queryset = super().get_queryset()
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
-            Q(name__regex=alias) | Q(normalized_name__regex=alias.lower()))
-
-        note_id = self.request.query_params.get("note", None)
-        if note_id:
-            queryset = queryset.filter(id=note_id)
-
-        note_type = self.request.query_params.get("type", None)
-        if note_type:
-            types = str(note_type).lower()
-            if "user" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="noteuser")
-            elif "club" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="noteclub")
-            elif "special" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="notespecial")
-            else:
-                queryset = queryset.none()
+            Q(name__regex="^" + alias)
+            | Q(normalized_name__regex="^" + Alias.normalize(alias))
+            | Q(normalized_name__regex="^" + alias.lower()))
 
         return queryset
 
 
+class TemplateCategoryViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `TemplateCategory` objects, serialize it to JSON with the given serializer,
+    then render it on /api/note/transaction/category/
+    """
+    queryset = TemplateCategory.objects.all()
+    serializer_class = TemplateCategorySerializer
+    filter_backends = [SearchFilter]
+    search_fields = ['$name', ]
+
+
 class TransactionTemplateViewSet(viewsets.ModelViewSet):
     """
     REST API View set.
@@ -139,23 +90,18 @@ class TransactionTemplateViewSet(viewsets.ModelViewSet):
     """
     queryset = TransactionTemplate.objects.all()
     serializer_class = TransactionTemplateSerializer
+    filter_backends = [SearchFilter, DjangoFilterBackend]
+    filterset_fields = ['name', 'amount', 'display', 'category', ]
+    search_fields = ['$name', ]
 
 
-class TransactionViewSet(viewsets.ModelViewSet):
+class TransactionViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Transaction` objects, serialize it to JSON with the given serializer,
     then render it on /api/note/transaction/transaction/
     """
     queryset = Transaction.objects.all()
-    serializer_class = TransactionSerializer
-
-
-class MembershipTransactionViewSet(viewsets.ModelViewSet):
-    """
-    REST API View set.
-    The djangorestframework plugin will get all `MembershipTransaction` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/transaction/membership/
-    """
-    queryset = MembershipTransaction.objects.all()
-    serializer_class = MembershipTransactionSerializer
+    serializer_class = TransactionPolymorphicSerializer
+    filter_backends = [SearchFilter]
+    search_fields = ['$reason', ]

apps/note/fixtures/initial.json

@@ -1,220 +1,244 @@
 [
-    {
-        "model": "note.note",
-        "pk": 1,
-        "fields": {
-            "polymorphic_ctype": 22,
-            "balance": 0,
-            "is_active": true,
-            "display_image": "",
-            "created_at": "2020-02-20T20:02:48.778Z"
-        }
-    },
-    {
-        "model": "note.note",
-        "pk": 2,
-        "fields": {
-            "polymorphic_ctype": 22,
-            "balance": 0,
-            "is_active": true,
-            "display_image": "",
-            "created_at": "2020-02-20T20:06:39.546Z"
-        }
-    },
-    {
-        "model": "note.note",
-        "pk": 3,
-        "fields": {
-            "polymorphic_ctype": 22,
-            "balance": 0,
-            "is_active": true,
-            "display_image": "",
-            "created_at": "2020-02-20T20:06:43.049Z"
-        }
-    },
-    {
-        "model": "note.note",
-        "pk": 4,
-        "fields": {
-            "polymorphic_ctype": 22,
-            "balance": 0,
-            "is_active": true,
-            "display_image": "",
-            "created_at": "2020-02-20T20:06:50.996Z"
-        }
-    },
-    {
-        "model": "note.note",
-        "pk": 5,
-        "fields": {
-            "polymorphic_ctype": 21,
-            "balance": 0,
-            "is_active": true,
-            "display_image": "",
-            "created_at": "2020-02-20T20:09:38.615Z"
-        }
-    },
-    {
-        "model": "note.note",
-        "pk": 6,
-        "fields": {
-            "polymorphic_ctype": 21,
-            "balance": 0,
-            "is_active": true,
-            "display_image": "",
-            "created_at": "2020-02-20T20:16:14.753Z"
-        }
-    },
-    {
-        "model": "note.notespecial",
-        "pk": 1,
-        "fields": {
-            "special_type": "Esp\u00e8ces"
-        }
-    },
-    {
-        "model": "note.notespecial",
-        "pk": 2,
-        "fields": {
-            "special_type": "Carte bancaire"
-        }
-    },
-    {
-        "model": "note.notespecial",
-        "pk": 3,
-        "fields": {
-            "special_type": "Ch\u00e8que"
-        }
-    },
-    {
-        "model": "note.notespecial",
-        "pk": 4,
-        "fields": {
-            "special_type": "Virement bancaire"
-        }
-    },
-    {
-        "model": "note.noteclub",
-        "pk": 5,
-        "fields": {
-            "club": 1
-        }
-    },
-    {
-        "model": "note.noteclub",
-        "pk": 6,
-        "fields": {
-            "club": 2
-        }
-    },
-    {
-        "model": "note.alias",
-        "pk": 1,
-        "fields": {
-            "name": "Esp\u00e8ces",
-            "normalized_name": "especes",
-            "note": 1
-        }
-    },
-    {
-        "model": "note.alias",
-        "pk": 2,
-        "fields": {
-            "name": "Carte bancaire",
-            "normalized_name": "cartebancaire",
-            "note": 2
-        }
-    },
-    {
-        "model": "note.alias",
-        "pk": 3,
-        "fields": {
-            "name": "Ch\u00e8que",
-            "normalized_name": "cheque",
-            "note": 3
-        }
-    },
-    {
-        "model": "note.alias",
-        "pk": 4,
-        "fields": {
-            "name": "Virement bancaire",
-            "normalized_name": "virementbancaire",
-            "note": 4
-        }
-    },
-    {
-        "model": "note.alias",
-        "pk": 5,
-        "fields": {
-            "name": "BDE",
-            "normalized_name": "bde",
-            "note": 5
-        }
-    },
-    {
-        "model": "note.alias",
-        "pk": 6,
-        "fields": {
-            "name": "Kfet",
-            "normalized_name": "kfet",
-            "note": 6
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 1,
-        "fields": {
-            "name": "Soft"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 2,
-        "fields": {
-            "name": "Pulls"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 3,
-        "fields": {
-            "name": "Gala"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 4,
-        "fields": {
-            "name": "Clubs"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 5,
-        "fields": {
-            "name": "Bouffe"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 6,
-        "fields": {
-            "name": "BDA"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 7,
-        "fields": {
-            "name": "Autre"
-        }
-    },
-    {
-        "model": "note.templatecategory",
-        "pk": 8,
-        "fields": {
-            "name": "Alcool"
-        }
+  {
+    "model": "note.note",
+    "pk": 1,
+    "fields": {
+      "polymorphic_ctype": [
+        "note",
+        "notespecial"
+      ],
+      "balance": 0,
+      "last_negative": null,
+      "is_active": true,
+      "display_image": "",
+      "created_at": "2020-02-20T20:02:48.778Z"
     }
-]
+  },
+  {
+    "model": "note.note",
+    "pk": 2,
+    "fields": {
+      "polymorphic_ctype": [
+        "note",
+        "notespecial"
+      ],
+      "balance": 0,
+      "last_negative": null,
+      "is_active": true,
+      "display_image": "",
+      "created_at": "2020-02-20T20:06:39.546Z"
+    }
+  },
+  {
+    "model": "note.note",
+    "pk": 3,
+    "fields": {
+      "polymorphic_ctype": [
+        "note",
+        "notespecial"
+      ],
+      "balance": 0,
+      "last_negative": null,
+      "is_active": true,
+      "display_image": "",
+      "created_at": "2020-02-20T20:06:43.049Z"
+    }
+  },
+  {
+    "model": "note.note",
+    "pk": 4,
+    "fields": {
+      "polymorphic_ctype": [
+        "note",
+        "notespecial"
+      ],
+      "balance": 0,
+      "last_negative": null,
+      "is_active": true,
+      "display_image": "",
+      "created_at": "2020-02-20T20:06:50.996Z"
+    }
+  },
+  {
+    "model": "note.note",
+    "pk": 5,
+    "fields": {
+      "polymorphic_ctype": [
+        "note",
+        "noteclub"
+      ],
+      "balance": 0,
+      "last_negative": null,
+      "is_active": true,
+      "display_image": "pic/default.png",
+      "created_at": "2020-02-20T20:09:38.615Z"
+    }
+  },
+  {
+    "model": "note.note",
+    "pk": 6,
+    "fields": {
+      "polymorphic_ctype": [
+        "note",
+        "noteclub"
+      ],
+      "balance": 0,
+      "last_negative": null,
+      "is_active": true,
+      "display_image": "pic/default.png",
+      "created_at": "2020-02-20T20:16:14.753Z"
+    }
+  },
+  {
+    "model": "note.noteclub",
+    "pk": 5,
+    "fields": {
+      "club": 1
+    }
+  },
+  {
+    "model": "note.noteclub",
+    "pk": 6,
+    "fields": {
+      "club": 2
+    }
+  },
+  {
+    "model": "note.notespecial",
+    "pk": 1,
+    "fields": {
+      "special_type": "Esp\u00e8ces"
+    }
+  },
+  {
+    "model": "note.notespecial",
+    "pk": 2,
+    "fields": {
+      "special_type": "Carte bancaire"
+    }
+  },
+  {
+    "model": "note.notespecial",
+    "pk": 3,
+    "fields": {
+      "special_type": "Ch\u00e8que"
+    }
+  },
+  {
+    "model": "note.notespecial",
+    "pk": 4,
+    "fields": {
+      "special_type": "Virement bancaire"
+    }
+  },
+  {
+    "model": "note.alias",
+    "pk": 1,
+    "fields": {
+      "name": "Esp\u00e8ces",
+      "normalized_name": "especes",
+      "note": 1
+    }
+  },
+  {
+    "model": "note.alias",
+    "pk": 2,
+    "fields": {
+      "name": "Carte bancaire",
+      "normalized_name": "cartebancaire",
+      "note": 2
+    }
+  },
+  {
+    "model": "note.alias",
+    "pk": 3,
+    "fields": {
+      "name": "Ch\u00e8que",
+      "normalized_name": "cheque",
+      "note": 3
+    }
+  },
+  {
+    "model": "note.alias",
+    "pk": 4,
+    "fields": {
+      "name": "Virement bancaire",
+      "normalized_name": "virementbancaire",
+      "note": 4
+    }
+  },
+  {
+    "model": "note.alias",
+    "pk": 5,
+    "fields": {
+      "name": "BDE",
+      "normalized_name": "bde",
+      "note": 5
+    }
+  },
+  {
+    "model": "note.alias",
+    "pk": 6,
+    "fields": {
+      "name": "Kfet",
+      "normalized_name": "kfet",
+      "note": 6
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 1,
+    "fields": {
+      "name": "Soft"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 2,
+    "fields": {
+      "name": "Pulls"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 3,
+    "fields": {
+      "name": "Gala"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 4,
+    "fields": {
+      "name": "Clubs"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 5,
+    "fields": {
+      "name": "Bouffe"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 6,
+    "fields": {
+      "name": "BDA"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 7,
+    "fields": {
+      "name": "Autre"
+    }
+  },
+  {
+    "model": "note.templatecategory",
+    "pk": 8,
+    "fields": {
+      "name": "Alcool"
+    }
+  }
+]

apps/note/forms.py

@@ -5,7 +5,29 @@ from dal import autocomplete
 from django import forms
 from django.utils.translation import gettext_lazy as _
 
-from .models import Transaction, TransactionTemplate, TemplateTransaction
+from .models import Alias
+from .models import TransactionTemplate
+
+
+class AliasForm(forms.ModelForm):
+    class Meta:
+        model = Alias
+        fields = ("name",)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["name"].label = False
+        self.fields["name"].widget.attrs = {"placeholder": _('New Alias')}
+
+
+class ImageForm(forms.Form):
+    image = forms.ImageField(required=False,
+                             label=_('select an image'),
+                             help_text=_('Maximal size: 2MB'))
+    x = forms.FloatField(widget=forms.HiddenInput())
+    y = forms.FloatField(widget=forms.HiddenInput())
+    width = forms.FloatField(widget=forms.HiddenInput())
+    height = forms.FloatField(widget=forms.HiddenInput())
 
 
 class TransactionTemplateForm(forms.ModelForm):
@@ -20,92 +42,11 @@ class TransactionTemplateForm(forms.ModelForm):
         # forward=(forward.Const('TYPE', 'note_type') où TYPE est dans {user, club, special}
         widgets = {
             'destination':
-            autocomplete.ModelSelect2(
-                url='note:note_autocomplete',
-                attrs={
-                    'data-placeholder': 'Note ...',
-                    'data-minimum-input-length': 1,
-                },
-            ),
-        }
-
-
-class TransactionForm(forms.ModelForm):
-    def save(self, commit=True):
-        super().save(commit)
-
-
-    def clean(self):
-        """
-        If the user has no right to transfer funds, then it will be the source of the transfer by default.
-        Transactions between a note and the same note are not authorized.
-        """
-
-        cleaned_data = super().clean()
-        if not "source" in cleaned_data: # TODO Replace it with "if %user has no right to transfer funds"
-            cleaned_data["source"] = self.user.note
-
-        if cleaned_data["source"].pk == cleaned_data["destination"].pk:
-            self.add_error("destination", _("Source and destination must be different."))
-
-        return cleaned_data
-
-
-    class Meta:
-        model = Transaction
-        fields = (
-            'source',
-            'destination',
-            'reason',
-            'amount',
-        )
-
-        # Voir ci-dessus
-        widgets = {
-            'source':
-            autocomplete.ModelSelect2(
-                url='note:note_autocomplete',
-                attrs={
-                    'data-placeholder': 'Note ...',
-                    'data-minimum-input-length': 1,
-                },
-            ),
-            'destination':
-            autocomplete.ModelSelect2(
-                url='note:note_autocomplete',
-                attrs={
-                    'data-placeholder': 'Note ...',
-                    'data-minimum-input-length': 1,
-                },
-            ),
-        }
-
-
-class ConsoForm(forms.ModelForm):
-    def save(self, commit=True):
-        button: TransactionTemplate = TransactionTemplate.objects.filter(
-            name=self.data['button']).get()
-        self.instance.destination = button.destination
-        self.instance.amount = button.amount
-        self.instance.reason = '{} ({})'.format(button.name, button.category)
-        self.instance.name = button.name
-        self.instance.category = button.category
-        super().save(commit)
-
-    class Meta:
-        model = TemplateTransaction
-        fields = ('source', )
-
-        # Le champ d'utilisateur est remplacé par un champ d'auto-complétion.
-        # Quand des lettres sont tapées, une requête est envoyée sur l'API d'auto-complétion
-        # et récupère les aliases de note valides
-        widgets = {
-            'source':
-            autocomplete.ModelSelect2(
-                url='note:note_autocomplete',
-                attrs={
-                    'data-placeholder': 'Note ...',
-                    'data-minimum-input-length': 1,
-                },
-            ),
+                autocomplete.ModelSelect2(
+                    url='note:note_autocomplete',
+                    attrs={
+                        'data-placeholder': 'Note ...',
+                        'data-minimum-input-length': 1,
+                    },
+                ),
         }

apps/note/models/__init__.py

@@ -3,12 +3,12 @@
 
 from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser
 from .transactions import MembershipTransaction, Transaction, \
-    TemplateCategory, TransactionTemplate, TemplateTransaction
+    TemplateCategory, TransactionTemplate, RecurrentTransaction, SpecialTransaction
 
 __all__ = [
     # Notes
     'Alias', 'Note', 'NoteClub', 'NoteSpecial', 'NoteUser',
     # Transactions
     'MembershipTransaction', 'Transaction', 'TemplateCategory', 'TransactionTemplate',
-    'TemplateTransaction',
+    'RecurrentTransaction', 'SpecialTransaction',
 ]

apps/note/models/notes.py

@@ -9,6 +9,7 @@ from django.core.validators import RegexValidator
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from polymorphic.models import PolymorphicModel
+
 """
 Defines each note types
 """
@@ -27,7 +28,7 @@ class Note(PolymorphicModel):
         help_text=_('in centimes, money credited for this instance'),
         default=0,
     )
-    last_negative= models.DateTimeField(
+    last_negative = models.DateTimeField(
         verbose_name=_('last negative date'),
         help_text=_('last time the balance was negative'),
         null=True,
@@ -43,7 +44,10 @@ class Note(PolymorphicModel):
     display_image = models.ImageField(
         verbose_name=_('display image'),
         max_length=255,
-        blank=True,
+        blank=False,
+        null=False,
+        upload_to='pic/',
+        default='pic/default.png'
     )
     created_at = models.DateTimeField(
         verbose_name=_('created at'),
@@ -95,7 +99,7 @@ class Note(PolymorphicModel):
             # Alias exists, so check if it is linked to this note
             if aliases.first().note != self:
                 raise ValidationError(_('This alias is already taken.'),
-                                      code="same_alias",)
+                                      code="same_alias", )
         else:
             # Alias does not exist yet, so check if it can exist
             a = Alias(name=str(self))
@@ -205,6 +209,10 @@ class Alias(models.Model):
     class Meta:
         verbose_name = _("alias")
         verbose_name_plural = _("aliases")
+        indexes = [
+            models.Index(fields=['name']),
+            models.Index(fields=['normalized_name']),
+        ]
 
     def __str__(self):
         return self.name
@@ -219,14 +227,6 @@ class Alias(models.Model):
             if all(not unicodedata.category(char).startswith(cat)
                    for cat in {'M', 'P', 'Z', 'C'})).casefold()
 
-    def save(self, *args, **kwargs):
-        """
-        Handle normalized_name
-        """
-        self.normalized_name = Alias.normalize(self.name)
-        if len(self.normalized_name) < 256:
-            super().save(*args, **kwargs)
-
     def clean(self):
         normalized_name = Alias.normalize(self.name)
         if len(normalized_name) >= 255:
@@ -235,11 +235,12 @@ class Alias(models.Model):
         try:
             sim_alias = Alias.objects.get(normalized_name=normalized_name)
             if self != sim_alias:
-                raise ValidationError(_('An alias with a similar name already exists:'),
-                                       code="same_alias"
-                )
+                raise ValidationError(_('An alias with a similar name already exists: {} ').format(sim_alias),
+                                      code="same_alias"
+                                      )
         except Alias.DoesNotExist:
             pass
+        self.normalized_name = normalized_name
 
     def delete(self, using=None, keep_parents=False):
         if self.name == str(self.note):

apps/note/models/transactions.py

@@ -2,12 +2,12 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.db import models
+from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
-from django.urls import reverse
 from polymorphic.models import PolymorphicModel
 
-from .notes import Note, NoteClub
+from .notes import Note, NoteClub, NoteSpecial
 
 """
 Defines transactions
@@ -44,7 +44,7 @@ class TransactionTemplate(models.Model):
         verbose_name=_('name'),
         max_length=255,
         unique=True,
-        error_messages={'unique':_("A template with this name already exist")},
+        error_messages={'unique': _("A template with this name already exist")},
     )
     destination = models.ForeignKey(
         NoteClub,
@@ -63,11 +63,12 @@ class TransactionTemplate(models.Model):
         max_length=31,
     )
     display = models.BooleanField(
-        default = True,
+        default=True,
     )
     description = models.CharField(
         verbose_name=_('description'),
         max_length=255,
+        blank=True,
     )
 
     class Meta:
@@ -75,7 +76,7 @@ class TransactionTemplate(models.Model):
         verbose_name_plural = _("transaction templates")
 
     def get_absolute_url(self):
-        return reverse('note:template_update', args=(self.pk, ))
+        return reverse('note:template_update', args=(self.pk,))
 
 
 class Transaction(PolymorphicModel):
@@ -106,7 +107,10 @@ class Transaction(PolymorphicModel):
         verbose_name=_('quantity'),
         default=1,
     )
-    amount = models.PositiveIntegerField(verbose_name=_('amount'), )
+    amount = models.PositiveIntegerField(
+        verbose_name=_('amount'),
+    )
+
     reason = models.CharField(
         verbose_name=_('reason'),
         max_length=255,
@@ -119,6 +123,11 @@ class Transaction(PolymorphicModel):
     class Meta:
         verbose_name = _("transaction")
         verbose_name_plural = _("transactions")
+        indexes = [
+            models.Index(fields=['created_at']),
+            models.Index(fields=['source']),
+            models.Index(fields=['destination']),
+        ]
 
     def save(self, *args, **kwargs):
         """
@@ -127,6 +136,7 @@ class Transaction(PolymorphicModel):
 
         if self.source.pk == self.destination.pk:
             # When source == destination, no money is transfered
+            super().save(*args, **kwargs)
             return
 
         created = self.pk is None
@@ -142,20 +152,25 @@ class Transaction(PolymorphicModel):
             self.source.balance -= to_transfer
             self.destination.balance += to_transfer
 
+        # We save first the transaction, in case of the user has no right to transfer money
+        super().save(*args, **kwargs)
+
         # Save notes
         self.source.save()
         self.destination.save()
-        super().save(*args, **kwargs)
 
     @property
     def total(self):
         return self.amount * self.quantity
 
+    @property
+    def type(self):
+        return _('Transfer')
 
-class TemplateTransaction(Transaction):
+
+class RecurrentTransaction(Transaction):
     """
     Special type of :model:`note.Transaction` associated to a :model:`note.TransactionTemplate`.
-
     """
 
     template = models.ForeignKey(
@@ -168,6 +183,37 @@ class TemplateTransaction(Transaction):
         on_delete=models.PROTECT,
     )
 
+    @property
+    def type(self):
+        return _('Template')
+
+
+class SpecialTransaction(Transaction):
+    """
+    Special type of :model:`note.Transaction` associated to transactions with special notes
+    """
+
+    last_name = models.CharField(
+        max_length=255,
+        verbose_name=_("name"),
+    )
+
+    first_name = models.CharField(
+        max_length=255,
+        verbose_name=_("first_name"),
+    )
+
+    bank = models.CharField(
+        max_length=255,
+        verbose_name=_("bank"),
+        blank=True,
+    )
+
+    @property
+    def type(self):
+        return _('Credit') if isinstance(self.source, NoteSpecial) else _("Debit")
+
+
 class MembershipTransaction(Transaction):
     """
     Special type of :model:`note.Transaction` associated to a :model:`member.Membership`.
@@ -183,3 +229,7 @@ class MembershipTransaction(Transaction):
     class Meta:
         verbose_name = _("membership transaction")
         verbose_name_plural = _("membership transactions")
+
+    @property
+    def type(self):
+        return _('membership transaction')

apps/note/tables.py

@@ -1,26 +1,115 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import html
+
 import django_tables2 as tables
 from django.db.models import F
+from django_tables2.utils import A
+from django.utils.translation import gettext_lazy as _
 
-from .models.transactions import Transaction
+from .models.notes import Alias
+from .models.transactions import Transaction, TransactionTemplate
+from .templatetags.pretty_money import pretty_money
 
 
 class HistoryTable(tables.Table):
     class Meta:
         attrs = {
             'class':
-            'table table-condensed table-striped table-hover'
+                'table table-condensed table-striped table-hover'
         }
         model = Transaction
+        exclude = ("id", "polymorphic_ctype", )
         template_name = 'django_tables2/bootstrap4.html'
-        sequence = ('...', 'total', 'valid')
+        sequence = ('...', 'type', 'total', 'valid', )
+        orderable = False
+
+    type = tables.Column()
 
     total = tables.Column()  # will use Transaction.total() !!
 
+    valid = tables.Column(attrs={"td": {"id": lambda record: "validate_" + str(record.id),
+                                        "class": lambda record: str(record.valid).lower() + ' validate',
+                                        "onclick": lambda record: 'de_validate(' + str(record.id) + ', '
+                                                                  + str(record.valid).lower() + ')'}})
+
     def order_total(self, queryset, is_descending):
         # needed for rendering
         queryset = queryset.annotate(total=F('amount') * F('quantity')) \
             .order_by(('-' if is_descending else '') + 'total')
-        return (queryset, True)
+        return queryset, True
+
+    def render_amount(self, value):
+        return pretty_money(value)
+
+    def render_total(self, value):
+        return pretty_money(value)
+
+    def render_type(self, value):
+        return _(value)
+
+    # Django-tables escape strings. That's a wrong thing.
+    def render_reason(self, value):
+        return html.unescape(value)
+
+    def render_valid(self, value):
+        return "✔" if value else "✖"
+
+
+# function delete_button(id) provided in template file
+DELETE_TEMPLATE = """
+    <button id="{{ record.pk }}" class="btn btn-danger" onclick="delete_button(this.id)"> {{ delete_trans }}</button>
+"""
+
+
+class AliasTable(tables.Table):
+    class Meta:
+        attrs = {
+            'class':
+                'table table condensed table-striped table-hover'
+        }
+        model = Alias
+        fields = ('name',)
+        template_name = 'django_tables2/bootstrap4.html'
+
+    show_header = False
+    name = tables.Column(attrs={'td': {'class': 'text-center'}})
+    # delete = tables.TemplateColumn(template_code=delete_template,
+    #                                attrs={'td':{'class': 'col-sm-1'}})
+
+    delete = tables.LinkColumn('member:user_alias_delete',
+                               args=[A('pk')],
+                               attrs={
+                                   'td': {'class': 'col-sm-2'},
+                                   'a': {'class': 'btn btn-danger'}},
+                               text='delete', accessor='pk')
+
+
+class ButtonTable(tables.Table):
+    class Meta:
+        attrs = {
+            'class':
+                'table table-bordered condensed table-hover'
+        }
+        row_attrs = {
+            'class': lambda record: 'table-row ' + 'table-success' if record.display else 'table-danger',
+            'id': lambda record: "row-" + str(record.pk),
+            'data-href': lambda record: record.pk
+        }
+
+        model = TransactionTemplate
+
+    edit = tables.LinkColumn('note:template_update',
+                             args=[A('pk')],
+                             attrs={'td': {'class': 'col-sm-1'},
+                                    'a': {'class': 'btn btn-primary'}},
+                             text=_('edit'),
+                             accessor='pk')
+
+    delete = tables.TemplateColumn(template_code=DELETE_TEMPLATE,
+                                   extra_context={"delete_trans": _('delete')},
+                                   attrs={'td': {'class': 'col-sm-1'}})
+
+    def render_amount(self, value):
+        return pretty_money(value)

apps/note/templatetags/getenv.py

@@ -0,0 +1,14 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django import template
+
+import os
+
+
+def getenv(value):
+    return os.getenv(value)
+
+
+register = template.Library()
+register.filter('getenv', getenv)

apps/note/templatetags/pretty_money.py

@@ -11,12 +11,17 @@ def pretty_money(value):
             abs(value) // 100,
         )
     else:
-        return "{:s}{:d} € {:02d}".format(
+        return "{:s}{:d}.{:02d} €".format(
             "- " if value < 0 else "",
             abs(value) // 100,
             abs(value) % 100,
         )
 
 
+def cents_to_euros(value):
+    return "{:.02f}".format(value / 100) if value else ""
+
+
 register = template.Library()
 register.filter('pretty_money', pretty_money)
+register.filter('cents_to_euros', cents_to_euros)

apps/note/urls.py

@@ -8,7 +8,7 @@ from .models import Note
 
 app_name = 'note'
 urlpatterns = [
-    path('transfer/', views.TransactionCreate.as_view(), name='transfer'),
+    path('transfer/', views.TransactionCreateView.as_view(), name='transfer'),
     path('buttons/create/', views.TransactionTemplateCreateView.as_view(), name='template_create'),
     path('buttons/update/<int:pk>/', views.TransactionTemplateUpdateView.as_view(), name='template_update'),
     path('buttons/', views.TransactionTemplateListView.as_view(), name='template_list'),

apps/note/views.py

@@ -3,60 +3,60 @@
 
 from dal import autocomplete
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.contenttypes.models import ContentType
 from django.db.models import Q
-from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import CreateView, ListView, UpdateView
+from django.views.generic import CreateView, UpdateView
+from django_tables2 import SingleTableView
+from django.urls import reverse_lazy
+from permission.backends import PermissionBackend
 
-from .models import Transaction, TransactionTemplate, Alias, TemplateTransaction
-from .forms import TransactionForm, TransactionTemplateForm, ConsoForm
+from .forms import TransactionTemplateForm
+from .models import Transaction, TransactionTemplate, Alias, RecurrentTransaction, NoteSpecial
+from .models.transactions import SpecialTransaction
+from .tables import HistoryTable, ButtonTable
 
 
-class TransactionCreate(LoginRequiredMixin, CreateView):
+class TransactionCreateView(LoginRequiredMixin, SingleTableView):
     """
-    Show transfer page
-
-    TODO: If user have sufficient rights, they can transfer from an other note
+    View for the creation of Transaction between two note which are not :models:`transactions.RecurrentTransaction`.
+    e.g. for donation/transfer between people and clubs or for credit/debit with :models:`note.NoteSpecial`
     """
+    template_name = "note/transaction_form.html"
+
     model = Transaction
-    form_class = TransactionForm
+    # Transaction history table
+    table_class = HistoryTable
+    table_pagination = {"per_page": 50}
+
+    def get_queryset(self):
+        return Transaction.objects.filter(PermissionBackend.filter_queryset(
+            self.request.user, Transaction, "view")
+        ).order_by("-id").all()[:50]
 
     def get_context_data(self, **kwargs):
         """
         Add some context variables in template such as page title
         """
         context = super().get_context_data(**kwargs)
-        context['title'] = _('Transfer money from your account '
-                             'to one or others')
-
-        context['no_cache'] = True
+        context['title'] = _('Transfer money')
+        context['polymorphic_ctype'] = ContentType.objects.get_for_model(Transaction).pk
+        context['special_polymorphic_ctype'] = ContentType.objects.get_for_model(SpecialTransaction).pk
+        context['special_types'] = NoteSpecial.objects.order_by("special_type").all()
 
         return context
 
-    def get_form(self, form_class=None):
-        """
-        If the user has no right to transfer funds, then it won't have the choice of the source of the transfer.
-        """
-        form = super().get_form(form_class)
-
-        if False:  # TODO: fix it with "if %user has no right to transfer funds"
-            del form.fields['source']
-            form.user = self.request.user
-
-        return form
-
-    def get_success_url(self):
-        return reverse('note:transfer')
-
 
 class NoteAutocomplete(autocomplete.Select2QuerySetView):
     """
-    Auto complete note by aliases
+    Auto complete note by aliases. Used in every search field for note
+    ex: :view:`ConsoView`, :view:`TransactionCreateView`
     """
+
     def get_queryset(self):
         """
-        Quand une personne cherche un alias, une requête est envoyée sur l'API dédiée à l'auto-complétion.
-        Cette fonction récupère la requête, et renvoie la liste filtrée des aliases.
+        When someone look for an :models:`note.Alias`, a query is sent to the dedicated API.
+        This function handles the result and return a filtered list of aliases.
         """
         #  Un utilisateur non connecté n'a accès à aucune information
         if not self.request.user.is_authenticated:
@@ -66,7 +66,7 @@ class NoteAutocomplete(autocomplete.Select2QuerySetView):
 
         # self.q est le paramètre de la recherche
         if self.q:
-            qs = qs.filter(Q(name__regex=self.q) | Q(normalized_name__regex=Alias.normalize(self.q)))\
+            qs = qs.filter(Q(name__regex="^" + self.q) | Q(normalized_name__regex="^" + Alias.normalize(self.q))) \
                 .order_by('normalized_name').distinct()
 
         # Filtrage par type de note (user, club, special)
@@ -85,6 +85,10 @@ class NoteAutocomplete(autocomplete.Select2QuerySetView):
         return qs
 
     def get_result_label(self, result):
+        """
+        Show the selected alias and the username associated
+        <Alias> (aka. <Username> )
+        """
         # Gère l'affichage de l'alias dans la recherche
         res = result.name
         note_name = str(result.note)
@@ -93,7 +97,9 @@ class NoteAutocomplete(autocomplete.Select2QuerySetView):
         return res
 
     def get_result_value(self, result):
-        # Le résultat renvoyé doit être l'identifiant de la note, et non de l'alias
+        """
+        The value used for the transactions will be the id of the Note.
+        """
         return str(result.note.pk)
 
 
@@ -103,14 +109,15 @@ class TransactionTemplateCreateView(LoginRequiredMixin, CreateView):
     """
     model = TransactionTemplate
     form_class = TransactionTemplateForm
+    success_url = reverse_lazy('note:template_list')
 
 
-class TransactionTemplateListView(LoginRequiredMixin, ListView):
+class TransactionTemplateListView(LoginRequiredMixin, SingleTableView):
     """
     List TransactionsTemplates
     """
     model = TransactionTemplate
-    form_class = TransactionTemplateForm
+    table_class = ButtonTable
 
 
 class TransactionTemplateUpdateView(LoginRequiredMixin, UpdateView):
@@ -118,33 +125,40 @@ class TransactionTemplateUpdateView(LoginRequiredMixin, UpdateView):
     """
     model = TransactionTemplate
     form_class = TransactionTemplateForm
+    success_url = reverse_lazy('note:template_list')
 
 
-class ConsoView(LoginRequiredMixin, CreateView):
+class ConsoView(LoginRequiredMixin, SingleTableView):
     """
-    Consume
+    The Magic View that make people pay their beer and burgers.
+    (Most of the magic happens in the dark world of Javascript see consos.js)
     """
-    model = TemplateTransaction
     template_name = "note/conso_form.html"
-    form_class = ConsoForm
+
+    # Transaction history table
+    table_class = HistoryTable
+    table_pagination = {"per_page": 50}
+
+    def get_queryset(self):
+        return Transaction.objects.filter(
+            PermissionBackend.filter_queryset(self.request.user, Transaction, "view")
+        ).order_by("-id").all()[:50]
 
     def get_context_data(self, **kwargs):
         """
         Add some context variables in template such as page title
         """
         context = super().get_context_data(**kwargs)
-        context['transaction_templates'] = TransactionTemplate.objects.filter(display=True) \
-            .order_by('category')
-        context['title'] = _("Consommations")
+        from django.db.models import Count
+        buttons = TransactionTemplate.objects.filter(
+            PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
+        ).filter(display=True).annotate(clicks=Count('recurrenttransaction')).order_by('category__name', 'name')
+        context['transaction_templates'] = buttons
+        context['most_used'] = buttons.order_by('-clicks', 'name')[:10]
+        context['title'] = _("Consumptions")
+        context['polymorphic_ctype'] = ContentType.objects.get_for_model(RecurrentTransaction).pk
 
         # select2 compatibility
         context['no_cache'] = True
 
         return context
-
-    def get_success_url(self):
-        """
-        When clicking a button, reload the same page
-        """
-        return reverse('note:consos')
-

apps/permission/__init__.py

@@ -0,0 +1,4 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+default_app_config = 'permission.apps.PermissionConfig'

apps/permission/admin.py

@@ -0,0 +1,30 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-lateré
+
+from django.contrib import admin
+
+from .models import Permission, PermissionMask, RolePermissions
+
+
+@admin.register(PermissionMask)
+class PermissionMaskAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for PermissionMask
+    """
+    list_display = ('description', 'rank', )
+
+
+@admin.register(Permission)
+class PermissionAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for Permission
+    """
+    list_display = ('type', 'model', 'field', 'mask', 'description', )
+
+
+@admin.register(RolePermissions)
+class RolePermissionsAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for RolePermissions
+    """
+    list_display = ('role', )

apps/permission/api/serializers.py

@@ -0,0 +1,17 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from rest_framework import serializers
+
+from ..models import Permission
+
+
+class PermissionSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Permission types.
+    The djangorestframework plugin will analyse the model `Permission` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = Permission
+        fields = '__all__'

apps/permission/api/urls.py

@@ -0,0 +1,11 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from .views import PermissionViewSet
+
+
+def register_permission_urls(router, path):
+    """
+    Configure router for permission REST API.
+    """
+    router.register(path, PermissionViewSet)

apps/permission/api/views.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django_filters.rest_framework import DjangoFilterBackend
+from api.viewsets import ReadOnlyProtectedModelViewSet
+
+from .serializers import PermissionSerializer
+from ..models import Permission
+
+
+class PermissionViewSet(ReadOnlyProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Changelog` objects, serialize it to JSON with the given serializer,
+    then render it on /api/logs/
+    """
+    queryset = Permission.objects.all()
+    serializer_class = PermissionSerializer
+    filter_backends = [DjangoFilterBackend]
+    filterset_fields = ['model', 'type', ]

apps/permission/apps.py

@@ -0,0 +1,14 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.apps import AppConfig
+from django.db.models.signals import pre_save, pre_delete
+
+
+class PermissionConfig(AppConfig):
+    name = 'permission'
+
+    def ready(self):
+        from . import signals
+        pre_save.connect(signals.pre_save_object)
+        pre_delete.connect(signals.pre_delete_object)

apps/permission/backends.py

@@ -0,0 +1,116 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth.models import User, AnonymousUser
+from django.contrib.contenttypes.models import ContentType
+from django.db.models import Q, F
+from note.models import Note, NoteUser, NoteClub, NoteSpecial
+from note_kfet.middlewares import get_current_session
+from member.models import Membership, Club
+
+from .models import Permission
+
+
+class PermissionBackend(ModelBackend):
+    """
+    Manage permissions of users
+    """
+    supports_object_permissions = True
+    supports_anonymous_user = False
+    supports_inactive_user = False
+
+    @staticmethod
+    def permissions(user, model, type):
+        """
+        List all permissions of the given user that applies to a given model and a give type
+        :param user: The owner of the permissions
+        :param model: The model that the permissions shoud apply
+        :param type: The type of the permissions: view, change, add or delete
+        :return: A generator of the requested permissions
+        """
+        for permission in Permission.objects.annotate(club=F("rolepermissions__role__membership__club")) \
+                .filter(
+            rolepermissions__role__membership__user=user,
+            model__app_label=model.app_label,  # For polymorphic models, we don't filter on model type
+            type=type,
+        ).all():
+            if not isinstance(model, permission.model.__class__):
+                continue
+
+            club = Club.objects.get(pk=permission.club)
+            permission = permission.about(
+                user=user,
+                club=club,
+                User=User,
+                Club=Club,
+                Membership=Membership,
+                Note=Note,
+                NoteUser=NoteUser,
+                NoteClub=NoteClub,
+                NoteSpecial=NoteSpecial,
+                F=F,
+                Q=Q
+            )
+            if permission.mask.rank <= get_current_session().get("permission_mask", 0):
+                yield permission
+
+    @staticmethod
+    def filter_queryset(user, model, t, field=None):
+        """
+        Filter a queryset by considering the permissions of a given user.
+        :param user: The owner of the permissions that are fetched
+        :param model: The concerned model of the queryset
+        :param t: The type of modification (view, add, change, delete)
+        :param field: The field of the model to test, if concerned
+        :return: A query that corresponds to the filter to give to a queryset
+        """
+
+        if user is None or isinstance(user, AnonymousUser):
+            # Anonymous users can't do anything
+            return Q(pk=-1)
+
+        if user.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
+            # Superusers have all rights
+            return Q()
+
+        if not isinstance(model, ContentType):
+            model = ContentType.objects.get_for_model(model)
+
+        # Never satisfied
+        query = Q(pk=-1)
+        perms = PermissionBackend.permissions(user, model, t)
+        for perm in perms:
+            if perm.field and field != perm.field:
+                continue
+            if perm.type != t or perm.model != model:
+                continue
+            perm.update_query()
+            query = query | perm.query
+        return query
+
+    def has_perm(self, user_obj, perm, obj=None):
+        if user_obj is None or isinstance(user_obj, AnonymousUser):
+            return False
+
+        if user_obj.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
+            return True
+
+        if obj is None:
+            return True
+
+        perm = perm.split('.')[-1].split('_', 2)
+        perm_type = perm[0]
+        perm_field = perm[2] if len(perm) == 3 else None
+        ct = ContentType.objects.get_for_model(obj)
+        if any(permission.applies(obj, perm_type, perm_field)
+               for permission in self.permissions(user_obj, ct, perm_type)):
+            return True
+        return False
+
+    def has_module_perms(self, user_obj, app_label):
+        return False
+
+    def get_all_permissions(self, user_obj, obj=None):
+        ct = ContentType.objects.get_for_model(obj)
+        return list(self.permissions(user_obj, ct, "view"))

apps/permission/fixtures/initial.json

@@ -0,0 +1,653 @@
+[
+  {
+    "model": "member.role",
+    "pk": 1,
+    "fields": {
+      "name": "Adh\u00e9rent BDE"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 2,
+    "fields": {
+      "name": "Adh\u00e9rent Kfet"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 3,
+    "fields": {
+      "name": "Pr\u00e9sident\u00b7e BDE"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 4,
+    "fields": {
+      "name": "Tr\u00e9sorier\u00b7\u00e8re BDE"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 5,
+    "fields": {
+      "name": "Respo info"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 6,
+    "fields": {
+      "name": "GC Kfet"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 7,
+    "fields": {
+      "name": "Pr\u00e9sident\u00b7e de club"
+    }
+  },
+  {
+    "model": "member.role",
+    "pk": 8,
+    "fields": {
+      "name": "Tr\u00e9sorier\u00b7\u00e8re de club"
+    }
+  },
+  {
+    "model": "permission.permissionmask",
+    "pk": 1,
+    "fields": {
+      "rank": 0,
+      "description": "Droits basiques"
+    }
+  },
+  {
+    "model": "permission.permissionmask",
+    "pk": 2,
+    "fields": {
+      "rank": 1,
+      "description": "Droits note seulement"
+    }
+  },
+  {
+    "model": "permission.permissionmask",
+    "pk": 3,
+    "fields": {
+      "rank": 42,
+      "description": "Tous mes droits"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 1,
+    "fields": {
+      "model": [
+        "auth",
+        "user"
+      ],
+      "query": "{\"pk\": [\"user\", \"pk\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View our User object"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 2,
+    "fields": {
+      "model": [
+        "member",
+        "profile"
+      ],
+      "query": "{\"user\": [\"user\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View our profile"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 3,
+    "fields": {
+      "model": [
+        "note",
+        "noteuser"
+      ],
+      "query": "{\"pk\": [\"user\", \"note\", \"pk\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View our own note"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 4,
+    "fields": {
+      "model": [
+        "authtoken",
+        "token"
+      ],
+      "query": "{\"user\": [\"user\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View our API token"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 5,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "[\"OR\", {\"source\": [\"user\", \"note\"]}, {\"destination\": [\"user\", \"note\"]}]",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View our own transactions"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 6,
+    "fields": {
+      "model": [
+        "note",
+        "alias"
+      ],
+      "query": "[\"OR\", {\"note__in\": [\"NoteUser\", \"objects\", [\"filter\", {\"user__membership__club__name\": \"Kfet\"}], [\"all\"]]}, {\"note__in\": [\"NoteClub\", \"objects\", [\"all\"]]}]",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View aliases of clubs and members of Kfet club"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 7,
+    "fields": {
+      "model": [
+        "auth",
+        "user"
+      ],
+      "query": "{\"pk\": [\"user\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "last_login",
+      "description": "Change myself's last login"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 8,
+    "fields": {
+      "model": [
+        "auth",
+        "user"
+      ],
+      "query": "{\"pk\": [\"user\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "username",
+      "description": "Change myself's username"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 9,
+    "fields": {
+      "model": [
+        "auth",
+        "user"
+      ],
+      "query": "{\"pk\": [\"user\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "first_name",
+      "description": "Change myself's first name"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 10,
+    "fields": {
+      "model": [
+        "auth",
+        "user"
+      ],
+      "query": "{\"pk\": [\"user\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "last_name",
+      "description": "Change myself's last name"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 11,
+    "fields": {
+      "model": [
+        "auth",
+        "user"
+      ],
+      "query": "{\"pk\": [\"user\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "email",
+      "description": "Change myself's email"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 12,
+    "fields": {
+      "model": [
+        "authtoken",
+        "token"
+      ],
+      "query": "{\"user\": [\"user\"]}",
+      "type": "delete",
+      "mask": 1,
+      "field": "",
+      "description": "Delete API Token"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 13,
+    "fields": {
+      "model": [
+        "authtoken",
+        "token"
+      ],
+      "query": "{\"user\": [\"user\"]}",
+      "type": "add",
+      "mask": 1,
+      "field": "",
+      "description": "Create API Token"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 14,
+    "fields": {
+      "model": [
+        "note",
+        "alias"
+      ],
+      "query": "{\"note\": [\"user\", \"note\"]}",
+      "type": "delete",
+      "mask": 1,
+      "field": "",
+      "description": "Remove alias"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 15,
+    "fields": {
+      "model": [
+        "note",
+        "alias"
+      ],
+      "query": "{\"note\": [\"user\", \"note\"]}",
+      "type": "add",
+      "mask": 1,
+      "field": "",
+      "description": "Add alias"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 16,
+    "fields": {
+      "model": [
+        "note",
+        "noteuser"
+      ],
+      "query": "{\"pk\": [\"user\", \"note\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "display_image",
+      "description": "Change myself's display image"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 17,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "[\"AND\", {\"source\": [\"user\", \"note\"]}, {\"amount__lte\": [\"user\", \"note\", \"balance\"]}]",
+      "type": "add",
+      "mask": 1,
+      "field": "",
+      "description": "Transfer from myself's note"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 18,
+    "fields": {
+      "model": [
+        "note",
+        "note"
+      ],
+      "query": "{}",
+      "type": "change",
+      "mask": 1,
+      "field": "balance",
+      "description": "Update a note balance with a transaction"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 19,
+    "fields": {
+      "model": [
+        "note",
+        "note"
+      ],
+      "query": "[\"OR\", {\"pk\": [\"club\", \"note\", \"pk\"]}, {\"pk__in\": [\"NoteUser\", \"objects\", [\"filter\", {\"user__membership__club\": [\"club\"]}], [\"all\"]]}]",
+      "type": "view",
+      "mask": 2,
+      "field": "",
+      "description": "View notes of club members"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 20,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "[\"AND\", [\"OR\", {\"source\": [\"club\", \"note\"]}, {\"destination\": [\"club\", \"note\"]}], {\"amount__lte\": {\"F\": [\"ADD\", [\"F\", \"source__balance\"], 5000]}}]",
+      "type": "add",
+      "mask": 2,
+      "field": "",
+      "description": "Create transactions with a club"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 21,
+    "fields": {
+      "model": [
+        "note",
+        "recurrenttransaction"
+      ],
+      "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"amount__lte\": {\"F\": [\"ADD\", [\"F\", \"source__balance\"], 5000]}}]",
+      "type": "add",
+      "mask": 2,
+      "field": "",
+      "description": "Create transactions from buttons with a club"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 22,
+    "fields": {
+      "model": [
+        "member",
+        "club"
+      ],
+      "query": "{\"pk\": [\"club\", \"pk\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View club infos"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 23,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "{}",
+      "type": "change",
+      "mask": 1,
+      "field": "valid",
+      "description": "Update validation status of a transaction"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 24,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "{}",
+      "type": "view",
+      "mask": 2,
+      "field": "",
+      "description": "View all transactions"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 25,
+    "fields": {
+      "model": [
+        "note",
+        "notespecial"
+      ],
+      "query": "{}",
+      "type": "view",
+      "mask": 2,
+      "field": "",
+      "description": "Display credit/debit interface"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 26,
+    "fields": {
+      "model": [
+        "note",
+        "specialtransaction"
+      ],
+      "query": "{}",
+      "type": "add",
+      "mask": 2,
+      "field": "",
+      "description": "Create credit/debit transaction"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 27,
+    "fields": {
+      "model": [
+        "note",
+        "templatecategory"
+      ],
+      "query": "{}",
+      "type": "view",
+      "mask": 2,
+      "field": "",
+      "description": "View button categories"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 28,
+    "fields": {
+      "model": [
+        "note",
+        "templatecategory"
+      ],
+      "query": "{}",
+      "type": "change",
+      "mask": 3,
+      "field": "",
+      "description": "Change button category"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 29,
+    "fields": {
+      "model": [
+        "note",
+        "templatecategory"
+      ],
+      "query": "{}",
+      "type": "add",
+      "mask": 3,
+      "field": "",
+      "description": "Add button category"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 30,
+    "fields": {
+      "model": [
+        "note",
+        "transactiontemplate"
+      ],
+      "query": "{}",
+      "type": "view",
+      "mask": 2,
+      "field": "",
+      "description": "View buttons"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 31,
+    "fields": {
+      "model": [
+        "note",
+        "transactiontemplate"
+      ],
+      "query": "{}",
+      "type": "add",
+      "mask": 3,
+      "field": "",
+      "description": "Add buttons"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 32,
+    "fields": {
+      "model": [
+        "note",
+        "transactiontemplate"
+      ],
+      "query": "{}",
+      "type": "change",
+      "mask": 3,
+      "field": "",
+      "description": "Update buttons"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 33,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "{}",
+      "type": "add",
+      "mask": 2,
+      "field": "",
+      "description": "Create any transaction"
+    }
+  },
+  {
+    "model": "permission.rolepermissions",
+    "pk": 1,
+    "fields": {
+      "role": 1,
+      "permissions": [
+        1,
+        2,
+        7,
+        8,
+        9,
+        10,
+        11
+      ]
+    }
+  },
+  {
+    "model": "permission.rolepermissions",
+    "pk": 2,
+    "fields": {
+      "role": 2,
+      "permissions": [
+        1,
+        2,
+        3,
+        4,
+        5,
+        6,
+        7,
+        8,
+        9,
+        10,
+        11,
+        12,
+        13,
+        14,
+        15,
+        16,
+        17,
+        18
+      ]
+    }
+  },
+  {
+    "model": "permission.rolepermissions",
+    "pk": 3,
+    "fields": {
+      "role": 8,
+      "permissions": [
+        19,
+        20,
+        21,
+        22
+      ]
+    }
+  },
+  {
+    "model": "permission.rolepermissions",
+    "pk": 4,
+    "fields": {
+      "role": 4,
+      "permissions": [
+        23,
+        24,
+        25,
+        26,
+        27,
+        28,
+        29,
+        30,
+        31,
+        32,
+        33
+      ]
+    }
+  }
+]

apps/permission/models.py

@@ -0,0 +1,282 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import functools
+import json
+import operator
+
+from django.contrib.contenttypes.models import ContentType
+from django.core.exceptions import ValidationError
+from django.db import models
+from django.db.models import F, Q, Model
+from django.utils.translation import gettext_lazy as _
+from member.models import Role
+
+
+class InstancedPermission:
+
+    def __init__(self, model, query, type, field, mask, **kwargs):
+        self.model = model
+        self.raw_query = query
+        self.query = None
+        self.type = type
+        self.field = field
+        self.mask = mask
+        self.kwargs = kwargs
+
+    def applies(self, obj, permission_type, field_name=None):
+        """
+        Returns True if the permission applies to
+        the field `field_name` object `obj`
+        """
+
+        if not isinstance(obj, self.model.model_class()):
+            # The permission does not apply to the model
+            return False
+
+        if self.type == 'add':
+            if permission_type == self.type:
+                self.update_query()
+
+                # Don't increase indexes
+                obj.pk = 0
+                # Force insertion, no data verification, no trigger
+                Model.save(obj, force_insert=True)
+                ret = obj in self.model.model_class().objects.filter(self.query).all()
+                # Delete testing object
+                Model.delete(obj)
+                return ret
+
+        if permission_type == self.type:
+            if self.field and field_name != self.field:
+                return False
+            self.update_query()
+            return obj in self.model.model_class().objects.filter(self.query).all()
+        else:
+            return False
+
+    def update_query(self):
+        """
+        The query is not analysed in a first time. It is analysed at most once if needed.
+        :return:
+        """
+        if not self.query:
+            # noinspection PyProtectedMember
+            self.query = Permission._about(self.raw_query, **self.kwargs)
+
+    def __repr__(self):
+        if self.field:
+            return _("Can {type} {model}.{field} in {query}").format(type=self.type, model=self.model, field=self.field, query=self.query)
+        else:
+            return _("Can {type} {model} in {query}").format(type=self.type, model=self.model, query=self.query)
+
+    def __str__(self):
+        return self.__repr__()
+
+
+class PermissionMask(models.Model):
+    """
+    Permissions that are hidden behind a mask
+    """
+
+    rank = models.PositiveSmallIntegerField(
+        unique=True,
+        verbose_name=_('rank'),
+    )
+
+    description = models.CharField(
+        max_length=255,
+        unique=True,
+        verbose_name=_('description'),
+    )
+
+    def __str__(self):
+        return self.description
+
+
+class Permission(models.Model):
+
+    PERMISSION_TYPES = [
+        ('add', 'add'),
+        ('view', 'view'),
+        ('change', 'change'),
+        ('delete', 'delete')
+    ]
+
+    model = models.ForeignKey(ContentType, on_delete=models.CASCADE, related_name='+')
+
+    # A json encoded Q object with the following grammar
+    #  query -> [] | {}  (the empty query representing all objects)
+    #  query -> ["AND", query, …]            AND multiple queries
+    #         | ["OR", query, …]             OR multiple queries
+    #         | ["NOT", query]               Opposite of query
+    #  query -> {key: value, …}              A list of fields and values of a Q object
+    #  key   -> string                       A field name
+    #  value -> int | string | bool | null   Literal values
+    #         | [parameter, …]               A parameter. See compute_param for more details.
+    #         | {"F": oper}                  An F object
+    #  oper  -> [string, …]                  A parameter. See compute_param for more details.
+    #         | ["ADD", oper, …]             Sum multiple F objects or literal
+    #         | ["SUB", oper, oper]          Substract two F objects or literal
+    #         | ["MUL", oper, …]             Multiply F objects or literals
+    #         | int | string | bool | null   Literal values
+    #         | ["F", string]                A field
+    #
+    # Examples:
+    #  Q(is_superuser=True)  := {"is_superuser": true}
+    #  ~Q(is_superuser=True) := ["NOT", {"is_superuser": true}]
+    query = models.TextField()
+
+    type = models.CharField(max_length=15, choices=PERMISSION_TYPES)
+
+    mask = models.ForeignKey(
+        PermissionMask,
+        on_delete=models.PROTECT,
+    )
+
+    field = models.CharField(max_length=255, blank=True)
+
+    description = models.CharField(max_length=255, blank=True)
+
+    class Meta:
+        unique_together = ('model', 'query', 'type', 'field')
+
+    def clean(self):
+        self.query = json.dumps(json.loads(self.query))
+        if self.field and self.type not in {'view', 'change'}:
+            raise ValidationError(_("Specifying field applies only to view and change permission types."))
+
+    def save(self, **kwargs):
+        self.full_clean()
+        super().save()
+
+    @staticmethod
+    def compute_f(oper, **kwargs):
+        if isinstance(oper, list):
+            if oper[0] == 'ADD':
+                return functools.reduce(operator.add, [Permission.compute_f(oper, **kwargs) for oper in oper[1:]])
+            elif oper[0] == 'SUB':
+                return Permission.compute_f(oper[1], **kwargs) - Permission.compute_f(oper[2], **kwargs)
+            elif oper[0] == 'MUL':
+                return functools.reduce(operator.mul, [Permission.compute_f(oper, **kwargs) for oper in oper[1:]])
+            elif oper[0] == 'F':
+                return F(oper[1])
+            else:
+                field = kwargs[oper[0]]
+                for i in range(1, len(oper)):
+                    field = getattr(field, oper[i])
+                return field
+        else:
+            return oper
+
+    @staticmethod
+    def compute_param(value, **kwargs):
+        """
+        A parameter is given by a list. The first argument is the name of the parameter.
+        The parameters are the user, the club, and some classes (Note, ...)
+        If there are more arguments in the list, then attributes are queried.
+        For example, ["user", "note", "balance"] will return the balance of the note of the user.
+        If an argument is a list, then this is interpreted with a function call:
+            First argument is the name of the function, next arguments are parameters, and if there is a dict,
+            then the dict is given as kwargs.
+            For example: NoteUser.objects.filter(user__memberships__club__name="Kfet").all() is translated by:
+            ["NoteUser", "objects", ["filter", {"user__memberships__club__name": "Kfet"}], ["all"]]
+        """
+
+        if not isinstance(value, list):
+            return value
+
+        field = kwargs[value[0]]
+        for i in range(1, len(value)):
+            if isinstance(value[i], list):
+                if value[i][0] in kwargs:
+                    field = Permission.compute_param(value[i], **kwargs)
+                    continue
+
+                field = getattr(field, value[i][0])
+                params = []
+                call_kwargs = {}
+                for j in range(1, len(value[i])):
+                    param = Permission.compute_param(value[i][j], **kwargs)
+                    if isinstance(param, dict):
+                        for key in param:
+                            val = Permission.compute_param(param[key], **kwargs)
+                            call_kwargs[key] = val
+                    else:
+                        params.append(param)
+                field = field(*params, **call_kwargs)
+            else:
+                field = getattr(field, value[i])
+        return field
+
+    @staticmethod
+    def _about(query, **kwargs):
+        """
+        Translate JSON query into a Q query.
+        :param query: The JSON query
+        :param kwargs: Additional params
+        :return: A Q object
+        """
+        if len(query) == 0:
+            # The query is either [] or {} and
+            # applies to all objects of the model
+            # to represent this we return a trivial request
+            return Q(pk=F("pk"))
+        if isinstance(query, list):
+            if query[0] == 'AND':
+                return functools.reduce(operator.and_, [Permission._about(query, **kwargs) for query in query[1:]])
+            elif query[0] == 'OR':
+                return functools.reduce(operator.or_, [Permission._about(query, **kwargs) for query in query[1:]])
+            elif query[0] == 'NOT':
+                return ~Permission._about(query[1], **kwargs)
+            else:
+                return Q(pk=F("pk"))
+        elif isinstance(query, dict):
+            q_kwargs = {}
+            for key in query:
+                value = query[key]
+                if isinstance(value, list):
+                    # It is a parameter we query its return value
+                    q_kwargs[key] = Permission.compute_param(value, **kwargs)
+                elif isinstance(value, dict):
+                    # It is an F object
+                    q_kwargs[key] = Permission.compute_f(value['F'], **kwargs)
+                else:
+                    q_kwargs[key] = value
+            return Q(**q_kwargs)
+        else:
+            # TODO: find a better way to crash here
+            raise Exception("query {} is wrong".format(query))
+
+    def about(self, **kwargs):
+        """
+        Return an InstancedPermission with the parameters
+        replaced by their values and the query interpreted
+        """
+        query = json.loads(self.query)
+        # query = self._about(query, **kwargs)
+        return InstancedPermission(self.model, query, self.type, self.field, self.mask, **kwargs)
+
+    def __str__(self):
+        if self.field:
+            return _("Can {type} {model}.{field} in {query}").format(type=self.type, model=self.model, field=self.field, query=self.query)
+        else:
+            return _("Can {type} {model} in {query}").format(type=self.type, model=self.model, query=self.query)
+
+
+class RolePermissions(models.Model):
+    """
+    Permissions associated with a Role
+    """
+    role = models.ForeignKey(
+        Role,
+        on_delete=models.PROTECT,
+        related_name='+',
+        verbose_name=_('role'),
+    )
+    permissions = models.ManyToManyField(
+        Permission,
+    )
+
+    def __str__(self):
+        return str(self.role)

apps/permission/permissions.py

@@ -0,0 +1,65 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from rest_framework.permissions import DjangoObjectPermissions
+
+from .backends import PermissionBackend
+
+SAFE_METHODS = ('HEAD', 'OPTIONS', )
+
+
+class StrongDjangoObjectPermissions(DjangoObjectPermissions):
+    """
+    Default DjangoObjectPermissions grant view permission to all.
+    This is a simple patch of this class that controls view access.
+    """
+
+    perms_map = {
+        'GET': ['%(app_label)s.view_%(model_name)s'],
+        'OPTIONS': [],
+        'HEAD': [],
+        'POST': ['%(app_label)s.add_%(model_name)s'],
+        'PUT': ['%(app_label)s.change_%(model_name)s'],
+        'PATCH': ['%(app_label)s.change_%(model_name)s'],
+        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+    }
+
+    def get_required_object_permissions(self, method, model_cls):
+        kwargs = {
+            'app_label': model_cls._meta.app_label,
+            'model_name': model_cls._meta.model_name
+        }
+
+        if method not in self.perms_map:
+            from rest_framework import exceptions
+            raise exceptions.MethodNotAllowed(method)
+
+        return [perm % kwargs for perm in self.perms_map[method]]
+
+    def has_object_permission(self, request, view, obj):
+        # authentication checks have already executed via has_permission
+        queryset = self._queryset(view)
+        model_cls = queryset.model
+        user = request.user
+
+        perms = self.get_required_object_permissions(request.method, model_cls)
+        # if not user.has_perms(perms, obj):
+        if not all(PermissionBackend().has_perm(user, perm, obj) for perm in perms):
+            # If the user does not have permissions we need to determine if
+            # they have read permissions to see 403, or not, and simply see
+            # a 404 response.
+            from django.http import Http404
+
+            if request.method in SAFE_METHODS:
+                # Read permissions already checked and failed, no need
+                # to make another lookup.
+                raise Http404
+
+            read_perms = self.get_required_object_permissions('GET', model_cls)
+            if not user.has_perms(read_perms, obj):
+                raise Http404
+
+            # Has read permissions.
+            return False
+
+        return True

apps/permission/signals.py

@@ -0,0 +1,105 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.core.exceptions import PermissionDenied
+from django.db.models.signals import pre_save, pre_delete, post_save, post_delete
+from logs import signals as logs_signals
+from note_kfet.middlewares import get_current_authenticated_user
+from permission.backends import PermissionBackend
+
+
+EXCLUDED = [
+    'cas_server.proxygrantingticket',
+    'cas_server.proxyticket',
+    'cas_server.serviceticket',
+    'cas_server.user',
+    'cas_server.userattributes',
+    'contenttypes.contenttype',
+    'logs.changelog',
+    'migrations.migration',
+    'sessions.session',
+]
+
+
+def pre_save_object(sender, instance, **kwargs):
+    """
+    Before a model get saved, we check the permissions
+    """
+    # noinspection PyProtectedMember
+    if instance._meta.label_lower in EXCLUDED:
+        return
+
+    user = get_current_authenticated_user()
+    if user is None:
+        # Action performed on shell is always granted
+        return
+
+    qs = sender.objects.filter(pk=instance.pk).all()
+    model_name_full = instance._meta.label_lower.split(".")
+    app_label = model_name_full[0]
+    model_name = model_name_full[1]
+
+    if qs.exists():
+        # We check if the user can change the model
+
+        # If the user has all right on a model, then OK
+        if PermissionBackend().has_perm(user, app_label + ".change_" + model_name, instance):
+            return
+
+        # In the other case, we check if he/she has the right to change one field
+        previous = qs.get()
+        for field in instance._meta.fields:
+            field_name = field.name
+            old_value = getattr(previous, field.name)
+            new_value = getattr(instance, field.name)
+            # If the field wasn't modified, no need to check the permissions
+            if old_value == new_value:
+                continue
+            if not PermissionBackend().has_perm(user, app_label + ".change_" + model_name + "_" + field_name, instance):
+                raise PermissionDenied
+    else:
+        # We check if the user can add the model
+
+        # While checking permissions, the object will be inserted in the DB, then removed.
+        # We disable temporary the connectors
+        pre_save.disconnect(pre_save_object)
+        pre_delete.disconnect(pre_delete_object)
+        # We disable also logs connectors
+        pre_save.disconnect(logs_signals.pre_save_object)
+        post_save.disconnect(logs_signals.save_object)
+        post_delete.disconnect(logs_signals.delete_object)
+
+        # We check if the user has right to add the object
+        has_perm = PermissionBackend().has_perm(user, app_label + ".add_" + model_name, instance)
+
+        # Then we reconnect all
+        pre_save.connect(pre_save_object)
+        pre_delete.connect(pre_delete_object)
+        pre_save.connect(logs_signals.pre_save_object)
+        post_save.connect(logs_signals.save_object)
+        post_delete.connect(logs_signals.delete_object)
+
+        if not has_perm:
+            raise PermissionDenied
+
+
+def pre_delete_object(sender, instance, **kwargs):
+    """
+    Before a model get deleted, we check the permissions
+    """
+    # noinspection PyProtectedMember
+    if instance._meta.label_lower in EXCLUDED:
+        return
+
+    user = get_current_authenticated_user()
+    if user is None:
+        # Action performed on shell is always granted
+        return
+
+    model_name_full = instance._meta.label_lower.split(".")
+    app_label = model_name_full[0]
+    model_name = model_name_full[1]
+
+    # We check if the user has rights to delete the object
+    if not PermissionBackend().has_perm(user, app_label + ".delete_" + model_name, instance):
+        raise PermissionDenied

apps/permission/templatetags/perms.py

@@ -0,0 +1,53 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.contenttypes.models import ContentType
+from django.template.defaultfilters import stringfilter
+from django import template
+from note_kfet.middlewares import get_current_authenticated_user, get_current_session
+from permission.backends import PermissionBackend
+
+
+@stringfilter
+def not_empty_model_list(model_name):
+    """
+    Return True if and only if the current user has right to see any object of the given model.
+    """
+    user = get_current_authenticated_user()
+    session = get_current_session()
+    if user is None:
+        return False
+    elif user.is_superuser and session.get("permission_mask", 0) >= 42:
+        return True
+    if session.get("not_empty_model_list_" + model_name, None):
+        return session.get("not_empty_model_list_" + model_name, None) == 1
+    spl = model_name.split(".")
+    ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
+    qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(user, ct, "view")).all()
+    session["not_empty_model_list_" + model_name] = 1 if qs.exists() else 2
+    return session.get("not_empty_model_list_" + model_name) == 1
+
+
+@stringfilter
+def not_empty_model_change_list(model_name):
+    """
+    Return True if and only if the current user has right to change any object of the given model.
+    """
+    user = get_current_authenticated_user()
+    session = get_current_session()
+    if user is None:
+        return False
+    elif user.is_superuser and session.get("permission_mask", 0) >= 42:
+        return True
+    if session.get("not_empty_model_change_list_" + model_name, None):
+        return session.get("not_empty_model_change_list_" + model_name, None) == 1
+    spl = model_name.split(".")
+    ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
+    qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(user, ct, "change"))
+    session["not_empty_model_change_list_" + model_name] = 1 if qs.exists() else 2
+    return session.get("not_empty_model_change_list_" + model_name) == 1
+
+
+register = template.Library()
+register.filter('not_empty_model_list', not_empty_model_list)
+register.filter('not_empty_model_change_list', not_empty_model_change_list)

apps/treasury/__init__.py

@@ -0,0 +1,4 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+default_app_config = 'treasury.apps.TreasuryConfig'

apps/treasury/admin.py

@@ -0,0 +1,27 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-lateré
+
+from django.contrib import admin
+
+from .models import RemittanceType, Remittance
+
+
+@admin.register(RemittanceType)
+class RemittanceTypeAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for RemiitanceType
+    """
+    list_display = ('note', )
+
+
+@admin.register(Remittance)
+class RemittanceAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for Remittance
+    """
+    list_display = ('remittance_type', 'date', 'comment', 'count', 'amount', 'closed', )
+
+    def has_change_permission(self, request, obj=None):
+        if not obj:
+            return True
+        return not obj.closed and super().has_change_permission(request, obj)

apps/treasury/api/serializers.py

@@ -0,0 +1,62 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from rest_framework import serializers
+from note.api.serializers import SpecialTransactionSerializer
+
+from ..models import Invoice, Product, RemittanceType, Remittance
+
+
+class ProductSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Product types.
+    The djangorestframework plugin will analyse the model `Product` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = Product
+        fields = '__all__'
+
+
+class InvoiceSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Invoice types.
+    The djangorestframework plugin will analyse the model `Invoice` and parse all fields in the API.
+    """
+    class Meta:
+        model = Invoice
+        fields = '__all__'
+        read_only_fields = ('bde',)
+
+    products = serializers.SerializerMethodField()
+
+    def get_products(self, obj):
+        return serializers.ListSerializer(child=ProductSerializer())\
+            .to_representation(Product.objects.filter(invoice=obj).all())
+
+
+class RemittanceTypeSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for RemittanceType types.
+    The djangorestframework plugin will analyse the model `RemittanceType` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = RemittanceType
+        fields = '__all__'
+
+
+class RemittanceSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Remittance types.
+    The djangorestframework plugin will analyse the model `Remittance` and parse all fields in the API.
+    """
+
+    transactions = serializers.SerializerMethodField()
+
+    class Meta:
+        model = Remittance
+        fields = '__all__'
+
+    def get_transactions(self, obj):
+        return serializers.ListSerializer(child=SpecialTransactionSerializer()).to_representation(obj.transactions)

apps/treasury/api/urls.py

@@ -0,0 +1,14 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from .views import InvoiceViewSet, ProductViewSet, RemittanceViewSet, RemittanceTypeViewSet
+
+
+def register_treasury_urls(router, path):
+    """
+    Configure router for treasury REST API.
+    """
+    router.register(path + '/invoice', InvoiceViewSet)
+    router.register(path + '/product', ProductViewSet)
+    router.register(path + '/remittance_type', RemittanceTypeViewSet)
+    router.register(path + '/remittance', RemittanceViewSet)

apps/treasury/api/views.py

@@ -0,0 +1,53 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import SearchFilter
+from api.viewsets import ReadProtectedModelViewSet
+
+from .serializers import InvoiceSerializer, ProductSerializer, RemittanceTypeSerializer, RemittanceSerializer
+from ..models import Invoice, Product, RemittanceType, Remittance
+
+
+class InvoiceViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Invoice` objects, serialize it to JSON with the given serializer,
+    then render it on /api/treasury/invoice/
+    """
+    queryset = Invoice.objects.all()
+    serializer_class = InvoiceSerializer
+    filter_backends = [DjangoFilterBackend]
+    filterset_fields = ['bde', ]
+
+
+class ProductViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Product` objects, serialize it to JSON with the given serializer,
+    then render it on /api/treasury/product/
+    """
+    queryset = Product.objects.all()
+    serializer_class = ProductSerializer
+    filter_backends = [SearchFilter]
+    search_fields = ['$designation', ]
+
+
+class RemittanceTypeViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `RemittanceType` objects, serialize it to JSON with the given serializer
+    then render it on /api/treasury/remittance_type/
+    """
+    queryset = RemittanceType.objects.all()
+    serializer_class = RemittanceTypeSerializer
+
+
+class RemittanceViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Remittance` objects, serialize it to JSON with the given serializer,
+    then render it on /api/treasury/remittance/
+    """
+    queryset = Remittance.objects.all()
+    serializer_class = RemittanceSerializer

apps/treasury/apps.py

@@ -0,0 +1,33 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.apps import AppConfig
+from django.db.models import Q
+from django.db.models.signals import post_save, post_migrate
+from django.utils.translation import gettext_lazy as _
+
+
+class TreasuryConfig(AppConfig):
+    name = 'treasury'
+    verbose_name = _('Treasury')
+
+    def ready(self):
+        """
+        Define app internal signals to interact with other apps
+        """
+
+        from . import signals
+        from note.models import SpecialTransaction, NoteSpecial
+        from treasury.models import SpecialTransactionProxy
+        post_save.connect(signals.save_special_transaction, sender=SpecialTransaction)
+
+        def setup_specialtransactions_proxies(**kwargs):
+            # If the treasury app was disabled for any reason during a certain amount of time,
+            # we ensure that each special transaction is linked to a proxy
+            for transaction in SpecialTransaction.objects.filter(
+                    source__in=NoteSpecial.objects.filter(~Q(remittancetype=None)),
+                    specialtransactionproxy=None,
+            ):
+                SpecialTransactionProxy.objects.create(transaction=transaction, remittance=None)
+
+        post_migrate.connect(setup_specialtransactions_proxies, sender=SpecialTransactionProxy)

apps/treasury/fixtures/initial.json

@@ -0,0 +1,9 @@
+[
+  {
+    "model": "treasury.remittancetype",
+    "pk": 1,
+    "fields": {
+      "note": 3
+    }
+  }
+]

apps/treasury/forms.py

@@ -0,0 +1,156 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import datetime
+
+from crispy_forms.helper import FormHelper
+from crispy_forms.layout import Submit
+from django import forms
+from django.utils.translation import gettext_lazy as _
+
+from .models import Invoice, Product, Remittance, SpecialTransactionProxy
+
+
+class InvoiceForm(forms.ModelForm):
+    """
+    Create and generate invoices.
+    """
+
+    # Django forms don't support date fields. We have to add it manually
+    date = forms.DateField(
+        initial=datetime.date.today,
+        widget=forms.TextInput(attrs={'type': 'date'})
+    )
+
+    def clean_date(self):
+        self.instance.date = self.data.get("date")
+
+    class Meta:
+        model = Invoice
+        exclude = ('bde', )
+
+
+# Add a subform per product in the invoice form, and manage correctly the link between the invoice and
+# its products. The FormSet will search automatically the ForeignKey in the Product model.
+ProductFormSet = forms.inlineformset_factory(
+    Invoice,
+    Product,
+    fields='__all__',
+    extra=1,
+)
+
+
+class ProductFormSetHelper(FormHelper):
+    """
+    Specify some template informations for the product form.
+    """
+
+    def __init__(self, form=None):
+        super().__init__(form)
+        self.form_tag = False
+        self.form_method = 'POST'
+        self.form_class = 'form-inline'
+        self.template = 'bootstrap4/table_inline_formset.html'
+
+
+class RemittanceForm(forms.ModelForm):
+    """
+    Create remittances.
+    """
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        self.helper = FormHelper()
+
+        # We can't update the type of the remittance once created.
+        if self.instance.pk:
+            self.fields["remittance_type"].disabled = True
+            self.fields["remittance_type"].required = False
+
+        # We display the submit button iff the remittance is open,
+        # the close button iff it is open and has a linked transaction
+        if not self.instance.closed:
+            self.helper.add_input(Submit('submit', _("Submit"), attr={'class': 'btn btn-block btn-primary'}))
+            if self.instance.transactions:
+                self.helper.add_input(Submit("close", _("Close"), css_class='btn btn-success'))
+        else:
+            # If the remittance is closed, we can't change anything
+            self.fields["comment"].disabled = True
+            self.fields["comment"].required = False
+
+    def clean(self):
+        # We can't update anything if the remittance is already closed.
+        if self.instance.closed:
+            self.add_error("comment", _("Remittance is already closed."))
+
+        cleaned_data = super().clean()
+
+        if self.instance.pk and cleaned_data.get("remittance_type") != self.instance.remittance_type:
+            self.add_error("remittance_type", _("You can't change the type of the remittance."))
+
+        # The close button is manually handled
+        if "close" in self.data:
+            self.instance.closed = True
+            self.cleaned_data["closed"] = True
+
+        return cleaned_data
+
+    class Meta:
+        model = Remittance
+        fields = ('remittance_type', 'comment',)
+
+
+class LinkTransactionToRemittanceForm(forms.ModelForm):
+    """
+    Attach a special transaction to a remittance.
+    """
+
+    # Since we use a proxy model for special transactions, we add manually the fields related to the transaction
+    last_name = forms.CharField(label=_("Last name"))
+
+    first_name = forms.Field(label=_("First name"))
+
+    bank = forms.Field(label=_("Bank"))
+
+    amount = forms.IntegerField(label=_("Amount"), min_value=0)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.helper = FormHelper()
+        # Add submit button
+        self.helper.add_input(Submit('submit', _("Submit"), attr={'class': 'btn btn-block btn-primary'}))
+
+        self.fields["remittance"].queryset = Remittance.objects.filter(closed=False)
+
+    def clean_last_name(self):
+        """
+        Replace the first name in the information of the transaction.
+        """
+        self.instance.transaction.last_name = self.data.get("last_name")
+        self.instance.transaction.clean()
+
+    def clean_first_name(self):
+        """
+        Replace the last name in the information of the transaction.
+        """
+        self.instance.transaction.first_name = self.data.get("first_name")
+        self.instance.transaction.clean()
+
+    def clean_bank(self):
+        """
+        Replace the bank in the information of the transaction.
+        """
+        self.instance.transaction.bank = self.data.get("bank")
+        self.instance.transaction.clean()
+
+    def clean_amount(self):
+        """
+        Replace the amount of the transaction.
+        """
+        self.instance.transaction.amount = self.data.get("amount")
+        self.instance.transaction.clean()
+
+    class Meta:
+        model = SpecialTransactionProxy
+        fields = ('remittance', )

apps/treasury/models.py

@@ -0,0 +1,189 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.core.exceptions import ValidationError
+from django.db import models
+from django.db.models import Q
+from django.utils.translation import gettext_lazy as _
+from note.models import NoteSpecial, SpecialTransaction
+
+
+class Invoice(models.Model):
+    """
+    An invoice model that can generates a true invoice.
+    """
+
+    id = models.PositiveIntegerField(
+        primary_key=True,
+        verbose_name=_("Invoice identifier"),
+    )
+
+    bde = models.CharField(
+        max_length=32,
+        default='Saperlistpopette.png',
+        choices=(
+            ('Saperlistpopette.png', 'Saper[list]popette'),
+            ('Finalist.png', 'Fina[list]'),
+            ('Listorique.png', '[List]orique'),
+            ('Satellist.png', 'Satel[list]'),
+            ('Monopolist.png', 'Monopo[list]'),
+            ('Kataclist.png', 'Katac[list]'),
+        ),
+        verbose_name=_("BDE"),
+    )
+
+    object = models.CharField(
+        max_length=255,
+        verbose_name=_("Object"),
+    )
+
+    description = models.TextField(
+        verbose_name=_("Description")
+    )
+
+    name = models.CharField(
+        max_length=255,
+        verbose_name=_("Name"),
+    )
+
+    address = models.TextField(
+        verbose_name=_("Address"),
+    )
+
+    date = models.DateField(
+        auto_now_add=True,
+        verbose_name=_("Place"),
+    )
+
+    acquitted = models.BooleanField(
+        verbose_name=_("Acquitted"),
+    )
+
+
+class Product(models.Model):
+    """
+    Product that appears on an invoice.
+    """
+
+    invoice = models.ForeignKey(
+        Invoice,
+        on_delete=models.PROTECT,
+    )
+
+    designation = models.CharField(
+        max_length=255,
+        verbose_name=_("Designation"),
+    )
+
+    quantity = models.PositiveIntegerField(
+        verbose_name=_("Quantity")
+    )
+
+    amount = models.IntegerField(
+        verbose_name=_("Unit price")
+    )
+
+    @property
+    def amount_euros(self):
+        return self.amount / 100
+
+    @property
+    def total(self):
+        return self.quantity * self.amount
+
+    @property
+    def total_euros(self):
+        return self.total / 100
+
+
+class RemittanceType(models.Model):
+    """
+    Store what kind of remittances can be stored.
+    """
+
+    note = models.OneToOneField(
+        NoteSpecial,
+        on_delete=models.CASCADE,
+    )
+
+    def __str__(self):
+        return str(self.note)
+
+
+class Remittance(models.Model):
+    """
+    Treasurers want to regroup checks or bank transfers in bank remittances.
+    """
+
+    date = models.DateTimeField(
+        auto_now_add=True,
+        verbose_name=_("Date"),
+    )
+
+    remittance_type = models.ForeignKey(
+        RemittanceType,
+        on_delete=models.PROTECT,
+        verbose_name=_("Type"),
+    )
+
+    comment = models.CharField(
+        max_length=255,
+        verbose_name=_("Comment"),
+    )
+
+    closed = models.BooleanField(
+        default=False,
+        verbose_name=_("Closed"),
+    )
+
+    @property
+    def transactions(self):
+        """
+        :return: Transactions linked to this remittance.
+        """
+        if not self.pk:
+            return SpecialTransaction.objects.none()
+        return SpecialTransaction.objects.filter(specialtransactionproxy__remittance=self)
+
+    def count(self):
+        """
+        Linked transactions count.
+        """
+        return self.transactions.count()
+
+    @property
+    def amount(self):
+        """
+        Total amount of the remittance.
+        """
+        return sum(transaction.total for transaction in self.transactions.all())
+
+    def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
+        # Check if all transactions have the right type.
+        if self.transactions.filter(~Q(source=self.remittance_type.note)).exists():
+            raise ValidationError("All transactions in a remittance must have the same type")
+
+        return super().save(force_insert, force_update, using, update_fields)
+
+    def __str__(self):
+        return _("Remittance #{:d}: {}").format(self.id, self.comment, )
+
+
+class SpecialTransactionProxy(models.Model):
+    """
+    In order to keep modularity, we don't that the Note app depends on the treasury app.
+    That's why we create a proxy in this app, to link special transactions and remittances.
+    If it isn't very clean, that makes what we want.
+    """
+
+    transaction = models.OneToOneField(
+        SpecialTransaction,
+        on_delete=models.CASCADE,
+    )
+
+    remittance = models.ForeignKey(
+        Remittance,
+        on_delete=models.PROTECT,
+        null=True,
+        verbose_name=_("Remittance"),
+    )

apps/treasury/signals.py

@@ -0,0 +1,12 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from treasury.models import SpecialTransactionProxy, RemittanceType
+
+
+def save_special_transaction(instance, created, **kwargs):
+    """
+    When a special transaction is created, we create its linked proxy
+    """
+    if created and RemittanceType.objects.filter(note=instance.source).exists():
+        SpecialTransactionProxy.objects.create(transaction=instance, remittance=None).save()

apps/treasury/tables.py

@@ -0,0 +1,103 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import django_tables2 as tables
+from django.utils.translation import gettext_lazy as _
+from django_tables2 import A
+from note.models import SpecialTransaction
+from note.templatetags.pretty_money import pretty_money
+
+from .models import Invoice, Remittance
+
+
+class InvoiceTable(tables.Table):
+    """
+    List all invoices.
+    """
+    id = tables.LinkColumn("treasury:invoice_update",
+                           args=[A("pk")],
+                           text=lambda record: _("Invoice #{:d}").format(record.id), )
+
+    invoice = tables.LinkColumn("treasury:invoice_render",
+                                verbose_name=_("Invoice"),
+                                args=[A("pk")],
+                                accessor="pk",
+                                text="",
+                                attrs={
+                                    'a': {'class': 'fa fa-file-pdf-o'},
+                                    'td': {'data-turbolinks': 'false'}
+                                })
+
+    class Meta:
+        attrs = {
+            'class': 'table table-condensed table-striped table-hover'
+        }
+        model = Invoice
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('id', 'name', 'object', 'acquitted', 'invoice',)
+
+
+class RemittanceTable(tables.Table):
+    """
+    List all remittances.
+    """
+
+    count = tables.Column(verbose_name=_("Transaction count"))
+
+    amount = tables.Column(verbose_name=_("Amount"))
+
+    view = tables.LinkColumn("treasury:remittance_update",
+                             verbose_name=_("View"),
+                             args=[A("pk")],
+                             text=_("View"),
+                             attrs={
+                                 'a': {'class': 'btn btn-primary'}
+                             }, )
+
+    def render_amount(self, value):
+        return pretty_money(value)
+
+    class Meta:
+        attrs = {
+            'class': 'table table-condensed table-striped table-hover'
+        }
+        model = Remittance
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('id', 'date', 'remittance_type', 'comment', 'count', 'amount', 'view',)
+
+
+class SpecialTransactionTable(tables.Table):
+    """
+    List special credit transactions that are (or not, following the queryset) attached to a remittance.
+    """
+
+    # Display add and remove buttons. Use the `exclude` field to select what is needed.
+    remittance_add = tables.LinkColumn("treasury:link_transaction",
+                                       verbose_name=_("Remittance"),
+                                       args=[A("specialtransactionproxy.pk")],
+                                       text=_("Add"),
+                                       attrs={
+                                           'a': {'class': 'btn btn-primary'}
+                                       }, )
+
+    remittance_remove = tables.LinkColumn("treasury:unlink_transaction",
+                                          verbose_name=_("Remittance"),
+                                          args=[A("specialtransactionproxy.pk")],
+                                          text=_("Remove"),
+                                          attrs={
+                                              'a': {'class': 'btn btn-primary btn-danger'}
+                                          }, )
+
+    def render_id(self, record):
+        return record.specialtransactionproxy.pk
+
+    def render_amount(self, value):
+        return pretty_money(value)
+
+    class Meta:
+        attrs = {
+            'class': 'table table-condensed table-striped table-hover'
+        }
+        model = SpecialTransaction
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('id', 'source', 'destination', 'last_name', 'first_name', 'bank', 'amount', 'reason',)

apps/treasury/urls.py

@@ -0,0 +1,24 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.urls import path
+
+from .views import InvoiceCreateView, InvoiceListView, InvoiceUpdateView, InvoiceRenderView, RemittanceListView,\
+    RemittanceCreateView, RemittanceUpdateView, LinkTransactionToRemittanceView, UnlinkTransactionToRemittanceView
+
+app_name = 'treasury'
+urlpatterns = [
+    # Invoice app paths
+    path('invoice/', InvoiceListView.as_view(), name='invoice_list'),
+    path('invoice/create/', InvoiceCreateView.as_view(), name='invoice_create'),
+    path('invoice/<int:pk>/', InvoiceUpdateView.as_view(), name='invoice_update'),
+    path('invoice/render/<int:pk>/', InvoiceRenderView.as_view(), name='invoice_render'),
+
+    # Remittance app paths
+    path('remittance/', RemittanceListView.as_view(), name='remittance_list'),
+    path('remittance/create/', RemittanceCreateView.as_view(), name='remittance_create'),
+    path('remittance/<int:pk>/', RemittanceUpdateView.as_view(), name='remittance_update'),
+    path('remittance/link_transaction/<int:pk>/', LinkTransactionToRemittanceView.as_view(), name='link_transaction'),
+    path('remittance/unlink_transaction/<int:pk>/', UnlinkTransactionToRemittanceView.as_view(),
+         name='unlink_transaction'),
+]

apps/treasury/views.py

@@ -0,0 +1,316 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import os
+import shutil
+import subprocess
+from tempfile import mkdtemp
+
+from crispy_forms.helper import FormHelper
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import ValidationError
+from django.db.models import Q
+from django.http import HttpResponse
+from django.shortcuts import redirect
+from django.template.loader import render_to_string
+from django.urls import reverse_lazy
+from django.views.generic import CreateView, UpdateView
+from django.views.generic.base import View, TemplateView
+from django_tables2 import SingleTableView
+from note.models import SpecialTransaction, NoteSpecial
+from note_kfet.settings.base import BASE_DIR
+
+from .forms import InvoiceForm, ProductFormSet, ProductFormSetHelper, RemittanceForm, LinkTransactionToRemittanceForm
+from .models import Invoice, Product, Remittance, SpecialTransactionProxy
+from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable
+
+
+class InvoiceCreateView(LoginRequiredMixin, CreateView):
+    """
+    Create Invoice
+    """
+    model = Invoice
+    form_class = InvoiceForm
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+
+        form = context['form']
+        form.helper = FormHelper()
+        # Remove form tag on the generation of the form in the template (already present on the template)
+        form.helper.form_tag = False
+        # The formset handles the set of the products
+        form_set = ProductFormSet(instance=form.instance)
+        context['formset'] = form_set
+        context['helper'] = ProductFormSetHelper()
+        context['no_cache'] = True
+
+        return context
+
+    def form_valid(self, form):
+        ret = super().form_valid(form)
+
+        kwargs = {}
+
+        # The user type amounts in cents. We convert it in euros.
+        for key in self.request.POST:
+            value = self.request.POST[key]
+            if key.endswith("amount") and value:
+                kwargs[key] = str(int(100 * float(value)))
+            elif value:
+                kwargs[key] = value
+
+        # For each product, we save it
+        formset = ProductFormSet(kwargs, instance=form.instance)
+        if formset.is_valid():
+            for f in formset:
+                # We don't save the product if the designation is not entered, ie. if the line is empty
+                if f.is_valid() and f.instance.designation:
+                    f.save()
+                    f.instance.save()
+                else:
+                    f.instance = None
+
+        return ret
+
+    def get_success_url(self):
+        return reverse_lazy('treasury:invoice_list')
+
+
+class InvoiceListView(LoginRequiredMixin, SingleTableView):
+    """
+    List existing Invoices
+    """
+    model = Invoice
+    table_class = InvoiceTable
+
+
+class InvoiceUpdateView(LoginRequiredMixin, UpdateView):
+    """
+    Create Invoice
+    """
+    model = Invoice
+    form_class = InvoiceForm
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+
+        form = context['form']
+        form.helper = FormHelper()
+        # Remove form tag on the generation of the form in the template (already present on the template)
+        form.helper.form_tag = False
+        # Fill the intial value for the date field, with the initial date of the model instance
+        form.fields['date'].initial = form.instance.date
+        # The formset handles the set of the products
+        form_set = ProductFormSet(instance=form.instance)
+        context['formset'] = form_set
+        context['helper'] = ProductFormSetHelper()
+        context['no_cache'] = True
+
+        return context
+
+    def form_valid(self, form):
+        ret = super().form_valid(form)
+
+        kwargs = {}
+        # The user type amounts in cents. We convert it in euros.
+        for key in self.request.POST:
+            value = self.request.POST[key]
+            if key.endswith("amount") and value:
+                kwargs[key] = str(int(100 * float(value)))
+            elif value:
+                kwargs[key] = value
+
+        formset = ProductFormSet(kwargs, instance=form.instance)
+        saved = []
+        # For each product, we save it
+        if formset.is_valid():
+            for f in formset:
+                # We don't save the product if the designation is not entered, ie. if the line is empty
+                if f.is_valid() and f.instance.designation:
+                    f.save()
+                    f.instance.save()
+                    saved.append(f.instance.pk)
+                else:
+                    f.instance = None
+            # Remove old products that weren't given in the form
+            Product.objects.filter(~Q(pk__in=saved), invoice=form.instance).delete()
+
+        return ret
+
+    def get_success_url(self):
+        return reverse_lazy('treasury:invoice_list')
+
+
+class InvoiceRenderView(LoginRequiredMixin, View):
+    """
+    Render Invoice as a generated PDF with the given information and a LaTeX template
+    """
+
+    def get(self, request, **kwargs):
+        pk = kwargs["pk"]
+        invoice = Invoice.objects.get(pk=pk)
+        products = Product.objects.filter(invoice=invoice).all()
+
+        # Informations of the BDE. Should be updated when the school will move.
+        invoice.place = "Cachan"
+        invoice.my_name = "BDE ENS Cachan"
+        invoice.my_address_street = "61 avenue du Président Wilson"
+        invoice.my_city = "94230 Cachan"
+        invoice.bank_code = 30003
+        invoice.desk_code = 3894
+        invoice.account_number = 37280662
+        invoice.rib_key = 14
+        invoice.bic = "SOGEFRPP"
+
+        # Replace line breaks with the LaTeX equivalent
+        invoice.description = invoice.description.replace("\r", "").replace("\n", "\\\\ ")
+        invoice.address = invoice.address.replace("\r", "").replace("\n", "\\\\ ")
+        # Fill the template with the information
+        tex = render_to_string("treasury/invoice_sample.tex", dict(obj=invoice, products=products))
+
+        try:
+            os.mkdir(BASE_DIR + "/tmp")
+        except FileExistsError:
+            pass
+        # We render the file in a temporary directory
+        tmp_dir = mkdtemp(prefix=BASE_DIR + "/tmp/")
+
+        try:
+            with open("{}/invoice-{:d}.tex".format(tmp_dir, pk), "wb") as f:
+                f.write(tex.encode("UTF-8"))
+            del tex
+
+            # The file has to be rendered twice
+            for _ in range(2):
+                error = subprocess.Popen(
+                    ["pdflatex", "invoice-{}.tex".format(pk)],
+                    cwd=tmp_dir,
+                    stdin=open(os.devnull, "r"),
+                    stderr=open(os.devnull, "wb"),
+                    stdout=open(os.devnull, "wb"),
+                ).wait()
+
+                if error:
+                    raise IOError("An error attempted while generating a invoice (code=" + str(error) + ")")
+
+            # Display the generated pdf as a HTTP Response
+            pdf = open("{}/invoice-{}.pdf".format(tmp_dir, pk), 'rb').read()
+            response = HttpResponse(pdf, content_type="application/pdf")
+            response['Content-Disposition'] = "inline;filename=invoice-{:d}.pdf".format(pk)
+        except IOError as e:
+            raise e
+        finally:
+            # Delete all temporary files
+            shutil.rmtree(tmp_dir)
+
+        return response
+
+
+class RemittanceCreateView(LoginRequiredMixin, CreateView):
+    """
+    Create Remittance
+    """
+    model = Remittance
+    form_class = RemittanceForm
+
+    def get_success_url(self):
+        return reverse_lazy('treasury:remittance_list')
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+
+        ctx["table"] = RemittanceTable(data=Remittance.objects.all())
+        ctx["special_transactions"] = SpecialTransactionTable(data=SpecialTransaction.objects.none())
+
+        return ctx
+
+
+class RemittanceListView(LoginRequiredMixin, TemplateView):
+    """
+    List existing Remittances
+    """
+    template_name = "treasury/remittance_list.html"
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+
+        ctx["opened_remittances"] = RemittanceTable(data=Remittance.objects.filter(closed=False).all())
+        ctx["closed_remittances"] = RemittanceTable(data=Remittance.objects.filter(closed=True).reverse().all())
+
+        ctx["special_transactions_no_remittance"] = SpecialTransactionTable(
+            data=SpecialTransaction.objects.filter(source__in=NoteSpecial.objects.filter(~Q(remittancetype=None)),
+                                                   specialtransactionproxy__remittance=None).all(),
+            exclude=('remittance_remove', ))
+        ctx["special_transactions_with_remittance"] = SpecialTransactionTable(
+            data=SpecialTransaction.objects.filter(source__in=NoteSpecial.objects.filter(~Q(remittancetype=None)),
+                                                   specialtransactionproxy__remittance__closed=False).all(),
+            exclude=('remittance_add', ))
+
+        return ctx
+
+
+class RemittanceUpdateView(LoginRequiredMixin, UpdateView):
+    """
+    Update Remittance
+    """
+    model = Remittance
+    form_class = RemittanceForm
+
+    def get_success_url(self):
+        return reverse_lazy('treasury:remittance_list')
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+
+        ctx["table"] = RemittanceTable(data=Remittance.objects.all())
+        data = SpecialTransaction.objects.filter(specialtransactionproxy__remittance=self.object).all()
+        ctx["special_transactions"] = SpecialTransactionTable(
+            data=data,
+            exclude=('remittance_add', 'remittance_remove', ) if self.object.closed else ('remittance_add', ))
+
+        return ctx
+
+
+class LinkTransactionToRemittanceView(LoginRequiredMixin, UpdateView):
+    """
+    Attach a special transaction to a remittance
+    """
+
+    model = SpecialTransactionProxy
+    form_class = LinkTransactionToRemittanceForm
+
+    def get_success_url(self):
+        return reverse_lazy('treasury:remittance_list')
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+
+        form = ctx["form"]
+        form.fields["last_name"].initial = self.object.transaction.last_name
+        form.fields["first_name"].initial = self.object.transaction.first_name
+        form.fields["bank"].initial = self.object.transaction.bank
+        form.fields["amount"].initial = self.object.transaction.amount
+        form.fields["remittance"].queryset = form.fields["remittance"] \
+            .queryset.filter(remittance_type__note=self.object.transaction.source)
+
+        return ctx
+
+
+class UnlinkTransactionToRemittanceView(LoginRequiredMixin, View):
+    """
+    Unlink a special transaction and its remittance
+    """
+
+    def get(self, *args, **kwargs):
+        pk = kwargs["pk"]
+        transaction = SpecialTransactionProxy.objects.get(pk=pk)
+
+        # The remittance must be open (or inexistant)
+        if transaction.remittance and transaction.remittance.closed:
+            raise ValidationError("Remittance is already closed.")
+
+        transaction.remittance = None
+        transaction.save()
+
+        return redirect('treasury:remittance_list')