typo

new default year

See merge request bde/nk20!217

.gitignore

@@ -42,11 +42,13 @@ map.json
 backups/
 /static/
 /media/
+/tmp/
 
 # Virtualenv
 env/
 venv/
 db.sqlite3
+shell.nix
 
 # ansibles customs host
 ansible/host_vars/*.yaml

README.md

@@ -1,8 +1,8 @@
 # NoteKfet 2020
 
 [![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0.txt)
-[![pipeline status](https://gitlab.crans.org/bde/nk20/badges/master/pipeline.svg)](https://gitlab.crans.org/bde/nk20/commits/master)
+[![pipeline status](https://gitlab.crans.org/bde/nk20/badges/main/pipeline.svg)](https://gitlab.crans.org/bde/nk20/commits/main)
-[![coverage report](https://gitlab.crans.org/bde/nk20/badges/master/coverage.svg)](https://gitlab.crans.org/bde/nk20/commits/master)
+[![coverage report](https://gitlab.crans.org/bde/nk20/badges/main/coverage.svg)](https://gitlab.crans.org/bde/nk20/commits/main)
 
 ## Table des matières
 

ansible/base.yml

@@ -7,7 +7,7 @@
       prompt: "Password of the database (leave it blank to skip database init)"
       private: yes
   vars:
-    mirror: mirror.crans.org
+    mirror: eclats.crans.org
   roles:
     - 1-apt-basic
     - 2-nk20

ansible/host_vars/bde-nk20-beta.adh.crans.org.yml

@@ -1,6 +0,0 @@
----
-note:
-  server_name: note-beta.crans.org
-  git_branch: beta
-  cron_enabled: false
-  email: notekfet2020@lists.crans.org

ansible/host_vars/bde-note-dev.adh.crans.org.yml

@@ -2,5 +2,6 @@
 note:
   server_name: note-dev.crans.org
   git_branch: beta
+  serve_static: false
   cron_enabled: false
   email: notekfet2020@lists.crans.org

ansible/host_vars/bde-note.adh.crans.org.yml

@@ -1,6 +1,7 @@
 ---
 note:
   server_name: note.crans.org
-  git_branch: master
+  git_branch: main
+  serve_static: true
   cron_enabled: true
   email: notekfet2020@lists.crans.org

ansible/hosts_example

@@ -1,6 +1,5 @@
 [dev]
 bde-note-dev.adh.crans.org
-bde-nk20-beta.adh.crans.org
 
 [prod]
 bde-note.adh.crans.org

ansible/roles/1-apt-basic/tasks/main.yml

@@ -1,14 +1,15 @@
 ---
-- name: Add buster-backports to apt sources
+- name: Add buster-backports to apt sources if needed
   apt_repository:
     repo: deb http://{{ mirror }}/debian buster-backports main
     state: present
-  when: ansible_facts['distribution'] == "Debian"
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version | int == 10
 
 - name: Install note_kfet APT dependencies
   apt:
     update_cache: true
-    default_release: "{{ 'buster-backports' if ansible_facts['distribution'] == 'Debian' }}"
     install_recommends: false
     name:
       # Common tools

ansible/roles/5-nginx/templates/nginx_note.conf

@@ -41,6 +41,7 @@ server {
     # max upload size
     client_max_body_size 75M;   # adjust to taste
 
+{% if note.serve_static %}
     # Django media
     location /media  {
         alias /var/www/note_kfet/media;  # your Django project's media files - amend as required
@@ -50,6 +51,7 @@ server {
         alias /var/www/note_kfet/static; # your Django project's static files - amend as required
     }
 
+{% endif %}
     location /doc {
         alias /var/www/documentation;    # The documentation of the project
     }

apps/activity/fixtures/initial.json

@@ -6,7 +6,7 @@
             "name": "Pot",
             "manage_entries": true,
             "can_invite": true,
-            "guest_entry_fee": 500
+            "guest_entry_fee": 1000
         }
     },
     {
@@ -28,5 +28,25 @@
             "can_invite": false,
             "guest_entry_fee": 0
         }
+    },
+    {
+        "model": "activity.activitytype",
+        "pk": 5,
+        "fields": {
+            "name": "Soir\u00e9e avec entrées",
+            "manage_entries": true,
+            "can_invite": false,
+            "guest_entry_fee": 0
+        }
+    },
+    {
+        "model": "activity.activitytype",
+        "pk": 7,
+        "fields": {
+            "name": "Soir\u00e9e avec invitations",
+            "manage_entries": true,
+            "can_invite": true,
+            "guest_entry_fee": 0
+        }
     }
 ]

apps/activity/forms.py

@@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
 from member.models import Club
 from note.models import Note, NoteUser
 from note_kfet.inputs import Autocomplete, DateTimePickerInput
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
 from .models import Activity, Guest
@@ -24,10 +24,16 @@ class ActivityForm(forms.ModelForm):
         self.fields["attendees_club"].initial = Club.objects.get(name="Kfet")
         self.fields["attendees_club"].widget.attrs["placeholder"] = "Kfet"
         clubs = list(Club.objects.filter(PermissionBackend
-                                         .filter_queryset(get_current_authenticated_user(), Club, "view")).all())
+                                         .filter_queryset(get_current_request(), Club, "view")).all())
         shuffle(clubs)
         self.fields["organizer"].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."
 
+    def clean_organizer(self):
+        organizer = self.cleaned_data['organizer']
+        if not organizer.note.is_active:
+            self.add_error('organiser', _('The note of this club is inactive.'))
+        return organizer
+
     def clean_date_end(self):
         date_end = self.cleaned_data["date_end"]
         date_start = self.cleaned_data["date_start"]

apps/activity/tables.py

@@ -1,7 +1,9 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from django.utils import timezone
-from django.utils.html import format_html
+from django.utils.html import escape
+from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
 import django_tables2 as tables
 from django_tables2 import A
@@ -52,8 +54,8 @@ class GuestTable(tables.Table):
     def render_entry(self, record):
         if record.has_entry:
             return str(_("Entered on ") + str(_("{:%Y-%m-%d %H:%M:%S}").format(record.entry.time, )))
-        return format_html('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
+        return mark_safe('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
-                           '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))
+                         '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))
 
 
 def get_row_class(record):
@@ -91,7 +93,7 @@ class EntryTable(tables.Table):
         if hasattr(record, 'username'):
             username = record.username
             if username != value:
-                return format_html(value + " <em>aka.</em> " + username)
+                return mark_safe(escape(value) + " <em>aka.</em> " + escape(username))
         return value
 
     def render_balance(self, value):

apps/activity/templates/activity/activity_entry.html

@@ -63,7 +63,12 @@ SPDX-License-Identifier: GPL-3.0-or-later
         refreshBalance();
     }
 
-    alias_obj.keyup(reloadTable);
+    alias_obj.keyup(function(event) {
+        let code = event.originalEvent.keyCode
+        if (65 <= code <= 122 || code === 13) {
+            debounce(reloadTable)()
+        }
+    });
 
     $(document).ready(init);
 

apps/activity/views.py

@@ -66,21 +66,19 @@ class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView
     ordering = ('-date_start',)
     extra_context = {"title": _("Activities")}
 
-    def get_queryset(self):
+    def get_queryset(self, **kwargs):
-        return super().get_queryset().distinct()
+        return super().get_queryset(**kwargs).distinct()
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
 
         upcoming_activities = Activity.objects.filter(date_end__gt=timezone.now())
         context['upcoming'] = ActivityTable(
-            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")),
+            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request, Activity, "view")),
             prefix='upcoming-',
         )
 
-        started_activities = Activity.objects\
+        started_activities = self.get_queryset().filter(open=True, valid=True).distinct().all()
-            .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
-            .filter(open=True, valid=True).all()
         context["started_activities"] = started_activities
 
         return context
@@ -98,7 +96,7 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data()
 
         table = GuestTable(data=Guest.objects.filter(activity=self.object)
-                           .filter(PermissionBackend.filter_queryset(self.request.user, Guest, "view")))
+                           .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")))
         context["guests"] = table
 
         context["activity_started"] = timezone.now() > timezone.localtime(self.object.date_start)
@@ -144,15 +142,15 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
 
     def get_form(self, form_class=None):
         form = super().get_form(form_class)
-        form.activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
+        form.activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
-            .get(pk=self.kwargs["pk"])
+            .filter(pk=self.kwargs["pk"]).first()
         form.fields["inviter"].initial = self.request.user.note
         return form
 
     @transaction.atomic
     def form_valid(self, form):
         form.instance.activity = Activity.objects\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")).get(pk=self.kwargs["pk"])
+            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).get(pk=self.kwargs["pk"])
         return super().form_valid(form)
 
     def get_success_url(self, **kwargs):
@@ -170,10 +168,13 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         Don't display the entry interface if the user has no right to see it (no right to add an entry for itself),
         it is closed or doesn't manage entries.
         """
+        if not self.request.user.is_authenticated:
+            return self.handle_no_permission()
+
         activity = Activity.objects.get(pk=self.kwargs["pk"])
 
         sample_entry = Entry(activity=activity, note=self.request.user.note)
-        if not PermissionBackend.check_perm(self.request.user, "activity.add_entry", sample_entry):
+        if not PermissionBackend.check_perm(self.request, "activity.add_entry", sample_entry):
             raise PermissionDenied(_("You are not allowed to display the entry interface for this activity."))
 
         if not activity.activity_type.manage_entries:
@@ -191,8 +192,8 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         guest_qs = Guest.objects\
             .annotate(balance=F("inviter__balance"), note_name=F("inviter__user__username"))\
             .filter(activity=activity)\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Guest, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request, Guest, "view"))\
-            .order_by('last_name', 'first_name').distinct()
+            .order_by('last_name', 'first_name')
 
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
@@ -206,7 +207,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
             )
         else:
             guest_qs = guest_qs.none()
-        return guest_qs
+        return guest_qs.distinct()
 
     def get_invited_note(self, activity):
         """
@@ -230,7 +231,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         )
 
         # Filter with permission backend
-        note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view"))
+        note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request, Alias, "view"))
 
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
@@ -256,7 +257,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         """
         context = super().get_context_data(**kwargs)
 
-        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
+        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
             .distinct().get(pk=self.kwargs["pk"])
         context["activity"] = activity
 
@@ -281,9 +282,9 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         context["notespecial_ctype"] = ContentType.objects.get_for_model(NoteSpecial).pk
 
         activities_open = Activity.objects.filter(open=True).filter(
-            PermissionBackend.filter_queryset(self.request.user, Activity, "view")).distinct().all()
+            PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().all()
         context["activities_open"] = [a for a in activities_open
-                                      if PermissionBackend.check_perm(self.request.user,
+                                      if PermissionBackend.check_perm(self.request,
                                                                       "activity.add_entry",
                                                                       Entry(activity=a, note=self.request.user.note,))]
 

apps/api/pagination.py

@@ -0,0 +1,5 @@
+from rest_framework.pagination import PageNumberPagination
+
+
+class CustomPagination(PageNumberPagination):
+    page_size_query_param = 'page_size'

apps/api/serializers.py

@@ -7,8 +7,11 @@ from django.contrib.auth.models import User
 from django.utils import timezone
 from rest_framework import serializers
 from member.api.serializers import ProfileSerializer, MembershipSerializer
+from member.models import Membership
 from note.api.serializers import NoteSerializer
 from note.models import Alias
+from note_kfet.middlewares import get_current_request
+from permission.backends import PermissionBackend
 
 
 class UserSerializer(serializers.ModelSerializer):
@@ -45,18 +48,30 @@ class OAuthSerializer(serializers.ModelSerializer):
     """
     normalized_name = serializers.SerializerMethodField()
 
-    profile = ProfileSerializer()
+    profile = serializers.SerializerMethodField()
 
-    note = NoteSerializer()
+    note = serializers.SerializerMethodField()
 
     memberships = serializers.SerializerMethodField()
 
     def get_normalized_name(self, obj):
         return Alias.normalize(obj.username)
 
+    def get_profile(self, obj):
+        # Display the profile of the user only if we have rights to see it.
+        return ProfileSerializer().to_representation(obj.profile) \
+            if PermissionBackend.check_perm(get_current_request(), 'member.view_profile', obj.profile) else None
+
+    def get_note(self, obj):
+        # Display the note of the user only if we have rights to see it.
+        return NoteSerializer().to_representation(obj.note) \
+            if PermissionBackend.check_perm(get_current_request(), 'note.view_note', obj.note) else None
+
     def get_memberships(self, obj):
+        # Display only memberships that we are allowed to see.
         return serializers.ListSerializer(child=MembershipSerializer()).to_representation(
-            obj.memberships.filter(date_start__lte=timezone.now(), date_end__gte=timezone.now()))
+            obj.memberships.filter(date_start__lte=timezone.now(), date_end__gte=timezone.now())
+                           .filter(PermissionBackend.filter_queryset(get_current_request(), Membership, 'view')))
 
     class Meta:
         model = User

apps/api/viewsets.py

@@ -9,7 +9,6 @@ from django.contrib.auth.models import User
 from rest_framework.filters import SearchFilter
 from rest_framework.viewsets import ReadOnlyModelViewSet, ModelViewSet
 from permission.backends import PermissionBackend
-from note_kfet.middlewares import get_current_session
 from note.models import Alias
 
 from .serializers import UserSerializer, ContentTypeSerializer
@@ -25,9 +24,7 @@ class ReadProtectedModelViewSet(ModelViewSet):
         self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()
 
     def get_queryset(self):
-        user = self.request.user
+        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()
-        get_current_session().setdefault("permission_mask", 42)
-        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
 
 
 class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
@@ -40,9 +37,7 @@ class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
         self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()
 
     def get_queryset(self):
-        user = self.request.user
+        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()
-        get_current_session().setdefault("permission_mask", 42)
-        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
 
 
 class UserViewSet(ReadProtectedModelViewSet):

apps/logs/signals.py

@@ -5,7 +5,7 @@ from django.contrib.contenttypes.models import ContentType
 from rest_framework.renderers import JSONRenderer
 from rest_framework.serializers import ModelSerializer
 from note.models import NoteUser, Alias
-from note_kfet.middlewares import get_current_authenticated_user, get_current_ip
+from note_kfet.middlewares import get_current_request
 
 from .models import Changelog
 
@@ -57,9 +57,9 @@ def save_object(sender, instance, **kwargs):
     previous = instance._previous
 
     # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
-    user, ip = get_current_authenticated_user(), get_current_ip()
+    request = get_current_request()
 
-    if user is None:
+    if request is None:
         # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
         # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
         # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
@@ -71,9 +71,23 @@ def save_object(sender, instance, **kwargs):
         # else:
         if note.exists():
             user = note.get().user
+        else:
+            user = None
+    else:
+        user = request.user
+        if 'HTTP_X_REAL_IP' in request.META:
+            ip = request.META.get('HTTP_X_REAL_IP')
+        elif 'HTTP_X_FORWARDED_FOR' in request.META:
+            ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
+        else:
+            ip = request.META.get('REMOTE_ADDR')
+
+        if not user.is_authenticated:
+            # For registration and OAuth2 purposes
+            user = None
 
     # noinspection PyProtectedMember
-    if user is not None and instance._meta.label_lower == "auth.user" and previous:
+    if request is not None and instance._meta.label_lower == "auth.user" and previous:
         # On n'enregistre pas les connexions
         if instance.last_login != previous.last_login:
             return
@@ -121,9 +135,9 @@ def delete_object(sender, instance, **kwargs):
         return
 
     # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
-    user, ip = get_current_authenticated_user(), get_current_ip()
+    request = get_current_request()
 
-    if user is None:
+    if request is None:
         # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
         # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
         # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
@@ -135,6 +149,20 @@ def delete_object(sender, instance, **kwargs):
         # else:
         if note.exists():
             user = note.get().user
+        else:
+            user = None
+    else:
+        user = request.user
+        if 'HTTP_X_REAL_IP' in request.META:
+            ip = request.META.get('HTTP_X_REAL_IP')
+        elif 'HTTP_X_FORWARDED_FOR' in request.META:
+            ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
+        else:
+            ip = request.META.get('REMOTE_ADDR')
+
+        if not user.is_authenticated:
+            # For registration and OAuth2 purposes
+            user = None
 
     # On crée notre propre sérialiseur JSON pour pouvoir sauvegarder les modèles
     class CustomSerializer(ModelSerializer):

apps/member/forms.py

@@ -47,6 +47,13 @@ class ProfileForm(forms.ModelForm):
 
     last_report = forms.DateTimeField(required=False, disabled=True, label=_("Last report date"))
 
+    VSS_charter_read = forms.BooleanField(
+        required=True,
+        label=_("Anti-VSS (<em>Violences Sexistes et Sexuelles</em>) charter read and approved"),
+        help_text=_("Tick after having read and accepted the anti-VSS charter \
+        <a href=https://perso.crans.org/club-bde/Charte-anti-VSS.pdf target=_blank> available here in pdf</a>")
+    )
+
     def clean_promotion(self):
         promotion = self.cleaned_data["promotion"]
         if promotion > timezone.now().year:

apps/member/hashers.py

@@ -2,11 +2,13 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import hashlib
+from collections import OrderedDict
 
 from django.conf import settings
-from django.contrib.auth.hashers import PBKDF2PasswordHasher
+from django.contrib.auth.hashers import PBKDF2PasswordHasher, mask_hash
 from django.utils.crypto import constant_time_compare
-from note_kfet.middlewares import get_current_authenticated_user, get_current_session
+from django.utils.translation import gettext_lazy as _
+from note_kfet.middlewares import get_current_request
 
 
 class CustomNK15Hasher(PBKDF2PasswordHasher):
@@ -24,16 +26,22 @@ class CustomNK15Hasher(PBKDF2PasswordHasher):
 
     def must_update(self, encoded):
         if settings.DEBUG:
-            current_user = get_current_authenticated_user()
+            # Small hack to let superusers to impersonate people.
+            # Don't change their password.
+            request = get_current_request()
+            current_user = request.user
             if current_user is not None and current_user.is_superuser:
                 return False
         return True
 
     def verify(self, password, encoded):
         if settings.DEBUG:
-            current_user = get_current_authenticated_user()
+            # Small hack to let superusers to impersonate people.
+            # If a superuser is already connected, let him/her log in as another person.
+            request = get_current_request()
+            current_user = request.user
             if current_user is not None and current_user.is_superuser\
-                    and get_current_session().get("permission_mask", -1) >= 42:
+                    and request.session.get("permission_mask", -1) >= 42:
                 return True
 
         if '|' in encoded:
@@ -41,6 +49,18 @@ class CustomNK15Hasher(PBKDF2PasswordHasher):
             return constant_time_compare(hashlib.sha256((salt + password).encode("utf-8")).hexdigest(), db_hashed_pass)
         return super().verify(password, encoded)
 
+    def safe_summary(self, encoded):
+        # Displayed information in Django Admin.
+        if '|' in encoded:
+            salt, db_hashed_pass = encoded.split('$')[2].split('|')
+            return OrderedDict([
+                (_('algorithm'), 'custom_nk15'),
+                (_('iterations'), '1'),
+                (_('salt'), mask_hash(salt)),
+                (_('hash'), mask_hash(db_hashed_pass)),
+            ])
+        return super().safe_summary(encoded)
+
 
 class DebugSuperuserBackdoor(PBKDF2PasswordHasher):
     """
@@ -51,8 +71,11 @@ class DebugSuperuserBackdoor(PBKDF2PasswordHasher):
 
     def verify(self, password, encoded):
         if settings.DEBUG:
-            current_user = get_current_authenticated_user()
+            # Small hack to let superusers to impersonate people.
+            # If a superuser is already connected, let him/her log in as another person.
+            request = get_current_request()
+            current_user = request.user
             if current_user is not None and current_user.is_superuser\
-                    and get_current_session().get("permission_mask", -1) >= 42:
+                    and request.session.get("permission_mask", -1) >= 42:
                 return True
         return super().verify(password, encoded)

apps/member/migrations/0003_create_bde_and_kfet.py

@@ -19,8 +19,8 @@ def create_bde_and_kfet(apps, schema_editor):
         membership_fee_paid=500,
         membership_fee_unpaid=500,
         membership_duration=396,
-        membership_start="2020-08-01",
+        membership_start="2021-08-01",
-        membership_end="2021-09-30",
+        membership_end="2022-09-30",
     )
     Club.objects.get_or_create(
         id=2,
@@ -31,8 +31,8 @@ def create_bde_and_kfet(apps, schema_editor):
         membership_fee_paid=3500,
         membership_fee_unpaid=3500,
         membership_duration=396,
-        membership_start="2020-08-01",
+        membership_start="2021-08-01",
-        membership_end="2021-09-30",
+        membership_end="2022-09-30",
     )
 
     NoteClub.objects.get_or_create(

apps/member/migrations/0008_auto_20211005_1544.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.24 on 2021-10-05 13:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0007_auto_20210313_1235'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='department',
+            field=models.CharField(choices=[('A0', 'Informatics (A0)'), ('A1', 'Mathematics (A1)'), ('A2', 'Physics (A2)'), ("A'2", "Applied physics (A'2)"), ("A''2", "Chemistry (A''2)"), ('A3', 'Biology (A3)'), ('B1234', 'SAPHIRE (B1234)'), ('B1', 'Mechanics (B1)'), ('B2', 'Civil engineering (B2)'), ('B3', 'Mechanical engineering (B3)'), ('B4', 'EEA (B4)'), ('C', 'Design (C)'), ('D2', 'Economy-management (D2)'), ('D3', 'Social sciences (D3)'), ('E', 'English (E)'), ('EXT', 'External (EXT)')], max_length=8, verbose_name='department'),
+        ),
+    ]

apps/member/migrations/0009_auto_20220904_2325.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.26 on 2022-09-04 21:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0008_auto_20211005_1544'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2022, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]

apps/member/migrations/0010_new_default_year.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-08-23 21:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0009_auto_20220904_2325'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2023, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]

apps/member/migrations/0011_profile_vss_charter_read.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-08-31 09:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0010_new_default_year'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='profile',
+            name='VSS_charter_read',
+            field=models.BooleanField(default=False, verbose_name='VSS charter read'),
+        ),
+    ]

apps/member/models.py

@@ -57,7 +57,7 @@ class Profile(models.Model):
             ('A1', _("Mathematics (A1)")),
             ('A2', _("Physics (A2)")),
             ("A'2", _("Applied physics (A'2)")),
-            ('A''2', _("Chemistry (A''2)")),
+            ("A''2", _("Chemistry (A''2)")),
             ('A3', _("Biology (A3)")),
             ('B1234', _("SAPHIRE (B1234)")),
             ('B1', _("Mechanics (B1)")),
@@ -74,7 +74,7 @@ class Profile(models.Model):
 
     promotion = models.PositiveSmallIntegerField(
         null=True,
-        default=datetime.date.today().year,
+        default=datetime.date.today().year if datetime.date.today().month >= 8 else datetime.date.today().year - 1,
         verbose_name=_("promotion"),
         help_text=_("Year of entry to the school (None if not ENS student)"),
     )
@@ -134,6 +134,11 @@ class Profile(models.Model):
         default=False,
     )
 
+    VSS_charter_read = models.BooleanField(
+        verbose_name=_("VSS charter read"),
+        default=False
+    )
+
     @property
     def ens_year(self):
         """
@@ -258,16 +263,18 @@ class Club(models.Model):
         This function is called each time the club detail view is displayed.
         Update the year of the membership dates.
         """
-        if not self.membership_start:
+        if not self.membership_start or not self.membership_end:
             return
 
         today = datetime.date.today()
 
-        if (today - self.membership_start).days >= 365:
+        while (today - self.membership_start).days >= 365:
-            self.membership_start = datetime.date(self.membership_start.year + 1,
+            if self.membership_start:
-                                                  self.membership_start.month, self.membership_start.day)
+                self.membership_start = datetime.date(self.membership_start.year + 1,
-            self.membership_end = datetime.date(self.membership_end.year + 1,
+                                                      self.membership_start.month, self.membership_start.day)
-                                                self.membership_end.month, self.membership_end.day)
+            if self.membership_end:
+                self.membership_end = datetime.date(self.membership_end.year + 1,
+                                                    self.membership_end.month, self.membership_end.day)
             self._force_save = True
             self.save(force_update=True)
 
@@ -413,6 +420,12 @@ class Membership(models.Model):
         """
         Calculate fee and end date before saving the membership and creating the transaction if needed.
         """
+        # Ensure that club membership dates are valid
+        old_membership_start = self.club.membership_start
+        self.club.update_membership_dates()
+        if self.club.membership_start != old_membership_start:
+            self.club.save()
+
         created = not self.pk
         if not created:
             for role in self.roles.all():

apps/member/static/member/js/trust.js

@@ -0,0 +1,53 @@
+/**
+ * On form submit, create a new friendship
+ */
+function create_trust (e) {
+  // Do not submit HTML form
+  e.preventDefault()
+
+  // Get data and send to API
+  const formData = new FormData(e.target)
+  $.getJSON('/api/note/alias/'+formData.get('trusted') + '/',
+    function (trusted_alias) {
+      if ((trusted_alias.note == formData.get('trusting')))
+      {
+         addMsg(gettext("You can't add yourself as a friend"), "danger")
+         return
+      }
+      $.post('/api/note/trust/', {
+        csrfmiddlewaretoken: formData.get('csrfmiddlewaretoken'),
+        trusting: formData.get('trusting'),
+        trusted: trusted_alias.note
+      }).done(function () {
+        // Reload table
+        $('#trust_table').load(location.pathname + ' #trust_table')
+        addMsg(gettext('Friendship successfully added'), 'success')
+      }).fail(function (xhr, _textStatus, _error) {
+        errMsg(xhr.responseJSON)
+      })
+    }).fail(function (xhr, _textStatus, _error) {
+        errMsg(xhr.responseJSON)
+    })
+}
+
+/**
+ * On click of "delete", delete the alias
+ * @param button_id:Integer Alias id to remove
+ */
+function delete_button (button_id) {
+  $.ajax({
+    url: '/api/note/trust/' + button_id + '/',
+    method: 'DELETE',
+    headers: { 'X-CSRFTOKEN': CSRF_TOKEN }
+  }).done(function () {
+    addMsg(gettext('Friendship successfully deleted'), 'success')
+    $('#trust_table').load(location.pathname + ' #trust_table')
+  }).fail(function (xhr, _textStatus, _error) {
+    errMsg(xhr.responseJSON)
+  })
+}
+
+$(document).ready(function () {
+  // Attach event
+  document.getElementById('form_trust').addEventListener('submit', create_trust)
+})

apps/member/tables.py

@@ -9,7 +9,7 @@ from django.utils.translation import gettext_lazy as _
 from django.urls import reverse_lazy
 from django.utils.html import format_html
 from note.templatetags.pretty_money import pretty_money
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
 from .models import Club, Membership
@@ -31,7 +31,8 @@ class ClubTable(tables.Table):
         row_attrs = {
             'class': 'table-row',
             'id': lambda record: "row-" + str(record.pk),
-            'data-href': lambda record: record.pk
+            'data-href': lambda record: record.pk,
+            'style': 'cursor:pointer',
         }
 
 
@@ -51,19 +52,19 @@ class UserTable(tables.Table):
     def render_email(self, record, value):
         # Replace the email by a dash if the user can't see the profile detail
         # Replace also the URL
-        if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
+        if not PermissionBackend.check_perm(get_current_request(), "member.view_profile", record.profile):
             value = "—"
             record.email = value
         return value
 
     def render_section(self, record, value):
         return value \
-            if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
+            if PermissionBackend.check_perm(get_current_request(), "member.view_profile", record.profile) \
             else "—"
 
     def render_balance(self, record, value):
         return pretty_money(value)\
-            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"
+            if PermissionBackend.check_perm(get_current_request(), "note.view_note", record.note) else "—"
 
     class Meta:
         attrs = {
@@ -74,7 +75,8 @@ class UserTable(tables.Table):
         model = User
         row_attrs = {
             'class': 'table-row',
-            'data-href': lambda record: record.pk
+            'data-href': lambda record: record.pk,
+            'style': 'cursor:pointer',
         }
 
 
@@ -93,7 +95,7 @@ class MembershipTable(tables.Table):
     def render_user(self, value):
         # If the user has the right, link the displayed user with the page of its detail.
         s = value.username
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)
 
@@ -102,7 +104,7 @@ class MembershipTable(tables.Table):
     def render_club(self, value):
         # If the user has the right, link the displayed club with the page of its detail.
         s = value.name
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_club", value):
+        if PermissionBackend.check_perm(get_current_request(), "member.view_club", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:club_detail', kwargs={"pk": value.pk}), name=s)
 
@@ -118,7 +120,7 @@ class MembershipTable(tables.Table):
                     club=record.club,
                     user=record.user,
                     date_start__gte=record.club.membership_start,
-                    date_end__lte=record.club.membership_end,
+                    date_end__lte=record.club.membership_end or date(9999, 12, 31),
             ).exists():  # If the renew is not yet performed
                 empty_membership = Membership(
                     club=record.club,
@@ -127,7 +129,7 @@ class MembershipTable(tables.Table):
                     date_end=date.today(),
                     fee=0,
                 )
-                if PermissionBackend.check_perm(get_current_authenticated_user(),
+                if PermissionBackend.check_perm(get_current_request(),
                                                 "member.add_membership", empty_membership):  # If the user has right
                     renew_url = reverse_lazy('member:club_renew_membership',
                                              kwargs={"pk": record.pk})
@@ -142,7 +144,7 @@ class MembershipTable(tables.Table):
         # If the user has the right to manage the roles, display the link to manage them
         roles = record.roles.all()
         s = ", ".join(str(role) for role in roles)
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.change_membership_roles", record):
+        if PermissionBackend.check_perm(get_current_request(), "member.change_membership_roles", record):
             s = format_html("<a href='" + str(reverse_lazy("member:club_manage_roles", kwargs={"pk": record.pk}))
                             + "'>" + s + "</a>")
         return s
@@ -165,7 +167,7 @@ class ClubManagerTable(tables.Table):
     def render_user(self, value):
         # If the user has the right, link the displayed user with the page of its detail.
         s = value.username
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)
 

apps/member/templates/member/includes/profile_info.html

@@ -25,6 +25,14 @@
         </a>
     </dd>
 
+    <dt class="col-xl-6">{% trans 'friendships'|capfirst %}</dt>
+    <dd class="col-xl-6">
+        <a class="badge badge-secondary" href="{% url 'member:user_trust' user_object.pk %}">
+            <i class="fa fa-edit"></i>
+            {% trans 'Manage friendships' %} ({{ user_object.note.trusting.all|length }})
+        </a>
+    </dd>
+
     {% if "member.view_profile"|has_perm:user_object.profile %}
         <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
         <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
@@ -39,13 +47,13 @@
         <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
         <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
 
-        {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
-        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
-        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
-
         <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
         <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
-        {% endif %}
+    {% endif %}
+
+    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
+        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
     {% endif %}
 </dl>
 

apps/member/templates/member/manage_auth_tokens.html

@@ -5,32 +5,98 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% load i18n %}
 
 {% block content %}
-<div class="alert alert-info">
+<div class="row mt-4">
-    <h4>À quoi sert un jeton d'authentification ?</h4>
+    <div class="col-xl-6">
+        <div class="card">
+            <div class="card-header text-center">
+                <h3>{% trans "Token authentication" %}</h3>
+            </div>
+            <div class="card-body">
+                <div class="alert alert-info">
+                    <h4>À quoi sert un jeton d'authentification ?</h4>
 
-    Un jeton vous permet de vous connecter à <a href="/api/">l'API de la Note Kfet</a>.<br />
+                    Un jeton vous permet de vous connecter à <a href="/api/">l'API de la Note Kfet</a> via votre propre compte
-    Il suffit pour cela d'ajouter en en-tête de vos requêtes <code>Authorization: Token &lt;TOKEN&gt;</code>
+                    depuis un client externe.<br />
-    pour pouvoir vous identifier.<br /><br />
+                    Il suffit pour cela d'ajouter en en-tête de vos requêtes <code>Authorization: Token &lt;TOKEN&gt;</code>
+                    pour pouvoir vous identifier.<br /><br />
 
-    Une documentation de l'API arrivera ultérieurement.
+                    La documentation de l'API est disponible ici :
+                    <a href="/doc/api/">{{ request.scheme }}://{{ request.get_host }}/doc/api/</a>.
+                </div>
+
+                <div class="alert alert-info">
+                    <strong>{%trans  'Token' %} :</strong>
+                    {% if 'show' in request.GET %}
+                    {{ token.key }} (<a href="?">cacher</a>)
+                    {% else %}
+                    <em>caché</em> (<a href="?show">montrer</a>)
+                    {% endif %}
+                    <br />
+                    <strong>{%trans  'Created' %} :</strong> {{ token.created }}
+                </div>
+
+                <div class="alert alert-warning">
+                    <strong>{% trans "Warning" %} :</strong> regénérer le jeton va révoquer tout accès autorisé à l'API via ce jeton !
+                </div>
+            </div>
+            <div class="card-footer text-center">
+                <a href="?regenerate">
+                    <button class="btn btn-primary">{% trans 'Regenerate token' %}</button>
+                </a>
+            </div>
+        </div>
+    </div>
+
+    <div class="col-xl-6">
+        <div class="card">
+            <div class="card-header text-center">
+                <h3>{% trans "OAuth2 authentication" %}</h3>
+            </div>
+            <div class="card-header">
+                <div class="alert alert-info">
+                    <p>
+                        La Note Kfet implémente également le protocole <a href="https://oauth.net/2/">OAuth2</a>, afin de
+                        permettre à des applications tierces d'interagir avec la Note en récoltant des informations
+                        (de connexion par exemple) voir en permettant des modifications à distance, par exemple lorsqu'il
+                        s'agit d'avoir un site marchand sur lequel faire des transactions via la Note Kfet.
+                    </p>
+
+                    <p>
+                        L'usage de ce protocole est recommandé pour tout usage non personnel, car permet de mieux cibler
+                        les droits dont on a besoin, en restreignant leur usage par jeton généré.
+                    </p>
+
+                    <p>
+                        La documentation vis-à-vis de l'usage de ce protocole est disponible ici :
+                        <a href="/doc/external_services/oauth2/">{{ request.scheme }}://{{ request.get_host }}/doc/external_services/oauth2/</a>.
+                    </p>
+                </div>
+
+                Liste des URL à communiquer à votre application :
+
+                <ul>
+                    <li>
+                        {% trans "Authorization:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:authorize' %}</a>
+                    </li>
+                    <li>
+                        {% trans "Token:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:token' %}</a>
+                    </li>
+                    <li>
+                        {% trans "Revoke Token:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:revoke-token' %}</a>
+                    </li>
+                    <li>
+                        {% trans "Introspect Token:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:introspect' %}</a>
+                    </li>
+                </ul>
+            </div>
+            <div class="card-footer text-center">
+                <a class="btn btn-primary" href="{% url 'oauth2_provider:list' %}">{% trans "Show my applications" %}</a>
+            </div>
+        </div>
+    </div>
 </div>
-
-<div class="alert alert-info">
-    <strong>{%trans  'Token' %} :</strong>
-    {% if 'show' in request.GET %}
-    {{ token.key }} (<a href="?">cacher</a>)
-    {% else %}
-    <em>caché</em> (<a href="?show">montrer</a>)
-    {% endif %}
-    <br />
-    <strong>{%trans  'Created' %} :</strong> {{ token.created }}
-</div>
-
-<div class="alert alert-warning">
-    <strong>Attention :</strong> regénérer le jeton va révoquer tout accès autorisé à l'API via ce jeton !
-</div>
-
-<a href="?regenerate">
-    <button class="btn btn-primary">{% trans 'Regenerate token' %}</button>
-</a>
 {% endblock %}

apps/member/templates/member/profile_trust.html

@@ -0,0 +1,41 @@
+{% extends "member/base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load static django_tables2 i18n %}
+
+{% block profile_content %}
+<div class="card bg-light mb-3">
+    <h3 class="card-header text-center">
+        {% trans "Note friendships" %}
+    </h3>
+    <div class="card-body">
+        {% if can_create %}
+            <form class="input-group" method="POST" id="form_trust">
+                {% csrf_token %}
+                <input type="hidden" name="trusting" value="{{ object.note.pk }}">
+                {%include "autocomplete_model.html" %}
+                <div class="input-group-append">
+                    <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
+                </div>
+            </form>
+        {% endif %}
+    </div>
+    {% render_table trusting %}
+</div>
+
+<div class="alert alert-warning card">
+    {% blocktrans trimmed %}
+        Adding someone as a friend enables them to initiate transactions coming
+        from your account (while keeping your balance positive). This is
+        designed to simplify using note kfet transfers to transfer money between
+        users. The intent is that one person can make all transfers for a group of
+        friends without needing additional rights among them.
+    {% endblocktrans %}
+</div>
+{% endblock %}
+
+{% block extrajavascript %}
+<script src="{% static "member/js/trust.js" %}"></script>
+<script src="{% static "js/autocomplete_model.js" %}"></script>
+{% endblock%}

apps/member/tests/test_memberships.py

@@ -183,7 +183,7 @@ class TestMemberships(TestCase):
                 club = Club.objects.get(name="Kfet")
             else:
                 club = Club.objects.create(
-                    name="Second club " + ("with BDE" if bde_parent else "without BDE"),
+                    name="Second club without BDE",
                     parent_club=None,
                     email="newclub@example.com",
                     require_memberships=True,
@@ -335,6 +335,7 @@ class TestMemberships(TestCase):
             ml_sports_registration=True,
             ml_art_registration=True,
             report_frequency=7,
+            VSS_charter_read=True
         ))
         self.assertRedirects(response, self.user.profile.get_absolute_url(), 302, 200)
         self.assertTrue(User.objects.filter(username="toto changed").exists())

apps/member/urls.py

@@ -23,5 +23,6 @@ urlpatterns = [
     path('user/<int:pk>/update/', views.UserUpdateView.as_view(), name="user_update_profile"),
     path('user/<int:pk>/update_pic/', views.ProfilePictureUpdateView.as_view(), name="user_update_pic"),
     path('user/<int:pk>/aliases/', views.ProfileAliasView.as_view(), name="user_alias"),
+    path('user/<int:pk>/trust', views.ProfileTrustView.as_view(), name="user_trust"),
     path('manage-auth-token/', views.ManageAuthTokens.as_view(), name='auth_token'),
 ]

apps/member/views.py

@@ -8,6 +8,7 @@ from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.models import User
 from django.contrib.auth.views import LoginView
+from django.contrib.contenttypes.models import ContentType
 from django.db import transaction
 from django.db.models import Q, F
 from django.shortcuts import redirect
@@ -18,10 +19,10 @@ from django.views.generic import DetailView, UpdateView, TemplateView
 from django.views.generic.edit import FormMixin
 from django_tables2.views import SingleTableView
 from rest_framework.authtoken.models import Token
-from note.models import Alias, NoteUser
+from note.models import Alias, NoteClub, NoteUser, Trust
 from note.models.transactions import Transaction, SpecialTransaction
-from note.tables import HistoryTable, AliasTable
+from note.tables import HistoryTable, AliasTable, TrustTable
-from note_kfet.middlewares import _set_current_user_and_ip
+from note_kfet.middlewares import _set_current_request
 from permission.backends import PermissionBackend
 from permission.models import Role
 from permission.views import ProtectQuerysetMixin, ProtectedCreateView
@@ -41,7 +42,8 @@ class CustomLoginView(LoginView):
     @transaction.atomic
     def form_valid(self, form):
         logout(self.request)
-        _set_current_user_and_ip(form.get_user(), self.request.session, None)
+        self.request.user = form.get_user()
+        _set_current_request(self.request)
         self.request.session['permission_mask'] = form.cleaned_data['permission_mask'].rank
         return super().form_valid(form)
 
@@ -70,7 +72,7 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         form.fields['email'].required = True
         form.fields['email'].help_text = _("This address must be valid.")
 
-        if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile):
+        if PermissionBackend.check_perm(self.request, "member.change_profile", context['user_object'].profile):
             context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
                                                         data=self.request.POST if self.request.POST else None)
             if not self.object.profile.report_frequency:
@@ -153,13 +155,13 @@ class UserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         history_list = \
             Transaction.objects.all().filter(Q(source=user.note) | Q(destination=user.note))\
             .order_by("-created_at")\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Transaction, "view"))
+            .filter(PermissionBackend.filter_queryset(self.request, Transaction, "view"))
         history_table = HistoryTable(history_list, prefix='transaction-')
         history_table.paginate(per_page=20, page=self.request.GET.get("transaction-page", 1))
         context['history_list'] = history_table
 
         club_list = Membership.objects.filter(user=user, date_end__gte=date.today() - timedelta(days=15))\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Membership, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request, Membership, "view"))\
             .order_by("club__name", "-date_start")
         # Display only the most recent membership
         club_list = club_list.distinct("club__name")\
@@ -173,24 +175,23 @@ class UserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
             modified_note = NoteUser.objects.get(pk=user.note.pk)
             # Don't log these tests
             modified_note._no_signal = True
-            modified_note.is_active = True
+            modified_note.is_active = False
             modified_note.inactivity_reason = 'manual'
             context["can_lock_note"] = user.note.is_active and PermissionBackend\
-                                           .check_perm(self.request.user, "note.change_noteuser_is_active",
+                                           .check_perm(self.request, "note.change_noteuser_is_active", modified_note)
-                                                       modified_note)
             old_note = NoteUser.objects.select_for_update().get(pk=user.note.pk)
             modified_note.inactivity_reason = 'forced'
             modified_note._force_save = True
             modified_note.save()
             context["can_force_lock"] = user.note.is_active and PermissionBackend\
-                .check_perm(self.request.user, "note.change_note_is_active", modified_note)
+                .check_perm(self.request, "note.change_noteuser_is_active", modified_note)
             old_note._force_save = True
             old_note._no_signal = True
             old_note.save()
             modified_note.refresh_from_db()
             modified_note.is_active = True
             context["can_unlock_note"] = not user.note.is_active and PermissionBackend\
-                .check_perm(self.request.user, "note.change_note_is_active", modified_note)
+                .check_perm(self.request, "note.change_noteuser_is_active", modified_note)
 
         return context
 
@@ -237,12 +238,45 @@ class UserListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        pre_registered_users = User.objects.filter(PermissionBackend.filter_queryset(self.request.user, User, "view"))\
+        pre_registered_users = User.objects.filter(PermissionBackend.filter_queryset(self.request, User, "view"))\
             .filter(profile__registration_valid=False)
         context["can_manage_registrations"] = pre_registered_users.exists()
         return context
 
 
+class ProfileTrustView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+    """
+    View and manage user trust relationships
+    """
+    model = User
+    template_name = 'member/profile_trust.html'
+    context_object_name = 'user_object'
+    extra_context = {"title": _("Note friendships")}
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        note = context['object'].note
+        context["trusting"] = TrustTable(
+            note.trusting.filter(PermissionBackend.filter_queryset(self.request, Trust, "view")).distinct().all())
+        context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_trust", Trust(
+            trusting=context["object"].note,
+            trusted=context["object"].note
+        ))
+        context["widget"] = {
+            "name": "trusted",
+            "attrs": {
+                "model_pk": ContentType.objects.get_for_model(Alias).pk,
+                "class": "autocomplete form-control",
+                "id": "trusted",
+                "resetable": True,
+                "api_url": "/api/note/alias/?note__polymorphic_ctype__model=noteuser",
+                "name_field": "name",
+                "placeholder": ""
+            }
+        }
+        return context
+
+
 class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     """
     View and manage user aliases.
@@ -256,8 +290,9 @@ class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data(**kwargs)
         note = context['object'].note
         context["aliases"] = AliasTable(
-            note.alias.filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view")).distinct().all())
+            note.alias.filter(PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct()
-        context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
+            .order_by('normalized_name').all())
+        context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_alias", Alias(
             note=context["object"].note,
             name="",
             normalized_name="",
@@ -382,7 +417,7 @@ class ClubListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        context["can_add_club"] = PermissionBackend.check_perm(self.request.user, "member.add_club", Club(
+        context["can_add_club"] = PermissionBackend.check_perm(self.request, "member.add_club", Club(
             name="",
             email="club@example.com",
         ))
@@ -403,9 +438,12 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         """
         context = super().get_context_data(**kwargs)
 
-        club = context["club"]
+        club = self.object
-        if PermissionBackend.check_perm(self.request.user, "member.change_club_membership_start", club):
+        context["note"] = club.note
+
+        if PermissionBackend.check_perm(self.request, "member.change_club_membership_start", club):
             club.update_membership_dates()
+
         # managers list
         managers = Membership.objects.filter(club=self.object, roles__name="Bureau de club",
                                              date_start__lte=date.today(), date_end__gte=date.today())\
@@ -413,7 +451,7 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context["managers"] = ClubManagerTable(data=managers, prefix="managers-")
         # transaction history
         club_transactions = Transaction.objects.all().filter(Q(source=club.note) | Q(destination=club.note))\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Transaction, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request, Transaction, "view"))\
             .order_by('-created_at')
         history_table = HistoryTable(club_transactions, prefix="history-")
         history_table.paginate(per_page=20, page=self.request.GET.get('history-page', 1))
@@ -422,7 +460,7 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         club_member = Membership.objects.filter(
             club=club,
             date_end__gte=date.today() - timedelta(days=15),
-        ).filter(PermissionBackend.filter_queryset(self.request.user, Membership, "view"))\
+        ).filter(PermissionBackend.filter_queryset(self.request, Membership, "view"))\
             .order_by("user__username", "-date_start")
         # Display only the most recent membership
         club_member = club_member.distinct("user__username")\
@@ -443,6 +481,29 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context["can_add_members"] = PermissionBackend()\
             .has_perm(self.request.user, "member.add_membership", empty_membership)
 
+        # Check permissions to see if the authenticated user can lock/unlock the note
+        with transaction.atomic():
+            modified_note = NoteClub.objects.get(pk=club.note.pk)
+            # Don't log these tests
+            modified_note._no_signal = True
+            modified_note.is_active = False
+            modified_note.inactivity_reason = 'manual'
+            context["can_lock_note"] = club.note.is_active and PermissionBackend \
+                .check_perm(self.request, "note.change_noteclub_is_active", modified_note)
+            old_note = NoteClub.objects.select_for_update().get(pk=club.note.pk)
+            modified_note.inactivity_reason = 'forced'
+            modified_note._force_save = True
+            modified_note.save()
+            context["can_force_lock"] = club.note.is_active and PermissionBackend \
+                .check_perm(self.request, "note.change_noteclub_is_active", modified_note)
+            old_note._force_save = True
+            old_note._no_signal = True
+            old_note.save()
+            modified_note.refresh_from_db()
+            modified_note.is_active = True
+            context["can_unlock_note"] = not club.note.is_active and PermissionBackend \
+                .check_perm(self.request, "note.change_noteclub_is_active", modified_note)
+
         return context
 
 
@@ -459,8 +520,8 @@ class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data(**kwargs)
         note = context['object'].note
         context["aliases"] = AliasTable(note.alias.filter(
-            PermissionBackend.filter_queryset(self.request.user, Alias, "view")).distinct().all())
+            PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct().all())
-        context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
+        context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_alias", Alias(
             note=context["object"].note,
             name="",
             normalized_name="",
@@ -535,7 +596,7 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         form = context['form']
 
         if "club_pk" in self.kwargs:  # We create a new membership.
-            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request.user, Club, "view"))\
+            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request, Club, "view"))\
                 .get(pk=self.kwargs["club_pk"], weiclub=None)
             form.fields['credit_amount'].initial = club.membership_fee_paid
             # Ensure that the user is member of the parent club and all its the family tree.
@@ -655,8 +716,7 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         if club.name != "Kfet" and club.parent_club and not Membership.objects.filter(
                 user=form.instance.user,
                 club=club.parent_club,
-                date_start__lte=timezone.now(),
+                date_start__gte=club.parent_club.membership_start,
-                date_end__gte=club.parent_club.membership_end,
         ).exists():
             form.add_error('user', _('User is not a member of the parent club') + ' ' + club.parent_club.name)
             error = True
@@ -684,7 +744,7 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         """
         # Get the club that is concerned by the membership
         if "club_pk" in self.kwargs:  # get from url of new membership
-            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request.user, Club, "view")) \
+            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request, Club, "view")) \
                 .get(pk=self.kwargs["club_pk"])
             user = form.instance.user
             old_membership = None
@@ -693,6 +753,10 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
             club = old_membership.club
             user = old_membership.user
 
+        # Update club membership date
+        if PermissionBackend.check_perm(self.request, "member.change_club_membership_start", club):
+            club.update_membership_dates()
+
         form.instance.club = club
 
         # Get form data
@@ -868,7 +932,7 @@ class ClubMembersListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableV
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         club = Club.objects.filter(
-            PermissionBackend.filter_queryset(self.request.user, Club, "view")
+            PermissionBackend.filter_queryset(self.request, Club, "view")
         ).get(pk=self.kwargs["pk"])
         context["club"] = club
 

apps/note/api/serializers.py

@@ -8,11 +8,11 @@ from rest_framework.exceptions import ValidationError
 from rest_polymorphic.serializers import PolymorphicSerializer
 from member.api.serializers import MembershipSerializer
 from member.models import Membership
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 from rest_framework.utils import model_meta
 
-from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias
+from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias, Trust
 from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction, TemplateCategory, \
     RecurrentTransaction, SpecialTransaction
 
@@ -77,6 +77,22 @@ class NoteUserSerializer(serializers.ModelSerializer):
         return str(obj)
 
 
+class TrustSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Trusts.
+    The djangorestframework plugin will analyse the model `Trust` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = Trust
+        fields = '__all__'
+
+    def validate(self, attrs):
+        instance = Trust(**attrs)
+        instance.clean()
+        return attrs
+
+
 class AliasSerializer(serializers.ModelSerializer):
     """
     REST API Serializer for Aliases.
@@ -126,7 +142,7 @@ class ConsumerSerializer(serializers.ModelSerializer):
         """
         # If the user has no right to see the note, then we only display the note identifier
         return NotePolymorphicSerializer().to_representation(obj.note)\
-            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", obj.note)\
+            if PermissionBackend.check_perm(get_current_request(), "note.view_note", obj.note)\
             else dict(
             id=obj.note.id,
             name=str(obj.note),
@@ -142,7 +158,7 @@ class ConsumerSerializer(serializers.ModelSerializer):
     def get_membership(self, obj):
         if isinstance(obj.note, NoteUser):
             memberships = Membership.objects.filter(
-                PermissionBackend.filter_queryset(get_current_authenticated_user(), Membership, "view")).filter(
+                PermissionBackend.filter_queryset(get_current_request(), Membership, "view")).filter(
                 user=obj.note.user,
                 club=2,  # Kfet
             ).order_by("-date_start")

apps/note/api/urls.py

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import NotePolymorphicViewSet, AliasViewSet, ConsumerViewSet, \
-    TemplateCategoryViewSet, TransactionViewSet, TransactionTemplateViewSet
+    TemplateCategoryViewSet, TransactionViewSet, TransactionTemplateViewSet, \
+    TrustViewSet
 
 
 def register_note_urls(router, path):
@@ -11,6 +12,7 @@ def register_note_urls(router, path):
     """
     router.register(path + '/note', NotePolymorphicViewSet)
     router.register(path + '/alias', AliasViewSet)
+    router.register(path + '/trust', TrustViewSet)
     router.register(path + '/consumer', ConsumerViewSet)
 
     router.register(path + '/transaction/category', TemplateCategoryViewSet)

apps/note/api/views.py

@@ -1,5 +1,6 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+import re
 
 from django.conf import settings
 from django.db.models import Q
@@ -10,12 +11,12 @@ from rest_framework import viewsets
 from rest_framework.response import Response
 from rest_framework import status
 from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet
-from note_kfet.middlewares import get_current_session
 from permission.backends import PermissionBackend
 
 from .serializers import NotePolymorphicSerializer, AliasSerializer, ConsumerSerializer,\
-    TemplateCategorySerializer, TransactionTemplateSerializer, TransactionPolymorphicSerializer
+    TemplateCategorySerializer, TransactionTemplateSerializer, TransactionPolymorphicSerializer, \
-from ..models.notes import Note, Alias, NoteUser, NoteClub, NoteSpecial
+    TrustSerializer
+from ..models.notes import Note, Alias, NoteUser, NoteClub, NoteSpecial, Trust
 from ..models.transactions import TransactionTemplate, Transaction, TemplateCategory
 
 
@@ -40,12 +41,11 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
         Parse query and apply filters.
         :return: The filtered set of requested notes
         """
-        user = self.request.user
+        queryset = self.queryset.filter(PermissionBackend.filter_queryset(self.request, Note, "view")
-        get_current_session().setdefault("permission_mask", 42)
+                                        | PermissionBackend.filter_queryset(self.request, NoteUser, "view")
-        queryset = self.queryset.filter(PermissionBackend.filter_queryset(user, Note, "view")
+                                        | PermissionBackend.filter_queryset(self.request, NoteClub, "view")
-                                        | PermissionBackend.filter_queryset(user, NoteUser, "view")
+                                        | PermissionBackend.filter_queryset(self.request, NoteSpecial, "view"))\
-                                        | PermissionBackend.filter_queryset(user, NoteClub, "view")
+            .distinct()
-                                        | PermissionBackend.filter_queryset(user, NoteSpecial, "view")).distinct()
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
@@ -57,17 +57,48 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
         return queryset.order_by("id")
 
 
+class TrustViewSet(ReadProtectedModelViewSet):
+    """
+    REST Trust View set.
+    The djangorestframework plugin will get all `Trust` objects, serialize it to JSON with the given serializer,
+    then render it on /api/note/trust/
+    """
+    queryset = Trust.objects
+    serializer_class = TrustSerializer
+    filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
+    search_fields = ['$trusting__alias__name', '$trusting__alias__normalized_name',
+                     '$trusted__alias__name', '$trusted__alias__normalized_name']
+    filterset_fields = ['trusting', 'trusting__noteuser__user', 'trusted', 'trusted__noteuser__user']
+    ordering_fields = ['trusting', 'trusted', ]
+
+    def get_serializer_class(self):
+        serializer_class = self.serializer_class
+        if self.request.method in ['PUT', 'PATCH']:
+            # trust relationship can't change people involved
+            serializer_class.Meta.read_only_fields = ('trusting', 'trusting',)
+        return serializer_class
+
+    def destroy(self, request, *args, **kwargs):
+        instance = self.get_object()
+        try:
+            self.perform_destroy(instance)
+        except ValidationError as e:
+            return Response({e.code: str(e)}, status.HTTP_400_BAD_REQUEST)
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
+
 class AliasViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Alias` objects, serialize it to JSON with the given serializer,
-    then render it on /api/aliases/
+    then render it on /api/note/aliases/
     """
     queryset = Alias.objects
     serializer_class = AliasSerializer
     filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
     search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
-    filterset_fields = ['note', 'note__noteuser__user', 'note__noteclub__club', 'note__polymorphic_ctype__model', ]
+    filterset_fields = ['name', 'normalized_name', 'note', 'note__noteuser__user',
+                        'note__noteclub__club', 'note__polymorphic_ctype__model', ]
     ordering_fields = ['name', 'normalized_name', ]
 
     def get_serializer_class(self):
@@ -118,7 +149,8 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
     serializer_class = ConsumerSerializer
     filter_backends = [SearchFilter, OrderingFilter, DjangoFilterBackend]
     search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
-    filterset_fields = ['note', 'note__noteuser__user', 'note__noteclub__club', 'note__polymorphic_ctype__model', ]
+    filterset_fields = ['name', 'normalized_name', 'note', 'note__noteuser__user',
+                        'note__noteclub__club', 'note__polymorphic_ctype__model', ]
     ordering_fields = ['name', 'normalized_name', ]
 
     def get_queryset(self):
@@ -133,23 +165,31 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
             if settings.DATABASES[queryset.db]["ENGINE"] == 'django.db.backends.postgresql' else queryset
 
         alias = self.request.query_params.get("alias", None)
+        # Check if this is a valid regex. If not, we won't check regex
+        try:
+            re.compile(alias)
+            valid_regex = True
+        except (re.error, TypeError):
+            valid_regex = False
+        suffix = '__iregex' if valid_regex else '__istartswith'
+        alias_prefix = '^' if valid_regex else ''
         queryset = queryset.prefetch_related('note')
 
         if alias:
             # We match first an alias if it is matched without normalization,
             # then if the normalized pattern matches a normalized alias.
             queryset = queryset.filter(
-                name__iregex="^" + alias
+                **{f'name{suffix}': alias_prefix + alias}
             ).union(
                 queryset.filter(
-                    Q(normalized_name__iregex="^" + Alias.normalize(alias))
+                    Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
-                    & ~Q(name__iregex="^" + alias)
+                    & ~Q(**{f'name{suffix}': alias_prefix + alias})
                 ),
                 all=True).union(
                 queryset.filter(
-                    Q(normalized_name__iregex="^" + alias.lower())
+                    Q(**{f'normalized_name{suffix}': alias_prefix + alias.lower()})
-                    & ~Q(normalized_name__iregex="^" + Alias.normalize(alias))
+                    & ~Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
-                    & ~Q(name__iregex="^" + alias)
+                    & ~Q(**{f'name{suffix}': alias_prefix + alias})
                 ),
                 all=True)
 
@@ -205,7 +245,5 @@ class TransactionViewSet(ReadProtectedModelViewSet):
     ordering_fields = ['created_at', 'amount', ]
 
     def get_queryset(self):
-        user = self.request.user
+        return self.model.objects.filter(PermissionBackend.filter_queryset(self.request, self.model, "view"))\
-        get_current_session().setdefault("permission_mask", 42)
-        return self.model.objects.filter(PermissionBackend.filter_queryset(user, self.model, "view"))\
             .order_by("created_at", "id")

apps/note/migrations/0006_trust.py

@@ -0,0 +1,27 @@
+# Generated by Django 2.2.24 on 2021-09-05 19:16
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('note', '0005_auto_20210313_1235'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Trust',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('trusted', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='trusted', to='note.Note', verbose_name='trusted')),
+                ('trusting', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='trusting', to='note.Note', verbose_name='trusting')),
+            ],
+            options={
+                'verbose_name': 'frienship',
+                'verbose_name_plural': 'friendships',
+                'unique_together': {('trusting', 'trusted')},
+            },
+        ),
+    ]

apps/note/models/__init__.py

@@ -1,13 +1,13 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser
+from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser, Trust
 from .transactions import MembershipTransaction, Transaction, \
     TemplateCategory, TransactionTemplate, RecurrentTransaction, SpecialTransaction
 
 __all__ = [
     # Notes
-    'Alias', 'Note', 'NoteClub', 'NoteSpecial', 'NoteUser',
+    'Alias', 'Trust', 'Note', 'NoteClub', 'NoteSpecial', 'NoteUser',
     # Transactions
     'MembershipTransaction', 'Transaction', 'TemplateCategory', 'TransactionTemplate',
     'RecurrentTransaction', 'SpecialTransaction',

apps/note/models/notes.py

@@ -217,6 +217,38 @@ class NoteSpecial(Note):
         return self.special_type
 
 
+class Trust(models.Model):
+    """
+    A one-sided trust relationship bertween two users
+
+    If another user considers you as your friend, you can transfer money from
+    them
+    """
+
+    trusting = models.ForeignKey(
+        Note,
+        on_delete=models.CASCADE,
+        related_name='trusting',
+        verbose_name=_('trusting')
+    )
+
+    trusted = models.ForeignKey(
+        Note,
+        on_delete=models.CASCADE,
+        related_name='trusted',
+        verbose_name=_('trusted')
+    )
+
+    class Meta:
+        verbose_name = _("frienship")
+        verbose_name_plural = _("friendships")
+        unique_together = ("trusting", "trusted")
+
+    def __str__(self):
+        return _("Friendship between {trusting} and {trusted}").format(
+            trusting=str(self.trusting), trusted=str(self.trusted))
+
+
 class Alias(models.Model):
     """
     points toward  a :model:`note.NoteUser` or :model;`note.NoteClub` instance.

apps/note/models/transactions.py

@@ -325,8 +325,8 @@ class SpecialTransaction(Transaction):
     def clean(self):
         # SpecialTransaction are only possible with NoteSpecial object
         if self.is_credit() == self.is_debit():
-            raise(ValidationError(_("A special transaction is only possible between a"
+            raise ValidationError(_("A special transaction is only possible between a"
-                                    " Note associated to a payment method and a User or a Club")))
+                                    " Note associated to a payment method and a User or a Club"))
 
     @transaction.atomic
     def save(self, *args, **kwargs):

apps/note/static/note/js/consos.js

@@ -221,7 +221,7 @@ function consume (source, source_alias, dest, quantity, amount, reason, type, ca
     .done(function () {
       if (!isNaN(source.balance)) {
         const newBalance = source.balance - quantity * amount
-        if (newBalance <= -5000) {
+        if (newBalance <= -2000) {
           addMsg(interpolate(gettext('Warning, the transaction from the note %s succeed, ' +
               'but the emitter note %s is very negative.'), [source_alias, source_alias]), 'danger', 30000)
         } else if (newBalance < 0) {

apps/note/static/note/js/transfer.js

@@ -222,6 +222,13 @@ $(document).ready(function () {
   })
 })
 
+// Make transfer when pressing Enter on the amount section
+$('#amount, #reason, #last_name, #first_name, #bank').keypress((event) => {
+  if (event.originalEvent.charCode === 13) {
+    $('#btn_transfer').click()
+  }
+})
+
 $('#btn_transfer').click(function () {
   if (LOCK) { return }
 
@@ -307,7 +314,7 @@ $('#btn_transfer').click(function () {
 
           if (!isNaN(source.note.balance)) {
             const newBalance = source.note.balance - source.quantity * dest.quantity * amount
-            if (newBalance <= -5000) {
+            if (newBalance <= -2000) {
               addMsg(interpolate(gettext('Warning, the transaction of %s from the note %s to the note %s succeed, but the emitter note %s is very negative.'),
                   [pretty_money(source.quantity * dest.quantity * amount), source.name, dest.name, source.name]), 'danger', 10000)
               reset()
@@ -348,14 +355,14 @@ $('#btn_transfer').click(function () {
               destination_alias: dest.name
             }).done(function () {
             addMsg(interpolate(gettext('Transfer of %s from %s to %s failed: %s'),
-                [pretty_money(source.quantity * dest.quantity * amount), source.name, + dest.name, gettext('insufficient funds')]), 'danger', 10000)
+                [pretty_money(source.quantity * dest.quantity * amount), source.name, dest.name, gettext('insufficient funds')]), 'danger', 10000)
             reset()
           }).fail(function (err) {
             const errObj = JSON.parse(err.responseText)
             let error = errObj.detail ? errObj.detail : errObj.non_field_errors
             if (!error) { error = err.responseText }
             addMsg(interpolate(gettext('Transfer of %s from %s to %s failed: %s'),
-                [pretty_money(source.quantity * dest.quantity * amount), source.name, + dest.name, error]), 'danger')
+                [pretty_money(source.quantity * dest.quantity * amount), source.name, dest.name, error]), 'danger')
             LOCK = false
           })
         })

apps/note/tables.py

@@ -4,13 +4,13 @@
 import html
 
 import django_tables2 as tables
-from django.utils.html import format_html
+from django.utils.html import format_html, mark_safe
 from django_tables2.utils import A
 from django.utils.translation import gettext_lazy as _
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
-from .models.notes import Alias
+from .models.notes import Alias, Trust
 from .models.transactions import Transaction, TransactionTemplate
 from .templatetags.pretty_money import pretty_money
 
@@ -88,16 +88,16 @@ class HistoryTable(tables.Table):
                 "class": lambda record:
                 str(record.valid).lower()
                 + (' validate' if record.source.is_active and record.destination.is_active and PermissionBackend
-                   .check_perm(get_current_authenticated_user(), "note.change_transaction_invalidity_reason", record)
+                   .check_perm(get_current_request(), "note.change_transaction_invalidity_reason", record)
                    else ''),
                 "data-toggle": "tooltip",
                 "title": lambda record: (_("Click to invalidate") if record.valid else _("Click to validate"))
-                if PermissionBackend.check_perm(get_current_authenticated_user(),
+                if PermissionBackend.check_perm(get_current_request(),
                                                 "note.change_transaction_invalidity_reason", record)
                 and record.source.is_active and record.destination.is_active else None,
                 "onclick": lambda record: 'de_validate(' + str(record.id) + ', ' + str(record.valid).lower()
                                           + ', "' + str(record.__class__.__name__) + '")'
-                if PermissionBackend.check_perm(get_current_authenticated_user(),
+                if PermissionBackend.check_perm(get_current_request(),
                                                 "note.change_transaction_invalidity_reason", record)
                 and record.source.is_active and record.destination.is_active else None,
                 "onmouseover": lambda record: '$("#invalidity_reason_'
@@ -126,7 +126,7 @@ class HistoryTable(tables.Table):
         When the validation status is hovered, an input field is displayed to let the user specify an invalidity reason
         """
         has_perm = PermissionBackend \
-            .check_perm(get_current_authenticated_user(), "note.change_transaction_invalidity_reason", record)
+            .check_perm(get_current_request(), "note.change_transaction_invalidity_reason", record)
 
         val = "✔" if value else "✖"
 
@@ -148,6 +148,31 @@ DELETE_TEMPLATE = """
 """
 
 
+class TrustTable(tables.Table):
+    class Meta:
+        attrs = {
+            'class': 'table table condensed table-striped',
+            'id': "trust_table"
+        }
+        model = Trust
+        fields = ("trusted",)
+        template_name = 'django_tables2/bootstrap4.html'
+
+    show_header = False
+    trusted = tables.Column(attrs={'td': {'class': 'text_center'}})
+
+    delete_col = tables.TemplateColumn(
+        template_code=DELETE_TEMPLATE,
+        extra_context={"delete_trans": _('delete')},
+        attrs={
+            'td': {
+                'class': lambda record: 'col-sm-1'
+                + (' d-none' if not PermissionBackend.check_perm(
+                    get_current_request(), "note.delete_trust", record)
+                   else '')}},
+        verbose_name=_("Delete"),)
+
+
 class AliasTable(tables.Table):
     class Meta:
         attrs = {
@@ -165,7 +190,7 @@ class AliasTable(tables.Table):
                                        extra_context={"delete_trans": _('delete')},
                                        attrs={'td': {'class': lambda record: 'col-sm-1' + (
                                            ' d-none' if not PermissionBackend.check_perm(
-                                               get_current_authenticated_user(), "note.delete_alias",
+                                               get_current_request(), "note.delete_alias",
                                                record) else '')}}, verbose_name=_("Delete"), )
 
 
@@ -197,6 +222,17 @@ class ButtonTable(tables.Table):
         verbose_name=_("Edit"),
     )
 
+    hideshow = tables.Column(
+        verbose_name=_("Hide/Show"),
+        accessor="pk",
+        attrs={
+            'td': {
+                'class': 'col-sm-1',
+                'id': lambda record: "hideshow_" + str(record.pk),
+            }
+        },
+    )
+
     delete_col = tables.TemplateColumn(template_code=DELETE_TEMPLATE,
                                        extra_context={"delete_trans": _('delete')},
                                        attrs={'td': {'class': 'col-sm-1'}},
@@ -204,3 +240,16 @@ class ButtonTable(tables.Table):
 
     def render_amount(self, value):
         return pretty_money(value)
+
+    def order_category(self, queryset, is_descending):
+        return queryset.order_by(f"{'-' if is_descending else ''}category__name"), True
+
+    def render_hideshow(self, record):
+        val = '<button id="'
+        val += str(record.pk)
+        val += '" class="btn btn-secondary btn-sm" \
+            onclick="hideshow(' + str(record.id) + ',' + \
+            str(record.display).lower() + ')">'
+        val += str(_("Hide/Show"))
+        val += '</button>'
+        return mark_safe(val)

apps/note/templates/note/transaction_form.html

@@ -10,21 +10,25 @@ SPDX-License-Identifier: GPL-2.0-or-later
 {# bandeau transfert/crédit/débit/activité #}
     <div class="row">
         <div class="col-xl-12">
-            <div class="btn-group btn-group-toggle btn-block" data-toggle="buttons">
+            <div class="btn-group btn-block">
-                <label for="type_transfer" class="btn btn-sm btn-outline-primary active">
+                <div class="btn-group btn-group-toggle btn-block" data-toggle="buttons">
-                    <input type="radio" name="transaction_type" id="type_transfer">
+                    <label for="type_transfer" class="btn btn-sm btn-outline-primary active">
-                    {% trans "Transfer" %}
+                        <input type="radio" name="transaction_type" id="type_transfer">
-                </label>
+                        {% trans "Transfer" %}
-                {% if "note.notespecial"|not_empty_model_list %}
-                    <label for="type_credit" class="btn btn-sm btn-outline-primary">
-                        <input type="radio" name="transaction_type" id="type_credit">
-                        {% trans "Credit" %}
                     </label>
-                    <label for="type_debit" class="btn btn-sm btn-outline-primary">
+                    {% if "note.notespecial"|not_empty_model_list %}
-                        <input type="radio" name="transaction_type" id="type_debit">
+                        <label for="type_credit" class="btn btn-sm btn-outline-primary">
-                        {% trans "Debit" %}
+                            <input type="radio" name="transaction_type" id="type_credit">
-                    </label>
+                            {% trans "Credit" %}
-                {% endif %}
+                        </label>
+                        <label for="type_debit" class="btn btn-sm btn-outline-primary">
+                            <input type="radio" name="transaction_type" id="type_debit">
+                            {% trans "Debit" %}
+                        </label>
+                    {% endif %}
+                </div>
+
+                {# Add shortcuts for opened activites if necessary #}
                 {% for activity in activities_open %}
                     <a href="{% url "activity:activity_entry" pk=activity.pk %}" class="btn btn-sm btn-outline-primary">
                         {% trans "Entries" %} {{ activity.name }}

apps/note/templates/note/transactiontemplate_list.html

@@ -31,29 +31,29 @@ SPDX-License-Identifier: GPL-3.0-or-later
 
 {% block extrajavascript %}
 <script type="text/javascript">
+    function refreshMatchedWords() {
+        $("tr").each(function() {
+            let pattern = $('#search_field').val();
+            if (pattern) {
+                $(this).find("td:eq(0), td:eq(1), td:eq(3), td:eq(6)").each(function () {
+                    $(this).html($(this).text().replace(new RegExp(pattern, 'i'), "<mark>$&</mark>"));
+                });
+            }
+        });
+    }
+
+    function reloadTable() {
+        let pattern = $('#search_field').val();
+        $("#buttons_table").load(location.pathname + "?search=" + pattern.replace(" ", "%20") + " #buttons_table", refreshMatchedWords);
+    }
+
     $(document).ready(function() {
         let searchbar_obj = $("#search_field");
         let timer_on = false;
         let timer;
 
-        function refreshMatchedWords() {
-            $("tr").each(function() {
-                let pattern = searchbar_obj.val();
-                if (pattern) {
-                    $(this).find("td:eq(0), td:eq(1), td:eq(3), td:eq(6)").each(function () {
-                        $(this).html($(this).text().replace(new RegExp(pattern, 'i'), "<mark>$&</mark>"));
-                    });
-                }
-            });
-        }
-
         refreshMatchedWords();
 
-        function reloadTable() {
-            let pattern = searchbar_obj.val();
-            $("#buttons_table").load(location.pathname + "?search=" + pattern.replace(" ", "%20") + " #buttons_table", refreshMatchedWords);
-        }
-
         searchbar_obj.keyup(function() {
             if (timer_on)
                 clearTimeout(timer);
@@ -77,5 +77,28 @@ SPDX-License-Identifier: GPL-3.0-or-later
               addMsg('{% trans "Unable to delete button "%} #' + button_id, 'danger')
           });
      }
+
+    // on click of button "hide/show", call the API
+    function hideshow(id, displayed) {
+            $.ajax({
+                url: '/api/note/transaction/template/' + id + '/',
+                type: 'PATCH',
+                dataType: 'json',
+                headers: {
+                    'X-CSRFTOKEN': CSRF_TOKEN
+                },
+                data: {
+                    display: !displayed
+                },
+                success: function() {
+                    if(displayed)
+                        addMsg("{% trans "Button hidden"%}", 'success', 1000)
+                    else addMsg("{% trans "Button displayed"%}", 'success', 1000)
+                    reloadTable()
+                },
+                error: function (err) {
+                    addMsg("{% trans "An error occured"%}", 'danger')
+                }})
+        }
 </script>
 {% endblock %}

apps/note/views.py

@@ -38,7 +38,7 @@ class TransactionCreateView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTabl
     def get_queryset(self, **kwargs):
         # retrieves only Transaction that user has the right to see.
         return Transaction.objects.filter(
-            PermissionBackend.filter_queryset(self.request.user, Transaction, "view")
+            PermissionBackend.filter_queryset(self.request, Transaction, "view")
         ).order_by("-created_at").all()[:20]
 
     def get_context_data(self, **kwargs):
@@ -47,16 +47,16 @@ class TransactionCreateView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTabl
         context['polymorphic_ctype'] = ContentType.objects.get_for_model(Transaction).pk
         context['special_polymorphic_ctype'] = ContentType.objects.get_for_model(SpecialTransaction).pk
         context['special_types'] = NoteSpecial.objects\
-            .filter(PermissionBackend.filter_queryset(self.request.user, NoteSpecial, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request, NoteSpecial, "view"))\
             .order_by("special_type").all()
 
         # Add a shortcut for entry page for open activities
         if "activity" in settings.INSTALLED_APPS:
             from activity.models import Activity
-            activities_open = Activity.objects.filter(open=True).filter(
+            activities_open = Activity.objects.filter(open=True, activity_type__manage_entries=True).filter(
-                PermissionBackend.filter_queryset(self.request.user, Activity, "view")).distinct().all()
+                PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().all()
             context["activities_open"] = [a for a in activities_open
-                                          if PermissionBackend.check_perm(self.request.user,
+                                          if PermissionBackend.check_perm(self.request,
                                                                           "activity.add_entry",
                                                                           Entry(activity=a,
                                                                                 note=self.request.user.note, ))]
@@ -90,9 +90,9 @@ class TransactionTemplateListView(ProtectQuerysetMixin, LoginRequiredMixin, Sing
         if "search" in self.request.GET:
             pattern = self.request.GET["search"]
             qs = qs.filter(
-                Q(name__iregex="^" + pattern)
+                Q(name__iregex=pattern)
-                | Q(destination__club__name__iregex="^" + pattern)
+                | Q(destination__club__name__iregex=pattern)
-                | Q(category__name__iregex="^" + pattern)
+                | Q(category__name__iregex=pattern)
                 | Q(description__iregex=pattern)
             )
 
@@ -159,7 +159,7 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
             return self.handle_no_permission()
 
         templates = TransactionTemplate.objects.filter(
-            PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
+            PermissionBackend().filter_queryset(self.request, TransactionTemplate, "view")
         )
         if not templates.exists():
             raise PermissionDenied(_("You can't see any button."))
@@ -170,7 +170,7 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         restrict to the transaction history the user can see.
         """
         return Transaction.objects.filter(
-            PermissionBackend.filter_queryset(self.request.user, Transaction, "view")
+            PermissionBackend.filter_queryset(self.request, Transaction, "view")
         ).order_by("-created_at").all()[:20]
 
     def get_context_data(self, **kwargs):
@@ -180,13 +180,13 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         # for each category, find which transaction templates the user can see.
         for category in categories:
             category.templates_filtered = category.templates.filter(
-                PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
+                PermissionBackend().filter_queryset(self.request, TransactionTemplate, "view")
             ).filter(display=True).order_by('name').all()
 
         context['categories'] = [cat for cat in categories if cat.templates_filtered]
         # some transactiontemplate are put forward to find them easily
         context['highlighted'] = TransactionTemplate.objects.filter(highlighted=True).filter(
-            PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
+            PermissionBackend().filter_queryset(self.request, TransactionTemplate, "view")
         ).order_by('name').all()
         context['polymorphic_ctype'] = ContentType.objects.get_for_model(RecurrentTransaction).pk
 
@@ -209,7 +209,7 @@ class TransactionSearchView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView
         data = form.cleaned_data if form.is_valid() else {}
 
         transactions = Transaction.objects.annotate(total_amount=F("quantity") * F("amount")).filter(
-            PermissionBackend.filter_queryset(self.request.user, Transaction, "view"))\
+            PermissionBackend.filter_queryset(self.request, Transaction, "view"))\
             .filter(Q(source=self.object) | Q(destination=self.object)).order_by('-created_at')
 
         if "source" in data and data["source"]:

apps/permission/backends.py

@@ -4,12 +4,12 @@
 from datetime import date
 
 from django.contrib.auth.backends import ModelBackend
-from django.contrib.auth.models import User, AnonymousUser
+from django.contrib.auth.models import User
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Q, F
 from django.utils import timezone
 from note.models import Note, NoteUser, NoteClub, NoteSpecial
-from note_kfet.middlewares import get_current_session
+from note_kfet.middlewares import get_current_request
 from member.models import Membership, Club
 
 from .decorators import memoize
@@ -26,14 +26,31 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def get_raw_permissions(user, t):
+    def get_raw_permissions(request, t):
         """
         Query permissions of a certain type for a user, then memoize it.
-        :param user: The owner of the permissions
+        :param request: The current request
         :param t: The type of the permissions: view, change, add or delete
         :return: The queryset of the permissions of the user (memoized) grouped by clubs
         """
-        if isinstance(user, AnonymousUser):
+        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+            # OAuth2 Authentication
+            user = request.auth.user
+
+            def permission_filter(membership_obj):
+                query = Q(pk=-1)
+                for scope in request.auth.scope.split(' '):
+                    permission_id, club_id = scope.split('_')
+                    if int(club_id) == membership_obj.club_id:
+                        query |= Q(pk=permission_id)
+                return query
+        else:
+            user = request.user
+
+            def permission_filter(membership_obj):
+                return Q(mask__rank__lte=request.session.get("permission_mask", 42))
+
+        if user.is_anonymous:
             # Unauthenticated users have no permissions
             return Permission.objects.none()
 
@@ -43,7 +60,7 @@ class PermissionBackend(ModelBackend):
 
         for membership in memberships:
             for role in membership.roles.all():
-                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():
+                for perm in role.permissions.filter(permission_filter(membership), type=t).all():
                     if not perm.permanent:
                         if membership.date_start > date.today() or membership.date_end < date.today():
                             continue
@@ -52,16 +69,22 @@ class PermissionBackend(ModelBackend):
         return perms
 
     @staticmethod
-    def permissions(user, model, type):
+    def permissions(request, model, type):
         """
         List all permissions of the given user that applies to a given model and a give type
-        :param user: The owner of the permissions
+        :param request: The current request
         :param model: The model that the permissions shoud apply
         :param type: The type of the permissions: view, change, add or delete
         :return: A generator of the requested permissions
         """
 
-        for permission in PermissionBackend.get_raw_permissions(user, type):
+        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+            # OAuth2 Authentication
+            user = request.auth.user
+        else:
+            user = request.user
+
+        for permission in PermissionBackend.get_raw_permissions(request, type):
             if not isinstance(model.model_class()(), permission.model.model_class()) or not permission.membership:
                 continue
 
@@ -88,20 +111,26 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def filter_queryset(user, model, t, field=None):
+    def filter_queryset(request, model, t, field=None):
         """
         Filter a queryset by considering the permissions of a given user.
-        :param user: The owner of the permissions that are fetched
+        :param request: The current request
         :param model: The concerned model of the queryset
         :param t: The type of modification (view, add, change, delete)
         :param field: The field of the model to test, if concerned
         :return: A query that corresponds to the filter to give to a queryset
         """
-        if user is None or isinstance(user, AnonymousUser):
+        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+            # OAuth2 Authentication
+            user = request.auth.user
+        else:
+            user = request.user
+
+        if user is None or user.is_anonymous:
             # Anonymous users can't do anything
             return Q(pk=-1)
 
-        if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
+        if user.is_superuser and request.session.get("permission_mask", -1) >= 42:
             # Superusers have all rights
             return Q()
 
@@ -110,7 +139,7 @@ class PermissionBackend(ModelBackend):
 
         # Never satisfied
         query = Q(pk=-1)
-        perms = PermissionBackend.permissions(user, model, t)
+        perms = PermissionBackend.permissions(request, model, t)
         for perm in perms:
             if perm.field and field != perm.field:
                 continue
@@ -122,7 +151,7 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def check_perm(user_obj, perm, obj=None):
+    def check_perm(request, perm, obj=None):
         """
         Check is the given user has the permission over a given object.
         The result is then memoized.
@@ -130,10 +159,19 @@ class PermissionBackend(ModelBackend):
         primary key, the result is not memoized. Moreover, the right could change
         (e.g. for a transaction, the balance of the user could change)
         """
-        if user_obj is None or isinstance(user_obj, AnonymousUser):
+        # Requested by a shell
+        if request is None:
             return False
 
-        sess = get_current_session()
+        user_obj = request.user
+        sess = request.session
+
+        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+            # OAuth2 Authentication
+            user_obj = request.auth.user
+
+        if user_obj is None or user_obj.is_anonymous:
+            return False
 
         if user_obj.is_superuser and sess.get("permission_mask", -1) >= 42:
             return True
@@ -147,16 +185,19 @@ class PermissionBackend(ModelBackend):
 
         ct = ContentType.objects.get_for_model(obj)
         if any(permission.applies(obj, perm_type, perm_field)
-               for permission in PermissionBackend.permissions(user_obj, ct, perm_type)):
+               for permission in PermissionBackend.permissions(request, ct, perm_type)):
             return True
         return False
 
     def has_perm(self, user_obj, perm, obj=None):
-        return PermissionBackend.check_perm(user_obj, perm, obj)
+        # Warning: this does not check that user_obj has the permission,
+        # but if the current request has the permission.
+        # This function is implemented for backward compatibility, and should not be used.
+        return PermissionBackend.check_perm(get_current_request(), perm, obj)
 
     def has_module_perms(self, user_obj, app_label):
         return False
 
     def get_all_permissions(self, user_obj, obj=None):
         ct = ContentType.objects.get_for_model(obj)
-        return list(self.permissions(user_obj, ct, "view"))
+        return list(self.permissions(get_current_request(), ct, "view"))

apps/permission/decorators.py

@@ -5,7 +5,7 @@ from functools import lru_cache
 from time import time
 
 from django.contrib.sessions.models import Session
-from note_kfet.middlewares import get_current_session
+from note_kfet.middlewares import get_current_request
 
 
 def memoize(f):
@@ -48,11 +48,11 @@ def memoize(f):
             last_collect = time()
 
         # If there is no session, then we don't memoize anything.
-        sess = get_current_session()
+        request = get_current_request()
-        if sess is None or sess.session_key is None:
+        if request is None or request.session is None or request.session.session_key is None:
             return f(*args, **kwargs)
 
-        sess_key = sess.session_key
+        sess_key = request.session.session_key
         if sess_key not in sess_funs:
             # lru_cache makes the job of memoization
             # We store only the 512 latest data per session. It has to be enough.

apps/permission/migrations/0002_club_not_required.py

@@ -0,0 +1,19 @@
+# Generated by Django 2.2.28 on 2023-07-24 10:15
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('permission', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='role',
+            name='for_club',
+            field=models.ForeignKey(blank=True, default=None, null=True, on_delete=django.db.models.deletion.PROTECT, to='member.Club', verbose_name='for club'),
+        ),
+    ]

apps/permission/models.py

@@ -339,6 +339,7 @@ class Role(models.Model):
         "member.Club",
         verbose_name=_("for club"),
         on_delete=models.PROTECT,
+        blank=True,
         null=True,
         default=None,
     )

apps/permission/permissions.py

@@ -45,7 +45,7 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
 
         perms = self.get_required_object_permissions(request.method, model_cls)
         # if not user.has_perms(perms, obj):
-        if not all(PermissionBackend.check_perm(user, perm, obj) for perm in perms):
+        if not all(PermissionBackend.check_perm(request, perm, obj) for perm in perms):
             # If the user does not have permissions we need to determine if
             # they have read permissions to see 403, or not, and simply see
             # a 404 response.

apps/permission/scopes.py

@@ -0,0 +1,57 @@
+# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+from oauth2_provider.oauth2_validators import OAuth2Validator
+from oauth2_provider.scopes import BaseScopes
+from member.models import Club
+from note_kfet.middlewares import get_current_request
+
+from .backends import PermissionBackend
+from .models import Permission
+
+
+class PermissionScopes(BaseScopes):
+    """
+    An OAuth2 scope is defined by a permission object and a club.
+    A token will have a subset of permissions from the owner of the application,
+    and can be useful to make queries through the API with limited privileges.
+    """
+
+    def get_all_scopes(self):
+        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+                for p in Permission.objects.all() for club in Club.objects.all()}
+
+    def get_available_scopes(self, application=None, request=None, *args, **kwargs):
+        if not application:
+            return []
+        return [f"{p.id}_{p.membership.club.id}"
+                for t in Permission.PERMISSION_TYPES
+                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+
+    def get_default_scopes(self, application=None, request=None, *args, **kwargs):
+        if not application:
+            return []
+        return [f"{p.id}_{p.membership.club.id}"
+                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+
+
+class PermissionOAuth2Validator(OAuth2Validator):
+    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        User can request as many scope as he wants, including invalid scopes,
+        but it will have only the permissions he has.
+
+        This allows clients to request more permission to get finally a
+        subset of permissions.
+        """
+
+        valid_scopes = set()
+
+        for t in Permission.PERMISSION_TYPES:
+            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
+                scope = f"{p.id}_{p.membership.club.id}"
+                if scope in scopes:
+                    valid_scopes.add(scope)
+
+        request.scopes = valid_scopes
+
+        return valid_scopes

apps/permission/signals.py

@@ -3,7 +3,7 @@
 
 from django.core.exceptions import PermissionDenied
 from django.utils.translation import gettext_lazy as _
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
 
@@ -16,6 +16,9 @@ EXCLUDED = [
     'contenttypes.contenttype',
     'logs.changelog',
     'migrations.migration',
+    'oauth2_provider.accesstoken',
+    'oauth2_provider.grant',
+    'oauth2_provider.refreshtoken',
     'sessions.session',
 ]
 
@@ -31,8 +34,8 @@ def pre_save_object(sender, instance, **kwargs):
     if hasattr(instance, "_force_save") or hasattr(instance, "_no_signal"):
         return
 
-    user = get_current_authenticated_user()
+    request = get_current_request()
-    if user is None:
+    if request is None:
         # Action performed on shell is always granted
         return
 
@@ -45,7 +48,7 @@ def pre_save_object(sender, instance, **kwargs):
         # We check if the user can change the model
 
         # If the user has all right on a model, then OK
-        if PermissionBackend.check_perm(user, app_label + ".change_" + model_name, instance):
+        if PermissionBackend.check_perm(request, app_label + ".change_" + model_name, instance):
             return
 
         # In the other case, we check if he/she has the right to change one field
@@ -58,7 +61,14 @@ def pre_save_object(sender, instance, **kwargs):
             # If the field wasn't modified, no need to check the permissions
             if old_value == new_value:
                 continue
-            if not PermissionBackend.check_perm(user, app_label + ".change_" + model_name + "_" + field_name, instance):
+
+            if app_label == 'auth' and model_name == 'user' and field.name == 'password' and request.user.is_anonymous:
+                # We must ignore password changes from anonymous users since it can be done by people that forgot
+                # their password. We trust password change form.
+                continue
+
+            if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
+                                                instance):
                 raise PermissionDenied(
                     _("You don't have the permission to change the field {field} on this instance of model"
                       " {app_label}.{model_name}.")
@@ -66,7 +76,7 @@ def pre_save_object(sender, instance, **kwargs):
                 )
     else:
         # We check if the user has right to add the object
-        has_perm = PermissionBackend.check_perm(user, app_label + ".add_" + model_name, instance)
+        has_perm = PermissionBackend.check_perm(request, app_label + ".add_" + model_name, instance)
 
         if not has_perm:
             raise PermissionDenied(
@@ -87,8 +97,8 @@ def pre_delete_object(instance, **kwargs):
         # Don't check permissions on force-deleted objects
         return
 
-    user = get_current_authenticated_user()
+    request = get_current_request()
-    if user is None:
+    if request is None:
         # Action performed on shell is always granted
         return
 
@@ -97,7 +107,7 @@ def pre_delete_object(instance, **kwargs):
     model_name = model_name_full[1]
 
     # We check if the user has rights to delete the object
-    if not PermissionBackend.check_perm(user, app_label + ".delete_" + model_name, instance):
+    if not PermissionBackend.check_perm(request, app_label + ".delete_" + model_name, instance):
         raise PermissionDenied(
             _("You don't have the permission to delete this instance of model {app_label}.{model_name}.")
             .format(app_label=app_label, model_name=model_name))

apps/permission/tables.py

@@ -8,7 +8,7 @@ from django.urls import reverse_lazy
 from django.utils.html import format_html
 from django_tables2 import A
 from member.models import Membership
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
 
@@ -20,7 +20,7 @@ class RightsTable(tables.Table):
     def render_user(self, value):
         # If the user has the right, link the displayed user with the page of its detail.
         s = value.username
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)
         return s
@@ -28,7 +28,7 @@ class RightsTable(tables.Table):
     def render_club(self, value):
         # If the user has the right, link the displayed user with the page of its detail.
         s = value.name
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_club", value):
+        if PermissionBackend.check_perm(get_current_request(), "member.view_club", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:club_detail', kwargs={"pk": value.pk}), name=s)
 
@@ -42,7 +42,7 @@ class RightsTable(tables.Table):
                                      | Q(name="Bureau de club"))
                                      & Q(weirole__isnull=True))).all()
         s = ", ".join(str(role) for role in roles)
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.change_membership_roles", record):
+        if PermissionBackend.check_perm(get_current_request(), "member.change_membership_roles", record):
             s = format_html("<a href='" + str(reverse_lazy("member:club_manage_roles", kwargs={"pk": record.pk}))
                             + "'>" + s + "</a>")
         return s

apps/permission/templates/permission/scopes.html

@@ -0,0 +1,73 @@
+{% extends "base.html" %}
+
+{% load i18n %}
+
+{% block content %}
+    <div class="card">
+        <div class="card-header text-center">
+            <h2>{% trans "Available scopes" %}</h2>
+        </div>
+        <div class="card-body">
+            <div class="accordion" id="accordionApps">
+                {% for app, app_scopes in scopes.items %}
+                    <div class="card">
+                        <div class="card-header" id="app-{{ app.name|slugify }}-title">
+                            <a class="text-decoration-none collapsed" href="#" data-toggle="collapse"
+                               data-target="#app-{{ app.name|slugify }}" aria-expanded="false"
+                               aria-controls="app-{{ app.name|slugify }}">
+                                {{ app.name }}
+                            </a>
+                        </div>
+                        <div class="collapse" id="app-{{ app.name|slugify }}" aria-labelledby="app-{{ app.name|slugify }}" data-target="#accordionApps">
+                            <div class="card-body">
+                                {% for scope_id, scope_desc in app_scopes.items %}
+                                    <div class="form-group">
+                                        <label class="form-check-label" for="scope-{{ app.name|slugify }}-{{ scope_id }}">
+                                            <input type="checkbox" id="scope-{{ app.name|slugify }}-{{ scope_id }}"
+                                                   name="scope-{{ app.name|slugify }}" class="checkboxinput form-check-input" value="{{ scope_id }}">
+                                            {{ scope_desc }}
+                                        </label>
+                                    </div>
+                                {% endfor %}
+                                <p id="url-{{ app.name|slugify }}">
+                                    <a href="{% url 'oauth2_provider:authorize' %}?client_id={{ app.client_id }}&response_type=code" target="_blank">
+                                        {{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:authorize' %}?client_id={{ app.client_id }}&response_type=code
+                                    </a>
+                                </p>
+                            </div>
+                        </div>
+                    </div>
+                {% empty %}
+                    <p>
+                        {% trans "No applications defined" %}.
+                        <a href="{% url 'oauth2_provider:register' %}">{% trans "Click here" %}</a> {% trans "if you want to register a new one" %}.
+                    </p>
+                {% endfor %}
+            </div>
+        </div>
+    </div>
+{% endblock %}
+
+{% block extrajavascript %}
+    <script>
+        {% for app in scopes.keys %}
+            for (let element of document.getElementsByName("scope-{{ app.name|slugify }}")) {
+                element.onchange = function (event) {
+                    let scope = ""
+                    for (let element of document.getElementsByName("scope-{{ app.name|slugify }}")) {
+                        if (element.checked) {
+                            scope += element.value + " "
+                        }
+                    }
+
+                    scope = scope.substr(0, scope.length - 1)
+
+                    document.getElementById("url-{{ app.name|slugify }}").innerHTML = 'Scopes : ' + scope
+                        + '<br><a href="{% url 'oauth2_provider:authorize' %}?client_id={{ app.client_id }}&response_type=code&scope='+ scope.replaceAll(' ', '%20')
+                        + '" target="_blank">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:authorize' %}?client_id={{ app.client_id }}&response_type=code&scope='
+                        + scope.replaceAll(' ', '%20') + '</a>'
+                }
+            }
+        {% endfor %}
+    </script>
+{% endblock %}

apps/permission/templatetags/perms.py

@@ -1,12 +1,12 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from django.contrib.auth.models import AnonymousUser
 from django.contrib.contenttypes.models import ContentType
 from django.template.defaultfilters import stringfilter
 from django import template
-from note_kfet.middlewares import get_current_authenticated_user, get_current_session
+from note_kfet.middlewares import get_current_request
-from permission.backends import PermissionBackend
+
+from ..backends import PermissionBackend
 
 
 @stringfilter
@@ -14,9 +14,10 @@ def not_empty_model_list(model_name):
     """
     Return True if and only if the current user has right to see any object of the given model.
     """
-    user = get_current_authenticated_user()
+    request = get_current_request()
-    session = get_current_session()
+    user = request.user
-    if user is None or isinstance(user, AnonymousUser):
+    session = request.session
+    if user is None or not user.is_authenticated:
         return False
     elif user.is_superuser and session.get("permission_mask", -1) >= 42:
         return True
@@ -29,11 +30,12 @@ def model_list(model_name, t="view", fetch=True):
     """
     Return the queryset of all visible instances of the given model.
     """
-    user = get_current_authenticated_user()
+    request = get_current_request()
+    user = request.user
     spl = model_name.split(".")
     ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
-    qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(user, ct, t))
+    qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(request, ct, t))
-    if user is None or isinstance(user, AnonymousUser):
+    if user is None or not user.is_authenticated:
         return qs.none()
     if fetch:
         qs = qs.all()
@@ -49,7 +51,7 @@ def model_list_length(model_name, t="view"):
 
 
 def has_perm(perm, obj):
-    return PermissionBackend.check_perm(get_current_authenticated_user(), perm, obj)
+    return PermissionBackend.check_perm(get_current_request(), perm, obj)
 
 
 register = template.Library()

apps/permission/tests/test_oauth2.py

@@ -0,0 +1,94 @@
+# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from datetime import timedelta
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+from django.urls import reverse
+from django.utils import timezone
+from django.utils.crypto import get_random_string
+from member.models import Membership, Club
+from note.models import NoteUser
+from oauth2_provider.models import Application, AccessToken
+
+from ..models import Role, Permission
+
+
+class OAuth2TestCase(TestCase):
+    fixtures = ('initial', )
+
+    def setUp(self):
+        self.user = User.objects.create(
+            username="toto",
+        )
+        self.application = Application.objects.create(
+            name="Test",
+            client_type=Application.CLIENT_PUBLIC,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            user=self.user,
+        )
+
+    def test_oauth2_access(self):
+        """
+        Create a simple OAuth2 access token that only has the right to see data of the current user
+        and check that this token has required access, and nothing more.
+        """
+
+        bde = Club.objects.get(name="BDE")
+        view_user_perm = Permission.objects.get(pk=1)  # View own user detail
+
+        # Create access token that has access to our own user detail
+        token = AccessToken.objects.create(
+            user=self.user,
+            application=self.application,
+            scope=f"{view_user_perm.pk}_{bde.pk}",
+            token=get_random_string(64),
+            expires=timezone.now() + timedelta(days=365),
+        )
+
+        # No access without token
+        resp = self.client.get(f'/api/user/{self.user.pk}/')
+        self.assertEqual(resp.status_code, 403)
+
+        # Valid token but user has no membership, so the query is not returning the user object
+        resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})
+        self.assertEqual(resp.status_code, 404)
+
+        # Create membership to validate permissions
+        NoteUser.objects.create(user=self.user)
+        membership = Membership.objects.create(user=self.user, club_id=bde.pk)
+        membership.roles.add(Role.objects.get(name="Adhérent BDE"))
+        membership.save()
+
+        # User is now a member and can now see its own user detail
+        resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})
+        self.assertEqual(resp.status_code, 200)
+
+        # Token is not granted to see profile detail
+        resp = self.client.get(f'/api/members/profile/{self.user.profile.pk}/',
+                               **{'Authorization': f'Bearer {token.token}'})
+        self.assertEqual(resp.status_code, 404)
+
+    def test_scopes(self):
+        """
+        Ensure that the scopes page is loading.
+        """
+        self.client.force_login(self.user)
+
+        resp = self.client.get(reverse('permission:scopes'))
+        self.assertEqual(resp.status_code, 200)
+        self.assertIn(self.application, resp.context['scopes'])
+        self.assertNotIn('1_1', resp.context['scopes'][self.application])  # The user has not this permission
+
+        # Create membership to validate permissions
+        bde = Club.objects.get(name="BDE")
+        NoteUser.objects.create(user=self.user)
+        membership = Membership.objects.create(user=self.user, club_id=bde.pk)
+        membership.roles.add(Role.objects.get(name="Adhérent BDE"))
+        membership.save()
+
+        resp = self.client.get(reverse('permission:scopes'))
+        self.assertEqual(resp.status_code, 200)
+        self.assertIn(self.application, resp.context['scopes'])
+        self.assertIn('1_1', resp.context['scopes'][self.application])  # Now the user has this permission

apps/permission/urls.py

@@ -1,10 +1,17 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+from django.conf import settings
 from django.urls import path
-from permission.views import RightsView
+
+from .views import RightsView, ScopesView
 
 app_name = 'permission'
 urlpatterns = [
-    path('rights', RightsView.as_view(), name="rights"),
+    path('rights/', RightsView.as_view(), name="rights"),
 ]
+
+if "oauth2_provider" in settings.INSTALLED_APPS:
+    urlpatterns += [
+        path('scopes/', ScopesView.as_view(), name="scopes"),
+    ]

apps/permission/views.py

@@ -1,6 +1,6 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
+from collections import OrderedDict
 from datetime import date
 
 from django.contrib.auth.mixins import LoginRequiredMixin
@@ -28,7 +28,7 @@ class ProtectQuerysetMixin:
     """
     def get_queryset(self, filter_permissions=True, **kwargs):
         qs = super().get_queryset(**kwargs)
-        return qs.filter(PermissionBackend.filter_queryset(self.request.user, qs.model, "view")).distinct()\
+        return qs.filter(PermissionBackend.filter_queryset(self.request, qs.model, "view")).distinct()\
             if filter_permissions else qs
 
     def get_object(self, queryset=None):
@@ -53,7 +53,7 @@ class ProtectQuerysetMixin:
         # We could also delete the field, but some views might be affected.
         meta = form.instance._meta
         for key in form.base_fields:
-            if not PermissionBackend.check_perm(self.request.user,
+            if not PermissionBackend.check_perm(self.request,
                                                 f"{meta.app_label}.change_{meta.model_name}_" + key, self.object):
                 form.fields[key].widget = HiddenInput()
 
@@ -101,7 +101,7 @@ class ProtectedCreateView(LoginRequiredMixin, CreateView):
         # noinspection PyProtectedMember
         app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()
         perm = app_label + ".add_" + model_name
-        if not PermissionBackend.check_perm(request.user, perm, self.get_sample_object()):
+        if not PermissionBackend.check_perm(request, perm, self.get_sample_object()):
             raise PermissionDenied(_("You don't have the permission to add an instance of model "
                                      "{app_label}.{model_name}.").format(app_label=app_label, model_name=model_name))
         return super().dispatch(request, *args, **kwargs)
@@ -143,3 +143,26 @@ class RightsView(TemplateView):
                                                    prefix="superusers-")
 
         return context
+
+
+class ScopesView(LoginRequiredMixin, TemplateView):
+    template_name = "permission/scopes.html"
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+
+        from oauth2_provider.models import Application
+        from .scopes import PermissionScopes
+
+        scopes = PermissionScopes()
+        context["scopes"] = {}
+        all_scopes = scopes.get_all_scopes()
+        for app in Application.objects.filter(user=self.request.user).all():
+            available_scopes = scopes.get_available_scopes(app)
+            context["scopes"][app] = OrderedDict()
+            items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
+            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            for k, v in items:
+                context["scopes"][app][k] = v
+
+        return context

apps/registration/forms.py

@@ -5,6 +5,7 @@ from django import forms
 from django.contrib.auth.forms import UserCreationForm
 from django.contrib.auth.models import User
 from django.utils.translation import gettext_lazy as _
+from member.models import Club
 from note.models import NoteSpecial, Alias
 from note_kfet.inputs import AmountInput
 
@@ -44,13 +45,14 @@ class SignUpForm(UserCreationForm):
         fields = ('first_name', 'last_name', 'username', 'email', )
 
 
-class DeclareSogeAccountOpenedForm(forms.Form):
+# class DeclareSogeAccountOpenedForm(forms.Form):
-    soge_account = forms.BooleanField(
+#     soge_account = forms.BooleanField(
-        label=_("I declare that I opened a bank account in the Société générale with the BDE partnership."),
+#         label=_("I declare that I opened or I will open soon a bank account in the Société générale with the BDE "
-        help_text=_("Warning: this engages you to open your bank account. If you finally decides to don't open your "
+#                 "partnership."),
-                    "account, you will have to pay the BDE membership."),
+#         help_text=_("Warning: this engages you to open your bank account. If you finally decides to don't open your "
-        required=False,
+#                     "account, you will have to pay the BDE membership."),
-    )
+#         required=False,
+#     )
 
 
 class WEISignupForm(forms.Form):
@@ -66,11 +68,11 @@ class ValidationForm(forms.Form):
     """
     Validate the inscription of the new users and pay memberships.
     """
-    soge = forms.BooleanField(
+#    soge = forms.BooleanField(
-        label=_("Inscription paid by Société Générale"),
+#        label=_("Inscription paid by Société Générale"),
-        required=False,
+#        required=False,
-        help_text=_("Check this case if the Société Générale paid the inscription."),
+#        help_text=_("Check this case if the Société Générale paid the inscription."),
-    )
+#    )
 
     credit_type = forms.ModelChoiceField(
         queryset=NoteSpecial.objects,
@@ -113,3 +115,12 @@ class ValidationForm(forms.Form):
         required=False,
         initial=True,
     )
+
+    # If the bda exists
+    if Club.objects.filter(name__iexact="bda").exists():
+        # The user can join the bda club at the inscription
+        join_bda = forms.BooleanField(
+            label=_("Join BDA Club"),
+            required=False,
+            initial=True,
+        )

apps/registration/templates/registration/future_profile_detail.html

@@ -57,11 +57,13 @@ SPDX-License-Identifier: GPL-3.0-or-later
                         <h4> {% trans "Validate account" %}</h4>
                     </div>
 
+                    {% comment "Soge not for membership (only WEI)" %}
                     {% if declare_soge_account %}
                         <div class="alert alert-info">
                         {% trans "The user declared that he/she opened a bank account in the Société générale." %}
                         </div>
                     {% endif %}
+                    {% endcomment %}
 
                     <div class="card-body" id="profile_infos">
                         {% csrf_token %}
@@ -76,6 +78,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
     </div>
 {% endblock %}
 
+{% comment "Soge not for membership (only WEI)" %}
 {% block extrajavascript %}
     <script>
         soge_field = $("#id_soge");
@@ -118,3 +121,4 @@ SPDX-License-Identifier: GPL-3.0-or-later
         {% endif %}
     </script>
 {% endblock %}
+{% endcomment %}

apps/registration/tests/test_registration.py

@@ -48,6 +48,7 @@ class TestSignup(TestCase):
             ml_events_registration="en",
             ml_sport_registration=True,
             ml_art_registration=True,
+            VSS_charter_read=True
         ))
         self.assertRedirects(response, reverse("registration:email_validation_sent"), 302, 200)
         self.assertTrue(User.objects.filter(username="toto").exists())
@@ -105,6 +106,7 @@ class TestSignup(TestCase):
             ml_events_registration="en",
             ml_sport_registration=True,
             ml_art_registration=True,
+            VSS_charter_read=True
         ))
         self.assertTrue(response.status_code, 200)
 
@@ -124,6 +126,7 @@ class TestSignup(TestCase):
             ml_events_registration="en",
             ml_sport_registration=True,
             ml_art_registration=True,
+            VSS_charter_read=True
         ))
         self.assertTrue(response.status_code, 200)
 
@@ -143,6 +146,27 @@ class TestSignup(TestCase):
             ml_events_registration="en",
             ml_sport_registration=True,
             ml_art_registration=True,
+            VSS_charter_read=True
+        ))
+        self.assertTrue(response.status_code, 200)
+
+        # The VSS charter is not read
+        response = self.client.post(reverse("registration:signup"), dict(
+            first_name="Toto",
+            last_name="TOTO",
+            username="Ihaveanotherusername",
+            email="othertoto@example.com",
+            password1="toto1234",
+            password2="toto1234",
+            phone_number="+33123456789",
+            department="EXT",
+            promotion=Club.objects.get(name="BDE").membership_start.year,
+            address="Earth",
+            paid=False,
+            ml_events_registration="en",
+            ml_sport_registration=True,
+            ml_art_registration=True,
+            VSS_charter_read=False
         ))
         self.assertTrue(response.status_code, 200)
 
@@ -190,7 +214,7 @@ class TestValidateRegistration(TestCase):
 
         # BDE Membership is mandatory
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type=NoteSpecial.objects.get(special_type="Chèque").id,
             credit_amount=4200,
             last_name="TOTO",
@@ -204,7 +228,7 @@ class TestValidateRegistration(TestCase):
 
         # Same
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type="",
             credit_amount=0,
             last_name="TOTO",
@@ -218,7 +242,7 @@ class TestValidateRegistration(TestCase):
 
         # The BDE membership is not free
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type=NoteSpecial.objects.get(special_type="Espèces").id,
             credit_amount=0,
             last_name="TOTO",
@@ -232,7 +256,7 @@ class TestValidateRegistration(TestCase):
 
         # Last and first names are required for a credit
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type=NoteSpecial.objects.get(special_type="Chèque").id,
             credit_amount=4000,
             last_name="",
@@ -249,7 +273,7 @@ class TestValidateRegistration(TestCase):
         self.user.username = "admïntoto"
         self.user.save()
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type=NoteSpecial.objects.get(special_type="Chèque").id,
             credit_amount=500,
             last_name="TOTO",
@@ -275,7 +299,7 @@ class TestValidateRegistration(TestCase):
         self.user.profile.save()
 
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type=NoteSpecial.objects.get(special_type="Chèque").id,
             credit_amount=500,
             last_name="TOTO",
@@ -290,6 +314,7 @@ class TestValidateRegistration(TestCase):
         self.assertTrue(NoteUser.objects.filter(user=self.user).exists())
         self.assertTrue(Membership.objects.filter(club__name="BDE", user=self.user).exists())
         self.assertFalse(Membership.objects.filter(club__name="Kfet", user=self.user).exists())
+        self.assertFalse(Membership.objects.filter(club__name__iexact="BDA", user=self.user).exists())
         self.assertFalse(SogeCredit.objects.filter(user=self.user).exists())
         self.assertEqual(Transaction.objects.filter(
             Q(source=self.user.note) | Q(destination=self.user.note)).count(), 2)
@@ -311,7 +336,7 @@ class TestValidateRegistration(TestCase):
         self.user.profile.save()
 
         response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=False,
+            # soge=False,
             credit_type=NoteSpecial.objects.get(special_type="Espèces").id,
             credit_amount=4000,
             last_name="TOTO",
@@ -326,6 +351,7 @@ class TestValidateRegistration(TestCase):
         self.assertTrue(NoteUser.objects.filter(user=self.user).exists())
         self.assertTrue(Membership.objects.filter(club__name="BDE", user=self.user).exists())
         self.assertTrue(Membership.objects.filter(club__name="Kfet", user=self.user).exists())
+        self.assertFalse(Membership.objects.filter(club__name__iexact="BDA", user=self.user).exists())
         self.assertFalse(SogeCredit.objects.filter(user=self.user).exists())
         self.assertEqual(Transaction.objects.filter(
             Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3)
@@ -333,42 +359,43 @@ class TestValidateRegistration(TestCase):
         response = self.client.get(self.user.profile.get_absolute_url())
         self.assertEqual(response.status_code, 200)
 
-    def test_validate_kfet_registration_with_soge(self):
+#    def test_validate_kfet_registration_with_soge(self):
-        """
+#        """
-        The user joins the BDE and the Kfet, but the membership is paid by the Société générale.
+#        The user joins the BDE and the Kfet, but the membership is paid by the Société générale.
-        """
+#        """
-        response = self.client.get(reverse("registration:future_user_detail", args=(self.user.pk,)))
+#        response = self.client.get(reverse("registration:future_user_detail", args=(self.user.pk,)))
-        self.assertEqual(response.status_code, 200)
+#        self.assertEqual(response.status_code, 200)
-
+#
-        response = self.client.get(self.user.profile.get_absolute_url())
+#        response = self.client.get(self.user.profile.get_absolute_url())
-        self.assertEqual(response.status_code, 404)
+#        self.assertEqual(response.status_code, 404)
-
+#
-        self.user.profile.email_confirmed = True
+#        self.user.profile.email_confirmed = True
-        self.user.profile.save()
+#        self.user.profile.save()
-
+#
-        response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
+#        response = self.client.post(reverse("registration:future_user_detail", args=(self.user.pk,)), data=dict(
-            soge=True,
+#            soge=True,
-            credit_type=NoteSpecial.objects.get(special_type="Espèces").id,
+#            credit_type=NoteSpecial.objects.get(special_type="Espèces").id,
-            credit_amount=4000,
+#            credit_amount=4000,
-            last_name="TOTO",
+#            last_name="TOTO",
-            first_name="Toto",
+#            first_name="Toto",
-            bank="Société générale",
+#            bank="Société générale",
-            join_bde=True,
+#            join_bde=True,
-            join_kfet=True,
+#            join_kfet=True,
-        ))
+#        ))
-        self.assertRedirects(response, self.user.profile.get_absolute_url(), 302, 200)
+#        self.assertRedirects(response, self.user.profile.get_absolute_url(), 302, 200)
-        self.user.profile.refresh_from_db()
+#        self.user.profile.refresh_from_db()
-        self.assertTrue(self.user.profile.registration_valid)
+#        self.assertTrue(self.user.profile.registration_valid)
-        self.assertTrue(NoteUser.objects.filter(user=self.user).exists())
+#        self.assertTrue(NoteUser.objects.filter(user=self.user).exists())
-        self.assertTrue(Membership.objects.filter(club__name="BDE", user=self.user).exists())
+#        self.assertTrue(Membership.objects.filter(club__name="BDE", user=self.user).exists())
-        self.assertTrue(Membership.objects.filter(club__name="Kfet", user=self.user).exists())
+#        self.assertTrue(Membership.objects.filter(club__name="Kfet", user=self.user).exists())
-        self.assertTrue(SogeCredit.objects.filter(user=self.user).exists())
+#        self.assertFalse(Membership.objects.filter(club__name__iexact="BDA", user=self.user).exists())
-        self.assertEqual(Transaction.objects.filter(
+#        self.assertTrue(SogeCredit.objects.filter(user=self.user).exists())
-            Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3)
+#        self.assertEqual(Transaction.objects.filter(
-        self.assertFalse(Transaction.objects.filter(valid=True).exists())
+#            Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3)
-
+#        self.assertFalse(Transaction.objects.filter(valid=True).exists())
-        response = self.client.get(self.user.profile.get_absolute_url())
+#
-        self.assertEqual(response.status_code, 200)
+#        response = self.client.get(self.user.profile.get_absolute_url())
+#        self.assertEqual(response.status_code, 200)
 
     def test_invalidate_registration(self):
         """

apps/registration/views.py

@@ -24,7 +24,8 @@ from permission.models import Role
 from permission.views import ProtectQuerysetMixin
 from treasury.models import SogeCredit
 
-from .forms import SignUpForm, ValidationForm, DeclareSogeAccountOpenedForm
+# from .forms import SignUpForm, ValidationForm, DeclareSogeAccountOpenedForm
+from .forms import SignUpForm, ValidationForm
 from .tables import FutureUserTable
 from .tokens import email_validation_token
 
@@ -42,7 +43,7 @@ class UserCreateView(CreateView):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         context["profile_form"] = self.second_form(self.request.POST if self.request.POST else None)
-        context["soge_form"] = DeclareSogeAccountOpenedForm(self.request.POST if self.request.POST else None)
+#        context["soge_form"] = DeclareSogeAccountOpenedForm(self.request.POST if self.request.POST else None)
         del context["profile_form"].fields["section"]
         del context["profile_form"].fields["report_frequency"]
         del context["profile_form"].fields["last_report"]
@@ -66,23 +67,28 @@ class UserCreateView(CreateView):
         profile_form.instance.user = user
         profile = profile_form.save(commit=False)
         user.profile = profile
+        user._force_save = True
         user.save()
         user.refresh_from_db()
         profile.user = user
+        profile._force_save = True
         profile.save()
 
         user.profile.send_email_validation_link()
 
-        soge_form = DeclareSogeAccountOpenedForm(self.request.POST)
+#        soge_form = DeclareSogeAccountOpenedForm(self.request.POST)
-        if "soge_account" in soge_form.data and soge_form.data["soge_account"]:
+#        if "soge_account" in soge_form.data and soge_form.data["soge_account"]:
-            # If the user declares that a bank account got opened, prepare the soge credit to warn treasurers
+#            # If the user declares that a bank account got opened, prepare the soge credit to warn treasurers
-            soge_credit = SogeCredit(user=user)
+#            soge_credit = SogeCredit(user=user)
-            soge_credit._force_save = True
+#            soge_credit._force_save = True
-            soge_credit.save()
+#            soge_credit.save()
 
         return super().form_valid(form)
 
     def get_success_url(self):
+        # Direct access to validation menu if we have the right to validate it
+        if PermissionBackend.check_perm(self.request, 'auth.view_user', self.object):
+            return reverse_lazy('registration:future_user_detail', args=(self.object.pk,))
         return reverse_lazy('registration:email_validation_sent')
 
 
@@ -110,7 +116,9 @@ class UserValidateView(TemplateView):
             self.validlink = True
             user.is_active = user.profile.registration_valid or user.is_superuser
             user.profile.email_confirmed = True
+            user._force_save = True
             user.save()
+            user.profile._force_save = True
             user.profile.save()
         return self.render_to_response(self.get_context_data(), status=200 if self.validlink else 400)
 
@@ -230,12 +238,12 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
         fee += bde.membership_fee_paid if user.profile.paid else bde.membership_fee_unpaid
         kfet = Club.objects.get(name="Kfet")
         fee += kfet.membership_fee_paid if user.profile.paid else kfet.membership_fee_unpaid
-        # In 2020, for COVID-19 reasons, the BDE offered 80 € to each new member that opens a Sogé account,
+        if Club.objects.filter(name__iexact="BDA").exists():
-        # since there is no WEI.
+            bda = Club.objects.get(name__iexact="BDA")
-        fee += 8000
+            fee += bda.membership_fee_paid if user.profile.paid else bda.membership_fee_unpaid
         ctx["total_fee"] = "{:.02f}".format(fee / 100, )
 
-        ctx["declare_soge_account"] = SogeCredit.objects.filter(user=user).exists()
+#        ctx["declare_soge_account"] = SogeCredit.objects.filter(user=user).exists()
 
         return ctx
 
@@ -258,8 +266,13 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
             form.add_error(None, _("An alias with a similar name already exists."))
             return self.form_invalid(form)
 
+        # Check if BDA exist to propose membership at regisration
+        bda_exists = False
+        if Club.objects.filter(name__iexact="BDA").exists():
+            bda_exists = True
+
         # Get form data
-        soge = form.cleaned_data["soge"]
+#        soge = form.cleaned_data["soge"]
         credit_type = form.cleaned_data["credit_type"]
         credit_amount = form.cleaned_data["credit_amount"]
         last_name = form.cleaned_data["last_name"]
@@ -267,11 +280,13 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
         bank = form.cleaned_data["bank"]
         join_bde = form.cleaned_data["join_bde"]
         join_kfet = form.cleaned_data["join_kfet"]
+        if bda_exists:
+            join_bda = form.cleaned_data["join_bda"]
 
-        if soge:
+#        if soge:
-            # If Société Générale pays the inscription, the user automatically joins the two clubs.
+#            # If Société Générale pays the inscription, the user automatically joins the two clubs.
-            join_bde = True
+#            join_bde = True
-            join_kfet = True
+#            join_kfet = True
 
         if not join_bde:
             # This software belongs to the BDE.
@@ -288,15 +303,21 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
         kfet_fee = kfet.membership_fee_paid if user.profile.paid else kfet.membership_fee_unpaid
         # Add extra fee for the full membership
         fee += kfet_fee if join_kfet else 0
+        if bda_exists:
+            bda = Club.objects.get(name__iexact="BDA")
+            bda_fee = bda.membership_fee_paid if user.profile.paid else bda.membership_fee_unpaid
+            # Add extra fee for the bda membership
+            fee += bda_fee if join_bda else 0
 
-        # If the bank pays, then we don't credit now. Treasurers will validate the transaction
+#        # If the bank pays, then we don't credit now. Treasurers will validate the transaction
-        # and credit the note later.
+#        # and credit the note later.
-        credit_type = None if soge else credit_type
+#        credit_type = None if soge else credit_type
 
         # If the user does not select any payment method, then no credit will be performed.
         credit_amount = 0 if credit_type is None else credit_amount
 
-        if fee > credit_amount and not soge:
+#        if fee > credit_amount and not soge:
+        if fee > credit_amount:
             # Check if the user credits enough money
             form.add_error('credit_type',
                            _("The entered amount is not enough for the memberships, should be at least {}")
@@ -316,12 +337,12 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
         user.profile.save()
         user.refresh_from_db()
 
-        if not soge and SogeCredit.objects.filter(user=user).exists():
+#        if not soge and SogeCredit.objects.filter(user=user).exists():
-            # If the user declared that a bank account was opened but in the validation form the SoGé case was
+#            # If the user declared that a bank account was opened but in the validation form the SoGé case was
-            # unchecked, delete the associated credit
+#            # unchecked, delete the associated credit
-            soge_credit = SogeCredit.objects.get(user=user)
+#            soge_credit = SogeCredit.objects.get(user=user)
-            soge_credit._force_delete = True
+#            soge_credit._force_delete = True
-            soge_credit.delete()
+#            soge_credit.delete()
 
         if credit_type is not None and credit_amount > 0:
             # Credit the note
@@ -330,7 +351,8 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
                 destination=user.note,
                 quantity=1,
                 amount=credit_amount,
-                reason="Crédit " + ("Société générale" if soge else credit_type.special_type) + " (Inscription)",
+                reason="Crédit " + credit_type.special_type + " (Inscription)",
+                # reason="Crédit " + ("Société générale" if soge else credit_type.special_type) + " (Inscription)",
                 last_name=last_name,
                 first_name=first_name,
                 bank=bank,
@@ -344,8 +366,8 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
                 user=user,
                 fee=bde_fee,
             )
-            if soge:
+#            if soge:
-                membership._soge = True
+#                membership._soge = True
             membership.save()
             membership.refresh_from_db()
             membership.roles.add(Role.objects.get(name="Adhérent BDE"))
@@ -358,17 +380,29 @@ class FutureUserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin,
                 user=user,
                 fee=kfet_fee,
             )
-            if soge:
+#            if soge:
-                membership._soge = True
+#                membership._soge = True
             membership.save()
             membership.refresh_from_db()
             membership.roles.add(Role.objects.get(name="Adhérent Kfet"))
             membership.save()
 
-        if soge:
+        if bda_exists and join_bda:
-            soge_credit = SogeCredit.objects.get(user=user)
+            # Create membership for the user to the BDA starting today
-            # Update the credit transaction amount
+            membership = Membership(
-            soge_credit.save()
+                club=bda,
+                user=user,
+                fee=bda_fee,
+            )
+            membership.save()
+            membership.refresh_from_db()
+            membership.roles.add(Role.objects.get(name="Membre de club"))
+            membership.save()
+
+#        if soge:
+#            soge_credit = SogeCredit.objects.get(user=user)
+#            # Update the credit transaction amount
+#            soge_credit.save()
 
         return ret
 
@@ -387,7 +421,7 @@ class FutureUserInvalidateView(ProtectQuerysetMixin, LoginRequiredMixin, View):
         Delete the pre-registered user which id is given in the URL.
         """
         user = User.objects.filter(profile__registration_valid=False)\
-            .filter(PermissionBackend.filter_queryset(request.user, User, "change", "is_valid"))\
+            .filter(PermissionBackend.filter_queryset(request, User, "change", "is_valid"))\
             .get(pk=self.kwargs["pk"])
         # Delete associated soge credits before
         SogeCredit.objects.filter(user=user).delete()

apps/treasury/api/serializers.py

@@ -1,6 +1,6 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
+from django.db import transaction
 from rest_framework import serializers
 from note.api.serializers import SpecialTransactionSerializer
 
@@ -68,6 +68,14 @@ class SogeCreditSerializer(serializers.ModelSerializer):
     The djangorestframework plugin will analyse the model `SogeCredit` and parse all fields in the API.
     """
 
+    @transaction.atomic
+    def save(self, **kwargs):
+        # Update soge transactions after creating a credit
+        instance = super().save(**kwargs)
+        instance.update_transactions()
+        instance.save()
+        return instance
+
     class Meta:
         model = SogeCredit
         fields = '__all__'

apps/treasury/forms.py

@@ -4,11 +4,12 @@
 from crispy_forms.helper import FormHelper
 from crispy_forms.layout import Submit
 from django import forms
+from django.contrib.auth.models import User
 from django.db import transaction
 from django.utils.translation import gettext_lazy as _
-from note_kfet.inputs import AmountInput
+from note_kfet.inputs import AmountInput, Autocomplete
 
-from .models import Invoice, Product, Remittance, SpecialTransactionProxy
+from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeCredit
 
 
 class InvoiceForm(forms.ModelForm):
@@ -161,3 +162,19 @@ class LinkTransactionToRemittanceForm(forms.ModelForm):
     class Meta:
         model = SpecialTransactionProxy
         fields = ('remittance', )
+
+
+class SogeCreditForm(forms.ModelForm):
+    class Meta:
+        model = SogeCredit
+        fields = ('user', )
+        widgets = {
+            "user": Autocomplete(
+                User,
+                attrs={
+                    'api_url': '/api/user/',
+                    'name_field': 'username',
+                    'placeholder': 'Nom ...',
+                },
+            ),
+        }

apps/treasury/migrations/0004_auto_20211005_1544.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.24 on 2021-10-05 13:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('treasury', '0003_auto_20210321_1034'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='sogecredit',
+            name='transactions',
+            field=models.ManyToManyField(blank=True, related_name='_sogecredit_transactions_+', to='note.MembershipTransaction', verbose_name='membership transactions'),
+        ),
+    ]

apps/treasury/migrations/0005_auto_20230129_2348.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-01-29 22:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('treasury', '0004_auto_20211005_1544'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='invoice',
+            name='bde',
+            field=models.CharField(choices=[('TotalistSpies', 'Tota[list]Spies'), ('Saperlistpopette', 'Saper[list]popette'), ('Finalist', 'Fina[list]'), ('Listorique', '[List]orique'), ('Satellist', 'Satel[list]'), ('Monopolist', 'Monopo[list]'), ('Kataclist', 'Katac[list]')], default='TotalistSpies', max_length=32, verbose_name='BDE'),
+        ),
+    ]

apps/treasury/migrations/0006_auto_20230414_1651.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-04-14 14:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('treasury', '0005_auto_20230129_2348'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='invoice',
+            name='bde',
+            field=models.CharField(choices=[('SecretStorlist', 'SecretStor[list]'), ('TotalistSpies', 'Tota[list]Spies'), ('Saperlistpopette', 'Saper[list]popette'), ('Finalist', 'Fina[list]'), ('Listorique', '[List]orique'), ('Satellist', 'Satel[list]'), ('Monopolist', 'Monopo[list]'), ('Kataclist', 'Katac[list]')], default='SecretStorlist', max_length=32, verbose_name='BDE'),
+        ),
+    ]

apps/treasury/models.py

@@ -1,8 +1,8 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2023 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
 from datetime import date
 
+from django.conf import settings
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError
 from django.core.validators import MinValueValidator
@@ -11,6 +11,8 @@ from django.db.models import Q
 from django.template.loader import render_to_string
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
+# from member.models import Club, Membership # Club unused because of disabled soge
+from member.models import Membership
 from note.models import NoteSpecial, SpecialTransaction, MembershipTransaction, NoteUser
 
 
@@ -26,8 +28,10 @@ class Invoice(models.Model):
 
     bde = models.CharField(
         max_length=32,
-        default='Saperlistpopette',
+        default='SecretStorlist',
         choices=(
+            ('SecretStorlist', 'SecretStor[list]'),
+            ('TotalistSpies', 'Tota[list]Spies'),
             ('Saperlistpopette', 'Saper[list]popette'),
             ('Finalist', 'Fina[list]'),
             ('Listorique', '[List]orique'),
@@ -93,7 +97,7 @@ class Invoice(models.Model):
         products = self.products.all()
 
         self.place = "Gif-sur-Yvette"
-        self.my_name = "BDE ENS Cachan"
+        self.my_name = "BDE ENS Paris Saclay"
         self.my_address_street = "4 avenue des Sciences"
         self.my_city = "91190 Gif-sur-Yvette"
         self.bank_code = 30003
@@ -286,6 +290,7 @@ class SogeCredit(models.Model):
     transactions = models.ManyToManyField(
         MembershipTransaction,
         related_name="+",
+        blank=True,
         verbose_name=_("membership transactions"),
     )
 
@@ -302,8 +307,56 @@ class SogeCredit(models.Model):
 
     @property
     def amount(self):
-        return self.credit_transaction.total if self.valid \
+        if self.valid:
-            else sum(transaction.total for transaction in self.transactions.all()) + 8000
+            return self.credit_transaction.total
+        amount = sum(transaction.total for transaction in self.transactions.all())
+        if 'wei' in settings.INSTALLED_APPS:
+            from wei.models import WEIMembership
+            if not WEIMembership.objects\
+                    .filter(club__weiclub__year=self.credit_transaction.created_at.year, user=self.user).exists():
+                # 80 € for people that don't go to WEI
+                amount += 8000
+        return amount
+
+    def update_transactions(self):
+        """
+        The Sogé credit may be created after the user already paid its memberships.
+        We query transactions and update the credit, if it is unvalid.
+        """
+        if self.valid or not self.pk:
+            return
+
+# Soge do not pay BDE and kfet memberships since 2022
+#        bde = Club.objects.get(name="BDE")
+#        kfet = Club.objects.get(name="Kfet")
+#        bde_qs = Membership.objects.filter(user=self.user, club=bde, date_start__gte=bde.membership_start)
+#        kfet_qs = Membership.objects.filter(user=self.user, club=kfet, date_start__gte=kfet.membership_start)
+
+#        if bde_qs.exists():
+#            m = bde_qs.get()
+#            if MembershipTransaction.objects.filter(membership=m).exists():  # non-free membership
+#                if m.transaction not in self.transactions.all():
+#                    self.transactions.add(m.transaction)
+#
+#        if kfet_qs.exists():
+#            m = kfet_qs.get()
+#            if MembershipTransaction.objects.filter(membership=m).exists():  # non-free membership
+#                if m.transaction not in self.transactions.all():
+#                    self.transactions.add(m.transaction)
+
+        if 'wei' in settings.INSTALLED_APPS:
+            from wei.models import WEIClub
+            wei = WEIClub.objects.order_by('-year').first()
+            wei_qs = Membership.objects.filter(user=self.user, club=wei, date_start__gte=wei.membership_start)
+            if wei_qs.exists():
+                m = wei_qs.get()
+                if MembershipTransaction.objects.filter(membership=m).exists():  # non-free membership
+                    if m.transaction not in self.transactions.all():
+                        self.transactions.add(m.transaction)
+
+        for tr in self.transactions.all():
+            tr.valid = False
+            tr.save()
 
     def invalidate(self):
         """
@@ -335,7 +388,6 @@ class SogeCredit(models.Model):
         for tr in self.transactions.all():
             tr.valid = True
             tr._force_save = True
-            tr.created_at = timezone.now()
             tr.save()
 
     @transaction.atomic
@@ -365,7 +417,8 @@ class SogeCredit(models.Model):
             self.credit_transaction.amount = self.amount
             self.credit_transaction._force_save = True
             self.credit_transaction.save()
-        super().save(*args, **kwargs)
+
+        return super().save(*args, **kwargs)
 
     def delete(self, **kwargs):
         """
@@ -383,15 +436,15 @@ class SogeCredit(models.Model):
         for tr in self.transactions.all():
             tr._force_save = True
             tr.valid = True
-            tr.created_at = timezone.now()
             tr.save()
         if self.credit_transaction:
             # If the soge credit is deleted while the user is not validated yet,
             # there is not credit transaction.
-            # There is a credit transaction iff the user declares that no bank account
+            # There is a credit transaction if the user declares that no bank account
             # was opened after the validation of the account.
             self.credit_transaction.valid = False
             self.credit_transaction.reason += " (invalide)"
+            self.credit_transaction._force_save = True
             self.credit_transaction.save()
         super().delete(**kwargs)
 

apps/treasury/templates/treasury/invoice_sample.tex

@@ -105,8 +105,8 @@
 
 \renewcommand{\headrulewidth}{0pt}
 \cfoot{
-    \small{\MonNom  ~--~ \MonAdresseRue ~ \MonAdresseVille ~--~ Téléphone : +33(0)6 89 88 56 50\newline
+    \small{\MonNom  ~--~ \MonAdresseRue ~ \MonAdresseVille ~--~ Téléphone : +33(0)7 78 17 22 34\newline
-     Site web : bde.ens-cachan.fr ~--~ E-mail : tresorerie.bde@lists.crans.org \newline Numéro SIRET : 399 485 838 00011
+     Site web : bde.ens-cachan.fr ~--~ E-mail : tresorerie.bde@lists.crans.org \newline Numéro SIRET : 399 485 838 00029
     }
 }
 

apps/treasury/templates/treasury/sogecredit_list.html

@@ -3,6 +3,7 @@
 SPDX-License-Identifier: GPL-3.0-or-later
 {% endcomment %}
 {% load render_table from django_tables2 %}
+{% load crispy_forms_filters %}
 {% load i18n %}
 
 {% block content %}
@@ -27,7 +28,12 @@ SPDX-License-Identifier: GPL-3.0-or-later
         {{ title }}
     </h3>
     <div class="card-body">
-        <input id="searchbar" type="text" class="form-control" placeholder="Nom/prénom/note ...">
+        <div class="input-group">
+            <input id="searchbar" type="text" class="form-control" placeholder="Nom/prénom/note ...">
+            <div class="input-group-append">
+                <button id="add_sogecredit" class="btn btn-success" data-toggle="modal" data-target="#add-sogecredit-modal">{% trans "Add" %}</button>
+            </div>
+        </div>
         <div class="form-check">
             <label for="invalid_only" class="form-check-label">
                 <input id="invalid_only" name="invalid_only" type="checkbox" class="checkboxinput form-check-input" checked>
@@ -47,28 +53,65 @@ SPDX-License-Identifier: GPL-3.0-or-later
         {% endif %}
     </div>
 </div>
+
+{# Popup to add new Soge credits manually if needed #}
+<div class="modal fade" id="add-sogecredit-modal" tabindex="-1" role="dialog" aria-labelledby="addSogeCredit"
+     aria-hidden="true">
+    <div class="modal-dialog" role="document">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h5 class="modal-title" id="lockNote">{% trans "Add credit from the Société générale" %}</h5>
+                <button type="button" class="close btn-modal" data-dismiss="modal" aria-label="Close">
+                    <span aria-hidden="true">&times;</span>
+                </button>
+            </div>
+            <div class="modal-body">
+                {{ form|crispy }}
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-secondary btn-modal" data-dismiss="modal">{% trans "Close" %}</button>
+                <button type="button" class="btn btn-success btn-modal" data-dismiss="modal" onclick="addSogeCredit()">{% trans "Add" %}</button>
+            </div>
+        </div>
+    </div>
+</div>
 {% endblock %}
 
 {% block extrajavascript %}
 <script type="text/javascript">
-    $(document).ready(function () {
+    let old_pattern = null;
-        let old_pattern = null;
+    let searchbar_obj = $("#searchbar");
-        let searchbar_obj = $("#searchbar");
+    let invalid_only_obj = $("#invalid_only");
-        let invalid_only_obj = $("#invalid_only");
 
-        function reloadTable() {
+    function reloadTable() {
-            let pattern = searchbar_obj.val();
+        let pattern = searchbar_obj.val();
 
-            $("#credits_table").load(location.pathname + "?search=" + pattern.replace(" ", "%20") + (
+        $("#credits_table").load(location.pathname + "?search=" + pattern.replace(" ", "%20") + (
-                invalid_only_obj.is(':checked') ? "" : "&valid=1") + " #credits_table");
+            invalid_only_obj.is(':checked') ? "" : "&valid=1") + " #credits_table");
 
-            $(".table-row").click(function () {
+        $(".table-row").click(function () {
-                window.document.location = $(this).data("href");
+            window.document.location = $(this).data("href");
-            });
+        });
-        }
+    }
 
-        searchbar_obj.keyup(reloadTable);
+    searchbar_obj.keyup(reloadTable);
-        invalid_only_obj.change(reloadTable);
+    invalid_only_obj.change(reloadTable);
-    });
+
+    function addSogeCredit() {
+        let user_pk = $('#id_user_pk').val()
+        if (!user_pk)
+            return
+
+        $.post('/api/treasury/soge_credit/?format=json', {
+            csrfmiddlewaretoken: CSRF_TOKEN,
+            user: user_pk,
+        }).done(function() {
+            addMsg("{% trans "Credit successfully registered" %}", 'success', 10000)
+            reloadTable()
+        }).fail(function (xhr) {
+            errMsg(xhr.responseJSON, 30000)
+            reloadTable()
+        })
+    }
 </script>
 {% endblock %}

apps/treasury/views.py

@@ -25,7 +25,8 @@ from note_kfet.settings.base import BASE_DIR
 from permission.backends import PermissionBackend
 from permission.views import ProtectQuerysetMixin, ProtectedCreateView
 
-from .forms import InvoiceForm, ProductFormSet, ProductFormSetHelper, RemittanceForm, LinkTransactionToRemittanceForm
+from .forms import InvoiceForm, ProductFormSet, ProductFormSetHelper, RemittanceForm, \
+    LinkTransactionToRemittanceForm, SogeCreditForm
 from .models import Invoice, Product, Remittance, SpecialTransactionProxy, SogeCredit
 from .tables import InvoiceTable, RemittanceTable, SpecialTransactionTable, SogeCreditTable
 
@@ -107,7 +108,7 @@ class InvoiceListView(LoginRequiredMixin, SingleTableView):
             name="",
             address="",
         )
-        if not PermissionBackend.check_perm(self.request.user, "treasury.add_invoice", sample_invoice):
+        if not PermissionBackend.check_perm(self.request, "treasury.view_invoice", sample_invoice):
             raise PermissionDenied(_("You are not able to see the treasury interface."))
         return super().dispatch(request, *args, **kwargs)
 
@@ -194,7 +195,7 @@ class InvoiceRenderView(LoginRequiredMixin, View):
 
     def get(self, request, **kwargs):
         pk = kwargs["pk"]
-        invoice = Invoice.objects.filter(PermissionBackend.filter_queryset(request.user, Invoice, "view")).get(pk=pk)
+        invoice = Invoice.objects.filter(PermissionBackend.filter_queryset(request, Invoice, "view")).get(pk=pk)
         tex = invoice.tex
 
         try:
@@ -259,7 +260,7 @@ class RemittanceCreateView(ProtectQuerysetMixin, ProtectedCreateView):
 
         context["table"] = RemittanceTable(
             data=Remittance.objects.filter(
-                PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all())
+                PermissionBackend.filter_queryset(self.request, Remittance, "view")).all())
         context["special_transactions"] = SpecialTransactionTable(data=SpecialTransaction.objects.none())
 
         return context
@@ -281,7 +282,7 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
             remittance_type_id=1,
             comment="",
         )
-        if not PermissionBackend.check_perm(self.request.user, "treasury.add_remittance", sample_remittance):
+        if not PermissionBackend.check_perm(self.request, "treasury.add_remittance", sample_remittance):
             raise PermissionDenied(_("You are not able to see the treasury interface."))
         return super().dispatch(request, *args, **kwargs)
 
@@ -290,7 +291,7 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
 
         opened_remittances = RemittanceTable(
             data=Remittance.objects.filter(closed=False).filter(
-                PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all(),
+                PermissionBackend.filter_queryset(self.request, Remittance, "view")).all(),
             prefix="opened-remittances-",
         )
         opened_remittances.paginate(page=self.request.GET.get("opened-remittances-page", 1), per_page=10)
@@ -298,7 +299,7 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
 
         closed_remittances = RemittanceTable(
             data=Remittance.objects.filter(closed=True).filter(
-                PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all(),
+                PermissionBackend.filter_queryset(self.request, Remittance, "view")).all(),
             prefix="closed-remittances-",
         )
         closed_remittances.paginate(page=self.request.GET.get("closed-remittances-page", 1), per_page=10)
@@ -307,7 +308,7 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
         no_remittance_tr = SpecialTransactionTable(
             data=SpecialTransaction.objects.filter(source__in=NoteSpecial.objects.filter(~Q(remittancetype=None)),
                                                    specialtransactionproxy__remittance=None).filter(
-                PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all(),
+                PermissionBackend.filter_queryset(self.request, Remittance, "view")).all(),
             exclude=('remittance_remove', ),
             prefix="no-remittance-",
         )
@@ -317,7 +318,7 @@ class RemittanceListView(LoginRequiredMixin, TemplateView):
         with_remittance_tr = SpecialTransactionTable(
             data=SpecialTransaction.objects.filter(source__in=NoteSpecial.objects.filter(~Q(remittancetype=None)),
                                                    specialtransactionproxy__remittance__closed=False).filter(
-                PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all(),
+                PermissionBackend.filter_queryset(self.request, Remittance, "view")).all(),
             exclude=('remittance_add', ),
             prefix="with-remittance-",
         )
@@ -342,7 +343,7 @@ class RemittanceUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView)
         context = super().get_context_data(**kwargs)
 
         data = SpecialTransaction.objects.filter(specialtransactionproxy__remittance=self.object).filter(
-            PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all()
+            PermissionBackend.filter_queryset(self.request, Remittance, "view")).all()
         context["special_transactions"] = SpecialTransactionTable(
             data=data,
             exclude=('remittance_add', 'remittance_remove', ) if self.object.closed else ('remittance_add', ))
@@ -433,6 +434,11 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
 
         return qs
 
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context['form'] = SogeCreditForm(self.request.POST or None)
+        return context
+
 
 class SogeCreditManageView(LoginRequiredMixin, ProtectQuerysetMixin, BaseFormView, DetailView):
     """

apps/wei/forms/__init__.py

@@ -1,10 +1,10 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from .registration import WEIForm, WEIRegistrationForm, WEIMembershipForm, BusForm, BusTeamForm
+from .registration import WEIForm, WEIRegistrationForm, WEIMembership1AForm, WEIMembershipForm, BusForm, BusTeamForm
 from .surveys import WEISurvey, WEISurveyInformation, WEISurveyAlgorithm, CurrentSurvey
 
 __all__ = [
-    'WEIForm', 'WEIRegistrationForm', 'WEIMembershipForm', 'BusForm', 'BusTeamForm',
+    'WEIForm', 'WEIRegistrationForm', 'WEIMembership1AForm', 'WEIMembershipForm', 'BusForm', 'BusTeamForm',
     'WEISurvey', 'WEISurveyInformation', 'WEISurveyAlgorithm', 'CurrentSurvey',
 ]

apps/wei/forms/registration.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2023 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django import forms
@@ -6,7 +6,7 @@ from django.contrib.auth.models import User
 from django.db.models import Q
 from django.forms import CheckboxSelectMultiple
 from django.utils.translation import gettext_lazy as _
-from note.models import NoteSpecial
+from note.models import NoteSpecial, NoteUser
 from note_kfet.inputs import AmountInput, DatePickerInput, Autocomplete, ColorWidget
 
 from ..models import WEIClub, WEIRegistration, Bus, BusTeam, WEIMembership, WEIRole
@@ -27,9 +27,18 @@ class WEIForm(forms.ModelForm):
 
 
 class WEIRegistrationForm(forms.ModelForm):
+    def clean(self):
+        cleaned_data = super().clean()
+
+        if 'user' in cleaned_data:
+            if not NoteUser.objects.filter(user=cleaned_data['user']).exists():
+                self.add_error('user', _("The selected user is not validated. Please validate its account first"))
+
+        return cleaned_data
+
     class Meta:
         model = WEIRegistration
-        exclude = ('wei', )
+        exclude = ('wei', 'clothing_cut')
         widgets = {
             "user": Autocomplete(
                 User,
@@ -39,8 +48,7 @@ class WEIRegistrationForm(forms.ModelForm):
                     'placeholder': 'Nom ...',
                 },
             ),
-            "birth_date": DatePickerInput(options={'defaultDate': '2000-01-01',
+            "birth_date": DatePickerInput(options={'minDate': '1900-01-01',
-                                                   'minDate': '1900-01-01',
                                                    'maxDate': '2100-01-01'}),
         }
 
@@ -109,7 +117,8 @@ class WEIMembershipForm(forms.ModelForm):
 
     def clean(self):
         cleaned_data = super().clean()
-        if cleaned_data["team"] is not None and cleaned_data["team"].bus != cleaned_data["bus"]:
+        if 'team' in cleaned_data and cleaned_data["team"] is not None \
+                and cleaned_data["team"].bus != cleaned_data["bus"]:
             self.add_error('bus', _("This team doesn't belong to the given bus."))
         return cleaned_data
 
@@ -135,10 +144,24 @@ class WEIMembershipForm(forms.ModelForm):
         }
 
 
+class WEIMembership1AForm(WEIMembershipForm):
+    """
+    Used to confirm registrations of first year members without choosing a bus now.
+    """
+    roles = None
+
+    def clean(self):
+        return super(forms.ModelForm, self).clean()
+
+    class Meta:
+        model = WEIMembership
+        fields = ('credit_type', 'credit_amount', 'last_name', 'first_name', 'bank',)
+
+
 class BusForm(forms.ModelForm):
     class Meta:
         model = Bus
-        exclude = ('information_json',)
+        fields = '__all__'
         widgets = {
             "wei": Autocomplete(
                 WEIClub,

apps/wei/forms/surveys/__init__.py

@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .base import WEISurvey, WEISurveyInformation, WEISurveyAlgorithm
-from .wei2021 import WEISurvey2021
+from .wei2023 import WEISurvey2023
 
 
 __all__ = [
     'WEISurvey', 'WEISurveyInformation', 'WEISurveyAlgorithm', 'CurrentSurvey',
 ]
 
-CurrentSurvey = WEISurvey2021
+CurrentSurvey = WEISurvey2023

apps/wei/forms/surveys/base.py

@@ -1,12 +1,12 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from typing import Optional
+from typing import Optional, List
 
 from django.db.models import QuerySet
 from django.forms import Form
 
-from ...models import WEIClub, WEIRegistration, Bus
+from ...models import WEIClub, WEIRegistration, Bus, WEIMembership
 
 
 class WEISurveyInformation:
@@ -50,6 +50,20 @@ class WEIBusInformation:
         self.bus.information = d
         self.bus.save()
 
+    def free_seats(self, surveys: List["WEISurvey"] = None, quotas=None):
+        if not quotas:
+            size = self.bus.size
+            already_occupied = WEIMembership.objects.filter(bus=self.bus).count()
+            quotas = {self.bus: size - already_occupied}
+
+        quota = quotas[self.bus]
+        valid_surveys = sum(1 for survey in surveys if survey.information.valid
+                            and survey.information.get_selected_bus() == self.bus) if surveys else 0
+        return quota - valid_surveys
+
+    def has_free_seats(self, surveys=None, quotas=None):
+        return self.free_seats(surveys, quotas) > 0
+
 
 class WEISurveyAlgorithm:
     """
@@ -76,14 +90,20 @@ class WEISurveyAlgorithm:
         """
         Queryset of all first year registrations
         """
-        return WEIRegistration.objects.filter(wei__year=cls.get_survey_class().get_year(), first_year=True)
+        if not hasattr(cls, '_registrations'):
+            cls._registrations = WEIRegistration.objects.filter(wei__year=cls.get_survey_class().get_year(),
+                                                                first_year=True).all()
+
+        return cls._registrations
 
     @classmethod
     def get_buses(cls) -> QuerySet:
         """
         Queryset of all buses of the associated wei.
         """
-        return Bus.objects.filter(wei__year=cls.get_survey_class().get_year())
+        if not hasattr(cls, '_buses'):
+            cls._buses = Bus.objects.filter(wei__year=cls.get_survey_class().get_year(), size__gt=0).all()
+        return cls._buses
 
     @classmethod
     def get_bus_information(cls, bus):
@@ -125,7 +145,10 @@ class WEISurvey:
         """
         The WEI associated to this kind of survey.
         """
-        return WEIClub.objects.get(year=cls.get_year())
+        if not hasattr(cls, '_wei'):
+            cls._wei = WEIClub.objects.get(year=cls.get_year())
+
+        return cls._wei
 
     @classmethod
     def get_survey_information_class(cls):
@@ -192,3 +215,23 @@ class WEISurvey:
         self.information.selected_bus_pk = bus.pk
         self.information.selected_bus_name = bus.name
         self.information.valid = True
+
+    def free(self) -> None:
+        """
+        Unselect the select bus.
+        """
+        self.information.selected_bus_pk = None
+        self.information.selected_bus_name = None
+        self.information.valid = False
+
+    @classmethod
+    def clear_cache(cls):
+        """
+        Clear stored information.
+        """
+        if hasattr(cls, '_wei'):
+            del cls._wei
+        if hasattr(cls.get_algorithm_class(), '_registrations'):
+            del cls.get_algorithm_class()._registrations
+        if hasattr(cls.get_algorithm_class(), '_buses'):
+            del cls.get_algorithm_class()._buses

apps/wei/forms/surveys/wei2021.py

@@ -1,23 +1,28 @@
 # Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 import time
+from functools import lru_cache
 from random import Random
 
 from django import forms
 from django.db import transaction
+from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 
 from .base import WEISurvey, WEISurveyInformation, WEISurveyAlgorithm, WEIBusInformation
-from ...models import Bus
+from ...models import WEIMembership
 
-
+WORDS = [
-# TODO: Use new words
+    '13 organisé', '3ième mi temps', 'Années 2000', 'Apéro', 'BBQ', 'BP', 'Beauf', 'Binge drinking', 'Bon enfant',
-WORDS = ['Rap', 'Retro', 'DJ', 'Rock', 'Jazz', 'Chansons Populaires', 'Chansons Paillardes', 'Pop', 'Fanfare',
+    'Cartouche', 'Catacombes', 'Chansons paillardes', 'Chansons populaires', 'Chanteur', 'Chartreuse', 'Chill',
-         'Biere', 'Pastis', 'Vodka', 'Cocktails', 'Eau', 'Sirop', 'Jus de fruit', 'Binge Drinking', 'Rhum',
+    'Core', 'DJ', 'Dancefloor', 'Danse', 'David Guetta', 'Disco', 'Eau de vie', 'Électro', 'Escalade', 'Familial',
-         'Eau de vie', 'Apéro', 'Morning beer', 'Huit-six', 'Jeux de societé', 'Jeux de cartes', 'Danse', 'Karaoké',
+    'Fanfare', 'Fracassage', 'Féria', 'Hard rock', 'Hoeggarden', 'House', 'Huit-six', 'IPA', 'Inclusif', 'Inferno',
-         'Bière Pong', 'Poker', 'Loup Garou', 'Films', "Jeux d'alcool", 'Sport', 'Rangées de cul', 'Chips', 'BBQ',
+    'Introverti', 'Jager bomb', 'Jazz', 'Jeux d\'alcool', 'Jeux de rôles', 'Jeux vidéo', 'Jul', 'Jus de fruit',
-         'Kebab', 'Saucisse', 'Vegan', 'Vege', 'LGBTIQ+', 'Dab', 'Solitaire', 'Séducteur', 'Sociale', 'Chanteur',
+    'Karaoké', 'LGBTQI+', 'Lady Gaga', 'Loup garou', 'Morning beer', 'Métal', 'Nuit blanche', 'Ovalie', 'Psychedelic',
-         'Se lacher', 'Chill', 'Débile', 'Beauf', 'Bon enfant']
+    'Pétanque', 'Rave', 'Reggae', 'Rhum', 'Ricard', 'Rock', 'Rosé', 'Rétro', 'Séducteur', 'Techno', 'Thérapie taxi',
+    'Théâtre', 'Trap', 'Turn up', 'Underground', 'Volley', 'Wati B', 'Zinédine Zidane',
+]
 
 
 class WEISurveyForm2021(forms.Form):
@@ -39,19 +44,31 @@ class WEISurveyForm2021(forms.Form):
         if not information.seed:
             information.seed = int(1000 * time.time())
             information.save(registration)
+            registration._force_save = True
             registration.save()
 
-        rng = Random(information.seed)
-
-        words = []
-        for _ in range(information.step + 1):
-            # Generate N times words
-            words = [rng.choice(WORDS) for _ in range(10)]
-        words = [(w, w) for w in words]
         if self.data:
             self.fields["word"].choices = [(w, w) for w in WORDS]
             if self.is_valid():
                 return
+
+        rng = Random((information.step + 1) * information.seed)
+
+        words = None
+
+        buses = WEISurveyAlgorithm2021.get_buses()
+        informations = {bus: WEIBusInformation2021(bus) for bus in buses}
+        scores = sum((list(informations[bus].scores.values()) for bus in buses), [])
+        average_score = sum(scores) / len(scores)
+
+        preferred_words = {bus: [word for word in WORDS
+                                 if informations[bus].scores[word] >= average_score]
+                           for bus in buses}
+        while words is None or len(set(words)) != len(words):
+            # Ensure that there is no the same word 2 times
+            words = [rng.choice(words) for _ignored2, words in preferred_words.items()]
+        rng.shuffle(words)
+        words = [(w, w) for w in words]
         self.fields["word"].choices = words
 
 
@@ -59,9 +76,12 @@ class WEIBusInformation2021(WEIBusInformation):
     """
     For each word, the bus has a score
     """
+    scores: dict
+
     def __init__(self, bus):
+        self.scores = {}
         for word in WORDS:
-            setattr(self, word, 0.0)
+            self.scores[word] = 0.0
         super().__init__(bus)
 
 
@@ -119,12 +139,46 @@ class WEISurvey2021(WEISurvey):
         """
         return self.information.step == 20
 
+    @classmethod
+    @lru_cache()
+    def word_mean(cls, word):
+        """
+        Calculate the mid-score given by all buses.
+        """
+        buses = cls.get_algorithm_class().get_buses()
+        return sum([cls.get_algorithm_class().get_bus_information(bus).scores[word] for bus in buses]) / buses.count()
+
+    @lru_cache()
+    def score(self, bus):
+        if not self.is_complete():
+            raise ValueError("Survey is not ended, can't calculate score")
+
+        bus_info = self.get_algorithm_class().get_bus_information(bus)
+        # Score is the given score by the bus subtracted to the mid-score of the buses.
+        s = sum(bus_info.scores[getattr(self.information, 'word' + str(i))]
+                - self.word_mean(getattr(self.information, 'word' + str(i))) for i in range(1, 21)) / 20
+        return s
+
+    @lru_cache()
+    def scores_per_bus(self):
+        return {bus: self.score(bus) for bus in self.get_algorithm_class().get_buses()}
+
+    @lru_cache()
+    def ordered_buses(self):
+        values = list(self.scores_per_bus().items())
+        values.sort(key=lambda item: -item[1])
+        return values
+
+    @classmethod
+    def clear_cache(cls):
+        cls.word_mean.cache_clear()
+        return super().clear_cache()
+
 
 class WEISurveyAlgorithm2021(WEISurveyAlgorithm):
     """
     The algorithm class for the year 2021.
-    For now, the algorithm is quite simple: the selected bus is the chosen bus.
+    We use Gale-Shapley algorithm to attribute 1y students into buses.
-    TODO: Improve this algorithm.
     """
 
     @classmethod
@@ -135,9 +189,105 @@ class WEISurveyAlgorithm2021(WEISurveyAlgorithm):
     def get_bus_information_class(cls):
         return WEIBusInformation2021
 
-    def run_algorithm(self):
+    def run_algorithm(self, display_tqdm=False):
-        for registration in self.get_registrations():
+        """
-            survey = self.get_survey_class()(registration)
+        Gale-Shapley algorithm implementation.
-            rng = Random(survey.information.seed)
+        We modify it to allow buses to have multiple "weddings".
-            survey.select_bus(rng.choice(Bus.objects.all()))
+        """
+        surveys = list(self.get_survey_class()(r) for r in self.get_registrations())  # All surveys
+        surveys = [s for s in surveys if s.is_complete()]  # Don't consider invalid surveys
+        # Don't manage hardcoded people
+        surveys = [s for s in surveys if not hasattr(s.information, 'hardcoded') or not s.information.hardcoded]
+
+        # Reset previous algorithm run
+        for survey in surveys:
+            survey.free()
             survey.save()
+
+        non_men = [s for s in surveys if s.registration.gender != 'male']
+        men = [s for s in surveys if s.registration.gender == 'male']
+
+        quotas = {}
+        registrations = self.get_registrations()
+        non_men_total = registrations.filter(~Q(gender='male')).count()
+        for bus in self.get_buses():
+            free_seats = bus.size - WEIMembership.objects.filter(bus=bus, registration__first_year=False).count()
+            # Remove hardcoded people
+            free_seats -= WEIMembership.objects.filter(bus=bus, registration__first_year=True,
+                                                       registration__information_json__icontains="hardcoded").count()
+            quotas[bus] = 4 + int(non_men_total / registrations.count() * free_seats)
+
+        tqdm_obj = None
+        if display_tqdm:
+            from tqdm import tqdm
+            tqdm_obj = tqdm(total=len(non_men), desc="Non-hommes")
+
+        # Repartition for non men people first
+        self.make_repartition(non_men, quotas, tqdm_obj=tqdm_obj)
+
+        quotas = {}
+        for bus in self.get_buses():
+            free_seats = bus.size - WEIMembership.objects.filter(bus=bus, registration__first_year=False).count()
+            free_seats -= sum(1 for s in non_men if s.information.selected_bus_pk == bus.pk)
+            # Remove hardcoded people
+            free_seats -= WEIMembership.objects.filter(bus=bus, registration__first_year=True,
+                                                       registration__information_json__icontains="hardcoded").count()
+            quotas[bus] = free_seats
+
+        if display_tqdm:
+            tqdm_obj.close()
+
+            from tqdm import tqdm
+            tqdm_obj = tqdm(total=len(men), desc="Hommes")
+
+        self.make_repartition(men, quotas, tqdm_obj=tqdm_obj)
+
+        if display_tqdm:
+            tqdm_obj.close()
+
+        # Clear cache information after running algorithm
+        WEISurvey2021.clear_cache()
+
+    def make_repartition(self, surveys, quotas=None, tqdm_obj=None):
+        free_surveys = surveys.copy()  # Remaining surveys
+        while free_surveys:  # Some students are not affected
+            survey = free_surveys[0]
+            buses = survey.ordered_buses()  # Preferences of the student
+            for bus, current_score in buses:
+                if self.get_bus_information(bus).has_free_seats(surveys, quotas):
+                    # Selected bus has free places. Put student in the bus
+                    survey.select_bus(bus)
+                    survey.save()
+                    free_surveys.remove(survey)
+                    break
+                else:
+                    # Current bus has not enough places. Remove the least preferred student from the bus if existing
+                    least_preferred_survey = None
+                    least_score = -1
+                    # Find the least student in the bus that has a lower score than the current student
+                    for survey2 in surveys:
+                        if not survey2.information.valid or survey2.information.get_selected_bus() != bus:
+                            continue
+                        score2 = survey2.score(bus)
+                        if current_score <= score2:  # Ignore better students
+                            continue
+                        if least_preferred_survey is None or score2 < least_score:
+                            least_preferred_survey = survey2
+                            least_score = score2
+
+                    if least_preferred_survey is not None:
+                        # Remove the least student from the bus and put the current student in.
+                        # If it does not exist, choose the next bus.
+                        least_preferred_survey.free()
+                        least_preferred_survey.save()
+                        free_surveys.append(least_preferred_survey)
+                        survey.select_bus(bus)
+                        survey.save()
+                        free_surveys.remove(survey)
+                        break
+            else:
+                raise ValueError(f"User {survey.registration.user} has no free seat")
+
+            if tqdm_obj is not None:
+                tqdm_obj.n = len(surveys) - len(free_surveys)
+                tqdm_obj.refresh()

apps/wei/forms/surveys/wei2022.py

@@ -0,0 +1,296 @@
+# Copyright (C) 2018-2023 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import time
+from functools import lru_cache
+from random import Random
+
+from django import forms
+from django.db import transaction
+from django.db.models import Q
+from django.utils.translation import gettext_lazy as _
+
+from .base import WEISurvey, WEISurveyInformation, WEISurveyAlgorithm, WEIBusInformation
+from ...models import WEIMembership
+
+WORDS = [
+    'ABBA', 'After', 'Alcoolique anonyme', 'Ambiance festive', 'Années 2000', 'Apéro', 'Art',
+    'Baby foot billard biere pong', 'BBQ', 'Before', 'Bière pong', 'Bon enfant', 'Calme', 'Canapé',
+    'Chanson paillarde', 'Chanson populaire', 'Chartreuse', 'Cheerleader', 'Chill', 'Choré',
+    'Cinéma', 'Cocktail', 'Comédie musicle', 'Commercial', 'Copaing', 'Danse', 'Dancefloor',
+    'Electro', 'Fanfare', 'Gin tonic', 'Inclusif', 'Jazz', "Jeux d'alcool", 'Jeux de carte',
+    'Jeux de rôle', 'Jeux de société', 'JUL', 'Jus de fruit', 'Kfet', 'Kleptomanie assurée',
+    'LGBTQ+', 'Livre', 'Morning beer', 'Musique', 'NAPS', 'Paillettes', 'Pastis', 'Paté Hénaff',
+    'Peluche', 'Pena baiona', "Peu d'alcool", 'Pilier de bar', 'PMU', 'Poulpe', 'Punch', 'Rap',
+    'Réveil', 'Rock', 'Rugby', 'Sandwich', 'Serge', 'Shot', 'Sociable', 'Spectacle', 'Techno',
+    'Techno house', 'Thérapie Taxi', 'Tradition kchanaises', 'Troisième mi-temps', 'Turn up',
+    'Vodka', 'Vodka pomme', 'Volley', 'Vomi stratégique'
+]
+
+
+class WEISurveyForm2022(forms.Form):
+    """
+    Survey form for the year 2022.
+    Members choose 20 words, from which we calculate the best associated bus.
+    """
+
+    word = forms.ChoiceField(
+        label=_("Choose a word:"),
+        widget=forms.RadioSelect(),
+    )
+
+    def set_registration(self, registration):
+        """
+        Filter the bus selector with the buses of the current WEI.
+        """
+        information = WEISurveyInformation2022(registration)
+        if not information.seed:
+            information.seed = int(1000 * time.time())
+            information.save(registration)
+            registration._force_save = True
+            registration.save()
+
+        if self.data:
+            self.fields["word"].choices = [(w, w) for w in WORDS]
+            if self.is_valid():
+                return
+
+        rng = Random((information.step + 1) * information.seed)
+
+        words = None
+
+        buses = WEISurveyAlgorithm2022.get_buses()
+        informations = {bus: WEIBusInformation2022(bus) for bus in buses}
+        scores = sum((list(informations[bus].scores.values()) for bus in buses), [])
+        average_score = sum(scores) / len(scores)
+
+        preferred_words = {bus: [word for word in WORDS
+                                 if informations[bus].scores[word] >= average_score]
+                           for bus in buses}
+        while words is None or len(set(words)) != len(words):
+            # Ensure that there is no the same word 2 times
+            words = [rng.choice(words) for _ignored2, words in preferred_words.items()]
+        rng.shuffle(words)
+        words = [(w, w) for w in words]
+        self.fields["word"].choices = words
+
+
+class WEIBusInformation2022(WEIBusInformation):
+    """
+    For each word, the bus has a score
+    """
+    scores: dict
+
+    def __init__(self, bus):
+        self.scores = {}
+        for word in WORDS:
+            self.scores[word] = 0.0
+        super().__init__(bus)
+
+
+class WEISurveyInformation2022(WEISurveyInformation):
+    """
+    We store the id of the selected bus. We store only the name, but is not used in the selection:
+    that's only for humans that try to read data.
+    """
+    # Random seed that is stored at the first time to ensure that words are generated only once
+    seed = 0
+    step = 0
+
+    def __init__(self, registration):
+        for i in range(1, 21):
+            setattr(self, "word" + str(i), None)
+        super().__init__(registration)
+
+
+class WEISurvey2022(WEISurvey):
+    """
+    Survey for the year 2022.
+    """
+
+    @classmethod
+    def get_year(cls):
+        return 2022
+
+    @classmethod
+    def get_survey_information_class(cls):
+        return WEISurveyInformation2022
+
+    def get_form_class(self):
+        return WEISurveyForm2022
+
+    def update_form(self, form):
+        """
+        Filter the bus selector with the buses of the WEI.
+        """
+        form.set_registration(self.registration)
+
+    @transaction.atomic
+    def form_valid(self, form):
+        word = form.cleaned_data["word"]
+        self.information.step += 1
+        setattr(self.information, "word" + str(self.information.step), word)
+        self.save()
+
+    @classmethod
+    def get_algorithm_class(cls):
+        return WEISurveyAlgorithm2022
+
+    def is_complete(self) -> bool:
+        """
+        The survey is complete once the bus is chosen.
+        """
+        return self.information.step == 20
+
+    @classmethod
+    @lru_cache()
+    def word_mean(cls, word):
+        """
+        Calculate the mid-score given by all buses.
+        """
+        buses = cls.get_algorithm_class().get_buses()
+        return sum([cls.get_algorithm_class().get_bus_information(bus).scores[word] for bus in buses]) / buses.count()
+
+    @lru_cache()
+    def score(self, bus):
+        if not self.is_complete():
+            raise ValueError("Survey is not ended, can't calculate score")
+
+        bus_info = self.get_algorithm_class().get_bus_information(bus)
+        # Score is the given score by the bus subtracted to the mid-score of the buses.
+        s = sum(bus_info.scores[getattr(self.information, 'word' + str(i))]
+                - self.word_mean(getattr(self.information, 'word' + str(i))) for i in range(1, 21)) / 20
+        return s
+
+    @lru_cache()
+    def scores_per_bus(self):
+        return {bus: self.score(bus) for bus in self.get_algorithm_class().get_buses()}
+
+    @lru_cache()
+    def ordered_buses(self):
+        values = list(self.scores_per_bus().items())
+        values.sort(key=lambda item: -item[1])
+        return values
+
+    @classmethod
+    def clear_cache(cls):
+        cls.word_mean.cache_clear()
+        return super().clear_cache()
+
+
+class WEISurveyAlgorithm2022(WEISurveyAlgorithm):
+    """
+    The algorithm class for the year 2022.
+    We use Gale-Shapley algorithm to attribute 1y students into buses.
+    """
+
+    @classmethod
+    def get_survey_class(cls):
+        return WEISurvey2022
+
+    @classmethod
+    def get_bus_information_class(cls):
+        return WEIBusInformation2022
+
+    def run_algorithm(self, display_tqdm=False):
+        """
+        Gale-Shapley algorithm implementation.
+        We modify it to allow buses to have multiple "weddings".
+        """
+        surveys = list(self.get_survey_class()(r) for r in self.get_registrations())  # All surveys
+        surveys = [s for s in surveys if s.is_complete()]  # Don't consider invalid surveys
+        # Don't manage hardcoded people
+        surveys = [s for s in surveys if not hasattr(s.information, 'hardcoded') or not s.information.hardcoded]
+
+        # Reset previous algorithm run
+        for survey in surveys:
+            survey.free()
+            survey.save()
+
+        non_men = [s for s in surveys if s.registration.gender != 'male']
+        men = [s for s in surveys if s.registration.gender == 'male']
+
+        quotas = {}
+        registrations = self.get_registrations()
+        non_men_total = registrations.filter(~Q(gender='male')).count()
+        for bus in self.get_buses():
+            free_seats = bus.size - WEIMembership.objects.filter(bus=bus, registration__first_year=False).count()
+            # Remove hardcoded people
+            free_seats -= WEIMembership.objects.filter(bus=bus, registration__first_year=True,
+                                                       registration__information_json__icontains="hardcoded").count()
+            quotas[bus] = 4 + int(non_men_total / registrations.count() * free_seats)
+
+        tqdm_obj = None
+        if display_tqdm:
+            from tqdm import tqdm
+            tqdm_obj = tqdm(total=len(non_men), desc="Non-hommes")
+
+        # Repartition for non men people first
+        self.make_repartition(non_men, quotas, tqdm_obj=tqdm_obj)
+
+        quotas = {}
+        for bus in self.get_buses():
+            free_seats = bus.size - WEIMembership.objects.filter(bus=bus, registration__first_year=False).count()
+            free_seats -= sum(1 for s in non_men if s.information.selected_bus_pk == bus.pk)
+            # Remove hardcoded people
+            free_seats -= WEIMembership.objects.filter(bus=bus, registration__first_year=True,
+                                                       registration__information_json__icontains="hardcoded").count()
+            quotas[bus] = free_seats
+
+        if display_tqdm:
+            tqdm_obj.close()
+
+            from tqdm import tqdm
+            tqdm_obj = tqdm(total=len(men), desc="Hommes")
+
+        self.make_repartition(men, quotas, tqdm_obj=tqdm_obj)
+
+        if display_tqdm:
+            tqdm_obj.close()
+
+        # Clear cache information after running algorithm
+        WEISurvey2022.clear_cache()
+
+    def make_repartition(self, surveys, quotas=None, tqdm_obj=None):
+        free_surveys = surveys.copy()  # Remaining surveys
+        while free_surveys:  # Some students are not affected
+            survey = free_surveys[0]
+            buses = survey.ordered_buses()  # Preferences of the student
+            for bus, current_score in buses:
+                if self.get_bus_information(bus).has_free_seats(surveys, quotas):
+                    # Selected bus has free places. Put student in the bus
+                    survey.select_bus(bus)
+                    survey.save()
+                    free_surveys.remove(survey)
+                    break
+                else:
+                    # Current bus has not enough places. Remove the least preferred student from the bus if existing
+                    least_preferred_survey = None
+                    least_score = -1
+                    # Find the least student in the bus that has a lower score than the current student
+                    for survey2 in surveys:
+                        if not survey2.information.valid or survey2.information.get_selected_bus() != bus:
+                            continue
+                        score2 = survey2.score(bus)
+                        if current_score <= score2:  # Ignore better students
+                            continue
+                        if least_preferred_survey is None or score2 < least_score:
+                            least_preferred_survey = survey2
+                            least_score = score2
+
+                    if least_preferred_survey is not None:
+                        # Remove the least student from the bus and put the current student in.
+                        # If it does not exist, choose the next bus.
+                        least_preferred_survey.free()
+                        least_preferred_survey.save()
+                        free_surveys.append(least_preferred_survey)
+                        survey.select_bus(bus)
+                        survey.save()
+                        free_surveys.remove(survey)
+                        break
+            else:
+                raise ValueError(f"User {survey.registration.user} has no free seat")
+
+            if tqdm_obj is not None:
+                tqdm_obj.n = len(surveys) - len(free_surveys)
+                tqdm_obj.refresh()

apps/wei/forms/surveys/wei2023.py

@@ -0,0 +1,296 @@
+# Copyright (C) 2018-2023 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import time
+from functools import lru_cache
+from random import Random
+
+from django import forms
+from django.db import transaction
+from django.db.models import Q
+from django.utils.translation import gettext_lazy as _
+
+from .base import WEISurvey, WEISurveyInformation, WEISurveyAlgorithm, WEIBusInformation
+from ...models import WEIMembership
+
+WORDS = [
+    'ABBA', 'After', 'Alcoolique anonyme', 'Ambiance festive', 'Années 2000', 'Apéro', 'Art',
+    'Baby foot billard biere pong', 'BBQ', 'Before', 'Bière pong', 'Bon enfant', 'Calme', 'Canapé',
+    'Chanson paillarde', 'Chanson populaire', 'Chartreuse', 'Cheerleader', 'Chill', 'Choré',
+    'Cinéma', 'Cocktail', 'Comédie musicle', 'Commercial', 'Copaing', 'Danse', 'Dancefloor',
+    'Electro', 'Fanfare', 'Gin tonic', 'Inclusif', 'Jazz', "Jeux d'alcool", 'Jeux de carte',
+    'Jeux de rôle', 'Jeux de société', 'JUL', 'Jus de fruit', 'Kfet', 'Kleptomanie assurée',
+    'LGBTQ+', 'Livre', 'Morning beer', 'Musique', 'NAPS', 'Paillettes', 'Pastis', 'Paté Hénaff',
+    'Peluche', 'Pena baiona', "Peu d'alcool", 'Pilier de bar', 'PMU', 'Poulpe', 'Punch', 'Rap',
+    'Réveil', 'Rock', 'Rugby', 'Sandwich', 'Serge', 'Shot', 'Sociable', 'Spectacle', 'Techno',
+    'Techno house', 'Thérapie Taxi', 'Tradition kchanaises', 'Troisième mi-temps', 'Turn up',
+    'Vodka', 'Vodka pomme', 'Volley', 'Vomi stratégique'
+]
+
+
+class WEISurveyForm2023(forms.Form):
+    """
+    Survey form for the year 2023.
+    Members choose 20 words, from which we calculate the best associated bus.
+    """
+
+    word = forms.ChoiceField(
+        label=_("Choose a word:"),
+        widget=forms.RadioSelect(),
+    )
+
+    def set_registration(self, registration):
+        """
+        Filter the bus selector with the buses of the current WEI.
+        """
+        information = WEISurveyInformation2023(registration)
+        if not information.seed:
+            information.seed = int(1000 * time.time())
+            information.save(registration)
+            registration._force_save = True
+            registration.save()
+
+        if self.data:
+            self.fields["word"].choices = [(w, w) for w in WORDS]
+            if self.is_valid():
+                return
+
+        rng = Random((information.step + 1) * information.seed)
+
+        words = None
+
+        buses = WEISurveyAlgorithm2023.get_buses()
+        informations = {bus: WEIBusInformation2023(bus) for bus in buses}
+        scores = sum((list(informations[bus].scores.values()) for bus in buses), [])
+        average_score = sum(scores) / len(scores)
+
+        preferred_words = {bus: [word for word in WORDS
+                                 if informations[bus].scores[word] >= average_score]
+                           for bus in buses}
+        while words is None or len(set(words)) != len(words):
+            # Ensure that there is no the same word 2 times
+            words = [rng.choice(words) for _ignored2, words in preferred_words.items()]
+        rng.shuffle(words)
+        words = [(w, w) for w in words]
+        self.fields["word"].choices = words
+
+
+class WEIBusInformation2023(WEIBusInformation):
+    """
+    For each word, the bus has a score
+    """
+    scores: dict
+
+    def __init__(self, bus):
+        self.scores = {}
+        for word in WORDS:
+            self.scores[word] = 0.0
+        super().__init__(bus)
+
+
+class WEISurveyInformation2023(WEISurveyInformation):
+    """
+    We store the id of the selected bus. We store only the name, but is not used in the selection:
+    that's only for humans that try to read data.
+    """
+    # Random seed that is stored at the first time to ensure that words are generated only once
+    seed = 0
+    step = 0
+
+    def __init__(self, registration):
+        for i in range(1, 21):
+            setattr(self, "word" + str(i), None)
+        super().__init__(registration)
+
+
+class WEISurvey2023(WEISurvey):
+    """
+    Survey for the year 2023.
+    """
+
+    @classmethod
+    def get_year(cls):
+        return 2023
+
+    @classmethod
+    def get_survey_information_class(cls):
+        return WEISurveyInformation2023
+
+    def get_form_class(self):
+        return WEISurveyForm2023
+
+    def update_form(self, form):
+        """
+        Filter the bus selector with the buses of the WEI.
+        """
+        form.set_registration(self.registration)
+
+    @transaction.atomic
+    def form_valid(self, form):
+        word = form.cleaned_data["word"]
+        self.information.step += 1
+        setattr(self.information, "word" + str(self.information.step), word)
+        self.save()
+
+    @classmethod
+    def get_algorithm_class(cls):
+        return WEISurveyAlgorithm2023
+
+    def is_complete(self) -> bool:
+        """
+        The survey is complete once the bus is chosen.
+        """
+        return self.information.step == 20
+
+    @classmethod
+    @lru_cache()
+    def word_mean(cls, word):
+        """
+        Calculate the mid-score given by all buses.
+        """
+        buses = cls.get_algorithm_class().get_buses()
+        return sum([cls.get_algorithm_class().get_bus_information(bus).scores[word] for bus in buses]) / buses.count()
+
+    @lru_cache()
+    def score(self, bus):
+        if not self.is_complete():
+            raise ValueError("Survey is not ended, can't calculate score")
+
+        bus_info = self.get_algorithm_class().get_bus_information(bus)
+        # Score is the given score by the bus subtracted to the mid-score of the buses.
+        s = sum(bus_info.scores[getattr(self.information, 'word' + str(i))]
+                - self.word_mean(getattr(self.information, 'word' + str(i))) for i in range(1, 21)) / 20
+        return s
+
+    @lru_cache()
+    def scores_per_bus(self):
+        return {bus: self.score(bus) for bus in self.get_algorithm_class().get_buses()}
+
+    @lru_cache()
+    def ordered_buses(self):
+        values = list(self.scores_per_bus().items())
+        values.sort(key=lambda item: -item[1])
+        return values
+
+    @classmethod
+    def clear_cache(cls):
+        cls.word_mean.cache_clear()
+        return super().clear_cache()
+
+
+class WEISurveyAlgorithm2023(WEISurveyAlgorithm):
+    """
+    The algorithm class for the year 2023.
+    We use Gale-Shapley algorithm to attribute 1y students into buses.
+    """
+
+    @classmethod
+    def get_survey_class(cls):
+        return WEISurvey2023
+
+    @classmethod
+    def get_bus_information_class(cls):
+        return WEIBusInformation2023
+
+    def run_algorithm(self, display_tqdm=False):
+        """
+        Gale-Shapley algorithm implementation.
+        We modify it to allow buses to have multiple "weddings".
+        """
+        surveys = list(self.get_survey_class()(r) for r in self.get_registrations())  # All surveys
+        surveys = [s for s in surveys if s.is_complete()]  # Don't consider invalid surveys
+        # Don't manage hardcoded people
+        surveys = [s for s in surveys if not hasattr(s.information, 'hardcoded') or not s.information.hardcoded]
+
+        # Reset previous algorithm run
+        for survey in surveys:
+            survey.free()
+            survey.save()
+
+        non_men = [s for s in surveys if s.registration.gender != 'male']
+        men = [s for s in surveys if s.registration.gender == 'male']
+
+        quotas = {}
+        registrations = self.get_registrations()
+        non_men_total = registrations.filter(~Q(gender='male')).count()
+        for bus in self.get_buses():
+            free_seats = bus.size - WEIMembership.objects.filter(bus=bus, registration__first_year=False).count()
+            # Remove hardcoded people
+            free_seats -= WEIMembership.objects.filter(bus=bus, registration__first_year=True,
+                                                       registration__information_json__icontains="hardcoded").count()
+            quotas[bus] = 4 + int(non_men_total / registrations.count() * free_seats)
+
+        tqdm_obj = None
+        if display_tqdm:
+            from tqdm import tqdm
+            tqdm_obj = tqdm(total=len(non_men), desc="Non-hommes")
+
+        # Repartition for non men people first
+        self.make_repartition(non_men, quotas, tqdm_obj=tqdm_obj)
+
+        quotas = {}
+        for bus in self.get_buses():
+            free_seats = bus.size - WEIMembership.objects.filter(bus=bus, registration__first_year=False).count()
+            free_seats -= sum(1 for s in non_men if s.information.selected_bus_pk == bus.pk)
+            # Remove hardcoded people
+            free_seats -= WEIMembership.objects.filter(bus=bus, registration__first_year=True,
+                                                       registration__information_json__icontains="hardcoded").count()
+            quotas[bus] = free_seats
+
+        if display_tqdm:
+            tqdm_obj.close()
+
+            from tqdm import tqdm
+            tqdm_obj = tqdm(total=len(men), desc="Hommes")
+
+        self.make_repartition(men, quotas, tqdm_obj=tqdm_obj)
+
+        if display_tqdm:
+            tqdm_obj.close()
+
+        # Clear cache information after running algorithm
+        WEISurvey2023.clear_cache()
+
+    def make_repartition(self, surveys, quotas=None, tqdm_obj=None):
+        free_surveys = surveys.copy()  # Remaining surveys
+        while free_surveys:  # Some students are not affected
+            survey = free_surveys[0]
+            buses = survey.ordered_buses()  # Preferences of the student
+            for bus, current_score in buses:
+                if self.get_bus_information(bus).has_free_seats(surveys, quotas):
+                    # Selected bus has free places. Put student in the bus
+                    survey.select_bus(bus)
+                    survey.save()
+                    free_surveys.remove(survey)
+                    break
+                else:
+                    # Current bus has not enough places. Remove the least preferred student from the bus if existing
+                    least_preferred_survey = None
+                    least_score = -1
+                    # Find the least student in the bus that has a lower score than the current student
+                    for survey2 in surveys:
+                        if not survey2.information.valid or survey2.information.get_selected_bus() != bus:
+                            continue
+                        score2 = survey2.score(bus)
+                        if current_score <= score2:  # Ignore better students
+                            continue
+                        if least_preferred_survey is None or score2 < least_score:
+                            least_preferred_survey = survey2
+                            least_score = score2
+
+                    if least_preferred_survey is not None:
+                        # Remove the least student from the bus and put the current student in.
+                        # If it does not exist, choose the next bus.
+                        least_preferred_survey.free()
+                        least_preferred_survey.save()
+                        free_surveys.append(least_preferred_survey)
+                        survey.select_bus(bus)
+                        survey.save()
+                        free_surveys.remove(survey)
+                        break
+            else:
+                raise ValueError(f"User {survey.registration.user} has no free seat")
+
+            if tqdm_obj is not None:
+                tqdm_obj.n = len(surveys) - len(free_surveys)
+                tqdm_obj.refresh()

apps/wei/management/commands/import_scores.py

@@ -0,0 +1,50 @@
+# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+import argparse
+import sys
+
+from django.core.management import BaseCommand
+from django.db import transaction
+
+from ...forms import CurrentSurvey
+from ...forms.surveys.wei2021 import WORDS   # WARNING: this is specific to 2021
+from ...models import Bus
+
+
+class Command(BaseCommand):
+    """
+    This script is used to load scores for buses from a CSV file.
+    """
+    def add_arguments(self, parser):
+        parser.add_argument('file', nargs='?', type=argparse.FileType('r'), default=sys.stdin, help='Input CSV file')
+
+    @transaction.atomic
+    def handle(self, *args, **options):
+        file = options['file']
+        head = file.readline().replace('\n', '')
+        bus_names = head.split(';')
+        bus_names = [name for name in bus_names if name]
+        buses = []
+        for name in bus_names:
+            qs = Bus.objects.filter(name__iexact=name)
+            if not qs.exists():
+                raise ValueError(f"Bus '{name}' does not exist")
+            buses.append(qs.get())
+
+        informations = {bus: CurrentSurvey.get_algorithm_class().get_bus_information(bus) for bus in buses}
+
+        for line in file:
+            elem = line.split(';')
+            word = elem[0]
+            if word not in WORDS:
+                raise ValueError(f"Word {word} is not used")
+
+            for i, bus in enumerate(buses):
+                info = informations[bus]
+                info.scores[word] = float(elem[i + 1].replace(',', '.'))
+
+        for bus, info in informations.items():
+            info.save()
+            bus.save()
+            if options['verbosity'] > 0:
+                self.stdout.write(f"Bus {bus.name} saved!")

apps/wei/management/commands/wei_algorithm.py

@@ -5,7 +5,7 @@ from argparse import ArgumentParser, FileType
 from django.core.management import BaseCommand
 from django.db import transaction
 
-from wei.forms import CurrentSurvey
+from ...forms import CurrentSurvey
 
 
 class Command(BaseCommand):
@@ -24,17 +24,31 @@ class Command(BaseCommand):
         sid = transaction.savepoint()
 
         algorithm = CurrentSurvey.get_algorithm_class()()
-        algorithm.run_algorithm()
+
+        try:
+            from tqdm import tqdm
+            del tqdm
+            display_tqdm = True
+        except ImportError:
+            display_tqdm = False
+
+        algorithm.run_algorithm(display_tqdm=display_tqdm)
 
         output = options['output']
         registrations = algorithm.get_registrations()
-        per_bus = {bus: [r for r in registrations if r.information['selected_bus_pk'] == bus.pk]
+        per_bus = {bus: [r for r in registrations if 'selected_bus_pk' in r.information
+                         and r.information['selected_bus_pk'] == bus.pk]
                    for bus in algorithm.get_buses()}
         for bus, members in per_bus.items():
             output.write(bus.name + "\n")
             output.write("=" * len(bus.name) + "\n")
+            _order = -1
             for r in members:
-                output.write(r.user.username + "\n")
+                survey = CurrentSurvey(r)
+                for _order, (b, _score) in enumerate(survey.ordered_buses()):
+                    if b == bus:
+                        break
+                output.write(f"{r.user.username} ({_order + 1})\n")
             output.write("\n")
 
         if not options['doit']:

apps/wei/migrations/0003_bus_size.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.19 on 2021-08-25 21:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wei', '0002_auto_20210313_1235'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='bus',
+            name='size',
+            field=models.IntegerField(default=50, verbose_name='seat count in the bus'),
+        ),
+    ]

apps/wei/migrations/0004_auto_20220904_2325.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.26 on 2022-09-04 21:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wei', '0003_bus_size'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='weiclub',
+            name='year',
+            field=models.PositiveIntegerField(default=2022, unique=True, verbose_name='year'),
+        ),
+    ]

apps/wei/migrations/0005_auto_20230128_1850.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-01-28 17:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wei', '0004_auto_20220904_2325'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='weiclub',
+            name='year',
+            field=models.PositiveIntegerField(default=2023, unique=True, verbose_name='year'),
+        ),
+    ]

apps/wei/migrations/0006_unisex_clothing_cut.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-07-09 09:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wei', '0005_auto_20230128_1850'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='weiregistration',
+            name='clothing_cut',
+            field=models.CharField(choices=[('male', 'Male'), ('female', 'Female'), ('unisex', 'Unisex')], default='unisex', max_length=16, verbose_name='clothing cut'),
+        ),
+    ]

apps/wei/migrations/0007_help_text_emergency_contact.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-07-09 12:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wei', '0006_unisex_clothing_cut'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='weiregistration',
+            name='emergency_contact_name',
+            field=models.CharField(help_text='The emergency contact must not be a WEI participant', max_length=255, verbose_name='emergency contact name'),
+        ),
+    ]

apps/wei/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2023 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
@@ -7,6 +7,7 @@ from datetime import date
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.db import models
+from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 from phonenumber_field.modelfields import PhoneNumberField
 from member.models import Club, Membership
@@ -66,6 +67,11 @@ class Bus(models.Model):
         verbose_name=_("name"),
     )
 
+    size = models.IntegerField(
+        verbose_name=_("seat count in the bus"),
+        default=50,
+    )
+
     description = models.TextField(
         blank=True,
         default="",
@@ -91,7 +97,14 @@ class Bus(models.Model):
         """
         Store information as a JSON string
         """
-        self.information_json = json.dumps(information)
+        self.information_json = json.dumps(information, indent=2)
+
+    @property
+    def suggested_first_year(self):
+        registrations = WEIRegistration.objects.filter(Q(membership__isnull=True) | Q(membership__bus__isnull=True),
+                                                       first_year=True, wei=self.wei)
+        registrations = [r for r in registrations if 'selected_bus_pk' in r.information]
+        return sum(1 for r in registrations if r.information['selected_bus_pk'] == self.pk)
 
     def __str__(self):
         return self.name
@@ -196,7 +209,9 @@ class WEIRegistration(models.Model):
         choices=(
             ('male', _("Male")),
             ('female', _("Female")),
+            ('unisex', _("Unisex")),
         ),
+        default='unisex',
         verbose_name=_("clothing cut"),
     )
 
@@ -222,6 +237,7 @@ class WEIRegistration(models.Model):
     emergency_contact_name = models.CharField(
         max_length=255,
         verbose_name=_("emergency contact name"),
+        help_text=_("The emergency contact must not be a WEI participant")
     )
 
     emergency_contact_phone = PhoneNumberField(
@@ -255,7 +271,34 @@ class WEIRegistration(models.Model):
         """
         Store information as a JSON string
         """
-        self.information_json = json.dumps(information)
+        self.information_json = json.dumps(information, indent=2)
+
+    @property
+    def fee(self):
+        bde = Club.objects.get(pk=1)
+        kfet = Club.objects.get(pk=2)
+
+        kfet_member = Membership.objects.filter(
+            club_id=kfet.id,
+            user=self.user,
+            date_start__gte=kfet.membership_start,
+        ).exists()
+        bde_member = Membership.objects.filter(
+            club_id=bde.id,
+            user=self.user,
+            date_start__gte=bde.membership_start,
+        ).exists()
+
+        fee = self.wei.membership_fee_paid if self.user.profile.paid \
+            else self.wei.membership_fee_unpaid
+        if not kfet_member:
+            fee += kfet.membership_fee_paid if self.user.profile.paid \
+                else kfet.membership_fee_unpaid
+        if not bde_member:
+            fee += bde.membership_fee_paid if self.user.profile.paid \
+                else bde.membership_fee_unpaid
+
+        return fee
 
     @property
     def is_validated(self):
@@ -332,8 +375,19 @@ class WEIMembership(Membership):
                 # to treasurers.
                 transaction.refresh_from_db()
                 from treasury.models import SogeCredit
-                soge_credit = SogeCredit.objects.get_or_create(user=self.user)[0]
+                soge_credit, created = SogeCredit.objects.get_or_create(user=self.user)
                 soge_credit.refresh_from_db()
                 transaction.save()
                 soge_credit.transactions.add(transaction)
                 soge_credit.save()
+
+                soge_credit.update_transactions()
+                soge_credit.save()
+
+                if soge_credit.valid and \
+                        soge_credit.credit_transaction.total != sum(tr.total for tr in soge_credit.transactions.all()):
+                    # The credit is already validated, but we add a new transaction (eg. for the WEI).
+                    # Then we invalidate the transaction, update the credit transaction amount
+                    # and re-validate the credit.
+                    soge_credit.validate(True)
+                    soge_credit.save()

apps/wei/tables.py

@@ -4,11 +4,12 @@
 from datetime import date
 
 import django_tables2 as tables
+from django.db.models import Q
 from django.urls import reverse_lazy
 from django.utils.html import format_html
 from django.utils.translation import gettext_lazy as _
 from django_tables2 import A
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
 from .models import WEIClub, WEIRegistration, Bus, BusTeam, WEIMembership
@@ -43,6 +44,7 @@ class WEIRegistrationTable(tables.Table):
 
     edit = tables.LinkColumn(
         'wei:wei_update_registration',
+        orderable=False,
         args=[A('pk')],
         verbose_name=_("Edit"),
         text=_("Edit"),
@@ -53,18 +55,14 @@ class WEIRegistrationTable(tables.Table):
             }
         }
     )
-    validate = tables.LinkColumn(
+
-        'wei:validate_registration',
+    validate = tables.Column(
-        args=[A('pk')],
         verbose_name=_("Validate"),
-        text=_("Validate"),
+        orderable=False,
+        accessor=A('pk'),
         attrs={
             'th': {
                 'id': 'validate-membership-header'
-            },
-            'a': {
-                'class': 'btn btn-success',
-                'data-type': 'validate-membership'
             }
         }
     )
@@ -72,6 +70,7 @@ class WEIRegistrationTable(tables.Table):
     delete = tables.LinkColumn(
         'wei:wei_delete_registration',
         args=[A('pk')],
+        orderable=False,
         verbose_name=_("delete"),
         text=_("Delete"),
         attrs={
@@ -87,7 +86,7 @@ class WEIRegistrationTable(tables.Table):
 
     def render_validate(self, record):
         hasperm = PermissionBackend.check_perm(
-            get_current_authenticated_user(), "wei.add_weimembership", WEIMembership(
+            get_current_request(), "wei.add_weimembership", WEIMembership(
                 club=record.wei,
                 user=record.user,
                 date_start=date.today(),
@@ -96,10 +95,26 @@ class WEIRegistrationTable(tables.Table):
                 registration=record,
             )
         )
-        return _("Validate") if hasperm else format_html("<span class='no-perm'></span>")
+        if not hasperm:
+            return format_html("<span class='no-perm'></span>")
+
+        url = reverse_lazy('wei:validate_registration', args=(record.pk,))
+        text = _('Validate')
+        if record.fee > record.user.note.balance and not record.soge_credit:
+            btn_class = 'btn-secondary'
+            tooltip = _("The user does not have enough money.")
+        elif record.first_year:
+            btn_class = 'btn-info'
+            tooltip = _("The user is in first year. You may validate the credit, the algorithm will run later.")
+        else:
+            btn_class = 'btn-success'
+            tooltip = _("The user has enough money, you can validate the registration.")
+
+        return format_html(f"<a class=\"btn {btn_class}\" data-type='validate-membership' data-toggle=\"tooltip\" "
+                           f"title=\"{tooltip}\" href=\"{url}\">{text}</a>")
 
     def render_delete(self, record):
-        hasperm = PermissionBackend.check_perm(get_current_authenticated_user(), "wei.delete_weimembership", record)
+        hasperm = PermissionBackend.check_perm(get_current_request(), "wei.delete_weimembership", record)
         return _("Delete") if hasperm else format_html("<span class='no-perm'></span>")
 
     class Meta:
@@ -108,7 +123,8 @@ class WEIRegistrationTable(tables.Table):
         }
         model = WEIRegistration
         template_name = 'django_tables2/bootstrap4.html'
-        fields = ('user', 'user__first_name', 'user__last_name', 'first_year', 'caution_check',)
+        fields = ('user', 'user__first_name', 'user__last_name', 'first_year', 'caution_check',
+                  'edit', 'validate', 'delete',)
         row_attrs = {
             'class': 'table-row',
             'id': lambda record: "row-" + str(record.pk),
@@ -154,6 +170,35 @@ class WEIMembershipTable(tables.Table):
         }
 
 
+class WEIRegistration1ATable(tables.Table):
+    user = tables.LinkColumn(
+        'wei:wei_bus_1A',
+        args=[A('pk')],
+    )
+
+    preferred_bus = tables.Column(
+        verbose_name=_('preferred bus').capitalize,
+        accessor='pk',
+        orderable=False,
+    )
+
+    def render_preferred_bus(self, record):
+        information = record.information
+        return information['selected_bus_name'] if 'selected_bus_name' in information else "—"
+
+    class Meta:
+        attrs = {
+            'class': 'table table-condensed table-striped table-hover'
+        }
+        model = WEIRegistration
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('user', 'user__last_name', 'user__first_name', 'gender',
+                  'user__profile__department', 'preferred_bus', 'membership__bus', )
+        row_attrs = {
+            'class': lambda record: '' if 'selected_bus_pk' in record.information else 'bg-danger',
+        }
+
+
 class BusTable(tables.Table):
     name = tables.LinkColumn(
         'wei:manage_bus',
@@ -230,3 +275,66 @@ class BusTeamTable(tables.Table):
             'id': lambda record: "row-" + str(record.pk),
             'data-href': lambda record: reverse_lazy('wei:manage_bus_team', args=(record.pk, ))
         }
+
+
+class BusRepartitionTable(tables.Table):
+    name = tables.Column(
+        verbose_name=_("name").capitalize,
+        accessor='name',
+    )
+
+    suggested_first_year = tables.Column(
+        verbose_name=_("suggested first year").capitalize,
+        accessor='pk',
+        orderable=False,
+    )
+
+    validated_first_year = tables.Column(
+        verbose_name=_("validated first year").capitalize,
+        accessor='pk',
+        orderable=False,
+    )
+
+    validated_staff = tables.Column(
+        verbose_name=_("validated staff").capitalize,
+        accessor='pk',
+        orderable=False,
+    )
+
+    size = tables.Column(
+        verbose_name=_("seat count in the bus").capitalize,
+        accessor='size',
+    )
+
+    free_seats = tables.Column(
+        verbose_name=_("free seats").capitalize,
+        accessor='pk',
+        orderable=False,
+    )
+
+    def render_suggested_first_year(self, record):
+        registrations = WEIRegistration.objects.filter(Q(membership__isnull=True) | Q(membership__bus__isnull=True),
+                                                       first_year=True, wei=record.wei)
+        registrations = [r for r in registrations if 'selected_bus_pk' in r.information]
+        return sum(1 for r in registrations if r.information['selected_bus_pk'] == record.pk)
+
+    def render_validated_first_year(self, record):
+        return WEIRegistration.objects.filter(first_year=True, membership__bus=record).count()
+
+    def render_validated_staff(self, record):
+        return WEIRegistration.objects.filter(first_year=False, membership__bus=record).count()
+
+    def render_free_seats(self, record):
+        return record.size - self.render_validated_staff(record) - self.render_validated_first_year(record)
+
+    class Meta:
+        attrs = {
+            'class': 'table table-condensed table-striped table-hover'
+        }
+        models = Bus
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('name', )
+        row_attrs = {
+            'class': 'table-row',
+            'id': lambda record: "row-" + str(record.pk),
+        }

apps/wei/templates/wei/1A_list.html

@@ -0,0 +1,20 @@
+{% extends "wei/base.html" %}
+
+{% load i18n %}
+{% load render_table from django_tables2 %}
+
+{% block profile_content %}
+    <div class="card">
+        <div class="card-header text-center">
+            <h3>{% trans "Attribute first year members into buses" %}</h3>
+        </div>
+
+        <div class="card-body">
+            {% render_table bus_repartition_table %}
+            <hr>
+            <a href="{% url 'wei:wei_bus_1A_next' pk=club.pk %}" class="btn btn-block btn-success">{% trans "Start attribution!" %}</a>
+            <hr>
+            {% render_table table %}
+        </div>
+    </div>
+{% endblock %}

apps/wei/templates/wei/attribute_bus_1A.html

@@ -0,0 +1,88 @@
+{% extends "wei/base.html" %}
+
+{% load i18n %}
+
+{% block profile_content %}
+    <div class="card">
+        <div class="card-header text-center">
+            <h3>{% trans "Bus attribution" %}</h3>
+        </div>
+
+        <div class="card-body">
+            <dl class="row">
+                <dt class="col-xl-6">{% trans 'user'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ object.user }}</dd>
+
+                <dt class="col-xl-6">{% trans 'last name'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ object.user.last_name }}</dd>
+
+                <dt class="col-xl-6">{% trans 'first name'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ object.user.first_name }}</dd>
+
+                <dt class="col-xl-6">{% trans 'gender'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ object.get_gender_display }}</dd>
+
+                <dt class="col-xl-6">{% trans 'department'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ object.user.profile.get_department_display }}</dd>
+
+                <dt class="col-xl-6">{% trans 'health issues'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ object.health_issues|default:"—" }}</dd>
+
+                <dt class="col-xl-6">{% trans 'suggested bus'|capfirst %}</dt>
+                <dd class="col-xl-6">{{ survey.information.selected_bus_name }}</dd>
+            </dl>
+
+            <div class="card">
+                <div class="card-header">
+                    <button class="btn btn-link" data-toggle="collapse" data-target="#raw-survey">{% trans "View raw survey information" %}</button>
+                </div>
+                <div class="collapse" id="raw-survey">
+                    <dl class="row">
+                        {% for key, value in survey.registration.information.items %}
+                            <dt class="col-xl-6">{{ key }}</dt>
+                            <dd class="col-xl-6">{{ value }}</dd>
+                        {% endfor %}
+                    </dl>
+                </div>
+            </div>
+
+            <hr>
+
+            {% for bus, score in survey.ordered_buses %}
+                <button class="btn btn-{% if bus.pk == survey.information.selected_bus_pk %}success{% else %}light{% endif %}" onclick="choose_bus({{ bus.pk }})">
+                    {{ bus }} ({{ score|floatformat:2 }}) : {{ bus.memberships.count }}+{{ bus.suggested_first_year }} / {{ bus.size }}
+                </button>
+            {% endfor %}
+
+            <a href="{% url 'wei:wei_1A_list' pk=object.wei.pk %}" class="btn btn-block btn-info">{% trans "Back to main list" %}</a>
+        </div>
+    </div>
+{% endblock %}
+
+{% block extrajavascript %}
+    <script>
+        function choose_bus(bus_id) {
+            let valid_buses = [{% for bus, score in survey.ordered_buses %}{{ bus.pk }}, {% endfor %}];
+            if (valid_buses.indexOf(bus_id) === -1) {
+                console.log("Invalid chosen bus")
+                return
+            }
+
+            $.ajax({
+                url: "/api/wei/membership/{{ object.membership.id }}/",
+                type: "PATCH",
+                dataType: "json",
+                headers: {
+                    "X-CSRFTOKEN": CSRF_TOKEN
+                },
+                data: {
+                    bus: bus_id,
+                }
+            }).done(function () {
+                window.location = "{% url 'wei:wei_bus_1A_next' pk=object.wei.pk %}"
+            }).fail(function (xhr) {
+                errMsg(xhr.responseJSON)
+            })
+        }
+    </script>
+{% endblock %}

apps/wei/templates/wei/weiclub_detail.html

@@ -94,6 +94,10 @@ SPDX-License-Identifier: GPL-3.0-or-later
     </div>
 </div>
 {% endif %}
+
+    {% if can_validate_1a %}
+        <a href="{% url 'wei:wei_1A_list' pk=object.pk %}" class="btn btn-block btn-info">{% trans "Attribute buses" %}</a>
+    {% endif %}
 {% endblock %}
 
 {% block extrajavascript %}

apps/wei/templates/wei/weilist_sample.tex

@@ -2,6 +2,7 @@
 
 \usepackage{fontspec}
 \usepackage[margin=1.5cm]{geometry}
+\usepackage{longtable}
 
 \begin{document}
 \begin{center}
@@ -19,7 +20,7 @@
 
 \begin{center}
 \footnotesize
-\begin{tabular}{ccccccccc}
+\begin{longtable}{ccccccccc}
 \textbf{Nom} & \textbf{Prénom} & \textbf{Date de naissance} & \textbf{Genre} & \textbf{Section}
  & \textbf{Bus} & \textbf{Équipe} & \textbf{Rôles} \\
 {% for membership in memberships %}
@@ -27,20 +28,20 @@
 & {{ membership.registration.get_gender_display|safe }} & {{ membership.user.profile.section_generated|safe }} & {{ membership.bus.name|safe }}
 & {% if membership.team %}{{ membership.team.name|safe }}{% else %}--{% endif %} & {{ membership.roles.first|safe }} \\
 {% endfor %}
-\end{tabular}
+\end{longtable}
 \end{center}
 
 \footnotesize
 Section = Année à l'ENS + code du département
 
 \begin{center}
-\begin{tabular}{ccccccccc}
+\begin{longtable}{ccccccccc}
 \textbf{Code} & A0 & A1 & A2 & A'2 & A''2 & A3 & B1234 & B1 \\
 \textbf{Département} & Informatique & Maths & Physique & Physique appliquée & Chimie & Biologie & SAPHIRE & Mécanique \\
 \hline
 \textbf{Code} & B2 & B3 & B4 & C & D2 & D3 & E & EXT \\
 \textbf{Département} & Génie civil & Génie mécanique & EEA & Design & Éco-gestion & Sciences sociales & Anglais & Extérieur
-\end{tabular}
+\end{longtable}
 \end{center}
 
 \end{document}

apps/wei/templates/wei/weimembership_form.html

@@ -53,10 +53,10 @@ SPDX-License-Identifier: GPL-3.0-or-later
                 <dd class="col-xl-6">{{ registration.first_year|yesno }}</dd>
 
                 <dt class="col-xl-6">{% trans 'gender'|capfirst %}</dt>
-                <dd class="col-xl-6">{{ registration.gender }}</dd>
+                <dd class="col-xl-6">{{ registration.get_gender_display }}</dd>
 
                 <dt class="col-xl-6">{% trans 'clothing cut'|capfirst %}</dt>
-                <dd class="col-xl-6">{{ registration.clothing_cut }}</dd>
+                <dd class="col-xl-6">{{ registration.get_clothing_cut_display }}</dd>
 
                 <dt class="col-xl-6">{% trans 'clothing size'|capfirst %}</dt>
                 <dd class="col-xl-6">{{ registration.clothing_size }}</dd>