allow search with club name

Update invoice template

See merge request bde/nk20!307

.gitignore

@@ -42,6 +42,7 @@ map.json
 backups/
 /static/
 /media/
+/tmp/
 
 # Virtualenv
 env/

.gitlab-ci.yml

@@ -7,25 +7,10 @@ stages:
 variables:
   GIT_SUBMODULE_STRATEGY: recursive
 
-# Debian Buster
-py37-django22:
+# Ubuntu 22.04
+py310-django42:
   stage: test
-  image: debian:buster-backports
-  before_script:
-    - >
-        apt-get update &&
-        apt-get install --no-install-recommends -t buster-backports -y
-        python3-django python3-django-crispy-forms
-        python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
-        python3-bs4 python3-setuptools tox texlive-xetex
-  script: tox -e py37-django22
-
-# Ubuntu 20.04
-py38-django22:
-  stage: test
-  image: ubuntu:20.04
+  image: ubuntu:22.04
   before_script:
     # Fix tzdata prompt
     - ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime && echo Europe/Paris > /etc/timezone
@@ -37,12 +22,12 @@ py38-django22:
         python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
         python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
         python3-bs4 python3-setuptools tox texlive-xetex
-  script: tox -e py38-django22
+  script: tox -e py310-django42
 
-# Debian Bullseye
-py39-django22:
+# Debian Bookworm
+py311-django42:
   stage: test
-  image: debian:bullseye
+  image: debian:bookworm
   before_script:
     - >
         apt-get update &&
@@ -52,11 +37,11 @@ py39-django22:
         python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
         python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
         python3-bs4 python3-setuptools tox texlive-xetex
-  script: tox -e py39-django22
+  script: tox -e py311-django42
 
 linters:
   stage: quality-assurance
-  image: debian:buster-backports
+  image: debian:bookworm
   before_script:
     - apt-get update && apt-get install -y tox
   script: tox -e linters

.gitmodules

@@ -1,3 +1,3 @@
 [submodule "apps/scripts"]
 	path = apps/scripts
-	url = https://gitlab.crans.org/bde/nk20-scripts.git
+	url = https://gitlab.crans.org/bde/nk20-scripts

README.md

@@ -55,10 +55,16 @@ Bien que cela permette de créer une instance sur toutes les distributions,
     (env)$ ./manage.py makemigrations
     (env)$ ./manage.py migrate
     (env)$ ./manage.py loaddata initial
-    (env)$ ./manage.py createsuperuser  # Création d'un utilisateur initial
+    (env)$ ./manage.py createsuperuser  # Création d'un⋅e utilisateur⋅rice initial
     ```
 
-6.  Enjoy :
+6. (Optionnel) **Création d'une clé privée OpenID Connect**
+
+Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
+
+7.  Enjoy :
 
     ```bash
     (env)$ ./manage.py runserver 0.0.0.0:8000
@@ -228,7 +234,13 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
         (env)$ ./manage.py check # pas de bêtise qui traine
         (env)$ ./manage.py migrate
 
-7.  *Enjoy \o/*
+7. **Création d'une clé privée OpenID Connect**
+
+Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
+
+8.  *Enjoy \o/*
 
 ### Installation avec Docker
 

apps/activity/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'activity.apps.ActivityConfig'

apps/activity/admin.py

@@ -1,11 +1,11 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin
 from note_kfet.admin import admin_site
 
 from .forms import GuestForm
-from .models import Activity, ActivityType, Entry, Guest
+from .models import Activity, ActivityType, Entry, Guest, Opener
 
 
 @admin.register(Activity, site=admin_site)
@@ -35,7 +35,7 @@ class GuestAdmin(admin.ModelAdmin):
     """
     Admin customisation for Guest
     """
-    list_display = ('last_name', 'first_name', 'activity', 'inviter')
+    list_display = ('last_name', 'first_name', 'school', 'activity', 'inviter')
     form = GuestForm
 
 
@@ -45,3 +45,11 @@ class EntryAdmin(admin.ModelAdmin):
     Admin customisation for Entry
     """
     list_display = ('note', 'activity', 'time', 'guest')
+
+
+@admin.register(Opener, site=admin_site)
+class OpenerAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for Opener
+    """
+    list_display = ('activity', 'opener')

apps/activity/api/serializers.py

@@ -1,9 +1,11 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
+from rest_framework.validators import UniqueTogetherValidator
 
-from ..models import Activity, ActivityType, Entry, Guest, GuestTransaction
+from ..models import Activity, ActivityType, Entry, Guest, GuestTransaction, Opener
 
 
 class ActivityTypeSerializer(serializers.ModelSerializer):
@@ -59,3 +61,17 @@ class GuestTransactionSerializer(serializers.ModelSerializer):
     class Meta:
         model = GuestTransaction
         fields = '__all__'
+
+
+class OpenerSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Openers.
+    The djangorestframework plugin will analyse the model `Opener` and parse all fields in the API.
+    """
+
+    class Meta:
+        model = Opener
+        fields = '__all__'
+        validators = [UniqueTogetherValidator(
+            queryset=Opener.objects.all(), fields=("opener", "activity"),
+            message=_("This opener already exists"))]

apps/activity/api/urls.py

@@ -1,7 +1,7 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from .views import ActivityTypeViewSet, ActivityViewSet, EntryViewSet, GuestViewSet
+from .views import ActivityTypeViewSet, ActivityViewSet, EntryViewSet, GuestViewSet, OpenerViewSet
 
 
 def register_activity_urls(router, path):
@@ -12,3 +12,4 @@ def register_activity_urls(router, path):
     router.register(path + '/type', ActivityTypeViewSet)
     router.register(path + '/guest', GuestViewSet)
     router.register(path + '/entry', EntryViewSet)
+    router.register(path + '/opener', OpenerViewSet)

apps/activity/api/views.py

@@ -1,12 +1,15 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+from api.filters import RegexSafeSearchFilter
 from api.viewsets import ReadProtectedModelViewSet
+from django.core.exceptions import ValidationError
 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.filters import SearchFilter
+from rest_framework.response import Response
+from rest_framework import status
 
-from .serializers import ActivitySerializer, ActivityTypeSerializer, EntrySerializer, GuestSerializer
-from ..models import Activity, ActivityType, Entry, Guest
+from .serializers import ActivitySerializer, ActivityTypeSerializer, EntrySerializer, GuestSerializer, OpenerSerializer
+from ..models import Activity, ActivityType, Entry, Guest, Opener
 
 
 class ActivityTypeViewSet(ReadProtectedModelViewSet):
@@ -29,7 +32,7 @@ class ActivityViewSet(ReadProtectedModelViewSet):
     """
     queryset = Activity.objects.order_by('id')
     serializer_class = ActivitySerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['name', 'description', 'activity_type', 'location', 'creater', 'organizer', 'attendees_club',
                         'date_start', 'date_end', 'valid', 'open', ]
     search_fields = ['$name', '$description', '$location', '$creater__last_name', '$creater__first_name',
@@ -47,10 +50,10 @@ class GuestViewSet(ReadProtectedModelViewSet):
     """
     queryset = Guest.objects.order_by('id')
     serializer_class = GuestSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
-    filterset_fields = ['activity', 'activity__name', 'last_name', 'first_name', 'inviter', 'inviter__alias__name',
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
+    filterset_fields = ['activity', 'activity__name', 'last_name', 'first_name', 'school', 'inviter', 'inviter__alias__name',
                         'inviter__alias__normalized_name', ]
-    search_fields = ['$activity__name', '$last_name', '$first_name', '$inviter__user__email', '$inviter__alias__name',
+    search_fields = ['$activity__name', '$last_name', '$first_name', '$school', '$inviter__user__email', '$inviter__alias__name',
                      '$inviter__alias__normalized_name', ]
 
 
@@ -62,7 +65,36 @@ class EntryViewSet(ReadProtectedModelViewSet):
     """
     queryset = Entry.objects.order_by('id')
     serializer_class = EntrySerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['activity', 'time', 'note', 'guest', ]
     search_fields = ['$activity__name', '$note__user__email', '$note__alias__name', '$note__alias__normalized_name',
                      '$guest__last_name', '$guest__first_name', ]
+
+
+class OpenerViewSet(ReadProtectedModelViewSet):
+    """
+    REST Opener View set.
+    The djangorestframework plugin will get all `Opener` objects, serialize it to JSON with the given serializer,
+    then render it on /api/activity/opener/
+    """
+    queryset = Opener.objects
+    serializer_class = OpenerSerializer
+    filter_backends = [RegexSafeSearchFilter, DjangoFilterBackend]
+    search_fields = ['$opener__alias__name', '$opener__alias__normalized_name',
+                     '$activity__name']
+    filterset_fields = ['opener', 'opener__noteuser__user', 'activity']
+
+    def get_serializer_class(self):
+        serializer_class = self.serializer_class
+        if self.request.method in ['PUT', 'PATCH']:
+            # opener-activity can't change
+            serializer_class.Meta.read_only_fields = ('opener', 'acitivity',)
+        return serializer_class
+
+    def destroy(self, request, *args, **kwargs):
+        instance = self.get_object()
+        try:
+            self.perform_destroy(instance)
+        except ValidationError as e:
+            return Response({e.code: str(e)}, status.HTTP_400_BAD_REQUEST)
+        return Response(status=status.HTTP_204_NO_CONTENT)

apps/activity/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/activity/fixtures/initial.json

@@ -6,7 +6,7 @@
             "name": "Pot",
             "manage_entries": true,
             "can_invite": true,
-            "guest_entry_fee": 500
+            "guest_entry_fee": 1000
         }
     },
     {
@@ -28,5 +28,25 @@
             "can_invite": false,
             "guest_entry_fee": 0
         }
+    },
+    {
+        "model": "activity.activitytype",
+        "pk": 5,
+        "fields": {
+            "name": "Soir\u00e9e avec entrées",
+            "manage_entries": true,
+            "can_invite": false,
+            "guest_entry_fee": 0
+        }
+    },
+    {
+        "model": "activity.activitytype",
+        "pk": 7,
+        "fields": {
+            "name": "Soir\u00e9e avec invitations",
+            "manage_entries": true,
+            "can_invite": true,
+            "guest_entry_fee": 0
+        }
     }
 ]

apps/activity/forms.py

@@ -1,16 +1,17 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import timedelta
 from random import shuffle
 
+from bootstrap_datepicker_plus.widgets import DateTimePickerInput
 from django import forms
 from django.contrib.contenttypes.models import ContentType
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from member.models import Club
 from note.models import Note, NoteUser
-from note_kfet.inputs import Autocomplete, DateTimePickerInput
+from note_kfet.inputs import Autocomplete
 from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 
@@ -43,7 +44,7 @@ class ActivityForm(forms.ModelForm):
 
     class Meta:
         model = Activity
-        exclude = ('creater', 'valid', 'open', )
+        exclude = ('creater', 'valid', 'open', 'opener', )
         widgets = {
             "organizer": Autocomplete(
                 model=Club,
@@ -106,7 +107,7 @@ class GuestForm(forms.ModelForm):
 
     class Meta:
         model = Guest
-        fields = ('last_name', 'first_name', 'inviter', )
+        fields = ('last_name', 'first_name', 'school', 'inviter', )
         widgets = {
             "inviter": Autocomplete(
                 NoteUser,

apps/activity/migrations/0003_auto_20240323_1422.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2024-03-23 13:22
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('activity', '0002_auto_20200904_2341'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='activity',
+            name='description',
+            field=models.TextField(blank=True, default='', verbose_name='description'),
+        ),
+    ]

apps/activity/migrations/0004_opener.py

@@ -0,0 +1,28 @@
+# Generated by Django 2.2.28 on 2024-08-01 12:36
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('note', '0006_trust'),
+        ('activity', '0003_auto_20240323_1422'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Opener',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('activity', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='opener', to='activity.Activity', verbose_name='activity')),
+                ('opener', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='activity_responsible', to='note.Note', verbose_name='opener')),
+            ],
+            options={
+                'verbose_name': 'opener',
+                'verbose_name_plural': 'openers',
+                'unique_together': {('opener', 'activity')},
+            },
+        ),
+    ]

apps/activity/migrations/0005_alter_opener_options_alter_opener_opener.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.15 on 2024-08-28 08:00
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('note', '0006_trust'),
+        ('activity', '0004_opener'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='opener',
+            options={'verbose_name': 'Opener', 'verbose_name_plural': 'Openers'},
+        ),
+        migrations.AlterField(
+            model_name='opener',
+            name='opener',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='activity_responsible', to='note.note', verbose_name='Opener'),
+        ),
+    ]

apps/activity/migrations/0006_guest_school.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.20 on 2025-03-25 09:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("activity", "0005_alter_opener_options_alter_opener_opener"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="guest",
+            name="school",
+            field=models.CharField(default="", max_length=255, verbose_name="school"),
+            preserve_default=False,
+        ),
+    ]

apps/activity/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import os
@@ -11,7 +11,7 @@ from django.db import models, transaction
 from django.db.models import Q
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
-from note.models import NoteUser, Transaction
+from note.models import NoteUser, Transaction, Note
 from rest_framework.exceptions import ValidationError
 
 
@@ -66,6 +66,8 @@ class Activity(models.Model):
 
     description = models.TextField(
         verbose_name=_('description'),
+        blank=True,
+        default="",
     )
 
     location = models.CharField(
@@ -123,6 +125,14 @@ class Activity(models.Model):
         verbose_name=_('open'),
     )
 
+    class Meta:
+        verbose_name = _("activity")
+        verbose_name_plural = _("activities")
+        unique_together = ("name", "date_start", "date_end",)
+
+    def __str__(self):
+        return self.name
+
     @transaction.atomic
     def save(self, *args, **kwargs):
         """
@@ -144,14 +154,6 @@ class Activity(models.Model):
                 if settings.DATABASES["default"]["ENGINE"] == 'django.db.backends.postgresql' else refresh_activities()
         return ret
 
-    def __str__(self):
-        return self.name
-
-    class Meta:
-        verbose_name = _("activity")
-        verbose_name_plural = _("activities")
-        unique_together = ("name", "date_start", "date_end",)
-
 
 class Entry(models.Model):
     """
@@ -199,7 +201,8 @@ class Entry(models.Model):
     def save(self, *args, **kwargs):
         qs = Entry.objects.filter(~Q(pk=self.pk), activity=self.activity, note=self.note, guest=self.guest)
         if qs.exists():
-            raise ValidationError(_("Already entered on ") + _("{:%Y-%m-%d %H:%M:%S}").format(qs.get().time, ))
+            raise ValidationError(_("Already entered on ")
+                                  + _("{:%Y-%m-%d %H:%M:%S}").format(timezone.localtime(qs.get().time), ))
 
         if self.guest:
             self.note = self.guest.inviter
@@ -245,6 +248,11 @@ class Guest(models.Model):
         verbose_name=_("first name"),
     )
 
+    school = models.CharField(
+        max_length=255,
+        verbose_name=_("school"),
+    )
+
     inviter = models.ForeignKey(
         NoteUser,
         on_delete=models.PROTECT,
@@ -252,14 +260,13 @@ class Guest(models.Model):
         verbose_name=_("inviter"),
     )
 
-    @property
-    def has_entry(self):
-        try:
-            if self.entry:
-                return True
-            return False
-        except AttributeError:
-            return False
+    class Meta:
+        verbose_name = _("guest")
+        verbose_name_plural = _("guests")
+        unique_together = ("activity", "last_name", "first_name", )
+
+    def __str__(self):
+        return self.first_name + " " + self.last_name
 
     @transaction.atomic
     def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
@@ -290,13 +297,14 @@ class Guest(models.Model):
 
         return super().save(force_insert, force_update, using, update_fields)
 
-    def __str__(self):
-        return self.first_name + " " + self.last_name
-
-    class Meta:
-        verbose_name = _("guest")
-        verbose_name_plural = _("guests")
-        unique_together = ("activity", "last_name", "first_name", )
+    @property
+    def has_entry(self):
+        try:
+            if self.entry:
+                return True
+            return False
+        except AttributeError:
+            return False
 
 
 class GuestTransaction(Transaction):
@@ -308,3 +316,31 @@ class GuestTransaction(Transaction):
     @property
     def type(self):
         return _('Invitation')
+
+
+class Opener(models.Model):
+    """
+    Allow the user to make activity entries without more rights
+    """
+    activity = models.ForeignKey(
+        Activity,
+        on_delete=models.CASCADE,
+        related_name='opener',
+        verbose_name=_('activity')
+    )
+
+    opener = models.ForeignKey(
+        Note,
+        on_delete=models.CASCADE,
+        related_name='activity_responsible',
+        verbose_name=_('Opener')
+    )
+
+    class Meta:
+        verbose_name = _("Opener")
+        verbose_name_plural = _("Openers")
+        unique_together = ("opener", "activity")
+
+    def __str__(self):
+        return _("{opener} is opener of activity {acivity}").format(
+            opener=str(self.opener), acivity=str(self.activity))

apps/activity/static/activity/js/opener.js

@@ -0,0 +1,57 @@
+/**
+ * On form submit, add a new opener
+ */
+function form_create_opener (e) {
+  // Do not submit HTML form
+  e.preventDefault()
+
+  // Get data and send to API
+  const formData = new FormData(e.target)
+  $.getJSON('/api/note/alias/'+formData.get('opener') + '/',
+    function (opener_alias) {
+      create_opener(formData.get('activity'), opener_alias.note)
+    }).fail(function (xhr, _textStatus, _error) {
+        errMsg(xhr.responseJSON)
+    })
+}
+
+/**
+ * Add an opener between an activity and a user
+ * @param activity:Integer activity id
+ * @param opener:Integer user note id
+ */
+function create_opener(activity, opener) {
+  $.post('/api/activity/opener/', {
+      activity: activity,
+      opener: opener,
+      csrfmiddlewaretoken: CSRF_TOKEN
+  }).done(function () {
+  // Reload tables
+  $('#opener_table').load(location.pathname + ' #opener_table')
+    addMsg(gettext('Opener successfully added'), 'success')
+  }).fail(function (xhr, _textStatus, _error) {
+    errMsg(xhr.responseJSON)
+  })
+}
+
+/**
+ * On click of "delete", delete the opener
+ * @param button_id:Integer Opener id to remove
+ */
+function delete_button (button_id) {
+  $.ajax({
+    url: '/api/activity/opener/' + button_id + '/',
+    method: 'DELETE',
+    headers: { 'X-CSRFTOKEN': CSRF_TOKEN }
+  }).done(function () {
+    addMsg(gettext('Opener successfully deleted'), 'success')
+    $('#opener_table').load(location.pathname + ' #opener_table')
+  }).fail(function (xhr, _textStatus, _error) {
+    errMsg(xhr.responseJSON)
+  })
+}
+
+$(document).ready(function () {
+  // Attach event
+  document.getElementById('form_opener').addEventListener('submit', form_create_opener)
+})

apps/activity/tables.py

@@ -1,15 +1,17 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.utils import timezone
 from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
+from note_kfet.middlewares import get_current_request
 import django_tables2 as tables
 from django_tables2 import A
+from permission.backends import PermissionBackend
 from note.templatetags.pretty_money import pretty_money
 
-from .models import Activity, Entry, Guest
+from .models import Activity, Entry, Guest, Opener
 
 
 class ActivityTable(tables.Table):
@@ -49,11 +51,11 @@ class GuestTable(tables.Table):
         }
         model = Guest
         template_name = 'django_tables2/bootstrap4.html'
-        fields = ("last_name", "first_name", "inviter", )
+        fields = ("last_name", "first_name", "inviter", "school")
 
     def render_entry(self, record):
         if record.has_entry:
-            return str(_("Entered on ") + str(_("{:%Y-%m-%d %H:%M:%S}").format(record.entry.time, )))
+            return str(_("Entered on ") + str(_("{:%Y-%m-%d %H:%M:%S}").format(timezone.localtime(record.entry.time))))
         return mark_safe('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
                          '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))
 
@@ -113,3 +115,34 @@ class EntryTable(tables.Table):
             'data-last-name': lambda record: record.last_name,
             'data-first-name': lambda record: record.first_name,
         }
+
+
+# function delete_button(id) provided in template file
+DELETE_TEMPLATE = """
+    <button id="{{ record.pk }}" class="btn btn-danger btn-sm" onclick="delete_button(this.id)"> {{ delete_trans }}</button>
+"""
+
+
+class OpenerTable(tables.Table):
+    class Meta:
+        attrs = {
+            'class': 'table table condensed table-striped',
+            'id': "opener_table"
+        }
+        model = Opener
+        fields = ("opener",)
+        template_name = 'django_tables2/bootstrap4.html'
+
+    show_header = False
+    opener = tables.Column(attrs={'td': {'class': 'text-center'}})
+
+    delete_col = tables.TemplateColumn(
+        template_code=DELETE_TEMPLATE,
+        extra_context={"delete_trans": _('Delete')},
+        attrs={
+            'td': {
+                'class': lambda record: 'col-sm-1'
+                + (' d-none' if not PermissionBackend.check_perm(
+                    get_current_request(), "activity.delete_opener", record)
+                   else '')}},
+        verbose_name=_("Delete"),)

apps/activity/templates/activity/activity_detail.html

@@ -4,11 +4,31 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% endcomment %}
 {% load i18n perms %}
 {% load render_table from django_tables2 %}
+{% load static django_tables2 i18n %}
 
 {% block content %}
 <h1 class="text-white">{{ title }}</h1>
 {% include "activity/includes/activity_info.html" %}
 
+{% if activity.activity_type.manage_entries and ".change__opener"|has_perm:activity %}
+    <div class="card bg-white mb-3">
+        <h3 class="card-header text-center">
+            {% trans "Openers" %}
+        </h3>
+        <div class="card-body">
+            <form class="input-group" method="POST" id="form_opener">
+                {% csrf_token %}
+                <input type="hidden" name="activity" value="{{ object.pk }}">
+                {%include "autocomplete_model.html" %}
+                <div class="input-group-append">
+                    <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
+                </div>
+            </form>
+        </div>
+        {% render_table opener %}
+    </div>
+{% endif %}
+
 {% if guests.data %}
 <div class="card bg-white mb-3">
     <h3 class="card-header text-center">
@@ -22,6 +42,8 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% endblock %}
 
 {% block extrajavascript %}
+<script src="{% static "activity/js/opener.js" %}"></script>
+<script src="{% static "js/autocomplete_model.js" %}"></script>
 <script>
     function remove_guest(guest_id) {
         $.ajax({

apps/activity/templates/activity/activity_form.html

@@ -17,4 +17,27 @@ SPDX-License-Identifier: GPL-3.0-or-later
     </form>
   </div>
 </div>
-{% endblock %}
+{% endblock %}
+
+{% block extrajavascript %}
+<script>
+  var date_end = document.getElementById("id_date_end");
+  var date_start = document.getElementById("id_date_start");
+
+  function update_date_end (){
+    if(date_end.value=="" || date_end.value<date_start.value){
+      date_end.value = date_start.value;
+    };
+  };
+
+  function update_date_start (){
+    if(date_start.value=="" || date_end.value<date_start.value){
+      date_start.value = date_end.value;
+    };
+  };
+
+  date_start.addEventListener('focusout', update_date_end);
+  date_end.addEventListener('focusout', update_date_start);
+  
+</script>
+{% endblock %}

apps/activity/templates/activity/activity_list.html

@@ -46,4 +46,4 @@ SPDX-License-Identifier: GPL-3.0-or-later
     </h3>
     {% render_table table %}
 </div>
-{% endblock %}
+{% endblock %}

apps/activity/tests/test_activities.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import timedelta
@@ -50,6 +50,7 @@ class TestActivities(TestCase):
             inviter=self.user.note,
             last_name="GUEST",
             first_name="Guest",
+            school="School",
         )
 
     def test_activity_list(self):
@@ -156,6 +157,7 @@ class TestActivities(TestCase):
             inviter=self.user.note.id,
             last_name="GUEST2",
             first_name="Guest",
+            school="School",
         ))
         self.assertEqual(response.status_code, 200)
 
@@ -167,6 +169,7 @@ class TestActivities(TestCase):
             inviter=self.user.note.id,
             last_name="GUEST2",
             first_name="Guest",
+            school="School",
         ))
         self.assertRedirects(response, reverse("activity:activity_detail", args=(self.activity.pk,)), 302, 200)
 
@@ -200,6 +203,7 @@ class TestActivityAPI(TestAPI):
             inviter=self.user.note,
             last_name="GUEST",
             first_name="Guest",
+            school="School",
         )
 
         self.entry = Entry.objects.create(

apps/activity/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.urls import path

apps/activity/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from hashlib import md5
@@ -17,14 +17,16 @@ from django.utils.translation import gettext_lazy as _
 from django.views import View
 from django.views.decorators.cache import cache_page
 from django.views.generic import DetailView, TemplateView, UpdateView
-from django_tables2.views import SingleTableView
+from django.views.generic.list import ListView
+from django_tables2.views import MultiTableMixin, SingleTableMixin
+from api.viewsets import is_regex
 from note.models import Alias, NoteSpecial, NoteUser
 from permission.backends import PermissionBackend
 from permission.views import ProtectQuerysetMixin, ProtectedCreateView
 
 from .forms import ActivityForm, GuestForm
-from .models import Activity, Entry, Guest
-from .tables import ActivityTable, EntryTable, GuestTable
+from .models import Activity, Entry, Guest, Opener
+from .tables import ActivityTable, EntryTable, GuestTable, OpenerTable
 
 
 class ActivityCreateView(ProtectQuerysetMixin, ProtectedCreateView):
@@ -57,26 +59,36 @@ class ActivityCreateView(ProtectQuerysetMixin, ProtectedCreateView):
         return reverse_lazy('activity:activity_detail', kwargs={"pk": self.object.pk})
 
 
-class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
+class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, ListView):
     """
     Displays all Activities, and classify if they are on-going or upcoming ones.
     """
     model = Activity
-    table_class = ActivityTable
-    ordering = ('-date_start',)
+    tables = [
+        lambda data: ActivityTable(data, prefix="all-"),
+        lambda data: ActivityTable(data, prefix="upcoming-"),
+    ]
     extra_context = {"title": _("Activities")}
 
     def get_queryset(self, **kwargs):
         return super().get_queryset(**kwargs).distinct()
 
+    def get_tables_data(self):
+        # first table = all activities, second table = upcoming
+        return [
+            self.get_queryset().order_by("-date_start"),
+            Activity.objects.filter(date_end__gt=timezone.now())
+                            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))
+                            .distinct()
+                            .order_by("date_start")
+        ]
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
 
-        upcoming_activities = Activity.objects.filter(date_end__gt=timezone.now())
-        context['upcoming'] = ActivityTable(
-            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request, Activity, "view")),
-            prefix='upcoming-',
-        )
+        tables = context["tables"]
+        for name, table in zip(["table", "upcoming"], tables):
+            context[name] = table
 
         started_activities = self.get_queryset().filter(open=True, valid=True).distinct().all()
         context["started_activities"] = started_activities
@@ -84,7 +96,7 @@ class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView
         return context
 
 
-class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, DetailView):
     """
     Shows details about one activity. Add guest to context
     """
@@ -92,15 +104,40 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     context_object_name = "activity"
     extra_context = {"title": _("Activity detail")}
 
+    tables = [
+        lambda data: GuestTable(data, prefix="guests-"),
+        lambda data: OpenerTable(data, prefix="opener-"),
+    ]
+
+    def get_tables_data(self):
+        return [
+            Guest.objects.filter(activity=self.object)
+                         .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")),
+            self.object.opener.filter(activity=self.object)
+                              .filter(PermissionBackend.filter_queryset(self.request, Opener, "view")),
+        ]
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data()
 
-        table = GuestTable(data=Guest.objects.filter(activity=self.object)
-                           .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")))
-        context["guests"] = table
+        tables = context["tables"]
+        for name, table in zip(["guests", "opener"], tables):
+            context[name] = table
 
         context["activity_started"] = timezone.now() > timezone.localtime(self.object.date_start)
 
+        context["widget"] = {
+            "name": "opener",
+            "resetable": True,
+            "attrs": {
+                "class": "autocomplete form-control",
+                "id": "opener",
+                "api_url": "/api/note/alias/?note__polymorphic_ctype__model=noteuser",
+                "name_field": "name",
+                "placeholder": ""
+            }
+        }
+
         return context
 
 
@@ -131,6 +168,7 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
             activity=activity,
             first_name="",
             last_name="",
+            school="",
             inviter=self.request.user.note,
         )
 
@@ -157,12 +195,14 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
         return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})
 
 
-class ActivityEntryView(LoginRequiredMixin, TemplateView):
+class ActivityEntryView(LoginRequiredMixin, SingleTableMixin, TemplateView):
     """
     Manages entry to an activity
     """
     template_name = "activity/activity_entry.html"
 
+    table_class = EntryTable
+
     def dispatch(self, request, *args, **kwargs):
         """
         Don't display the entry interface if the user has no right to see it (no right to add an entry for itself),
@@ -197,13 +237,16 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
 
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
-            if pattern[0] != "^":
-                pattern = "^" + pattern
+
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(pattern)
+            suffix = "__iregex" if valid_regex else "__istartswith"
+            pattern = "^" + pattern if valid_regex and pattern[0] != "^" else pattern
             guest_qs = guest_qs.filter(
-                Q(first_name__iregex=pattern)
-                | Q(last_name__iregex=pattern)
-                | Q(inviter__alias__name__iregex=pattern)
-                | Q(inviter__alias__normalized_name__iregex=Alias.normalize(pattern))
+                Q(**{f"first_name{suffix}": pattern})
+                | Q(**{f"last_name{suffix}": pattern})
+                | Q(**{f"inviter__alias__name{suffix}": pattern})
+                | Q(**{f"inviter__alias__normalized_name{suffix}": Alias.normalize(pattern)})
             )
         else:
             guest_qs = guest_qs.none()
@@ -223,23 +266,26 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         # Keep only users that have a note
         note_qs = note_qs.filter(note__noteuser__isnull=False)
 
-        # Keep only members
+        # Keep only valid members
         note_qs = note_qs.filter(
             note__noteuser__user__memberships__club=activity.attendees_club,
             note__noteuser__user__memberships__date_start__lte=timezone.now(),
-            note__noteuser__user__memberships__date_end__gte=timezone.now(),
-        )
+            note__noteuser__user__memberships__date_end__gte=timezone.now()).exclude(note__inactivity_reason='forced')
 
         # Filter with permission backend
         note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request, Alias, "view"))
 
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
+
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(pattern)
+            suffix = "__iregex" if valid_regex else "__icontains"
             note_qs = note_qs.filter(
-                Q(note__noteuser__user__first_name__iregex=pattern)
-                | Q(note__noteuser__user__last_name__iregex=pattern)
-                | Q(name__iregex=pattern)
-                | Q(normalized_name__iregex=Alias.normalize(pattern))
+                Q(**{f"note__noteuser__user__first_name{suffix}": pattern})
+                | Q(**{f"note__noteuser__user__last_name{suffix}": pattern})
+                | Q(**{f"name{suffix}": pattern})
+                | Q(**{f"normalized_name{suffix}": Alias.normalize(pattern)})
             )
         else:
             note_qs = note_qs.none()
@@ -251,15 +297,9 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
             if settings.DATABASES[note_qs.db]["ENGINE"] == 'django.db.backends.postgresql' else note_qs.distinct()[:20]
         return note_qs
 
-    def get_context_data(self, **kwargs):
-        """
-        Query the list of Guest and Note to the activity and add information to makes entry with JS.
-        """
-        context = super().get_context_data(**kwargs)
-
+    def get_table_data(self):
         activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
             .distinct().get(pk=self.kwargs["pk"])
-        context["activity"] = activity
 
         matched = []
 
@@ -272,8 +312,17 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
             note.activity = activity
             matched.append(note)
 
-        table = EntryTable(data=matched)
-        context["table"] = table
+        return matched
+
+    def get_context_data(self, **kwargs):
+        """
+        Query the list of Guest and Note to the activity and add information to makes entry with JS.
+        """
+        context = super().get_context_data(**kwargs)
+
+        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
+            .distinct().get(pk=self.kwargs["pk"])
+        context["activity"] = activity
 
         context["entries"] = Entry.objects.filter(activity=activity)
 
@@ -281,7 +330,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         context["noteuser_ctype"] = ContentType.objects.get_for_model(NoteUser).pk
         context["notespecial_ctype"] = ContentType.objects.get_for_model(NoteSpecial).pk
 
-        activities_open = Activity.objects.filter(open=True).filter(
+        activities_open = Activity.objects.filter(open=True, activity_type__manage_entries=True).filter(
             PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().all()
         context["activities_open"] = [a for a in activities_open
                                       if PermissionBackend.check_perm(self.request,
@@ -315,8 +364,8 @@ X-WR-CALNAME:Kfet Calendar
 NAME:Kfet Calendar
 CALSCALE:GREGORIAN
 BEGIN:VTIMEZONE
-TZID:Europe/Berlin
-X-LIC-LOCATION:Europe/Berlin
+TZID:Europe/Paris
+X-LIC-LOCATION:Europe/Paris
 BEGIN:DAYLIGHT
 TZOFFSETFROM:+0100
 TZOFFSETTO:+0200
@@ -338,10 +387,10 @@ END:VTIMEZONE
 DTSTAMP:{"{:%Y%m%dT%H%M%S}".format(activity.date_start)}Z
 UID:{md5((activity.name + "$" + str(activity.id) + str(activity.date_start)).encode("UTF-8")).hexdigest()}
 SUMMARY;CHARSET=UTF-8:{self.multilines(activity.name, 75, 22)}
-DTSTART;TZID=Europe/Berlin:{"{:%Y%m%dT%H%M%S}".format(activity.date_start)}
-DTEND;TZID=Europe/Berlin:{"{:%Y%m%dT%H%M%S}".format(activity.date_end)}
+DTSTART:{"{:%Y%m%dT%H%M%S}Z".format(activity.date_start)}
+DTEND:{"{:%Y%m%dT%H%M%S}Z".format(activity.date_end)}
 LOCATION:{self.multilines(activity.location, 75, 9) if activity.location else "Kfet"}
-DESCRIPTION;CHARSET=UTF-8:""" + self.multilines(activity.description.replace("\n", "\\n"), 75, 26) + """
+DESCRIPTION;CHARSET=UTF-8:""" + self.multilines(activity.description.replace("\n", "\\n"), 75, 26) + f"""
  -- {activity.organizer.name}
 END:VEVENT
 """

apps/api/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'api.apps.APIConfig'

apps/api/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/api/filters.py

@@ -0,0 +1,42 @@
+import re
+from functools import lru_cache
+
+from rest_framework.filters import SearchFilter
+
+
+class RegexSafeSearchFilter(SearchFilter):
+    @lru_cache
+    def validate_regex(self, search_term) -> bool:
+        try:
+            re.compile(search_term)
+            return True
+        except re.error:
+            return False
+
+    def get_search_fields(self, view, request):
+        """
+        Ensure that given regex are valid.
+        If not, we consider that the user is trying to search by substring.
+        """
+        search_fields = super().get_search_fields(view, request)
+        search_terms = self.get_search_terms(request)
+
+        for search_term in search_terms:
+            if not self.validate_regex(search_term):
+                # Invalid regex. We assume we don't query by regex but by substring.
+                search_fields = [f.replace('$', '') for f in search_fields]
+                break
+
+        return search_fields
+
+    def get_search_terms(self, request):
+        """
+        Ensure that search field is a valid regex query. If not, we remove extra characters.
+        """
+        terms = super().get_search_terms(request)
+        if not all(self.validate_regex(term) for term in terms):
+            # Invalid regex. If a ^ is prefixed to the search term, we remove it.
+            terms = [term[1:] if term[0] == '^' else term for term in terms]
+            # Same for dollars.
+            terms = [term[:-1] if term[-1] == '$' else term for term in terms]
+        return terms

apps/api/pagination.py

@@ -0,0 +1,5 @@
+from rest_framework.pagination import PageNumberPagination
+
+
+class CustomPagination(PageNumberPagination):
+    page_size_query_param = 'page_size'

apps/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 

apps/api/tests.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
@@ -12,11 +12,12 @@ from django.contrib.contenttypes.models import ContentType
 from django.db.models.fields.files import ImageFieldFile
 from django.test import TestCase
 from django_filters.rest_framework import DjangoFilterBackend
+from phonenumbers import PhoneNumber
+from rest_framework.filters import OrderingFilter
+from api.filters import RegexSafeSearchFilter
 from member.models import Membership, Club
 from note.models import NoteClub, NoteUser, Alias, Note
 from permission.models import PermissionMask, Permission, Role
-from phonenumbers import PhoneNumber
-from rest_framework.filters import SearchFilter, OrderingFilter
 
 from .viewsets import ContentTypeViewSet, UserViewSet
 
@@ -87,7 +88,7 @@ class TestAPI(TestCase):
                     resp = self.client.get(url + f"?ordering=-{field}")
                     self.assertEqual(resp.status_code, 200)
 
-            if SearchFilter in backends:
+            if RegexSafeSearchFilter in backends:
                 # Basic search
                 for field in viewset.search_fields:
                     obj = self.fix_note_object(obj, field)

apps/api/urls.py

@@ -1,8 +1,9 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.conf import settings
-from django.conf.urls import url, include
+from django.conf.urls import include
+from django.urls import re_path
 from rest_framework import routers
 
 from .views import UserInformationView
@@ -14,40 +15,48 @@ router = routers.DefaultRouter()
 router.register('models', ContentTypeViewSet)
 router.register('user', UserViewSet)
 
-if "member" in settings.INSTALLED_APPS:
-    from member.api.urls import register_members_urls
-    register_members_urls(router, 'members')
-
-if "member" in settings.INSTALLED_APPS:
+if "activity" in settings.INSTALLED_APPS:
     from activity.api.urls import register_activity_urls
     register_activity_urls(router, 'activity')
 
-if "note" in settings.INSTALLED_APPS:
-    from note.api.urls import register_note_urls
-    register_note_urls(router, 'note')
-
-if "treasury" in settings.INSTALLED_APPS:
-    from treasury.api.urls import register_treasury_urls
-    register_treasury_urls(router, 'treasury')
-
-if "permission" in settings.INSTALLED_APPS:
-    from permission.api.urls import register_permission_urls
-    register_permission_urls(router, 'permission')
+if "food" in settings.INSTALLED_APPS:
+    from food.api.urls import register_food_urls
+    register_food_urls(router, 'food')
 
 if "logs" in settings.INSTALLED_APPS:
     from logs.api.urls import register_logs_urls
     register_logs_urls(router, 'logs')
 
+if "member" in settings.INSTALLED_APPS:
+    from member.api.urls import register_members_urls
+    register_members_urls(router, 'members')
+
+if "note" in settings.INSTALLED_APPS:
+    from note.api.urls import register_note_urls
+    register_note_urls(router, 'note')
+
+if "permission" in settings.INSTALLED_APPS:
+    from permission.api.urls import register_permission_urls
+    register_permission_urls(router, 'permission')
+
+if "treasury" in settings.INSTALLED_APPS:
+    from treasury.api.urls import register_treasury_urls
+    register_treasury_urls(router, 'treasury')
+
 if "wei" in settings.INSTALLED_APPS:
     from wei.api.urls import register_wei_urls
     register_wei_urls(router, 'wei')
 
+if "wrapped" in settings.INSTALLED_APPS:
+    from wrapped.api.urls import register_wrapped_urls
+    register_wrapped_urls(router, 'wrapped')
+
 app_name = 'api'
 
 # Wire up our API using automatic URL routing.
 # Additionally, we include login URLs for the browsable API.
 urlpatterns = [
-    url('^', include(router.urls)),
-    url('^me/', UserInformationView.as_view()),
-    url('^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
+    re_path('^', include(router.urls)),
+    re_path('^me/', UserInformationView.as_view()),
+    re_path('^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
 ]

apps/api/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib.auth.models import User

apps/api/viewsets.py

@@ -1,19 +1,29 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import re
+
 from django.contrib.contenttypes.models import ContentType
 from django_filters.rest_framework import DjangoFilterBackend
 from django.db.models import Q
 from django.conf import settings
 from django.contrib.auth.models import User
-from rest_framework.filters import SearchFilter
 from rest_framework.viewsets import ReadOnlyModelViewSet, ModelViewSet
 from permission.backends import PermissionBackend
 from note.models import Alias
 
+from .filters import RegexSafeSearchFilter
 from .serializers import UserSerializer, ContentTypeSerializer
 
 
+def is_regex(pattern):
+    try:
+        re.compile(pattern)
+        return True
+    except (re.error, TypeError):
+        return False
+
+
 class ReadProtectedModelViewSet(ModelViewSet):
     """
     Protect a ModelViewSet by filtering the objects that the user cannot see.
@@ -60,34 +70,38 @@ class UserViewSet(ReadProtectedModelViewSet):
 
         if "search" in self.request.GET:
             pattern = self.request.GET["search"]
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(pattern)
+            suffix = "__iregex" if valid_regex else "__istartswith"
+            prefix = "^" if valid_regex else ""
 
             # Filter with different rules
             # We use union-all to keep each filter rule sorted in result
             queryset = queryset.filter(
                 # Match without normalization
-                note__alias__name__iregex="^" + pattern
+                Q(**{f"note__alias__name{suffix}": prefix + pattern})
             ).union(
                 queryset.filter(
                     # Match with normalization
-                    Q(note__alias__normalized_name__iregex="^" + Alias.normalize(pattern))
-                    & ~Q(note__alias__name__iregex="^" + pattern)
+                    Q(**{f"note__alias__normalized_name{suffix}": prefix + Alias.normalize(pattern)})
+                    & ~Q(**{f"note__alias__name{suffix}": prefix + pattern})
                 ),
                 all=True,
             ).union(
                 queryset.filter(
                     # Match on lower pattern
-                    Q(note__alias__normalized_name__iregex="^" + pattern.lower())
-                    & ~Q(note__alias__normalized_name__iregex="^" + Alias.normalize(pattern))
-                    & ~Q(note__alias__name__iregex="^" + pattern)
+                    Q(**{f"note__alias__normalized_name{suffix}": prefix + pattern.lower()})
+                    & ~Q(**{f"note__alias__normalized_name{suffix}": prefix + Alias.normalize(pattern)})
+                    & ~Q(**{f"note__alias__name{suffix}": prefix + pattern})
                 ),
                 all=True,
             ).union(
                 queryset.filter(
                     # Match on firstname or lastname
-                    (Q(last_name__iregex="^" + pattern) | Q(first_name__iregex="^" + pattern))
-                    & ~Q(note__alias__normalized_name__iregex="^" + pattern.lower())
-                    & ~Q(note__alias__normalized_name__iregex="^" + Alias.normalize(pattern))
-                    & ~Q(note__alias__name__iregex="^" + pattern)
+                    (Q(**{f"last_name{suffix}": prefix + pattern}) | Q(**{f"first_name{suffix}": prefix + pattern}))
+                    & ~Q(**{f"note__alias__normalized_name{suffix}": prefix + pattern.lower()})
+                    & ~Q(**{f"note__alias__normalized_name{suffix}": prefix + Alias.normalize(pattern)})
+                    & ~Q(**{f"note__alias__name{suffix}": prefix + pattern})
                 ),
                 all=True,
             )
@@ -107,6 +121,6 @@ class ContentTypeViewSet(ReadOnlyModelViewSet):
     """
     queryset = ContentType.objects.order_by('id')
     serializer_class = ContentTypeSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['id', 'app_label', 'model', ]
     search_fields = ['$app_label', '$model', ]

apps/food/admin.py

@@ -0,0 +1,59 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib import admin
+from polymorphic.admin import PolymorphicChildModelAdmin, PolymorphicParentModelAdmin
+from note_kfet.admin import admin_site
+
+from .models import Allergen, Food, BasicFood, TransformedFood, QRCode
+
+
+@admin.register(Allergen, site=admin_site)
+class AllergenAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for Allergen
+    """
+    ordering = ['name']
+
+
+@admin.register(Food, site=admin_site)
+class FoodAdmin(PolymorphicParentModelAdmin):
+    """
+    Admin customisation for Food
+    """
+    child_models = (Food, BasicFood, TransformedFood)
+    list_display = ('name', 'expiry_date', 'owner', 'is_ready')
+    list_filter = ('is_ready', 'end_of_life')
+    search_fields = ['name']
+    ordering = ['expiry_date', 'name']
+
+
+@admin.register(BasicFood, site=admin_site)
+class BasicFood(PolymorphicChildModelAdmin):
+    """
+    Admin customisation for BasicFood
+    """
+    list_display = ('name', 'expiry_date', 'date_type', 'owner', 'is_ready')
+    list_filter = ('is_ready', 'date_type', 'end_of_life')
+    search_fields = ['name']
+    ordering = ['expiry_date', 'name']
+
+
+@admin.register(TransformedFood, site=admin_site)
+class TransformedFood(PolymorphicChildModelAdmin):
+    """
+    Admin customisation for TransformedFood
+    """
+    list_display = ('name', 'expiry_date', 'shelf_life', 'owner', 'is_ready')
+    list_filter = ('is_ready', 'end_of_life', 'shelf_life')
+    search_fields = ['name']
+    ordering = ['expiry_date', 'name']
+
+
+@admin.register(QRCode, site=admin_site)
+class QRCodeAdmin(admin.ModelAdmin):
+    """
+    Admin customisation for QRCode
+    """
+    list_diplay = ('qr_code_number', 'food_container')
+    search_fields = ['food_container__name']

apps/food/api/serializers.py

@@ -0,0 +1,56 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from rest_framework import serializers
+
+from ..models import Allergen, Food, BasicFood, TransformedFood, QRCode
+
+
+class AllergenSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Allergen.
+    The djangorestframework plugin will analyse the model `Allergen` and parse all fields in the API.
+    """
+    class Meta:
+        model = Allergen
+        fields = '__all__'
+
+
+class FoodSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for Food.
+    The djangorestframework plugin will analyse the model `Food` and parse all fields in the API.
+    """
+    class Meta:
+        model = Food
+        fields = '__all__'
+
+
+class BasicFoodSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for BasicFood.
+    The djangorestframework plugin will analyse the model `BasicFood` and parse all fields in the API.
+    """
+    class Meta:
+        model = BasicFood
+        fields = '__all__'
+
+
+class TransformedFoodSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for TransformedFood.
+    The djangorestframework plugin will analyse the model `TransformedFood` and parse all fields in the API.
+    """
+    class Meta:
+        model = TransformedFood
+        fields = '__all__'
+
+
+class QRCodeSerializer(serializers.ModelSerializer):
+    """
+    REST API Serializer for QRCode.
+    The djangorestframework plugin will analyse the model `QRCode` and parse all fields in the API.
+    """
+    class Meta:
+        model = QRCode
+        fields = '__all__'

apps/food/api/urls.py

@@ -0,0 +1,15 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from .views import AllergenViewSet, FoodViewSet, BasicFoodViewSet, TransformedFoodViewSet, QRCodeViewSet
+
+
+def register_food_urls(router, path):
+    """
+    Configure router for Food REST API.
+    """
+    router.register(path + '/allergen', AllergenViewSet)
+    router.register(path + '/food', FoodViewSet)
+    router.register(path + '/basicfood', BasicFoodViewSet)
+    router.register(path + '/transformedfood', TransformedFoodViewSet)
+    router.register(path + '/qrcode', QRCodeViewSet)

apps/food/api/views.py

@@ -0,0 +1,74 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from api.viewsets import ReadProtectedModelViewSet
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import SearchFilter
+
+from .serializers import AllergenSerializer, FoodSerializer, BasicFoodSerializer, TransformedFoodSerializer, QRCodeSerializer
+from ..models import Allergen, Food, BasicFood, TransformedFood, QRCode
+
+
+class AllergenViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Allergen` objects, serialize it to JSON with the given serializer,
+    then render it on /api/food/allergen/
+    """
+    queryset = Allergen.objects.order_by('id')
+    serializer_class = AllergenSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['name', ]
+    search_fields = ['$name', ]
+
+
+class FoodViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `Food` objects, serialize it to JSON with the given serializer,
+    then render it on /api/food/food/
+    """
+    queryset = Food.objects.order_by('id')
+    serializer_class = FoodSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['name', ]
+    search_fields = ['$name', ]
+
+
+class BasicFoodViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `BasicFood` objects, serialize it to JSON with the given serializer,
+    then render it on /api/food/basicfood/
+    """
+    queryset = BasicFood.objects.order_by('id')
+    serializer_class = BasicFoodSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['name', ]
+    search_fields = ['$name', ]
+
+
+class TransformedFoodViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `TransformedFood` objects, serialize it to JSON with the given serializer,
+    then render it on /api/food/transformedfood/
+    """
+    queryset = TransformedFood.objects.order_by('id')
+    serializer_class = TransformedFoodSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['name', ]
+    search_fields = ['$name', ]
+
+
+class QRCodeViewSet(ReadProtectedModelViewSet):
+    """
+    REST API View set.
+    The djangorestframework plugin will get all `QRCode` objects, serialize it to JSON with the given serializer,
+    then render it on /api/food/qrcode/
+    """
+    queryset = QRCode.objects.order_by('id')
+    serializer_class = QRCodeSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['qr_code_number', ]
+    search_fields = ['$qr_code_number', ]

apps/food/apps.py

@@ -0,0 +1,11 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+from django.utils.translation import gettext_lazy as _
+from django.apps import AppConfig
+
+
+class FoodkfetConfig(AppConfig):
+    name = 'food'
+    verbose_name = _('food')

apps/food/fixtures/initial.json

@@ -0,0 +1,100 @@
+[
+    {
+	"model": "food.allergen",
+	"pk": 1,
+	"fields": {
+	    "name": "Lait"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 2,
+	"fields": {
+	    "name": "Oeufs"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 3,
+	"fields": {
+	    "name": "Gluten"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 4,
+	"fields": {
+	    "name": "Fruits à coques"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 5,
+	"fields": {
+	    "name": "Arachides"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 6,
+	"fields": {
+	    "name": "Sésame"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 7,
+	"fields": {
+	    "name": "Soja"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 8,
+	"fields": {
+	    "name": "Céleri"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 9,
+	"fields": {
+	    "name": "Lupin"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 10,
+	"fields": {
+	    "name": "Moutarde"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 11,
+	"fields": {
+	    "name": "Sulfites"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 12,
+	"fields": {
+	    "name": "Crustacés"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 13,
+	"fields": {
+	    "name": "Mollusques"
+	}
+    },
+    {
+	"model": "food.allergen",
+	"pk": 14,
+	"fields": {
+	    "name": "Poissons"
+	}
+    }
+]

apps/food/forms.py

@@ -0,0 +1,187 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from random import shuffle
+
+from bootstrap_datepicker_plus.widgets import DateTimePickerInput
+from django import forms
+from django.forms.widgets import NumberInput
+from django.utils.translation import gettext_lazy as _
+from member.models import Club
+from note_kfet.inputs import Autocomplete
+from note_kfet.middlewares import get_current_request
+from permission.backends import PermissionBackend
+
+from .models import Food, BasicFood, TransformedFood, QRCode
+
+
+class QRCodeForms(forms.ModelForm):
+    """
+    Form for create QRCode for container
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['food_container'].queryset = self.fields['food_container'].queryset.filter(
+            end_of_life__isnull=True,
+            polymorphic_ctype__model='transformedfood',
+        ).filter(PermissionBackend.filter_queryset(
+            get_current_request(),
+            TransformedFood,
+            "view",
+        ))
+
+    class Meta:
+        model = QRCode
+        fields = ('food_container',)
+
+
+class BasicFoodForms(forms.ModelForm):
+    """
+    Form for add basicfood
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['name'].widget.attrs.update({"autofocus": "autofocus"})
+        self.fields['name'].required = True
+        self.fields['owner'].required = True
+
+        # Some example
+        self.fields['name'].widget.attrs.update({"placeholder": _("Pasta METRO 5kg")})
+        clubs = list(Club.objects.filter(PermissionBackend.filter_queryset(get_current_request(), Club, "change")).all())
+        shuffle(clubs)
+        self.fields['owner'].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."
+        self.fields['order'].widget.attrs["placeholder"] = _("Specific order given to GCKs")
+
+    class Meta:
+        model = BasicFood
+        fields = ('name', 'owner', 'date_type', 'expiry_date', 'allergens', 'order',)
+        widgets = {
+            "owner": Autocomplete(
+                model=Club,
+                attrs={"api_url": "/api/members/club/"},
+            ),
+            "expiry_date": DateTimePickerInput(),
+        }
+
+
+class TransformedFoodForms(forms.ModelForm):
+    """
+    Form for add transformedfood
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['name'].required = True
+        self.fields['owner'].required = True
+
+        # Some example
+        self.fields['name'].widget.attrs.update({"placeholder": _("Lasagna")})
+        clubs = list(Club.objects.filter(PermissionBackend.filter_queryset(get_current_request(), Club, "change")).all())
+        shuffle(clubs)
+        self.fields['owner'].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."
+        self.fields['order'].widget.attrs["placeholder"] = _("Specific order given to GCKs")
+
+    class Meta:
+        model = TransformedFood
+        fields = ('name', 'owner', 'order',)
+        widgets = {
+            "owner": Autocomplete(
+                model=Club,
+                attrs={"api_url": "/api/members/club/"},
+            ),
+        }
+
+
+class BasicFoodUpdateForms(forms.ModelForm):
+    """
+    Form for update basicfood object
+    """
+    class Meta:
+        model = BasicFood
+        fields = ('name', 'owner', 'date_type', 'expiry_date', 'end_of_life', 'is_ready', 'order', 'allergens')
+        widgets = {
+            "owner": Autocomplete(
+                model=Club,
+                attrs={"api_url": "/api/members/club/"},
+            ),
+            "expiry_date": DateTimePickerInput(),
+        }
+
+
+class TransformedFoodUpdateForms(forms.ModelForm):
+    """
+    Form for update transformedfood object
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['shelf_life'].label = _('Shelf life (in hours)')
+
+    class Meta:
+        model = TransformedFood
+        fields = ('name', 'owner', 'end_of_life', 'is_ready', 'order', 'shelf_life')
+        widgets = {
+            "owner": Autocomplete(
+                model=Club,
+                attrs={"api_url": "/api/members/club/"},
+            ),
+            "expiry_date": DateTimePickerInput(),
+            "shelf_life": NumberInput(),
+        }
+
+
+class AddIngredientForms(forms.ModelForm):
+    """
+    Form for add an ingredient
+    """
+    fully_used = forms.BooleanField()
+    fully_used.initial = True
+    fully_used.required = False
+    fully_used.label = _("Fully used")
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        # TODO find a better way to get pk (be not url scheme dependant)
+        pk = get_current_request().path.split('/')[-1]
+        self.fields['ingredients'].queryset = self.fields['ingredients'].queryset.filter(
+            polymorphic_ctype__model="transformedfood",
+            is_ready=False,
+            end_of_life='',
+        ).filter(PermissionBackend.filter_queryset(get_current_request(), TransformedFood, "change")).exclude(pk=pk)
+
+    class Meta:
+        model = TransformedFood
+        fields = ('ingredients',)
+
+
+class ManageIngredientsForm(forms.Form):
+    """
+    Form to manage ingredient
+    """
+    fully_used = forms.BooleanField()
+    fully_used.initial = True
+    fully_used.required = True
+    fully_used.label = _('Fully used')
+
+    name = forms.CharField()
+    name.widget = Autocomplete(
+        model=Food,
+        resetable=True,
+        attrs={"api_url": "/api/food/food",
+               "class": "autocomplete"},
+    )
+    name.label = _('Name')
+
+    qrcode = forms.IntegerField()
+    qrcode.widget = Autocomplete(
+        model=QRCode,
+        resetable=True,
+        attrs={"api_url": "/api/food/qrcode/",
+               "name_field": "qr_code_number",
+               "class": "autocomplete"},
+    )
+    qrcode.label = _('QR code number')
+
+
+ManageIngredientsFormSet = forms.formset_factory(
+    ManageIngredientsForm,
+    extra=1,
+)

apps/food/migrations/0001_initial.py

@@ -0,0 +1,199 @@
+# Generated by Django 4.2.20 on 2025-04-17 21:43
+
+import datetime
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+    initial = True
+
+    dependencies = [
+        ("contenttypes", "0002_remove_content_type_name"),
+        ("member", "0013_auto_20240801_1436"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Allergen",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("name", models.CharField(max_length=255, verbose_name="name")),
+            ],
+            options={
+                "verbose_name": "Allergen",
+                "verbose_name_plural": "Allergens",
+            },
+        ),
+        migrations.CreateModel(
+            name="Food",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("name", models.CharField(max_length=255, verbose_name="name")),
+                ("expiry_date", models.DateTimeField(verbose_name="expiry date")),
+                (
+                    "end_of_life",
+                    models.CharField(max_length=255, verbose_name="end of life"),
+                ),
+                (
+                    "is_ready",
+                    models.BooleanField(max_length=255, verbose_name="is ready"),
+                ),
+                ("order", models.CharField(max_length=255, verbose_name="order")),
+                (
+                    "allergens",
+                    models.ManyToManyField(
+                        blank=True, to="food.allergen", verbose_name="allergens"
+                    ),
+                ),
+                (
+                    "owner",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.PROTECT,
+                        related_name="+",
+                        to="member.club",
+                        verbose_name="owner",
+                    ),
+                ),
+                (
+                    "polymorphic_ctype",
+                    models.ForeignKey(
+                        editable=False,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="polymorphic_%(app_label)s.%(class)s_set+",
+                        to="contenttypes.contenttype",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Food",
+                "verbose_name_plural": "Foods",
+            },
+        ),
+        migrations.CreateModel(
+            name="BasicFood",
+            fields=[
+                (
+                    "food_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="food.food",
+                    ),
+                ),
+                (
+                    "arrival_date",
+                    models.DateTimeField(
+                        default=django.utils.timezone.now, verbose_name="arrival date"
+                    ),
+                ),
+                (
+                    "date_type",
+                    models.CharField(
+                        choices=[("DLC", "DLC"), ("DDM", "DDM")], max_length=255
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Basic food",
+                "verbose_name_plural": "Basic foods",
+            },
+            bases=("food.food",),
+        ),
+        migrations.CreateModel(
+            name="QRCode",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "qr_code_number",
+                    models.PositiveIntegerField(
+                        unique=True, verbose_name="qr code number"
+                    ),
+                ),
+                (
+                    "food_container",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="QR_code",
+                        to="food.food",
+                        verbose_name="food container",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "QR-code",
+                "verbose_name_plural": "QR-codes",
+            },
+        ),
+        migrations.CreateModel(
+            name="TransformedFood",
+            fields=[
+                (
+                    "food_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="food.food",
+                    ),
+                ),
+                (
+                    "creation_date",
+                    models.DateTimeField(
+                        default=django.utils.timezone.now, verbose_name="creation date"
+                    ),
+                ),
+                (
+                    "shelf_life",
+                    models.DurationField(
+                        default=datetime.timedelta(days=3), verbose_name="shelf life"
+                    ),
+                ),
+                (
+                    "ingredients",
+                    models.ManyToManyField(
+                        blank=True,
+                        related_name="transformed_ingredient_inv",
+                        to="food.food",
+                        verbose_name="transformed ingredient",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Transformed food",
+                "verbose_name_plural": "Transformed foods",
+            },
+            bases=("food.food",),
+        ),
+    ]

apps/food/models.py

@@ -0,0 +1,286 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from datetime import timedelta
+
+from django.db import models, transaction
+from django.utils import timezone
+from django.utils.translation import gettext_lazy as _
+from polymorphic.models import PolymorphicModel
+from member.models import Club
+
+
+class Allergen(models.Model):
+    """
+    Allergen and alimentary restrictions
+    """
+    name = models.CharField(
+        verbose_name=_('name'),
+        max_length=255,
+    )
+
+    class Meta:
+        verbose_name = _("Allergen")
+        verbose_name_plural = _("Allergens")
+
+    def __str__(self):
+        return self.name
+
+
+class Food(PolymorphicModel):
+    """
+    Describe any type of food
+    """
+    name = models.CharField(
+        verbose_name=_("name"),
+        max_length=255,
+    )
+
+    owner = models.ForeignKey(
+        Club,
+        on_delete=models.PROTECT,
+        related_name='+',
+        verbose_name=_('owner'),
+    )
+
+    allergens = models.ManyToManyField(
+        Allergen,
+        blank=True,
+        verbose_name=_('allergens'),
+    )
+
+    expiry_date = models.DateTimeField(
+        verbose_name=_('expiry date'),
+        null=False,
+    )
+
+    end_of_life = models.CharField(
+        blank=True,
+        verbose_name=_('end of life'),
+        max_length=255,
+    )
+
+    is_ready = models.BooleanField(
+        verbose_name=_('is ready'),
+        max_length=255,
+    )
+
+    order = models.CharField(
+        blank=True,
+        verbose_name=_('order'),
+        max_length=255,
+    )
+
+    def __str__(self):
+        return self.name
+
+    @transaction.atomic
+    def update_allergens(self):
+        # update parents
+        for parent in self.transformed_ingredient_inv.iterator():
+            old_allergens = list(parent.allergens.all()).copy()
+            parent.allergens.clear()
+            for child in parent.ingredients.iterator():
+                if child.pk != self.pk:
+                    parent.allergens.set(parent.allergens.union(child.allergens.all()))
+            parent.allergens.set(parent.allergens.union(self.allergens.all()))
+            if old_allergens != list(parent.allergens.all()):
+                parent.save(old_allergens=old_allergens)
+
+    def update_expiry_date(self):
+        # update parents
+        for parent in self.transformed_ingredient_inv.iterator():
+            old_expiry_date = parent.expiry_date
+            parent.expiry_date = parent.shelf_life + parent.creation_date
+            for child in parent.ingredients.iterator():
+                if (child.pk != self.pk
+                    and not (child.polymorphic_ctype.model == 'basicfood'
+                             and child.date_type == 'DDM')):
+                    parent.expiry_date = min(parent.expiry_date, child.expiry_date)
+
+            if self.polymorphic_ctype.model == 'basicfood' and self.date_type == 'DLC':
+                parent.expiry_date = min(parent.expiry_date, self.expiry_date)
+            if old_expiry_date != parent.expiry_date:
+                parent.save()
+
+    class Meta:
+        verbose_name = _('Food')
+        verbose_name_plural = _('Foods')
+
+
+class BasicFood(Food):
+    """
+    A basic food is a food directly buy and stored
+    """
+    arrival_date = models.DateTimeField(
+        default=timezone.now,
+        verbose_name=_('arrival date'),
+    )
+
+    date_type = models.CharField(
+        max_length=255,
+        choices=(
+            ("DLC", "DLC"),
+            ("DDM", "DDM"),
+        )
+    )
+
+    @transaction.atomic
+    def save(self, force_insert=False, force_update=False, using=None, update_fields=None, **kwargs):
+        created = self.pk is None
+        if not created:
+            # Check if important fields are updated
+            old_food = Food.objects.select_for_update().get(pk=self.pk)
+            if not hasattr(self, "_force_save"):
+                # Allergens
+
+                if ('old_allergens' in kwargs
+                        and list(self.allergens.all()) != kwargs['old_allergens']):
+                    self.update_allergens()
+
+                # Expiry date
+                if ((self.expiry_date != old_food.expiry_date
+                        and self.date_type == 'DLC')
+                        or old_food.date_type != self.date_type):
+                    self.update_expiry_date()
+
+        return super().save(force_insert, force_update, using, update_fields)
+
+    @staticmethod
+    def get_lastests_objects(number, distinct_field, order_by_field):
+        """
+        Get the last object with distinct field and ranked with order_by
+        This methods exist because we can't distinct with one field and
+        order with another
+        """
+        foods = BasicFood.objects.order_by(order_by_field).all()
+        field = []
+        for food in foods:
+            if getattr(food, distinct_field) in field:
+                continue
+            else:
+                field.append(getattr(food, distinct_field))
+                number -= 1
+                yield food
+            if not number:
+                return
+
+    class Meta:
+        verbose_name = _('Basic food')
+        verbose_name_plural = _('Basic foods')
+
+    def __str__(self):
+        return self.name
+
+
+class TransformedFood(Food):
+    """
+    A transformed food is a food with ingredients
+    """
+    creation_date = models.DateTimeField(
+        default=timezone.now,
+        verbose_name=_('creation date'),
+    )
+
+    # Without microbiological analyzes, the storage time is 3 days
+    shelf_life = models.DurationField(
+        default=timedelta(days=3),
+        verbose_name=_('shelf life'),
+    )
+
+    ingredients = models.ManyToManyField(
+        Food,
+        blank=True,
+        symmetrical=False,
+        related_name='transformed_ingredient_inv',
+        verbose_name=_('transformed ingredient'),
+    )
+
+    def check_cycle(self, ingredients, origin, checked):
+        for ingredient in ingredients:
+            if ingredient == origin:
+                # We break the cycle
+                self.ingredients.remove(ingredient)
+            if ingredient.polymorphic_ctype.model == 'transformedfood' and ingredient not in checked:
+                ingredient.check_cycle(ingredient.ingredients.all(), origin, checked)
+                checked.append(ingredient)
+
+    @transaction.atomic
+    def save(self, force_insert=False, force_update=False, using=None, update_fields=None, **kwargs):
+        created = self.pk is None
+        if not created:
+            # Check if important fields are updated
+            update = {'allergens': False, 'expiry_date': False}
+            old_food = Food.objects.select_for_update().get(pk=self.pk)
+            if not hasattr(self, "_force_save"):
+                # Allergens
+                # Unfortunately with the many-to-many relation we can't access
+                # to old allergens
+                if ('old_allergens' in kwargs
+                        and list(self.allergens.all()) != kwargs['old_allergens']):
+                    update['allergens'] = True
+
+                # Expiry date
+                update['expiry_date'] = (self.shelf_life != old_food.shelf_life
+                                         or self.creation_date != old_food.creation_date)
+                if update['expiry_date']:
+                    self.expiry_date = self.creation_date + self.shelf_life
+                # Unfortunately with the set method ingredients are already save,
+                # we check cycle after if possible
+                if ('old_ingredients' in kwargs
+                        and list(self.ingredients.all()) != list(kwargs['old_ingredients'])):
+                    update['allergens'] = True
+                    update['expiry_date'] = True
+
+                    # it's preferable to keep a queryset but we allow list too
+                    if type(kwargs['old_ingredients']) is list:
+                        kwargs['old_ingredients'] = Food.objects.filter(
+                            pk__in=[food.pk for food in kwargs['old_ingredients']])
+                    self.check_cycle(self.ingredients.all().difference(kwargs['old_ingredients']), self, [])
+                if update['allergens']:
+                    self.update_allergens()
+                if update['expiry_date']:
+                    self.update_expiry_date()
+
+        if created:
+            self.expiry_date = self.shelf_life + self.creation_date
+
+            # We save here because we need pk for many-to-many relation
+            super().save(force_insert, force_update, using, update_fields)
+
+            for child in self.ingredients.iterator():
+                self.allergens.set(self.allergens.union(child.allergens.all()))
+                if not (child.polymorphic_ctype.model == 'basicfood' and child.date_type == 'DDM'):
+                    self.expiry_date = min(self.expiry_date, child.expiry_date)
+        return super().save(force_insert, force_update, using, update_fields)
+
+    class Meta:
+        verbose_name = _('Transformed food')
+        verbose_name_plural = _('Transformed foods')
+
+    def __str__(self):
+        return self.name
+
+
+class QRCode(models.Model):
+    """
+    QR-code for register food
+    """
+    qr_code_number = models.PositiveIntegerField(
+        unique=True,
+        verbose_name=_('qr code number'),
+    )
+
+    food_container = models.ForeignKey(
+        Food,
+        on_delete=models.CASCADE,
+        related_name='QR_code',
+        verbose_name=_('food container'),
+    )
+
+    class Meta:
+        verbose_name = _('QR-code')
+        verbose_name_plural = _('QR-codes')
+
+    def __str__(self):
+        return _('QR-code number') + ' ' + str(self.qr_code_number)

apps/food/tables.py

@@ -0,0 +1,21 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import django_tables2 as tables
+
+from .models import Food
+
+
+class FoodTable(tables.Table):
+    """
+    List all foods.
+    """
+    class Meta:
+        model = Food
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('name', 'owner', 'allergens', 'expiry_date')
+        row_attrs = {
+            'class': 'table-row',
+            'data-href': lambda record: 'detail/' + str(record.pk),
+            'style': 'cursor:pointer',
+        }

apps/food/templates/food/food_detail.html

@@ -0,0 +1,53 @@
+{% extends "base.html" %}
+{% comment %}
+Copyright (C) by BDE ENS Paris-Saclay
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    {{ title }} {{ food.name }}
+  </h3>
+  <div class="card-body">
+    <ul>
+      {% for field, value in fields %}
+      <li> {{ field }} : {{ value }}</li>
+      {% endfor %}
+      {% if meals %}
+      <li> {% trans "Contained in" %} : 
+      {% for meal in meals %}
+      <a href="{% url "food:transformedfood_view" pk=meal.pk %}">{{ meal.name }}</a>{% if not forloop.last %},{% endif %} 
+      {% endfor %}
+      </li>
+      {% endif %}
+      {% if foods %}
+      <li> {% trans "Contain" %} : 
+      {% for food in foods %}
+        <a href="{% url "food:food_view" pk=food.pk %}">{{ food.name }}</a>{% if not forloop.last %},{% endif %}
+      {% endfor %}
+      </li>
+      {% endif %}
+    </ul>
+      {% if update %}
+	<a class="btn btn-sm btn-secondary" href="{% url "food:food_update" pk=food.pk %}">
+	  {% trans "Update" %}
+	</a>
+      {% endif %}
+      {% if add_ingredient %}
+	<a class="btn btn-sm btn-primary" href="{% url "food:add_ingredient" pk=food.pk %}">
+	  {% trans "Add to a meal" %}
+	</a>
+      {% endif %}
+      {% if manage_ingredients %}
+        <a class="btn btn-sm btn-secondary" href="{% url "food:manage_ingredients" pk=food.pk %}">
+	  {% trans "Manage ingredients" %}
+	</a>
+      {% endif %}
+	<a class="btn btn-sm btn-primary" href="{% url "food:food_list" %}">
+	  {% trans "Return to the food list" %}
+	</a>
+  </div>
+</div>
+{% endblock %}

apps/food/templates/food/food_list.html

@@ -0,0 +1,71 @@
+{% extends "base_search.html" %}
+{% comment %}
+Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load render_table from django_tables2 %}
+{% load i18n %}
+
+{% block content %}
+{{ block.super }}
+<br>
+<div class="card bg-light mb-3">
+  <h3 class="card-header text-center">
+    {% trans "Meal served" %}
+  </h3>
+  {% if can_add_meal %}
+  <div class="card-footer">
+    <a class="btn btn-sm btn-primary" href="{% url 'food:transformedfood_create' %}">
+      {% trans "New meal" %}
+    </a>
+  </div>
+  {% endif %}
+  {% if served.data %}
+  {% render_table served %}
+  {% else %}
+  <div class="card-body">
+    <div class="alert alert-warning">
+      {% trans "There is no meal served." %}
+    </div>
+  </div>
+</div>
+  {% endif %}
+<div class="card bg-light mb-3">
+  <h3 class="card-header text-center">
+    {% trans "Free food" %}
+  </h3>
+  {% if open.data %}
+  {% render_table open %}
+  {% else %}
+  <div class="card-body">
+    <div class="alert alert-warning">
+      {% trans "There is no free food." %}
+    </div>
+  </div>
+  {% endif %}
+</div>
+{% if club_tables %}
+<div class="card bg-light mb-3">
+  <h3 class="card-header text-center">
+    {% trans "Food of your clubs" %}
+  </h3>
+</div>
+  {% for table in club_tables %}
+<div class="card bg-light mb-3">
+  <h3 class="card-header text-center">
+    {% trans "Food of club" %} {{ table.prefix }} 
+  </h3>
+  {% if table.data %}
+    {% render_table table %}
+  {% else %}
+  <div class="card-body">
+    <div class="alert alert-warning">
+      {% trans "Yours club has not food yet." %}
+    </div>
+  </div>
+  {% endif %}
+</div>
+  {% endfor %}
+  {% endif %}
+</div>
+{% endblock %}

apps/food/templates/food/food_update.html

@@ -0,0 +1,21 @@
+{% extends "base.html" %}
+{% comment %}
+Copyright (C) by BDE ENS Paris-Saclay
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <form method="post">
+      {% csrf_token %}
+      {{ form | crispy }}
+      <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </form>
+  </div>
+</div>
+{% endblock %}

apps/food/templates/food/manage_ingredients.html

@@ -0,0 +1,116 @@
+{% extends "base.html" %}
+{% comment %}
+Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form"></div>
+  <form method="post" action="">
+    {% csrf_token %}
+    <table class="table table-condensed table-striped">
+      {# Fill initial data #}
+      {% for display, form in formset %}
+      {% if forloop.first %}
+      <thead>
+	<tr>
+	  <th>{{ form.name.label }}</th>
+	  <th>{{ form.qrcode.label }}</th>
+	  <th>{{ form.fully_used.label }}</th>
+	</tr>
+      </thead>
+      <tbody id="form_body">
+	{% endif %}
+	{% if display %}
+	<tr class="row-formset ingredients">
+	{% else %}
+	<tr class="row-formset ingredients" style="display: none">
+	{% endif %}
+	  <td>{{ form.name }}</td>
+	  <td>{{ form.qrcode }}</td>
+	  <td>{{ form.fully_used }}</td>
+	</tr>
+      {% endfor %}
+      </tbody>
+    </table>
+
+    {# Display buttons to add and remove ingredients #}
+    <div class="card-body">
+      <div class="btn-group btn-block" role="group">
+	<button type="button" id="add_more" class="btn btn-success">{% trans "Add ingredient" %}</button>
+	<button type="button" id="remove_one" class="btn btn-danger">{% trans "Remove ingredient" %}</button>
+      </div>
+    <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </div>
+  </form>
+</div>
+
+{% endblock %}
+{% block extrajavascript %} 
+<script>
+/* script that handles add and remove lines */
+
+const foods = {{ ingredients | safe }};
+
+function set_ingredient_id () {
+	let ingredients = document.getElementsByClassName('ingredients');
+	for (var i = 0; i < ingredients.length; i++) {
+		ingredients[i].id = 'ingredients-' + parseInt(i);
+	};
+}
+set_ingredient_id();
+
+function prepopulate () {
+	for (var i = 0; i < {{ ingredients_count }}; i++) {
+		let prefix = 'id_form-' + parseInt(i) + '-';
+		document.getElementById(prefix + 'name_pk').value = parseInt(foods[i]['food_pk']);
+		document.getElementById(prefix + 'name').value = foods[i]['food_name'];
+		document.getElementById(prefix + 'qrcode_pk').value = parseInt(foods[i]['qr_pk']);
+		if (foods[i]['qr_number'] === '') {
+			document.getElementById(prefix + 'qrcode').value = '';
+		}
+		else {
+		document.getElementById(prefix + 'qrcode').value = parseInt(foods[i]['qr_number']);
+		};
+		document.getElementById(prefix + 'fully_used').checked = Boolean(foods[i]['fully_used']);
+	};
+}
+prepopulate();
+
+function delete_form_data (form_id) {
+	let prefix = "id_form-" + parseInt(form_id) + "-";
+	document.getElementById(prefix + "name_pk").value = "";
+	document.getElementById(prefix + "name").value = "";
+	document.getElementById(prefix + "qrcode_pk").value = "";
+	document.getElementById(prefix + "qrcode").value = "";
+	document.getElementById(prefix + "fully_used").checked = true;
+}
+var form_count = {{ ingredients_count }} + 1;
+
+$('#add_more').click(function () {
+	let ingredient_form = document.getElementById('ingredients-' + parseInt(form_count));
+	if (ingredient_form === null) {
+		addMsg(gettext("You can't add more ingredient"), "danger",  5000);
+		return;};
+	ingredient_form.style = "display: true";
+	form_count += 1;
+});
+  
+$('#remove_one').click(function () {
+	let ingredient_form = document.getElementById('ingredients-' + parseInt(form_count - 1));
+	if (ingredient_form === null) {
+		return;};
+	ingredient_form.style = "display: none";
+	delete_form_data(form_count - 1);
+	form_count -= 1;
+});
+
+addMsg(gettext("Add ingredient with their name or their qrcode, if two different priority is given to qrcode"), "warning"); 
+
+</script>
+{% endblock %}

apps/food/templates/food/qrcode.html

@@ -0,0 +1,52 @@
+{% extends "base.html" %}
+{% comment %}
+Copyright (C) by BDE ENS Paris-Saclay
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+{% load render_table from django_tables2 %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <form method="post">
+      {% csrf_token %}
+      {{ form | crispy }}
+      <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </form>
+    <div class="card-body">
+    <h4>
+      {% trans "Copy constructor" %}
+      <a class="btn btn-secondary" href="{% url "food:basicfood_create" slug=slug %}">{% trans "New food" %}</a>
+    </h4>
+      <table class="table">
+	<thead>
+	  <tr>
+	    <th class="orderable">
+	      {% trans "Name" %}
+	    </th>
+	    <th class="orderable">
+	      {% trans "Owner" %}
+	    </th>
+	    <th class="orderable">
+	      {% trans "Expiry date" %}
+	    </th>
+	  </tr>
+	</thead>
+	<tbody>
+	  {% for food in last_items %}
+	    <tr>
+		    <td><a href="{% url "food:basicfood_create" slug=slug %}?copy={{ food.pk }}">{{ food.name }}</a></td>
+	      <td>{{ food.owner }}</td>
+	      <td>{{ food.expiry_date }}</td>
+	    </tr>
+	  {% endfor %}
+	</tbody>
+      </table>
+    </div>
+  </div>
+</div>
+{% endblock %}

apps/food/templates/food/transformedfood_update.html

@@ -0,0 +1,87 @@
+{% extends "base.html" %}
+{% comment %}
+Copyright (C) by BDE ENS Paris-Saclay
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <form method="post">
+      {% csrf_token %}
+      {{ form | crispy }}
+      <table class="table table-condensed table-striped">
+        {# Fill initial data #}
+        {% for ingredient_form in formset %}
+        {% if forloop.first %}
+        <thead>
+          <tr>
+	    <th>{% trans "Name" %}</th>
+	    <th>{% trans "QR-code number" %}</th>
+	    <th>{% trans "Fully used" %}<th>
+          </tr>
+        </thead>
+        <tbody id="form_body">
+        {% endif %}
+        <tr class="row-formset">
+		{{ ingredient_form | crispy }}
+          <td>{{ ingredient_form.name }}</td>
+	  <td>{{ ingredient_form.qrcode }}</td>
+	  <td>{{ ingredient_form.fully_used }}</td>
+        </tr>
+        {% endfor %}
+        </tbody>
+      </table>
+      {# Display buttons to add and remove products #}
+      <div class="card-body">
+        <div class="btn-group btn-block" role="group">
+          <button type="button" id="add_more" class="btn btn-success">{% trans "Add ingredient" %}</button>
+	  <button type="button" id="remove_one" class="btn btn-danger">{% trans "Remove ingredient" %}</button>
+        </div>
+        <button type="submit" class="btn btn-block btn-primary">{% trans "Submit" %}</button>
+      </div>
+    </form>
+  </div>
+</div>
+
+{# Hidden div that store an empty product form, to be copied into new forms #}
+<div id="empty_form" style="display: none;">
+    <table class='no_error'>
+        <tbody id="for_real">
+            <tr class="row-formset">
+                <td>{{ formset.empty_form.name }}</td>
+		<td>{{ formset.empty_form.qrcode }}</td>
+		<td>{{ formset.empty_form.fully_used }}</td>
+            </tr>
+        </tbody>
+    </table>
+</div>
+{% endblock %}
+{% block extrajavascript %}
+<script>
+    /* script that handles add and remove lines */
+    IDS = {};
+
+    $("#id_form-TOTAL_FORMS").val($(".row-formset").length - 1);
+
+    $('#add_more').click(function () {
+        let form_idx = $('#id_form-TOTAL_FORMS').val();
+        $('#form_body').append($('#for_real').html().replace(/__prefix__/g, form_idx));
+        $('#id_form-TOTAL_FORMS').val(parseInt(form_idx) + 1);
+        $('#id_form-' + parseInt(form_idx) + '-id').val(IDS[parseInt(form_idx)]);
+    });
+
+    $('#remove_one').click(function () {
+        let form_idx = $('#id_form-TOTAL_FORMS').val();
+        if (form_idx > 0) {
+            IDS[parseInt(form_idx) - 1] = $('#id_form-' + (parseInt(form_idx) - 1) + '-id').val();
+            $('#form_body tr:last-child').remove();
+            $('#id_form-TOTAL_FORMS').val(parseInt(form_idx) - 1);
+        }
+    });
+</script>
+{% endblock %}

apps/food/tests/test_food.py

@@ -0,0 +1,170 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from api.tests import TestAPI
+from django.contrib.auth.models import User
+from django.test import TestCase
+from django.urls import reverse
+from django.utils import timezone
+
+from ..api.views import AllergenViewSet, BasicFoodViewSet, TransformedFoodViewSet, QRCodeViewSet
+from ..models import Allergen, BasicFood, TransformedFood, QRCode
+
+
+class TestFood(TestCase):
+    """
+    Test food
+    """
+    fixtures = ('initial',)
+
+    def setUp(self):
+        self.user = User.objects.create_superuser(
+            username='admintoto',
+            password='toto1234',
+            email='toto@example.com'
+        )
+        self.client.force_login(self.user)
+
+        sess = self.client.session
+        sess['permission_mask'] = 42
+        sess.save()
+
+        self.allergen = Allergen.objects.create(
+            name='allergen',
+        )
+
+        self.basicfood = BasicFood.objects.create(
+            name='basicfood',
+            owner_id=1,
+            expiry_date=timezone.now(),
+            is_ready=False,
+            date_type='DLC',
+        )
+
+        self.transformedfood = TransformedFood.objects.create(
+            name='transformedfood',
+            owner_id=1,
+            expiry_date=timezone.now(),
+            is_ready=False,
+        )
+
+        self.qrcode = QRCode.objects.create(
+            qr_code_number=1,
+            food_container=self.basicfood,
+        )
+
+        def test_food_list(self):
+            """
+            Display food list
+            """
+            response = self.client.get(reverse('food:food_list'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_qrcode_create(self):
+            """
+            Display QRCode creation
+            """
+            response = self.client.get(reverse('food:qrcode_create'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_basicfood_create(self):
+            """
+            Display BasicFood creation
+            """
+            response = self.client.get(reverse('food:basicfood_create'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_transformedfood_create(self):
+            """
+            Display TransformedFood creation
+            """
+            response = self.client.get(reverse('food:transformedfood_create'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_food_create(self):
+            """
+            Display Food update
+            """
+            response = self.client.get(reverse('food:food_update'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_food_view(self):
+            """
+            Display Food detail
+            """
+            response = self.client.get(reverse('food:food_view'))
+            self.assertEqual(response.status_code, 302)
+
+        def test_basicfood_view(self):
+            """
+            Display BasicFood detail
+            """
+            response = self.client.get(reverse('food:basicfood_view'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_transformedfood_view(self):
+            """
+            Display TransformedFood detail
+            """
+            response = self.client.get(reverse('food:transformedfood_view'))
+            self.assertEqual(response.status_code, 200)
+
+        def test_add_ingredient(self):
+            """
+            Display add ingredient view
+            """
+            response = self.client.get(reverse('food:add_ingredient'))
+            self.assertEqual(response.status_code, 200)
+
+
+class TestFoodAPI(TestAPI):
+    def setUp(self) -> None:
+        super().setUP()
+
+        self.allergen = Allergen.objects.create(
+            name='name',
+        )
+
+        self.basicfood = BasicFood.objects.create(
+            name='basicfood',
+            owner_id=1,
+            expiry_date=timezone.now(),
+            is_ready=False,
+            date_type='DLC',
+        )
+
+        self.transformedfood = TransformedFood.objects.create(
+            name='transformedfood',
+            owner_id=1,
+            expiry_date=timezone.now(),
+            is_ready=False,
+        )
+
+        self.qrcode = QRCode.objects.create(
+            qr_code_number=1,
+            food_container=self.basicfood,
+        )
+
+        def test_allergen_api(self):
+            """
+            Load Allergen API page and test all filters and permissions
+            """
+            self.check_viewset(AllergenViewSet, '/api/food/allergen/')
+
+        def test_basicfood_api(self):
+            """
+            Load BasicFood API page and test all filters and permissions
+            """
+            self.check_viewset(BasicFoodViewSet, '/api/food/basicfood/')
+
+        def test_transformedfood_api(self):
+            """
+            Load TransformedFood API page and test all filters and permissions
+            """
+            self.check_viewset(TransformedFoodViewSet, '/api/food/transformedfood/')
+
+        def test_qrcode_api(self):
+            """
+            Load QRCode API page and test all filters and permissions
+            """
+            self.check_viewset(QRCodeViewSet, '/api/food/qrcode/')

apps/food/urls.py

@@ -0,0 +1,21 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.urls import path
+
+from . import views
+
+app_name = 'food'
+
+urlpatterns = [
+    path('', views.FoodListView.as_view(), name='food_list'),
+    path('<int:slug>', views.QRCodeCreateView.as_view(), name='qrcode_create'),
+    path('<int:slug>/add/basic', views.BasicFoodCreateView.as_view(), name='basicfood_create'),
+    path('add/transformed', views.TransformedFoodCreateView.as_view(), name='transformedfood_create'),
+    path('update/<int:pk>', views.FoodUpdateView.as_view(), name='food_update'),
+    path('update/ingredients/<int:pk>', views.ManageIngredientsView.as_view(), name='manage_ingredients'),
+    path('detail/<int:pk>', views.FoodDetailView.as_view(), name='food_view'),
+    path('detail/basic/<int:pk>', views.BasicFoodDetailView.as_view(), name='basicfood_view'),
+    path('detail/transformed/<int:pk>', views.TransformedFoodDetailView.as_view(), name='transformedfood_view'),
+    path('add/ingredient/<int:pk>', views.AddIngredientView.as_view(), name='add_ingredient'),
+]

apps/food/utils.py

@@ -0,0 +1,53 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.utils.translation import gettext_lazy as _
+
+seconds = (_('second'), _('seconds'))
+minutes = (_('minute'), _('minutes'))
+hours = (_('hour'), _('hours'))
+days = (_('day'), _('days'))
+weeks = (_('week'), _('weeks'))
+
+
+def plural(x):
+    if x == 1:
+        return 0
+    return 1
+
+
+def pretty_duration(duration):
+    """
+    I receive datetime.timedelta object
+    You receive string object
+    """
+    text = []
+    sec = duration.seconds
+    d = duration.days
+
+    if d >= 7:
+        w = d // 7
+        text.append(str(w) + ' ' + weeks[plural(w)])
+        d -= w * 7
+    if d > 0:
+        text.append(str(d) + ' ' + days[plural(d)])
+
+    if sec >= 3600:
+        h = sec // 3600
+        text.append(str(h) + ' ' + hours[plural(h)])
+        sec -= h * 3600
+
+    if sec >= 60:
+        m = sec // 60
+        text.append(str(m) + ' ' + minutes[plural(m)])
+        sec -= m * 60
+
+    if sec > 0:
+        text.append(str(sec) + ' ' + seconds[plural(sec)])
+
+    if len(text) == 0:
+        return ''
+    if len(text) == 1:
+        return text[0]
+    if len(text) >= 2:
+        return ', '.join(t for t in text[:-1]) + ' ' + _('and') + ' ' + text[-1]

apps/food/views.py

@@ -0,0 +1,483 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from datetime import timedelta
+
+from api.viewsets import is_regex
+from django_tables2.views import MultiTableMixin
+from django.db import transaction
+from django.db.models import Q
+from django.http import HttpResponseRedirect, Http404
+from django.views.generic import DetailView, UpdateView, CreateView
+from django.views.generic.list import ListView
+from django.urls import reverse_lazy
+from django.utils import timezone
+from django.utils.translation import gettext_lazy as _
+from member.models import Club, Membership
+from permission.backends import PermissionBackend
+from permission.views import ProtectQuerysetMixin, ProtectedCreateView, LoginRequiredMixin
+
+from .models import Food, BasicFood, TransformedFood, QRCode
+from .forms import QRCodeForms, BasicFoodForms, TransformedFoodForms, \
+    ManageIngredientsForm, ManageIngredientsFormSet, AddIngredientForms, \
+    BasicFoodUpdateForms, TransformedFoodUpdateForms
+from .tables import FoodTable
+from .utils import pretty_duration
+
+
+class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, ListView):
+    """
+    Display Food
+    """
+    model = Food
+    tables = [FoodTable, FoodTable, FoodTable, ]
+    extra_context = {"title": _('Food')}
+    template_name = 'food/food_list.html'
+
+    def get_queryset(self, **kwargs):
+        return super().get_queryset(**kwargs).distinct()
+
+    def get_tables(self):
+        bureau_role_pk = 4
+        clubs = Club.objects.filter(membership__in=Membership.objects.filter(
+            user=self.request.user, roles=bureau_role_pk).filter(
+                date_end__gte=timezone.now()))
+
+        tables = [FoodTable] * (clubs.count() + 3)
+        self.tables = tables
+        tables = super().get_tables()
+        tables[0].prefix = 'search-'
+        tables[1].prefix = 'open-'
+        tables[2].prefix = 'served-'
+        for i in range(clubs.count()):
+            tables[i + 3].prefix = clubs[i].name
+        return tables
+
+    def get_tables_data(self):
+        # table search
+        qs = self.get_queryset().order_by('name')
+        if "search" in self.request.GET and self.request.GET['search']:
+            pattern = self.request.GET['search']
+
+            # check regex
+            valid_regex = is_regex(pattern)
+            suffix = '__iregex' if valid_regex else '__istartswith'
+            prefix = '^' if valid_regex else ''
+            qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern})
+                           | Q(**{f'owner__name{suffix}': prefix + pattern}))
+        else:
+            qs = qs.none()
+        search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view'))
+        # table open
+        open_table = self.get_queryset().order_by('expiry_date').filter(
+            Q(polymorphic_ctype__model='transformedfood')
+            | Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter(
+                expiry_date__lt=timezone.now(), end_of_life='').filter(
+                    PermissionBackend.filter_queryset(self.request, Food, 'view'))
+        # table served
+        served_table = self.get_queryset().order_by('-pk').filter(
+            end_of_life='', is_ready=True).exclude(
+                Q(polymorphic_ctype__model='basicfood',
+                  basicfood__date_type='DLC',
+                  expiry_date__lte=timezone.now(),)
+                | Q(polymorphic_ctype__model='transformedfood',
+                    expiry_date__lte=timezone.now(),
+                    ))
+        # tables club
+        bureau_role_pk = 4
+        clubs = Club.objects.filter(membership__in=Membership.objects.filter(
+            user=self.request.user, roles=bureau_role_pk).filter(
+                date_end__gte=timezone.now()))
+        club_table = []
+        for club in clubs:
+            club_table.append(self.get_queryset().order_by('expiry_date').filter(
+                owner=club, end_of_life='').filter(
+                    PermissionBackend.filter_queryset(self.request, Food, 'view')
+            ))
+        return [search_table, open_table, served_table] + club_table
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+
+        tables = context['tables']
+        # for extends base_search.html we need to name 'search_table' in 'table'
+        for name, table in zip(['table', 'open', 'served'], tables):
+            context[name] = table
+        context['club_tables'] = tables[3:]
+
+        context['can_add_meal'] = PermissionBackend.check_perm(self.request, 'food.transformedfood_add')
+        return context
+
+
+class QRCodeCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView):
+    """
+    A view to add qrcode
+    """
+    model = QRCode
+    template_name = 'food/qrcode.html'
+    form_class = QRCodeForms
+    extra_context = {"title": _("Add a new QRCode")}
+
+    def get(self, *args, **kwargs):
+        qrcode = kwargs["slug"]
+        if self.model.objects.filter(qr_code_number=qrcode).count() > 0:
+            pk = self.model.objects.get(qr_code_number=qrcode).food_container.pk
+            return HttpResponseRedirect(reverse_lazy("food:food_view", kwargs={"pk": pk}))
+        else:
+            return super().get(*args, **kwargs)
+
+    @transaction.atomic
+    def form_valid(self, form):
+        qrcode_food_form = QRCodeForms(data=self.request.POST)
+        if not qrcode_food_form.is_valid():
+            return self.form_invalid(form)
+
+        qrcode = form.save(commit=False)
+        qrcode.qr_code_number = self.kwargs['slug']
+        qrcode._force_save = True
+        qrcode.save()
+        qrcode.refresh_from_db()
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context['slug'] = self.kwargs['slug']
+
+        # get last 10 BasicFood objects with distincts 'name' ordered by '-pk'
+        # we can't use .distinct and .order_by with differents columns hence the generator
+        context['last_items'] = [food for food in BasicFood.get_lastests_objects(10, 'name', '-pk')]
+        return context
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse_lazy('food:food_view', kwargs={'pk': self.object.food_container.pk})
+
+    def get_sample_object(self):
+        return QRCode(
+            qr_code_number=self.kwargs['slug'],
+            food_container_id=1,
+        )
+
+
+class BasicFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
+    """
+    A view to add basicfood
+    """
+    model = BasicFood
+    form_class = BasicFoodForms
+    extra_context = {"title": _("Add an aliment")}
+    template_name = "food/food_update.html"
+
+    def get_sample_object(self):
+        return BasicFood(
+            name="",
+            owner_id=1,
+            expiry_date=timezone.now(),
+            is_ready=True,
+            arrival_date=timezone.now(),
+            date_type='DLC',
+        )
+
+    @transaction.atomic
+    def form_valid(self, form):
+        if QRCode.objects.filter(qr_code_number=self.kwargs['slug']).count() > 0:
+            return HttpResponseRedirect(reverse_lazy('food:qrcode_create', kwargs={'slug': self.kwargs['slug']}))
+        food_form = BasicFoodForms(data=self.request.POST)
+        if not food_form.is_valid():
+            return self.form_invalid(form)
+
+        food = form.save(commit=False)
+        food.is_ready = False
+        food.save()
+        food.refresh_from_db()
+
+        qrcode = QRCode()
+        qrcode.qr_code_number = self.kwargs['slug']
+        qrcode.food_container = food
+        qrcode.save()
+
+        return super().form_valid(form)
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse_lazy('food:basicfood_view', kwargs={"pk": self.object.pk})
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+
+        copy = self.request.GET.get('copy', None)
+        if copy is not None:
+            food = BasicFood.objects.get(pk=copy)
+            print(context['form'].fields)
+            for field in context['form'].fields:
+                if field == 'allergens':
+                    context['form'].fields[field].initial = getattr(food, field).all()
+                else:
+                    context['form'].fields[field].initial = getattr(food, field)
+
+        return context
+
+
+class TransformedFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
+    """
+    A view to add transformedfood
+    """
+    model = TransformedFood
+    form_class = TransformedFoodForms
+    extra_context = {"title": _("Add a meal")}
+    template_name = "food/food_update.html"
+
+    def get_sample_object(self):
+        return TransformedFood(
+            name="",
+            owner_id=1,
+            expiry_date=timezone.now(),
+            is_ready=True,
+        )
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.expiry_date = timezone.now() + timedelta(days=3)
+        form.instance.is_ready = False
+        return super().form_valid(form)
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk})
+
+
+MAX_FORMS = 10
+
+
+class ManageIngredientsView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
+    """
+    A view to manage ingredient for a transformed food
+    """
+    model = TransformedFood
+    fields = ['ingredients']
+    extra_context = {"title": _("Manage ingredients of:")}
+    template_name = 'food/manage_ingredients.html'
+
+    @transaction.atomic
+    def form_valid(self, form):
+        old_ingredients = list(self.object.ingredients.all()).copy()
+        old_allergens = list(self.object.allergens.all()).copy()
+        self.object.ingredients.clear()
+        for i in range(self.object.ingredients.all().count() + 1 + MAX_FORMS):
+            prefix = 'form-' + str(i) + '-'
+            if form.data[prefix + 'qrcode'] not in ['0', '']:
+                ingredient = QRCode.objects.get(pk=form.data[prefix + 'qrcode']).food_container
+                self.object.ingredients.add(ingredient)
+                if (prefix + 'fully_used') in form.data and form.data[prefix + 'fully_used'] == 'on':
+                    ingredient.end_of_life = _('Fully used in {meal}'.format(
+                        meal=self.object.name))
+                    ingredient.save()
+
+            elif form.data[prefix + 'name'] != '':
+                ingredient = Food.objects.get(pk=form.data[prefix + 'name'])
+                self.object.ingredients.add(ingredient)
+                if (prefix + 'fully_used') in form.data and form.data[prefix + 'fully_used'] == 'on':
+                    ingredient.end_of_life = _('Fully used in {meal}'.format(
+                        meal=self.object.name))
+                    ingredient.save()
+
+        self.object.save(old_ingredients=old_ingredients, old_allergens=old_allergens)
+        return HttpResponseRedirect(self.get_success_url())
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context['title'] += ' ' + self.object.name
+        formset = ManageIngredientsFormSet()
+        ingredients = self.object.ingredients.all()
+        formset.extra += ingredients.count() + MAX_FORMS
+        context['form'] = ManageIngredientsForm()
+        context['ingredients_count'] = ingredients.count()
+        display = [True] * (1 + ingredients.count()) + [False] * (formset.extra - ingredients.count() - 1)
+        context['formset'] = zip(display, formset)
+        context['ingredients'] = []
+        for ingredient in ingredients:
+            qr = QRCode.objects.filter(food_container=ingredient)
+
+            context['ingredients'].append({
+                'food_pk': ingredient.pk,
+                'food_name': ingredient.name,
+                'qr_pk': '' if qr.count() == 0 else qr[0].pk,
+                'qr_number': '' if qr.count() == 0 else qr[0].qr_code_number,
+                'fully_used': 'true' if ingredient.end_of_life else '',
+            })
+        return context
+
+    def get_success_url(self, **kwargs):
+        return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk})
+
+
+class AddIngredientView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
+    """
+    A view to add ingredient to a meal
+    """
+    model = Food
+    extra_context = {"title": _("Add the ingredient:")}
+    form_class = AddIngredientForms
+    template_name = 'food/food_update.html'
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context['title'] += ' ' + self.object.name
+        return context
+
+    @transaction.atomic
+    def form_valid(self, form):
+        meals = TransformedFood.objects.filter(pk__in=form.data.getlist('ingredients')).all()
+        if not meals:
+            return HttpResponseRedirect(reverse_lazy('food:food_view', kwargs={"pk": self.object.pk}))
+        for meal in meals:
+            old_ingredients = list(meal.ingredients.all()).copy()
+            old_allergens = list(meal.allergens.all()).copy()
+            meal.ingredients.add(self.object.pk)
+            # update allergen and expiry date if necessary
+            if not (self.object.polymorphic_ctype.model == 'basicfood'
+                    and self.object.date_type == 'DDM'):
+                meal.expiry_date = min(meal.expiry_date, self.object.expiry_date)
+            meal.allergens.set(meal.allergens.union(self.object.allergens.all()))
+            meal.save(old_ingredients=old_ingredients, old_allergens=old_allergens)
+            if 'fully_used' in form.data:
+                if not self.object.end_of_life:
+                    self.object.end_of_life = _(f'Food fully used in : {meal.name}')
+                else:
+                    self.object.end_of_life += ', ' + meal.name
+        if 'fully_used' in form.data:
+            self.object.is_ready = False
+        self.object.save()
+        # We redirect only the first parent
+        parent_pk = meals[0].pk
+        return HttpResponseRedirect(self.get_success_url(parent_pk=parent_pk))
+
+    def get_success_url(self, **kwargs):
+        return reverse_lazy('food:transformedfood_view', kwargs={"pk": kwargs['parent_pk']})
+
+
+class FoodUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
+    """
+    A view to update Food
+    """
+    model = Food
+    extra_context = {"title": _("Update an aliment")}
+    template_name = 'food/food_update.html'
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.creater = self.request.user
+        food = Food.objects.get(pk=self.kwargs['pk'])
+        old_allergens = list(food.allergens.all()).copy()
+
+        if food.polymorphic_ctype.model == 'transformedfood':
+            old_ingredients = food.ingredients.all()
+            form.instance.shelf_life = timedelta(
+                seconds=int(form.data['shelf_life']) * 60 * 60)
+
+        food_form = self.get_form_class()(data=self.request.POST)
+        if not food_form.is_valid():
+            return self.form_invalid(form)
+        ans = super().form_valid(form)
+        if food.polymorphic_ctype.model == 'transformedfood':
+            form.instance.save(old_ingredients=old_ingredients)
+        else:
+            form.instance.save(old_allergens=old_allergens)
+        return ans
+
+    def get_form_class(self, **kwargs):
+        food = Food.objects.get(pk=self.kwargs['pk'])
+        if food.polymorphic_ctype.model == 'basicfood':
+            return BasicFoodUpdateForms
+        else:
+            return TransformedFoodUpdateForms
+
+    def get_form(self, **kwargs):
+        form = super().get_form(**kwargs)
+        if 'shelf_life' in form.initial:
+            hours = form.initial['shelf_life'].days * 24 + form.initial['shelf_life'].seconds // 3600
+            form.initial['shelf_life'] = hours
+        return form
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse_lazy('food:food_view', kwargs={"pk": self.object.pk})
+
+
+class FoodDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+    """
+    A view to see a food
+    """
+    model = Food
+    extra_context = {"title": _('Details of:')}
+    context_object_name = "food"
+    template_name = "food/food_detail.html"
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        fields = ["name", "owner", "expiry_date", "allergens", "is_ready", "end_of_life", "order"]
+
+        fields = dict([(field, getattr(self.object, field)) for field in fields])
+        if fields["is_ready"]:
+            fields["is_ready"] = _("Yes")
+        else:
+            fields["is_ready"] = _("No")
+        fields["allergens"] = ", ".join(
+            allergen.name for allergen in fields["allergens"].all())
+
+        context["fields"] = [(
+            Food._meta.get_field(field).verbose_name.capitalize(),
+            value) for field, value in fields.items()]
+        context["meals"] = self.object.transformed_ingredient_inv.all()
+        context["update"] = PermissionBackend.check_perm(self.request, "food.change_food")
+        context["add_ingredient"] = (self.object.end_of_life == '' and PermissionBackend.check_perm(self.request, "food.change_transformedfood"))
+        return context
+
+    def get(self, *args, **kwargs):
+        if Food.objects.filter(pk=kwargs['pk']).count() != 1:
+            return Http404
+        model = Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model
+        if 'stop_redirect' in kwargs and kwargs['stop_redirect']:
+            return super().get(*args, **kwargs)
+        kwargs = {'pk': kwargs['pk']}
+        if model == 'basicfood':
+            return HttpResponseRedirect(reverse_lazy("food:basicfood_view", kwargs=kwargs))
+        return HttpResponseRedirect(reverse_lazy("food:transformedfood_view", kwargs=kwargs))
+
+
+class BasicFoodDetailView(FoodDetailView):
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        fields = ['arrival_date', 'date_type']
+        for field in fields:
+            context["fields"].append((
+                BasicFood._meta.get_field(field).verbose_name.capitalize(),
+                getattr(self.object, field)
+            ))
+        return context
+
+    def get(self, *args, **kwargs):
+        if Food.objects.filter(pk=kwargs['pk']).count() == 1:
+            kwargs['stop_redirect'] = (Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model == 'basicfood')
+        return super().get(*args, **kwargs)
+
+
+class TransformedFoodDetailView(FoodDetailView):
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context["fields"].append((
+            TransformedFood._meta.get_field("creation_date").verbose_name.capitalize(),
+            self.object.creation_date
+        ))
+        context["fields"].append((
+            TransformedFood._meta.get_field("shelf_life").verbose_name.capitalize(),
+            pretty_duration(self.object.shelf_life)
+        ))
+        context["foods"] = self.object.ingredients.all()
+        context["manage_ingredients"] = True
+        return context
+
+    def get(self, *args, **kwargs):
+        if Food.objects.filter(pk=kwargs['pk']).count() == 1:
+            kwargs['stop_redirect'] = (Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model == 'transformedfood')
+        return super().get(*args, **kwargs)

apps/logs/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'logs.apps.LogsConfig'

apps/logs/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework import serializers

apps/logs/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import ChangelogViewSet

apps/logs/api/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django_filters.rest_framework import DjangoFilterBackend

apps/logs/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/logs/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.conf import settings
@@ -76,9 +76,6 @@ class Changelog(models.Model):
         verbose_name=_('timestamp'),
     )
 
-    def delete(self, using=None, keep_parents=False):
-        raise ValidationError(_("Logs cannot be destroyed."))
-
     class Meta:
         verbose_name = _("changelog")
         verbose_name_plural = _("changelogs")
@@ -86,3 +83,6 @@ class Changelog(models.Model):
     def __str__(self):
         return _("Changelog of type \"{action}\" for model {model} at {timestamp}").format(
             action=self.get_action_display(), model=str(self.model), timestamp=str(self.timestamp))
+
+    def delete(self, using=None, keep_parents=False):
+        raise ValidationError(_("Logs cannot be destroyed."))

apps/logs/signals.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib.contenttypes.models import ContentType
@@ -56,13 +56,13 @@ def save_object(sender, instance, **kwargs):
     # noinspection PyProtectedMember
     previous = instance._previous
 
-    # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
+    # Si un⋅e utilisateur⋅rice est connecté⋅e, on récupère l'utilisateur⋅rice courant⋅e ainsi que son adresse IP
     request = get_current_request()
 
     if request is None:
         # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
         # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
-        # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
+        # IMPORTANT : l'utilisateur⋅rice dans la VM doit être un des alias note du respo info
         ip = "127.0.0.1"
         username = Alias.normalize(getpass.getuser())
         note = NoteUser.objects.filter(alias__normalized_name=username)
@@ -134,13 +134,13 @@ def delete_object(sender, instance, **kwargs):
     if instance._meta.label_lower in EXCLUDED or hasattr(instance, "_no_signal"):
         return
 
-    # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
+    # Si un⋅e utilisateur⋅rice est connecté⋅e, on récupère l'utilisateur⋅rice courant⋅e ainsi que son adresse IP
     request = get_current_request()
 
     if request is None:
         # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
         # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
-        # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
+        # IMPORTANT : l'utilisateur⋅rice dans la VM doit être un des alias note du respo info
         ip = "127.0.0.1"
         username = Alias.normalize(getpass.getuser())
         note = NoteUser.objects.filter(alias__normalized_name=username)

apps/member/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'member.apps.MemberConfig'

apps/member/admin.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin

apps/member/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework import serializers

apps/member/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import ProfileViewSet, ClubViewSet, MembershipViewSet

apps/member/api/views.py

@@ -1,8 +1,9 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.filters import OrderingFilter
+from api.filters import RegexSafeSearchFilter
 from api.viewsets import ReadProtectedModelViewSet
 
 from .serializers import ProfileSerializer, ClubSerializer, MembershipSerializer
@@ -17,7 +18,7 @@ class ProfileViewSet(ReadProtectedModelViewSet):
     """
     queryset = Profile.objects.order_by('id')
     serializer_class = ProfileSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['user', 'user__first_name', 'user__last_name', 'user__username', 'user__email',
                         'user__note__alias__name', 'user__note__alias__normalized_name', 'phone_number', "section",
                         'department', 'promotion', 'address', 'paid', 'ml_events_registration', 'ml_sport_registration',
@@ -34,7 +35,7 @@ class ClubViewSet(ReadProtectedModelViewSet):
     """
     queryset = Club.objects.order_by('id')
     serializer_class = ClubSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['name', 'email', 'note__alias__name', 'note__alias__normalized_name', 'parent_club',
                         'parent_club__name', 'require_memberships', 'membership_fee_paid', 'membership_fee_unpaid',
                         'membership_duration', 'membership_start', 'membership_end', ]
@@ -49,7 +50,7 @@ class MembershipViewSet(ReadProtectedModelViewSet):
     """
     queryset = Membership.objects.order_by('id')
     serializer_class = MembershipSerializer
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, RegexSafeSearchFilter]
     filterset_fields = ['club__name', 'club__email', 'club__note__alias__name', 'club__note__alias__normalized_name',
                         'user__username', 'user__last_name', 'user__first_name', 'user__email',
                         'user__note__alias__name', 'user__note__alias__normalized_name',

apps/member/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/member/auth.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from cas_server.auth import DjangoAuthUser  # pragma: no cover

apps/member/forms.py

@@ -1,9 +1,9 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import io
 
-from PIL import Image, ImageSequence
+from bootstrap_datepicker_plus.widgets import DatePickerInput
 from django import forms
 from django.conf import settings
 from django.contrib.auth.forms import AuthenticationForm
@@ -13,8 +13,9 @@ from django.forms import CheckboxSelectMultiple
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from note.models import NoteSpecial, Alias
-from note_kfet.inputs import Autocomplete, AmountInput, DatePickerInput
+from note_kfet.inputs import Autocomplete, AmountInput
 from permission.models import PermissionMask, Role
+from PIL import Image, ImageSequence
 
 from .models import Profile, Club, Membership
 
@@ -22,7 +23,7 @@ from .models import Profile, Club, Membership
 class CustomAuthenticationForm(AuthenticationForm):
     permission_mask = forms.ModelChoiceField(
         label=_("Permission mask"),
-        queryset=PermissionMask.objects.order_by("rank"),
+        queryset=PermissionMask.objects.order_by("-rank"),
         empty_label=None,
     )
 
@@ -32,7 +33,7 @@ class UserForm(forms.ModelForm):
         # Django usernames can only contain letters, numbers, @, ., +, - and _.
         # We want to allow users to have uncommon and unpractical usernames:
         # That is their problem, and we have normalized aliases for us.
-        return super()._get_validation_exclusions() + ["username"]
+        return super()._get_validation_exclusions() | {"username"}
 
     class Meta:
         model = User
@@ -43,10 +44,18 @@ class ProfileForm(forms.ModelForm):
     """
     A form for the extras field provided by the :model:`member.Profile` model.
     """
+    # Remove widget=forms.HiddenInput() if you want to use report frequency.
     report_frequency = forms.IntegerField(required=False, initial=0, label=_("Report frequency"))
 
     last_report = forms.DateTimeField(required=False, disabled=True, label=_("Last report date"))
 
+    VSS_charter_read = forms.BooleanField(
+        required=True,
+        label=_("Anti-VSS (<em>Violences Sexistes et Sexuelles</em>) charter read and approved"),
+        help_text=_("Tick after having read and accepted the anti-VSS charter \
+        <a href=https://perso.crans.org/club-bde/Charte-anti-VSS.pdf target=_blank> available here in pdf</a>")
+    )
+
     def clean_promotion(self):
         promotion = self.cleaned_data["promotion"]
         if promotion > timezone.now().year:
@@ -68,7 +77,8 @@ class ProfileForm(forms.ModelForm):
     class Meta:
         model = Profile
         fields = '__all__'
-        exclude = ('user', 'email_confirmed', 'registration_valid', )
+        # Remove ml_[asso]_registration from exclude if the concerned association uses nk20 to manage its mailing list.
+        exclude = ('user', 'email_confirmed', 'registration_valid', 'ml_sport_registration', )
 
 
 class ImageForm(forms.Form):
@@ -114,7 +124,7 @@ class ImageForm(forms.Form):
                 frame = frame.crop((x, y, x + w, y + h))
                 frame = frame.resize(
                     (settings.PIC_WIDTH, settings.PIC_RATIO * settings.PIC_WIDTH),
-                    Image.ANTIALIAS,
+                    Image.LANCZOS,
                 )
                 frames.append(frame)
 
@@ -131,6 +141,9 @@ class ImageForm(forms.Form):
 
         return cleaned_data
 
+    def is_valid(self):
+        return super().is_valid() or super().clean().get('image') is None
+
 
 class ClubForm(forms.ModelForm):
     def clean(self):
@@ -144,7 +157,7 @@ class ClubForm(forms.ModelForm):
 
     class Meta:
         model = Club
-        fields = '__all__'
+        exclude = ("add_registration_form",)
         widgets = {
             "membership_fee_paid": AmountInput(),
             "membership_fee_unpaid": AmountInput(),
@@ -200,9 +213,9 @@ class MembershipForm(forms.ModelForm):
     class Meta:
         model = Membership
         fields = ('user', 'date_start')
-        # Le champ d'utilisateur est remplacé par un champ d'auto-complétion.
+        # Le champ d'utilisateur⋅rice est remplacé par un champ d'auto-complétion.
         # Quand des lettres sont tapées, une requête est envoyée sur l'API d'auto-complétion
-        # et récupère les noms d'utilisateur valides
+        # et récupère les noms d'utilisateur⋅rices valides
         widgets = {
             'user':
                 Autocomplete(

apps/member/hashers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import hashlib

apps/member/migrations/0009_auto_20220904_2325.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.26 on 2022-09-04 21:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0008_auto_20211005_1544'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2022, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]

apps/member/migrations/0010_new_default_year.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-08-23 21:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0009_auto_20220904_2325'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2023, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]

apps/member/migrations/0011_profile_vss_charter_read.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-08-31 09:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0010_new_default_year'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='profile',
+            name='VSS_charter_read',
+            field=models.BooleanField(default=False, verbose_name='VSS charter read'),
+        ),
+    ]

apps/member/migrations/0012_club_add_registration_form.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2024-07-15 09:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0011_profile_vss_charter_read'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='club',
+            name='add_registration_form',
+            field=models.BooleanField(default=False, verbose_name='add to registration form'),
+        ),
+    ]

apps/member/migrations/0013_auto_20240801_1436.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2024-08-01 12:36
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0012_club_add_registration_form'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2024, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]

apps/member/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import datetime
@@ -28,7 +28,6 @@ class Profile(models.Model):
     We do not want to patch the Django Contrib :model:`auth.User`model;
     so this model add an user profile with additional information.
     """
-
     user = models.OneToOneField(
         settings.AUTH_USER_MODEL,
         on_delete=models.CASCADE,
@@ -134,6 +133,22 @@ class Profile(models.Model):
         default=False,
     )
 
+    VSS_charter_read = models.BooleanField(
+        verbose_name=_("VSS charter read"),
+        default=False
+    )
+
+    class Meta:
+        verbose_name = _('user profile')
+        verbose_name_plural = _('user profile')
+        indexes = [models.Index(fields=['user'])]
+
+    def __str__(self):
+        return str(self.user)
+
+    def get_absolute_url(self):
+        return reverse('member:user_detail', args=(self.user_id,))
+
     @property
     def ens_year(self):
         """
@@ -158,17 +173,6 @@ class Profile(models.Model):
             return SogeCredit.objects.filter(user=self.user, credit_transaction__isnull=False).exists()
         return False
 
-    class Meta:
-        verbose_name = _('user profile')
-        verbose_name_plural = _('user profile')
-        indexes = [models.Index(fields=['user'])]
-
-    def get_absolute_url(self):
-        return reverse('member:user_detail', args=(self.user_id,))
-
-    def __str__(self):
-        return str(self.user)
-
     def send_email_validation_link(self):
         subject = "[Note Kfet] " + str(_("Activate your Note Kfet account"))
         token = email_validation_token.make_token(self.user)
@@ -200,9 +204,11 @@ class Club(models.Model):
         max_length=255,
         unique=True,
     )
+
     email = models.EmailField(
         verbose_name=_('email'),
     )
+
     parent_club = models.ForeignKey(
         'self',
         null=True,
@@ -253,25 +259,17 @@ class Club(models.Model):
         help_text=_('Maximal date of a membership, after which members must renew it.'),
     )
 
-    def update_membership_dates(self):
-        """
-        This function is called each time the club detail view is displayed.
-        Update the year of the membership dates.
-        """
-        if not self.membership_start or not self.membership_end:
-            return
+    add_registration_form = models.BooleanField(
+        verbose_name=_("add to registration form"),
+        default=False,
+    )
 
-        today = datetime.date.today()
+    class Meta:
+        verbose_name = _("club")
+        verbose_name_plural = _("clubs")
 
-        if (today - self.membership_start).days >= 365:
-            if self.membership_start:
-                self.membership_start = datetime.date(self.membership_start.year + 1,
-                                                      self.membership_start.month, self.membership_start.day)
-            if self.membership_end:
-                self.membership_end = datetime.date(self.membership_end.year + 1,
-                                                    self.membership_end.month, self.membership_end.day)
-            self._force_save = True
-            self.save(force_update=True)
+    def __str__(self):
+        return self.name
 
     @transaction.atomic
     def save(self, force_insert=False, force_update=False, using=None,
@@ -284,16 +282,36 @@ class Club(models.Model):
             self.membership_end = None
         super().save(force_insert, force_update, update_fields)
 
-    class Meta:
-        verbose_name = _("club")
-        verbose_name_plural = _("clubs")
-
-    def __str__(self):
-        return self.name
-
     def get_absolute_url(self):
         return reverse_lazy('member:club_detail', args=(self.pk,))
 
+    def update_membership_dates(self):
+        """
+        This function is called each time the club detail view is displayed.
+        Update the year of the membership dates.
+        """
+        if not self.membership_start or not self.membership_end:
+            return
+
+        today = datetime.date.today()
+
+        # Avoid any problems on February 29
+        if self.membership_start.month == 2 and self.membership_start.day == 29:
+            self.membership_start -= datetime.timedelta(days=1)
+        if self.membership_end.month == 2 and self.membership_end.day == 29:
+            self.membership_end += datetime.timedelta(days=1)
+
+        while today >= datetime.date(self.membership_start.year + 1,
+                                     self.membership_start.month, self.membership_start.day):
+            if self.membership_start:
+                self.membership_start = datetime.date(self.membership_start.year + 1,
+                                                      self.membership_start.month, self.membership_start.day)
+            if self.membership_end:
+                self.membership_end = datetime.date(self.membership_end.year + 1,
+                                                    self.membership_end.month, self.membership_end.day)
+            self._force_save = True
+            self.save(force_update=True)
+
 
 class Membership(models.Model):
     """
@@ -333,6 +351,66 @@ class Membership(models.Model):
         verbose_name=_('fee'),
     )
 
+    class Meta:
+        verbose_name = _('membership')
+        verbose_name_plural = _('memberships')
+        indexes = [models.Index(fields=['user'])]
+
+    def __str__(self):
+        return _("Membership of {user} for the club {club}").format(user=self.user.username, club=self.club.name, )
+
+    @transaction.atomic
+    def save(self, *args, **kwargs):
+        """
+        Calculate fee and end date before saving the membership and creating the transaction if needed.
+        """
+        # Ensure that club membership dates are valid
+        old_membership_start = self.club.membership_start
+        self.club.update_membership_dates()
+        if self.club.membership_start != old_membership_start:
+            self.club.save()
+
+        created = not self.pk
+        if not created:
+            for role in self.roles.all():
+                club = role.for_club
+                if club is not None:
+                    if club.pk != self.club_id:
+                        raise ValidationError(_('The role {role} does not apply to the club {club}.')
+                                              .format(role=role.name, club=club.name))
+        else:
+            if Membership.objects.filter(
+                    user=self.user,
+                    club=self.club,
+                    date_start__lte=self.date_start,
+                    date_end__gte=self.date_start,
+            ).exists():
+                raise ValidationError(_('User is already a member of the club'))
+
+            if self.club.parent_club is not None:
+                # Check that the user is already a member of the parent club if the membership is created
+                if not Membership.objects.filter(
+                    user=self.user,
+                    club=self.club.parent_club,
+                    date_start__gte=self.club.parent_club.membership_start,
+                ).exists():
+                    if hasattr(self, '_force_renew_parent') and self._force_renew_parent:
+                        self.renew_parent()
+                    else:
+                        raise ValidationError(_('User is not a member of the parent club')
+                                              + ' ' + self.club.parent_club.name)
+
+            self.fee = self.club.membership_fee_paid if self.user.profile.paid else self.club.membership_fee_unpaid
+
+            self.date_end = self.date_start + datetime.timedelta(days=self.club.membership_duration) \
+                if self.club.membership_duration is not None else self.date_start + datetime.timedelta(days=424242)
+            if self.club.membership_end is not None and self.date_end > self.club.membership_end:
+                self.date_end = self.club.membership_end
+
+        super().save(*args, **kwargs)
+
+        self.make_transaction()
+
     @property
     def valid(self):
         """
@@ -402,66 +480,14 @@ class Membership(models.Model):
 
             if self.club.parent_club.name == "BDE":
                 parent_membership.roles.set(
-                    Role.objects.filter(Q(name="Adhérent BDE") | Q(name="Membre de club")).all())
+                    Role.objects.filter(Q(name="Adhérent⋅e BDE") | Q(name="Membre de club")).all())
             elif self.club.parent_club.name == "Kfet":
                 parent_membership.roles.set(
-                    Role.objects.filter(Q(name="Adhérent Kfet") | Q(name="Membre de club")).all())
+                    Role.objects.filter(Q(name="Adhérent⋅e Kfet") | Q(name="Membre de club")).all())
             else:
                 parent_membership.roles.set(Role.objects.filter(name="Membre de club").all())
             parent_membership.save()
 
-    @transaction.atomic
-    def save(self, *args, **kwargs):
-        """
-        Calculate fee and end date before saving the membership and creating the transaction if needed.
-        """
-        # Ensure that club membership dates are valid
-        old_membership_start = self.club.membership_start
-        self.club.update_membership_dates()
-        if self.club.membership_start != old_membership_start:
-            self.club.save()
-
-        created = not self.pk
-        if not created:
-            for role in self.roles.all():
-                club = role.for_club
-                if club is not None:
-                    if club.pk != self.club_id:
-                        raise ValidationError(_('The role {role} does not apply to the club {club}.')
-                                              .format(role=role.name, club=club.name))
-        else:
-            if Membership.objects.filter(
-                    user=self.user,
-                    club=self.club,
-                    date_start__lte=self.date_start,
-                    date_end__gte=self.date_start,
-            ).exists():
-                raise ValidationError(_('User is already a member of the club'))
-
-            if self.club.parent_club is not None:
-                # Check that the user is already a member of the parent club if the membership is created
-                if not Membership.objects.filter(
-                    user=self.user,
-                    club=self.club.parent_club,
-                    date_start__gte=self.club.parent_club.membership_start,
-                ).exists():
-                    if hasattr(self, '_force_renew_parent') and self._force_renew_parent:
-                        self.renew_parent()
-                    else:
-                        raise ValidationError(_('User is not a member of the parent club')
-                                              + ' ' + self.club.parent_club.name)
-
-            self.fee = self.club.membership_fee_paid if self.user.profile.paid else self.club.membership_fee_unpaid
-
-            self.date_end = self.date_start + datetime.timedelta(days=self.club.membership_duration) \
-                if self.club.membership_duration is not None else self.date_start + datetime.timedelta(days=424242)
-            if self.club.membership_end is not None and self.date_end > self.club.membership_end:
-                self.date_end = self.club.membership_end
-
-        super().save(*args, **kwargs)
-
-        self.make_transaction()
-
     def make_transaction(self):
         """
         Create Membership transaction associated to this membership.
@@ -499,11 +525,3 @@ class Membership(models.Model):
                 soge_credit.save()
             else:
                 transaction.save(force_insert=True)
-
-    def __str__(self):
-        return _("Membership of {user} for the club {club}").format(user=self.user.username, club=self.club.name, )
-
-    class Meta:
-        verbose_name = _('membership')
-        verbose_name_plural = _('memberships')
-        indexes = [models.Index(fields=['user'])]

apps/member/signals.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 

apps/member/static/member/js/trust.js

@@ -1,7 +1,7 @@
 /**
  * On form submit, create a new friendship
  */
-function create_trust (e) {
+function form_create_trust (e) {
   // Do not submit HTML form
   e.preventDefault()
 
@@ -14,25 +14,35 @@ function create_trust (e) {
          addMsg(gettext("You can't add yourself as a friend"), "danger")
          return
       }
-      $.post('/api/note/trust/', {
-        csrfmiddlewaretoken: formData.get('csrfmiddlewaretoken'),
-        trusting: formData.get('trusting'),
-        trusted: trusted_alias.note
-      }).done(function () {
-        // Reload table
-        $('#trust_table').load(location.pathname + ' #trust_table')
-        addMsg(gettext('Friendship successfully added'), 'success')
-      }).fail(function (xhr, _textStatus, _error) {
-        errMsg(xhr.responseJSON)
-      })
+      create_trust(formData.get('trusting'), trusted_alias.note)
     }).fail(function (xhr, _textStatus, _error) {
         errMsg(xhr.responseJSON)
     })
 }
 
 /**
- * On click of "delete", delete the alias
- * @param button_id:Integer Alias id to remove
+ * Create a trust between users
+ * @param trusting:Integer trusting note id
+ * @param trusted:Integer trusted note id
+ */
+function create_trust(trusting, trusted) {
+  $.post('/api/note/trust/', {
+      trusting: trusting,
+      trusted: trusted,
+      csrfmiddlewaretoken: CSRF_TOKEN
+  }).done(function () {
+  // Reload tables
+  $('#trust_table').load(location.pathname + ' #trust_table')
+  $('#trusted_table').load(location.pathname + ' #trusted_table')
+    addMsg(gettext('Friendship successfully added'), 'success')
+  }).fail(function (xhr, _textStatus, _error) {
+    errMsg(xhr.responseJSON)
+  })
+}
+
+/**
+ * On click of "delete", delete the trust
+ * @param button_id:Integer Trust id to remove
  */
 function delete_button (button_id) {
   $.ajax({
@@ -42,6 +52,7 @@ function delete_button (button_id) {
   }).done(function () {
     addMsg(gettext('Friendship successfully deleted'), 'success')
     $('#trust_table').load(location.pathname + ' #trust_table')
+    $('#trusted_table').load(location.pathname + ' #trusted_table')
   }).fail(function (xhr, _textStatus, _error) {
     errMsg(xhr.responseJSON)
   })
@@ -49,5 +60,5 @@ function delete_button (button_id) {
 
 $(document).ready(function () {
   // Attach event
-  document.getElementById('form_trust').addEventListener('submit', create_trust)
+  document.getElementById('form_trust').addEventListener('submit', form_create_trust)
 })

apps/member/tables.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import date
@@ -42,12 +42,12 @@ class UserTable(tables.Table):
     """
     alias = tables.Column()
 
-    section = tables.Column(accessor='profile__section')
+    section = tables.Column(accessor='profile__section', orderable=False)
 
     # Override the column to let replace the URL
     email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
 
-    balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
+    balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"), orderable=False)
 
     def render_email(self, record, value):
         # Replace the email by a dash if the user can't see the profile detail

apps/member/templates/member/club_members.html

@@ -11,7 +11,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
         {{ title }}
     </h3>
     <div class="card-body">
-        <input id="searchbar" type="text" class="form-control" placeholder="Nom/prénom/note…">
+        <input id="searchbar" type="text" class="form-control" placeholder="Nom/prénom/note...">
         <div class="form-check">
             <label class="form-check-label" for="only_active">
                 <input type="checkbox" class="checkboxinput form-check-input" id="only_active"
@@ -66,4 +66,4 @@ SPDX-License-Identifier: GPL-3.0-or-later
         roles_obj.change(reloadTable);
     });
 </script>
-{% endblock %}
+{% endblock %}

apps/member/templates/member/picture_update.html

@@ -14,15 +14,20 @@ SPDX-License-Identifier: GPL-3.0-or-later
       <form method="post" enctype="multipart/form-data" id="formUpload">
         {% csrf_token %}
         {{ form |crispy }}
+        {% if user.note.display_image != "pic/default.png" %}
+          <input type="submit" class="btn btn-primary" value="{% trans "Remove" %}">
+        {% endif %}
       </form>
     </div>
     <!-- MODAL TO CROP THE IMAGE -->
-    <div class="modal fade" id="modalCrop">
+    <div class="modal fade" id="modalCrop" data-backdrop="static">
       <div class="modal-dialog">
         <div class="modal-content">
-          <div class="modal-body">
-            <img src="" id="modal-image" style="max-width: 100%;">
-          </div>
+            <div class="modal-body-wrapper" style="width: 500px; height: 500px; padding: 16px;">
+              <div class="modal-body" style="width: 100%; height: 100%; padding: 0">
+                <img src="" id="modal-image" style="display: block; max-width: 100%;">
+              </div>
+            </div>
           <div class="modal-footer">
             <div class="btn-group pull-left" role="group">
               <button type="button" class="btn btn-default" id="js-zoom-in">

apps/member/templates/member/profile_trust.html

@@ -7,7 +7,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% block profile_content %}
 <div class="card bg-light mb-3">
     <h3 class="card-header text-center">
-        {% trans "Note friendships" %}
+        {% trans "Add friends" %}
     </h3>
     <div class="card-body">
         {% if can_create %}
@@ -24,7 +24,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
     {% render_table trusting %}
 </div>
 
-<div class="alert alert-warning card">
+<div class="alert alert-warning card mb-3">
     {% blocktrans trimmed %}
         Adding someone as a friend enables them to initiate transactions coming
         from your account (while keeping your balance positive). This is
@@ -33,6 +33,13 @@ SPDX-License-Identifier: GPL-3.0-or-later
         friends without needing additional rights among them.
     {% endblocktrans %}
 </div>
+
+<div class="card bg-light mb-3">
+    <h3 class="card-header text-center">
+        {% trans "People having you as a friend" %}
+    </h3>
+    {% render_table trusted_by %}
+</div>
 {% endblock %}
 
 {% block extrajavascript %}

apps/member/templatetags/memberinfo.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import date

apps/member/tests/test_memberships.py

@@ -183,7 +183,7 @@ class TestMemberships(TestCase):
                 club = Club.objects.get(name="Kfet")
             else:
                 club = Club.objects.create(
-                    name="Second club " + ("with BDE" if bde_parent else "without BDE"),
+                    name="Second club without BDE",
                     parent_club=None,
                     email="newclub@example.com",
                     require_memberships=True,
@@ -291,7 +291,7 @@ class TestMemberships(TestCase):
 
         response = self.client.post(reverse("member:club_manage_roles", args=(self.membership.pk,)), data=dict(
             roles=[role.id for role in Role.objects.filter(
-                Q(name="Membre de club") | Q(name="Trésorier·ère de club") | Q(name="Bureau de club")).all()],
+                Q(name="Membre de club") | Q(name="Trésorièr⋅e de club") | Q(name="Bureau de club")).all()],
         ))
         self.assertRedirects(response, self.user.profile.get_absolute_url(), 302, 200)
         self.membership.refresh_from_db()
@@ -335,6 +335,7 @@ class TestMemberships(TestCase):
             ml_sports_registration=True,
             ml_art_registration=True,
             report_frequency=7,
+            VSS_charter_read=True
         ))
         self.assertRedirects(response, self.user.profile.get_absolute_url(), 302, 200)
         self.assertTrue(User.objects.filter(username="toto changed").exists())

apps/member/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.urls import path

apps/member/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import timedelta, date
@@ -8,7 +8,6 @@ from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.models import User
 from django.contrib.auth.views import LoginView
-from django.contrib.contenttypes.models import ContentType
 from django.db import transaction
 from django.db.models import Q, F
 from django.shortcuts import redirect
@@ -17,17 +16,19 @@ from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, UpdateView, TemplateView
 from django.views.generic.edit import FormMixin
-from django_tables2.views import SingleTableView
+from django_tables2.views import MultiTableMixin, SingleTableMixin, SingleTableView
 from rest_framework.authtoken.models import Token
+from api.viewsets import is_regex
 from note.models import Alias, NoteClub, NoteUser, Trust
 from note.models.transactions import Transaction, SpecialTransaction
-from note.tables import HistoryTable, AliasTable, TrustTable
+from note.tables import HistoryTable, AliasTable, TrustTable, TrustedTable
 from note_kfet.middlewares import _set_current_request
 from permission.backends import PermissionBackend
 from permission.models import Role
 from permission.views import ProtectQuerysetMixin, ProtectedCreateView
+from django import forms
 
-from .forms import UserForm, ProfileForm, ImageForm, ClubForm, MembershipForm,\
+from .forms import UserForm, ProfileForm, ImageForm, ClubForm, MembershipForm, \
     CustomAuthenticationForm, MembershipRolesForm
 from .models import Club, Membership
 from .tables import ClubTable, UserTable, MembershipTable, ClubManagerTable
@@ -72,11 +73,24 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         form.fields['email'].required = True
         form.fields['email'].help_text = _("This address must be valid.")
 
-        if PermissionBackend.check_perm(self.request, "member.change_profile", context['user_object'].profile):
-            context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
-                                                        data=self.request.POST if self.request.POST else None)
-            if not self.object.profile.report_frequency:
-                del context['profile_form'].fields["last_report"]
+        profile_form = self.profile_form(instance=context['user_object'].profile,
+                                         data=self.request.POST if self.request.POST else None)
+
+        if not self.object.profile.report_frequency:
+            del profile_form.fields["last_report"]
+
+        fields_to_check = list(profile_form.fields.keys())
+        fields_modifiable = False
+
+        # Delete the fields for which the user does not have the permission to modify
+        for field_name in fields_to_check:
+            if not PermissionBackend.check_perm(self.request, f"member.change_profile_{field_name}", context['user_object'].profile):
+                profile_form.fields[field_name].widget = forms.HiddenInput()
+            else:
+                fields_modifiable = True
+
+        if fields_modifiable:
+            context['profile_form'] = profile_form
 
         return context
 
@@ -220,16 +234,20 @@ class UserListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
 
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(pattern)
+            suffix = "__iregex" if valid_regex else "__istartswith"
+            prefix = "^" if valid_regex else ""
             qs = qs.filter(
-                username__iregex="^" + pattern
+                Q(**{f"username{suffix}": prefix + pattern})
             ).union(
                 qs.filter(
-                    (Q(alias__iregex="^" + pattern)
-                     | Q(normalized_alias__iregex="^" + Alias.normalize(pattern))
-                     | Q(last_name__iregex="^" + pattern)
-                     | Q(first_name__iregex="^" + pattern)
+                    (Q(**{f"alias{suffix}": prefix + pattern})
+                     | Q(**{f"normalized_alias{suffix}": prefix + Alias.normalize(pattern)})
+                     | Q(**{f"last_name{suffix}": prefix + pattern})
+                     | Q(**{f"first_name{suffix}": prefix + pattern})
                      | Q(email__istartswith=pattern))
-                    & ~Q(username__iregex="^" + pattern)
+                    & ~Q(**{f"username{suffix}": prefix + pattern})
                 ), all=True)
         else:
             qs = qs.none()
@@ -244,7 +262,7 @@ class UserListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         return context
 
 
-class ProfileTrustView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+class ProfileTrustView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, DetailView):
     """
     View and manage user trust relationships
     """
@@ -253,22 +271,35 @@ class ProfileTrustView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     context_object_name = 'user_object'
     extra_context = {"title": _("Note friendships")}
 
+    tables = [
+        lambda data: TrustTable(data, prefix="trust-"),
+        lambda data: TrustedTable(data, prefix="trusted-"),
+    ]
+
+    def get_tables_data(self):
+        note = self.object.note
+        return [
+            note.trusting.filter(PermissionBackend.filter_queryset(self.request, Trust, "view")).distinct(),
+            note.trusted.filter(PermissionBackend.filter_queryset(self.request, Trust, "view")).distinct(),
+        ]
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        note = context['object'].note
-        context["trusting"] = TrustTable(
-            note.trusting.filter(PermissionBackend.filter_queryset(self.request, Trust, "view")).distinct().all())
+
+        tables = context["tables"]
+        for name, table in zip(["trusting", "trusted_by"], tables):
+            context[name] = table
+
         context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_trust", Trust(
             trusting=context["object"].note,
             trusted=context["object"].note
         ))
         context["widget"] = {
             "name": "trusted",
+            "resetable": True,
             "attrs": {
-                "model_pk": ContentType.objects.get_for_model(Alias).pk,
                 "class": "autocomplete form-control",
                 "id": "trusted",
-                "resetable": True,
                 "api_url": "/api/note/alias/?note__polymorphic_ctype__model=noteuser",
                 "name_field": "name",
                 "placeholder": ""
@@ -277,7 +308,7 @@ class ProfileTrustView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         return context
 
 
-class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableMixin, DetailView):
     """
     View and manage user aliases.
     """
@@ -286,12 +317,15 @@ class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     context_object_name = 'user_object'
     extra_context = {"title": _("Note aliases")}
 
+    table_class = AliasTable
+    context_table_name = "aliases"
+
+    def get_table_data(self):
+        return self.object.note.alias.filter(PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct() \
+                                     .order_by('normalized_name')
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        note = context['object'].note
-        context["aliases"] = AliasTable(
-            note.alias.filter(PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct()
-            .order_by('normalized_name').all())
         context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_alias", Alias(
             note=context["object"].note,
             name="",
@@ -326,12 +360,15 @@ class PictureUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, FormMixin, Det
         """Save image to note"""
         image = form.cleaned_data['image']
 
-        # Rename as a PNG or GIF
-        extension = image.name.split(".")[-1]
-        if extension == "gif":
-            image.name = "{}_pic.gif".format(self.object.note.pk)
+        if image is None:
+            image = "pic/default.png"
         else:
-            image.name = "{}_pic.png".format(self.object.note.pk)
+            # Rename as a PNG or GIF
+            extension = image.name.split(".")[-1]
+            if extension == "gif":
+                image.name = "{}_pic.gif".format(self.object.note.pk)
+            else:
+                image.name = "{}_pic.png".format(self.object.note.pk)
 
         # Save
         self.object.note.display_image = image
@@ -407,10 +444,15 @@ class ClubListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         if "search" in self.request.GET:
             pattern = self.request.GET["search"]
 
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(pattern)
+            suffix = "__iregex" if valid_regex else "__istartswith"
+            prefix = "^" if valid_regex else ""
+
             qs = qs.filter(
-                Q(name__iregex=pattern)
-                | Q(note__alias__name__iregex=pattern)
-                | Q(note__alias__normalized_name__iregex=Alias.normalize(pattern))
+                Q(**{f"name{suffix}": prefix + pattern})
+                | Q(**{f"note__alias__name{suffix}": prefix + pattern})
+                | Q(**{f"note__alias__normalized_name{suffix}": prefix + Alias.normalize(pattern)})
             )
 
         return qs
@@ -507,7 +549,7 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         return context
 
 
-class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableMixin, DetailView):
     """
     Manage aliases of a club.
     """
@@ -516,11 +558,16 @@ class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     context_object_name = 'club'
     extra_context = {"title": _("Note aliases")}
 
+    table_class = AliasTable
+    context_table_name = "aliases"
+
+    def get_table_data(self):
+        return self.object.note.alias.filter(
+            PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct()
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        note = context['object'].note
-        context["aliases"] = AliasTable(note.alias.filter(
-            PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct().all())
+
         context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_alias", Alias(
             note=context["object"].note,
             name="",
@@ -753,6 +800,10 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
             club = old_membership.club
             user = old_membership.user
 
+        # Update club membership date
+        if PermissionBackend.check_perm(self.request, "member.change_club_membership_start", club):
+            club.update_membership_dates()
+
         form.instance.club = club
 
         # Get form data
@@ -820,8 +871,8 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
 
         ret = super().form_valid(form)
 
-        member_role = Role.objects.filter(Q(name="Adhérent BDE") | Q(name="Membre de club")).all() \
-            if club.name == "BDE" else Role.objects.filter(Q(name="Adhérent Kfet") | Q(name="Membre de club")).all() \
+        member_role = Role.objects.filter(Q(name="Adhérent⋅e BDE") | Q(name="Membre de club")).all() \
+            if club.name == "BDE" else Role.objects.filter(Q(name="Adhérent⋅e Kfet") | Q(name="Membre de club")).all() \
             if club.name == "Kfet"else Role.objects.filter(name="Membre de club").all()
         # Set the same roles as before
         if old_membership:
@@ -857,7 +908,7 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
                 membership.refresh_from_db()
                 if old_membership.exists():
                     membership.roles.set(old_membership.get().roles.all())
-                membership.roles.set(Role.objects.filter(Q(name="Adhérent Kfet") | Q(name="Membre de club")).all())
+                membership.roles.set(Role.objects.filter(Q(name="Adhérent⋅e Kfet") | Q(name="Membre de club")).all())
                 membership.save()
 
         return ret
@@ -905,10 +956,15 @@ class ClubMembersListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableV
 
         if 'search' in self.request.GET:
             pattern = self.request.GET['search']
+
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(pattern)
+            suffix = "__iregex" if valid_regex else "__istartswith"
+            prefix = "^" if valid_regex else ""
             qs = qs.filter(
-                Q(user__first_name__iregex='^' + pattern)
-                | Q(user__last_name__iregex='^' + pattern)
-                | Q(user__note__alias__normalized_name__iregex='^' + Alias.normalize(pattern))
+                Q(**{f"user__first_name{suffix}": prefix + pattern})
+                | Q(**{f"user__last_name{suffix}": prefix + pattern})
+                | Q(**{f"user__note__alias__normalized_name{suffix}": prefix + Alias.normalize(pattern)})
             )
 
         only_active = "only_active" not in self.request.GET or self.request.GET["only_active"] != '0'

apps/note/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'note.apps.NoteConfig'

apps/note/admin.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin
@@ -7,7 +7,7 @@ from polymorphic.admin import PolymorphicChildModelAdmin, \
     PolymorphicChildModelFilter, PolymorphicParentModelAdmin
 from note_kfet.admin import admin_site
 
-from .models.notes import Alias, Note, NoteClub, NoteSpecial, NoteUser
+from .models.notes import Alias, Note, NoteClub, NoteSpecial, NoteUser, Trust
 from .models.transactions import Transaction, TemplateCategory, TransactionTemplate, \
     RecurrentTransaction, MembershipTransaction, SpecialTransaction
 from .templatetags.pretty_money import pretty_money
@@ -21,6 +21,16 @@ class AliasInlines(admin.TabularInline):
     model = Alias
 
 
+class TrustInlines(admin.TabularInline):
+    """
+    Define trusts when editing the trusting note
+    """
+    model = Trust
+    fk_name = "trusting"
+    extra = 0
+    readonly_fields = ("trusted",)
+
+
 @admin.register(Note, site=admin_site)
 class NoteAdmin(PolymorphicParentModelAdmin):
     """
@@ -92,7 +102,7 @@ class NoteUserAdmin(PolymorphicChildModelAdmin):
     """
     Child for an user note, see NoteAdmin
     """
-    inlines = (AliasInlines,)
+    inlines = (AliasInlines, TrustInlines)
 
     # We can't change user after creation or the balance
     readonly_fields = ('user', 'balance')

apps/note/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.conf import settings
@@ -11,6 +11,7 @@ from member.models import Membership
 from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend
 from rest_framework.utils import model_meta
+from rest_framework.validators import UniqueTogetherValidator
 
 from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias, Trust
 from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction, TemplateCategory, \
@@ -86,11 +87,9 @@ class TrustSerializer(serializers.ModelSerializer):
     class Meta:
         model = Trust
         fields = '__all__'
-
-    def validate(self, attrs):
-        instance = Trust(**attrs)
-        instance.clean()
-        return attrs
+        validators = [UniqueTogetherValidator(
+            queryset=Trust.objects.all(), fields=('trusting', 'trusted'),
+            message=_("This friendship already exists"))]
 
 
 class AliasSerializer(serializers.ModelSerializer):

apps/note/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import NotePolymorphicViewSet, AliasViewSet, ConsumerViewSet, \

apps/note/api/views.py

@@ -1,19 +1,19 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-import re
 
 from django.conf import settings
 from django.db.models import Q
 from django.core.exceptions import ValidationError
 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework import viewsets
+from rest_framework.filters import OrderingFilter
+from rest_framework import status, viewsets
 from rest_framework.response import Response
-from rest_framework import status
-from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet
+from api.filters import RegexSafeSearchFilter
+from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet, \
+    is_regex
 from permission.backends import PermissionBackend
 
-from .serializers import NotePolymorphicSerializer, AliasSerializer, ConsumerSerializer,\
+from .serializers import NotePolymorphicSerializer, AliasSerializer, ConsumerSerializer, \
     TemplateCategorySerializer, TransactionTemplateSerializer, TransactionPolymorphicSerializer, \
     TrustSerializer
 from ..models.notes import Note, Alias, NoteUser, NoteClub, NoteSpecial, Trust
@@ -29,7 +29,7 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
     """
     queryset = Note.objects.order_by('id')
     serializer_class = NotePolymorphicSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter, OrderingFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter, OrderingFilter]
     filterset_fields = ['alias__name', 'polymorphic_ctype', 'is_active', 'balance', 'last_negative', 'created_at', ]
     search_fields = ['$alias__normalized_name', '$alias__name', '$polymorphic_ctype__model',
                      '$noteuser__user__last_name', '$noteuser__user__first_name', '$noteuser__user__email',
@@ -48,10 +48,14 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
             .distinct()
 
         alias = self.request.query_params.get("alias", ".*")
+        # Check if this is a valid regex. If not, we won't check regex
+        valid_regex = is_regex(alias)
+        suffix = '__iregex' if valid_regex else '__istartswith'
+        alias_prefix = '^' if valid_regex else ''
         queryset = queryset.filter(
-            Q(alias__name__iregex="^" + alias)
-            | Q(alias__normalized_name__iregex="^" + Alias.normalize(alias))
-            | Q(alias__normalized_name__iregex="^" + alias.lower())
+            Q(**{f"alias__name{suffix}": alias_prefix + alias})
+            | Q(**{f"alias__normalized_name{suffix}": alias_prefix + Alias.normalize(alias)})
+            | Q(**{f"alias__normalized_name{suffix}": alias_prefix + alias.lower()})
         )
 
         return queryset.order_by("id")
@@ -65,7 +69,7 @@ class TrustViewSet(ReadProtectedModelViewSet):
     """
     queryset = Trust.objects
     serializer_class = TrustSerializer
-    filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
+    filter_backends = [RegexSafeSearchFilter, DjangoFilterBackend, OrderingFilter]
     search_fields = ['$trusting__alias__name', '$trusting__alias__normalized_name',
                      '$trusted__alias__name', '$trusted__alias__normalized_name']
     filterset_fields = ['trusting', 'trusting__noteuser__user', 'trusted', 'trusted__noteuser__user']
@@ -91,11 +95,11 @@ class AliasViewSet(ReadProtectedModelViewSet):
     """
     REST API View set.
     The djangorestframework plugin will get all `Alias` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/aliases/
+    then render it on /api/note/alias/
     """
     queryset = Alias.objects
     serializer_class = AliasSerializer
-    filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
+    filter_backends = [RegexSafeSearchFilter, DjangoFilterBackend, OrderingFilter]
     search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
     filterset_fields = ['name', 'normalized_name', 'note', 'note__noteuser__user',
                         'note__noteclub__club', 'note__polymorphic_ctype__model', ]
@@ -126,18 +130,22 @@ class AliasViewSet(ReadProtectedModelViewSet):
 
         alias = self.request.query_params.get("alias", None)
         if alias:
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(alias)
+            suffix = '__iregex' if valid_regex else '__istartswith'
+            alias_prefix = '^' if valid_regex else ''
             queryset = queryset.filter(
-                name__iregex="^" + alias
+                **{f"name{suffix}": alias_prefix + alias}
             ).union(
                 queryset.filter(
-                    Q(normalized_name__iregex="^" + Alias.normalize(alias))
-                    & ~Q(name__iregex="^" + alias)
+                    Q(**{f"normalized_name{suffix}": alias_prefix + Alias.normalize(alias)})
+                    & ~Q(**{f"name{suffix}": alias_prefix + alias})
                 ),
                 all=True).union(
                 queryset.filter(
-                    Q(normalized_name__iregex="^" + alias.lower())
-                    & ~Q(normalized_name__iregex="^" + Alias.normalize(alias))
-                    & ~Q(name__iregex="^" + alias)
+                    Q(**{f"normalized_name{suffix}": "^" + alias.lower()})
+                    & ~Q(**{f"normalized_name{suffix}": "^" + Alias.normalize(alias)})
+                    & ~Q(**{f"name{suffix}": "^" + alias})
                 ),
                 all=True)
 
@@ -147,7 +155,7 @@ class AliasViewSet(ReadProtectedModelViewSet):
 class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
     queryset = Alias.objects
     serializer_class = ConsumerSerializer
-    filter_backends = [SearchFilter, OrderingFilter, DjangoFilterBackend]
+    filter_backends = [RegexSafeSearchFilter, OrderingFilter, DjangoFilterBackend]
     search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
     filterset_fields = ['name', 'normalized_name', 'note', 'note__noteuser__user',
                         'note__noteclub__club', 'note__polymorphic_ctype__model', ]
@@ -166,11 +174,7 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
 
         alias = self.request.query_params.get("alias", None)
         # Check if this is a valid regex. If not, we won't check regex
-        try:
-            re.compile(alias)
-            valid_regex = True
-        except (re.error, TypeError):
-            valid_regex = False
+        valid_regex = is_regex(alias)
         suffix = '__iregex' if valid_regex else '__istartswith'
         alias_prefix = '^' if valid_regex else ''
         queryset = queryset.prefetch_related('note')
@@ -179,19 +183,10 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
             # We match first an alias if it is matched without normalization,
             # then if the normalized pattern matches a normalized alias.
             queryset = queryset.filter(
-                **{f'name{suffix}': alias_prefix + alias}
-            ).union(
-                queryset.filter(
-                    Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
-                    & ~Q(**{f'name{suffix}': alias_prefix + alias})
-                ),
-                all=True).union(
-                queryset.filter(
-                    Q(**{f'normalized_name{suffix}': alias_prefix + alias.lower()})
-                    & ~Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
-                    & ~Q(**{f'name{suffix}': alias_prefix + alias})
-                ),
-                all=True)
+                Q(**{f'name{suffix}': alias_prefix + alias})
+                | Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
+                | Q(**{f'normalized_name{suffix}': alias_prefix + alias.lower()})
+            )
 
         queryset = queryset if settings.DATABASES[queryset.db]["ENGINE"] == 'django.db.backends.postgresql' \
             else queryset.order_by("name")
@@ -207,7 +202,7 @@ class TemplateCategoryViewSet(ReadProtectedModelViewSet):
     """
     queryset = TemplateCategory.objects.order_by('name')
     serializer_class = TemplateCategorySerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['name', 'templates', 'templates__name']
     search_fields = ['$name', '$templates__name', ]
 
@@ -220,7 +215,7 @@ class TransactionTemplateViewSet(viewsets.ModelViewSet):
     """
     queryset = TransactionTemplate.objects.order_by('name')
     serializer_class = TransactionTemplateSerializer
-    filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
+    filter_backends = [RegexSafeSearchFilter, DjangoFilterBackend, OrderingFilter]
     filterset_fields = ['name', 'amount', 'display', 'category', 'category__name', ]
     search_fields = ['$name', '$category__name', ]
     ordering_fields = ['amount', ]
@@ -234,7 +229,7 @@ class TransactionViewSet(ReadProtectedModelViewSet):
     """
     queryset = Transaction.objects.order_by('-created_at')
     serializer_class = TransactionPolymorphicSerializer
-    filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
+    filter_backends = [RegexSafeSearchFilter, DjangoFilterBackend, OrderingFilter]
     filterset_fields = ['source', 'source_alias', 'source__alias__name', 'source__alias__normalized_name',
                         'destination', 'destination_alias', 'destination__alias__name',
                         'destination__alias__normalized_name', 'quantity', 'polymorphic_ctype', 'amount',

apps/note/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/note/forms.py

@@ -1,13 +1,14 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 from datetime import datetime
 
+from bootstrap_datepicker_plus.widgets import DateTimePickerInput
 from django import forms
 from django.contrib.contenttypes.models import ContentType
 from django.forms import CheckboxSelectMultiple
 from django.utils.timezone import make_aware
 from django.utils.translation import gettext_lazy as _
-from note_kfet.inputs import Autocomplete, AmountInput, DateTimePickerInput
+from note_kfet.inputs import Autocomplete, AmountInput
 
 from .models import TransactionTemplate, NoteClub, Alias
 

apps/note/migrations/0002_create_special_notes.py

@@ -18,6 +18,7 @@ def create_special_notes(apps, schema_editor):
 class Migration(migrations.Migration):
     dependencies = [
         ('note', '0001_initial'),
+        ('logs', '0001_initial'),
     ]
 
     operations = [

apps/note/migrations/0007_alter_note_polymorphic_ctype_and_more.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.2.15 on 2024-08-28 08:00
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('contenttypes', '0002_remove_content_type_name'),
+        ('note', '0006_trust'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='note',
+            name='polymorphic_ctype',
+            field=models.ForeignKey(editable=False, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='polymorphic_%(app_label)s.%(class)s_set+', to='contenttypes.contenttype'),
+        ),
+        migrations.AlterField(
+            model_name='transaction',
+            name='polymorphic_ctype',
+            field=models.ForeignKey(editable=False, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='polymorphic_%(app_label)s.%(class)s_set+', to='contenttypes.contenttype'),
+        ),
+    ]

apps/note/models/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser, Trust

apps/note/models/notes.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import unicodedata
@@ -293,6 +293,11 @@ class Alias(models.Model):
     def __str__(self):
         return self.name
 
+    @transaction.atomic
+    def save(self, *args, **kwargs):
+        self.clean()
+        super().save(*args, **kwargs)
+
     @staticmethod
     def normalize(string):
         """
@@ -321,11 +326,6 @@ class Alias(models.Model):
             pass
         self.normalized_name = normalized_name
 
-    @transaction.atomic
-    def save(self, *args, **kwargs):
-        self.clean()
-        super().save(*args, **kwargs)
-
     def delete(self, using=None, keep_parents=False):
         if self.name == str(self.note):
             raise ValidationError(_("You can't delete your main alias."),