ynerant/nk20
1
0
Fork 0
mirror of https://gitlab.crans.org/bde/nk20 synced 2025-11-15 02:57:42 +01:00
Code Issues Releases Wiki Activity

Compare commits

base: ynerant:small_features
Branches Tags
ynerant:main ynerant:oauth2 ynerant:note_sheet ynerant:small_features ynerant:translations ynerant:update_invoice_template ynerant:round_transaction ynerant:wei ynerant:family ynerant:phone_input ynerant:food_traceability ynerant:beta ynerant:django-5.2 ynerant:oidc ynerant:darbonne ynerant:potvieux ynerant:food_bugs ynerant:delete_activity ynerant:time-display ynerant:guests_schools ynerant:export_members_ml ynerant:notekfet_wrapped ynerant:Add_some_permissions ynerant:permissions_fo_parent_clubs ynerant:respo_comm_permissionsV2 ynerant:fix_activity_view ynerant:Automation_mailing_lists ynerant:New_permission ynerant:finito_sda ynerant:non-BDE-members-permission-fix ynerant:survey_wei_2024 ynerant:migration-django-4-2 ynerant:summary_notes ynerant:traduction_inclusive_fr ynerant:migration-django-5-0 ynerant:qrcode ynerant:VSS ynerant:update_permission ynerant:fix_pipeline ynerant:permission_var ynerant:inclusive ynerant:nix-shell ynerant:sheets ynerant:svg_icons ynerant:faster_ci
ynerant:v1.0.3 ynerant:v1.0.2 ynerant:v1.0.1 ynerant:v1.0.0
..
compare: ynerant:68341a2a7edaaac492deb41b1b5f7685ad89170e
Branches Tags
ynerant:oauth2 ynerant:note_sheet ynerant:main ynerant:small_features ynerant:translations ynerant:update_invoice_template ynerant:round_transaction ynerant:wei ynerant:family ynerant:phone_input ynerant:food_traceability ynerant:beta ynerant:django-5.2 ynerant:oidc ynerant:darbonne ynerant:potvieux ynerant:food_bugs ynerant:delete_activity ynerant:time-display ynerant:guests_schools ynerant:export_members_ml ynerant:notekfet_wrapped ynerant:Add_some_permissions ynerant:permissions_fo_parent_clubs ynerant:respo_comm_permissionsV2 ynerant:fix_activity_view ynerant:Automation_mailing_lists ynerant:New_permission ynerant:finito_sda ynerant:non-BDE-members-permission-fix ynerant:survey_wei_2024 ynerant:migration-django-4-2 ynerant:summary_notes ynerant:traduction_inclusive_fr ynerant:migration-django-5-0 ynerant:qrcode ynerant:VSS ynerant:update_permission ynerant:fix_pipeline ynerant:permission_var ynerant:inclusive ynerant:nix-shell ynerant:sheets ynerant:svg_icons ynerant:faster_ci
ynerant:v1.0.3 ynerant:v1.0.2 ynerant:v1.0.1 ynerant:v1.0.0

7 Commits
small_feat ... 68341a2a7e

Author SHA1 Message Date
quark
68341a2a7e Add test for oauth2 flow, add temporary ROPB for NoteApp #137 2025-11-07 10:41:10 +01:00
quark
d2cc1b902d allows mask for Oauth2 2025-10-17 17:45:41 +02:00
ehouarn
4c40566513 Merge branch 'small_features' into 'main' 
Small features

See merge request bde/nk20!355
 2025-10-16 20:25:02 +02:00
ehouarn
418268db27 Merge branch 'update_invoice_template' into 'main' 
Replace Diolistos_bg.jpg

See merge request bde/nk20!354
 2025-10-12 18:49:43 +02:00
ehouarn
73045586a3 Replace Diolistos_bg.jpg 2025-10-12 18:26:39 +02:00
ehouarn
d4cb464169 Merge branch 'small_features' into 'main' 
Export activity guests

See merge request bde/nk20!353
 2025-09-28 21:34:21 +02:00
ehouarn
cb3b34f874 Merge branch 'small_features' into 'main' 
Small features

See merge request bde/nk20!352
 2025-09-27 13:39:34 +02:00
13 changed files with 187 additions and 47 deletions
Expand all files Collapse all files

8
apps/activity/views.py
View File

@@ -152,11 +152,9 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMix
def get_tables_data(self): def get_tables_data(self):
return [ return [
Guest.objects.filter(activity=self.object) Guest.objects.filter(activity=self.object)
.filter(PermissionBackend.filter_queryset(self.request, Guest, "view")) .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")),
.distinct(),
self.object.opener.filter(activity=self.object) self.object.opener.filter(activity=self.object)
.filter(PermissionBackend.filter_queryset(self.request, Opener, "view")) .filter(PermissionBackend.filter_queryset(self.request, Opener, "view")),
.distinct(),
] ]
def render_to_response(self, context, **response_kwargs): def render_to_response(self, context, **response_kwargs):
@@ -311,7 +309,7 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
@transaction.atomic @transaction.atomic
def form_valid(self, form): def form_valid(self, form):
form.instance.activity = Activity.objects\ form.instance.activity = Activity.objects\
.filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().get(pk=self.kwargs["pk"]) .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).get(pk=self.kwargs["pk"])
return super().form_valid(form) return super().form_valid(form)
def get_success_url(self, **kwargs): def get_success_url(self, **kwargs):

10
apps/permission/backends.py
View File

@@ -26,7 +26,7 @@ class PermissionBackend(ModelBackend):
@staticmethod @staticmethod
@memoize @memoize
def get_raw_permissions(request, t): def get_raw_permissions(request, t): # noqa: C901
""" """
Query permissions of a certain type for a user, then memoize it. Query permissions of a certain type for a user, then memoize it.
:param request: The current request :param request: The current request
@@ -39,7 +39,15 @@ class PermissionBackend(ModelBackend):
def permission_filter(membership_obj): def permission_filter(membership_obj):
query = Q(pk=-1) query = Q(pk=-1)
if 'mask' in request.GET:
try:
rank = int(request.GET['mask'])
except ValueError:
rank = 42
query &= Q(mask__rank__lte=rank)
for scope in request.auth.scope.split(' '): for scope in request.auth.scope.split(' '):
if scope == "openid":
continue
permission_id, club_id = scope.split('_') permission_id, club_id = scope.split('_')
if int(club_id) == membership_obj.club_id: if int(club_id) == membership_obj.club_id:
query |= Q(pk=permission_id) query |= Q(pk=permission_id)

30
apps/permission/fixtures/initial.json
View File

@@ -927,7 +927,7 @@
"note", "note",
"transactiontemplate" "transactiontemplate"
], ],
"query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]", "query": "{\"destination\": [\"club\", \"note\"]}",
"type": "view", "type": "view",
"mask": 2, "mask": 2,
"field": "", "field": "",
@@ -943,7 +943,7 @@
"note", "note",
"transactiontemplate" "transactiontemplate"
], ],
"query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]", "query": "{\"destination\": [\"club\", \"note\"]}",
"type": "add", "type": "add",
"mask": 3, "mask": 3,
"field": "", "field": "",
@@ -959,7 +959,7 @@
"note", "note",
"transactiontemplate" "transactiontemplate"
], ],
"query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]", "query": "{\"destination\": [\"club\", \"note\"]}",
"type": "change", "type": "change",
"mask": 3, "mask": 3,
"field": "", "field": "",
@@ -3486,22 +3486,6 @@
"description": "Voir la bouffe servie" "description": "Voir la bouffe servie"
} }
}, },
{
"model": "permission.permission",
"pk": 223,
"fields": {
"model": [
"note",
"templatecategory"
],
"query": "{\"name\": \"Clubs\"}",
"type": "view",
"mask": 2,
"field": "",
"permanent": false,
"description": "Voir la catégorie de bouton Clubs"
}
},
{ {
"model": "permission.permission", "model": "permission.permission",
"pk": 239, "pk": 239,
@@ -4912,6 +4896,7 @@
19, 19,
20, 20,
21, 21,
27,
59, 59,
60, 60,
61, 61,
@@ -4922,7 +4907,6 @@
182, 182,
184, 184,
185, 185,
223,
239, 239,
240, 240,
241 241
@@ -5287,12 +5271,6 @@
176, 176,
177, 177,
197, 197,
211,
212,
213,
214,
215,
216,
311, 311,
319 319
] ]

10
apps/permission/scopes.py
View File

@@ -10,6 +10,8 @@ from note_kfet.middlewares import get_current_request
from .backends import PermissionBackend from .backends import PermissionBackend
from .models import Permission from .models import Permission
from django.utils.translation import gettext_lazy as _
class PermissionScopes(BaseScopes): class PermissionScopes(BaseScopes):
""" """
@@ -32,7 +34,7 @@ class PermissionScopes(BaseScopes):
scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
for p in Permission.objects.all() for club in Club.objects.all()} for p in Permission.objects.all() for club in Club.objects.all()}
scopes['openid'] = "OpenID Connect" scopes['openid'] = _("OpenID Connect (username and email)")
return scopes return scopes
def get_available_scopes(self, application=None, request=None, *args, **kwargs): def get_available_scopes(self, application=None, request=None, *args, **kwargs):
@@ -82,8 +84,12 @@ class PermissionOAuth2Validator(OAuth2Validator):
valid_scopes = set() valid_scopes = set()
# simple patch for have functionnal ROPB flow
# TODO rewrite
r = get_current_request()
r.user = request.user
for t in Permission.PERMISSION_TYPES: for t in Permission.PERMISSION_TYPES:
for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]): for p in PermissionBackend.get_raw_permissions(r, t[0]):
scope = f"{p.id}_{p.membership.club.id}" scope = f"{p.id}_{p.membership.club.id}"
if scope in scopes: if scope in scopes:
valid_scopes.add(scope) valid_scopes.add(scope)

37
apps/permission/tests/test_oauth2.py → apps/permission/tests/test_oauth2_access.py
View File

@@ -21,6 +21,7 @@ class OAuth2TestCase(TestCase):
def setUp(self): def setUp(self):
self.user = User.objects.create( self.user = User.objects.create(
username="toto", username="toto",
password="toto1234",
) )
self.application = Application.objects.create( self.application = Application.objects.create(
name="Test", name="Test",
@@ -92,3 +93,39 @@ class OAuth2TestCase(TestCase):
self.assertEqual(resp.status_code, 200) self.assertEqual(resp.status_code, 200)
self.assertIn(self.application, resp.context['scopes']) self.assertIn(self.application, resp.context['scopes'])
self.assertIn('1_1', resp.context['scopes'][self.application]) # Now the user has this permission self.assertIn('1_1', resp.context['scopes'][self.application]) # Now the user has this permission
def test_oidc(self):
"""
Ensure OIDC work
"""
# Create access token that has access to our own user detail
token = AccessToken.objects.create(
user=self.user,
application=self.application,
scope="openid",
token=get_random_string(64),
expires=timezone.now() + timedelta(days=365),
)
# No access without token
resp = self.client.get('/o/userinfo/') # userinfo endpoint
self.assertEqual(resp.status_code, 401)
# Valid token
resp = self.client.get('/o/userinfo/', **{'Authorization': f'Bearer {token.token}'})
self.assertEqual(resp.status_code, 200)
# Create membership to test api
NoteUser.objects.create(user=self.user)
membership = Membership.objects.create(user=self.user, club_id=1)
membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
membership.save()
# Token can always be use to see yourself
resp = self.client.get('/api/me/',
**{'Authorization': f'Bearer {token.token}'})
# Token is not granted to see other api
resp = self.client.get(f'/api/user/{self.user.pk}/',
**{'Authorization': f'Bearer {token.token}'})
self.assertEqual(resp.status_code, 404)

115
apps/permission/tests/test_oauth2_flow.py Normal file
View File

@@ -0,0 +1,115 @@
# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later
import base64
from django.contrib.auth.models import User
from django.test import TestCase
from member.models import Membership, Club
from note.models import NoteUser
from oauth2_provider.models import Application
from ..models import Role, Permission
class OAuth2TestCase(TestCase):
fixtures = ('initial', )
def setUp(self):
self.user = User.objects.create(
username="toto",
password="toto1234",
)
NoteUser.objects.create(user=self.user)
membership = Membership.objects.create(user=self.user, club_id=1)
membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
membership.save()
bde = Club.objects.get(name="BDE")
view_user_perm = Permission.objects.get(pk=1) # View own user detail
self.base_scope = f'{view_user_perm.pk}_{bde.pk}'
def test_oauth2_authorization_code_flow(self):
"""
Ensure OAuth2 Authorization Code Flow work
"""
pass
def test_oauth2_implicit_flow(self):
"""
Ensure OAuth2 Implicit Flow work
"""
pass
def test_oauth2_resource_owner_password_credentials_flow(self):
"""
Ensure OAuth2 Resource Owner Password Credentials Flow work
"""
pass
def test_oauth2_client_credentials(self):
"""
Ensure OAuth2 Client Credentials work
"""
app = Application.objects.create(
name="Test credentials",
client_type=Application.CLIENT_CONFIDENTIAL,
authorization_grant_type=Application.GRANT_CLIENT_CREDENTIALS,
user=self.user,
hash_client_secret=False,
algorithm=Application.NO_ALGORITHM,
)
# No token without credential
resp = self.client.post('/o/token/',
data={"grant_type": "client_credentials"},
**{"Content-Type": 'application/x-www-form-urlencoded'}
)
self.assertEqual(resp.status_code, 401)
# Access with credential
credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()
resp = self.client.post('/o/token/',
data={"grant_type": "client_credentials"},
**{'HTTP_Authorization': f'Basic {credential}',
"Content-Type": 'application/x-www-form-urlencoded'}
)
self.assertEqual(resp.status_code, 200)
token = resp.json()['access_token']
# Token is valid but has no right
resp = self.client.get('/api/user/{self.user.pk}',
**{'Authorization': f'Bearer {token}'}
)
self.assertEqual(resp.status_code, 403)
# RFC6749 4.4.2 allows use of scope in client credential flow
resp = self.client.post('/o/token/',
data={"grant_type": "client_credentials",
"scope": self.base_scope},
**{'http_Authorization': f'Basic {credential}',
"Content-Type": 'application/x-www-form-urlencoded'}
)
self.assertEqual(resp.status_code, 200)
token = resp.json()['access_token']
# Now app can see his creator
resp = self.client.post(f'/api/user/{self.user.pk}/',
**{'Authorization': f'Bearer {token}'})
self.assertEqual(resp.status_code, 200)
def test_oidc_flow(self):
"""
Ensure OIDC Flow work
"""
pass

13
apps/treasury/models.py
View File

@@ -338,13 +338,13 @@ class SogeCredit(models.Model):
last_name=self.user.last_name, last_name=self.user.last_name,
first_name=self.user.first_name, first_name=self.user.first_name,
bank="Société générale", bank="Société générale",
valid=True, valid=False,
) )
credit_transaction._force_save = True credit_transaction._force_save = True
credit_transaction.save() credit_transaction.save()
credit_transaction.refresh_from_db() credit_transaction.refresh_from_db()
self.credit_transaction = credit_transaction self.credit_transaction = credit_transaction
elif not self.valid: elif not self.valid_legacy:
self.credit_transaction.amount = self.amount self.credit_transaction.amount = self.amount
self.credit_transaction._force_save = True self.credit_transaction._force_save = True
self.credit_transaction.save() self.credit_transaction.save()
@@ -371,7 +371,7 @@ class SogeCredit(models.Model):
The Sogé credit may be created after the user already paid its memberships. The Sogé credit may be created after the user already paid its memberships.
We query transactions and update the credit, if it is unvalid. We query transactions and update the credit, if it is unvalid.
""" """
if self.valid or not self.pk: if self.valid_legacy or not self.pk:
return return
# Soge do not pay BDE and kfet memberships since 2022 # Soge do not pay BDE and kfet memberships since 2022
@@ -403,7 +403,7 @@ class SogeCredit(models.Model):
self.transactions.add(m.transaction) self.transactions.add(m.transaction)
for tr in self.transactions.all(): for tr in self.transactions.all():
tr.valid = True tr.valid = False
tr.save() tr.save()
def invalidate(self): def invalidate(self):
@@ -411,7 +411,7 @@ class SogeCredit(models.Model):
Invalidating a Société générale delete the transaction of the bank if it was already created. Invalidating a Société générale delete the transaction of the bank if it was already created.
Treasurers must know what they do, With Great Power Comes Great Responsibility... Treasurers must know what they do, With Great Power Comes Great Responsibility...
""" """
if self.valid: if self.valid_legacy:
self.credit_transaction.valid = False self.credit_transaction.valid = False
self.credit_transaction.save() self.credit_transaction.save()
for tr in self.transactions.all(): for tr in self.transactions.all():
@@ -420,7 +420,7 @@ class SogeCredit(models.Model):
tr.save() tr.save()
def validate(self, force=False): def validate(self, force=False):
if self.valid and not force: if self.valid_legacy and not force:
# The credit is already done # The credit is already done
return return
@@ -428,7 +428,6 @@ class SogeCredit(models.Model):
self.invalidate() self.invalidate()
# Refresh credit amount # Refresh credit amount
self.save() self.save()
self.valid = True
self.credit_transaction.valid = True self.credit_transaction.valid = True
self.credit_transaction._force_save = True self.credit_transaction._force_save = True
self.credit_transaction.save() self.credit_transaction.save()

BIN
apps/treasury/static/img/Diolistos_bg.jpg
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 284 KiB

After

Width:  |  Height:  |  Size: 104 KiB

1
apps/treasury/tables.py
View File

@@ -56,7 +56,6 @@ class InvoiceTable(tables.Table):
model = Invoice model = Invoice
template_name = 'django_tables2/bootstrap4.html' template_name = 'django_tables2/bootstrap4.html'
fields = ('id', 'name', 'object', 'acquitted', 'invoice',) fields = ('id', 'name', 'object', 'acquitted', 'invoice',)
order_by = ('-id',)
class RemittanceTable(tables.Table): class RemittanceTable(tables.Table):

2
apps/treasury/templates/treasury/invoice_sample.tex
View File

@@ -108,7 +108,7 @@
\renewcommand{\headrulewidth}{0pt} \renewcommand{\headrulewidth}{0pt}
\cfoot{ \cfoot{
\small{\MonNom ~--~ \MonAdresseRue ~ \MonAdresseVille ~--~ Téléphone : +33(0)6 83 55 03 18 \newline \small{\MonNom ~--~ \MonAdresseRue ~ \MonAdresseVille ~--~ Téléphone : +33(0)7 78 17 22 34\newline
E-mail : tresorerie.bde@lists.crans.org ~--~ Numéro SIRET : 399 485 838 00029 E-mail : tresorerie.bde@lists.crans.org ~--~ Numéro SIRET : 399 485 838 00029
} }
} }

2
apps/treasury/tests/test_treasury.py
View File

@@ -359,7 +359,7 @@ class TestSogeCredits(TestCase):
)) ))
self.assertRedirects(response, reverse("treasury:manage_soge_credit", args=(soge_credit.pk,)), 302, 200) self.assertRedirects(response, reverse("treasury:manage_soge_credit", args=(soge_credit.pk,)), 302, 200)
soge_credit.refresh_from_db() soge_credit.refresh_from_db()
self.assertTrue(soge_credit.valid) self.assertTrue(soge_credit.valid_legacy)
self.user.note.refresh_from_db() self.user.note.refresh_from_db()
self.assertEqual( self.assertEqual(
Transaction.objects.filter(Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3) Transaction.objects.filter(Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3)

2
apps/treasury/views.py
View File

@@ -417,7 +417,7 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
) )
if "valid" not in self.request.GET or not self.request.GET["valid"]: if "valid" not in self.request.GET or not self.request.GET["valid"]:
qs = qs.filter(valid=False) qs = qs.filter(credit_transaction__valid=False)
return qs return qs

2
apps/wei/tests/test_wei_registration.py
View File

@@ -680,7 +680,7 @@ class TestWEIRegistration(TestCase):
self.assertTrue(soge_credit.exists()) self.assertTrue(soge_credit.exists())
soge_credit = soge_credit.get() soge_credit = soge_credit.get()
self.assertTrue(membership.transaction in soge_credit.transactions.all()) self.assertTrue(membership.transaction in soge_credit.transactions.all())
self.assertTrue(membership.transaction.valid) self.assertFalse(membership.transaction.valid)
# Check that if the WEI is started, we can't update a wei # Check that if the WEI is started, we can't update a wei
self.wei.date_start = date(2000, 1, 1) self.wei.date_start = date(2000, 1, 1)