Remove unused file

.ansible-lint

@@ -0,0 +1,3 @@
+skip_list:
+  - command-instead-of-shell  # Use shell only when shell functionality is required
+  - experimental  # all rules tagged as experimental

.env_example

@@ -10,6 +10,7 @@ DJANGO_SECRET_KEY=CHANGE_ME
 DJANGO_SETTINGS_MODULE=note_kfet.settings
 CONTACT_EMAIL=tresorerie.bde@localhost
 NOTE_URL=localhost
+DOMAIN=localhost
 
 # Config for mails. Only used in production
 NOTE_MAIL=notekfet@localhost

.gitignore

@@ -47,7 +47,6 @@ backups/
 env/
 venv/
 db.sqlite3
-shell.nix
 
 # ansibles customs host
 ansible/host_vars/*.yaml

.gitlab-ci.yml

@@ -10,50 +10,22 @@ variables:
 # Debian Buster
 py37-django22:
   stage: test
-  image: debian:buster-backports
+  image: otthorn/nk20_ci_37
-  before_script:
-    - >
-        apt-get update &&
-        apt-get install --no-install-recommends -t buster-backports -y
-        python3-django python3-django-crispy-forms
-        python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
-        python3-bs4 python3-setuptools tox texlive-xetex
   script: tox -e py37-django22
 
 # Ubuntu 20.04
 py38-django22:
   stage: test
-  image: ubuntu:20.04
+  image: otthorn/nk20_ci_38
-  before_script:
-    # Fix tzdata prompt
-    - ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime && echo Europe/Paris > /etc/timezone
-    - >
-        apt-get update &&
-        apt-get install --no-install-recommends -y
-        python3-django python3-django-crispy-forms
-        python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
-        python3-bs4 python3-setuptools tox texlive-xetex
   script: tox -e py38-django22
 
 # Debian Bullseye
 py39-django22:
   stage: test
-  image: debian:bullseye
+  image: otthorn/nk20_ci_39
-  before_script:
-    - >
-        apt-get update &&
-        apt-get install --no-install-recommends -y
-        python3-django python3-django-crispy-forms
-        python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
-        python3-bs4 python3-setuptools tox texlive-xetex
   script: tox -e py39-django22
 
+# Tox linter
 linters:
   stage: quality-assurance
   image: debian:buster-backports
@@ -64,6 +36,20 @@ linters:
   # Be nice to new contributors, but please use `tox`
   allow_failure: true
 
+# Ansible linter
+ansible-linter:
+  stage: quality-assurance
+  image: otthorn/nk20_ci_ansiblelint
+  script: ansible-lint ansible/
+
+# Docker linter
+docker-linter:
+  stage: quality-assurance
+  image: hadolint/hadolint
+  script:
+    - hadolint -c .hadolint Dockerfile
+    - hadolint -c .hadolint docker_ci/Dockerfile.*
+
 # Compile documentation
 documentation:
   stage: docs

.hadolint

@@ -0,0 +1,4 @@
+ignored:
+  - DL3008  # Do not force to pin version in apt (Debian)
+  - DL3013  # Do not force to pin version in pip (PyPI)
+  - DL3018  # Do not force to pin version in apk (Alpine)

Dockerfile

@@ -12,7 +12,7 @@ RUN apt-get update && \
     python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache ipython3 \
     python3-bs4 python3-setuptools \
     uwsgi uwsgi-plugin-python3 \
-    texlive-xetex gettext libjs-bootstrap4 && \
+    texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome && \
     rm -rf /var/lib/apt/lists/*
 
 # Instal PyPI requirements

README.md

@@ -23,7 +23,7 @@ Bien que cela permette de créer une instance sur toutes les distributions,
     $ sudo apt update
     $ sudo apt install --no-install-recommends -y \
         ipython3 python3-setuptools python3-venv python3-dev \
-        texlive-xetex gettext libjs-bootstrap4 git
+        texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome git
     ```
 
 2.  **Clonage du dépot** là où vous voulez :
@@ -115,7 +115,7 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
         python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache ipython3 \
         python3-bs4 python3-setuptools python3-docutils \
         memcached uwsgi uwsgi-plugin-python3 \
-        texlive-xetex gettext libjs-bootstrap4 \
+        texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome \
         nginx python3-venv git acl
     ```
 
@@ -279,8 +279,7 @@ Le cahier des charges initial est disponible [sur le Wiki Crans](https://wiki.cr
 La documentation des classes et fonctions est directement dans le code et est explorable à partir de la partie documentation de l'interface d'administration de Django.
 **Commentez votre code !**
 
-La documentation plus haut niveau sur le développement et sur l'utilisation
+La documentation plus haut niveau sur le développement est disponible sur [le Wiki associé au dépôt Git](https://gitlab.crans.org/bde/nk20/-/wikis/home).
-est disponible sur <https://note.crans.org/doc> et également dans le dossier `docs`.
 
 ## FAQ
 

ansible/host_vars/bde-nk20-beta.adh.crans.org.yml

@@ -0,0 +1,6 @@
+---
+note:
+  server_name: note-beta.crans.org
+  git_branch: beta
+  cron_enabled: false
+  email: notekfet2020@lists.crans.org

ansible/host_vars/bde-note-dev.adh.crans.org.yml

@@ -2,6 +2,5 @@
 note:
   server_name: note-dev.crans.org
   git_branch: beta
-  serve_static: false
   cron_enabled: false
   email: notekfet2020@lists.crans.org

ansible/host_vars/bde-note.adh.crans.org.yml

@@ -2,6 +2,5 @@
 note:
   server_name: note.crans.org
   git_branch: master
-  serve_static: true
   cron_enabled: true
   email: notekfet2020@lists.crans.org

ansible/hosts_example

@@ -1,5 +1,6 @@
 [dev]
 bde-note-dev.adh.crans.org
+bde-nk20-beta.adh.crans.org
 
 [prod]
 bde-note.adh.crans.org

ansible/roles/1-apt-basic/tasks/main.yml

@@ -17,6 +17,7 @@
       - ipython3
 
       # Front-end dependencies
+      - fonts-font-awesome
       - libjs-bootstrap4
 
       # Python dependencies

ansible/roles/5-nginx/templates/nginx_note.conf

@@ -41,7 +41,6 @@ server {
     # max upload size
     client_max_body_size 75M;   # adjust to taste
 
-{% if note.serve_static %}
     # Django media
     location /media  {
         alias /var/www/note_kfet/media;  # your Django project's media files - amend as required
@@ -51,7 +50,6 @@ server {
         alias /var/www/note_kfet/static; # your Django project's static files - amend as required
     }
 
-{% endif %}
     location /doc {
         alias /var/www/documentation;    # The documentation of the project
     }

apps/activity/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'activity.apps.ActivityConfig'

apps/activity/admin.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin

apps/activity/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework import serializers

apps/activity/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import ActivityTypeViewSet, ActivityViewSet, EntryViewSet, GuestViewSet

apps/activity/api/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from api.viewsets import ReadProtectedModelViewSet

apps/activity/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/activity/forms.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import timedelta
@@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
 from member.models import Club
 from note.models import Note, NoteUser
 from note_kfet.inputs import Autocomplete, DateTimePickerInput
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_authenticated_user
 from permission.backends import PermissionBackend
 
 from .models import Activity, Guest
@@ -24,16 +24,10 @@ class ActivityForm(forms.ModelForm):
         self.fields["attendees_club"].initial = Club.objects.get(name="Kfet")
         self.fields["attendees_club"].widget.attrs["placeholder"] = "Kfet"
         clubs = list(Club.objects.filter(PermissionBackend
-                                         .filter_queryset(get_current_request(), Club, "view")).all())
+                                         .filter_queryset(get_current_authenticated_user(), Club, "view")).all())
         shuffle(clubs)
         self.fields["organizer"].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."
 
-    def clean_organizer(self):
-        organizer = self.cleaned_data['organizer']
-        if not organizer.note.is_active:
-            self.add_error('organiser', _('The note of this club is inactive.'))
-        return organizer
-
     def clean_date_end(self):
         date_end = self.cleaned_data["date_end"]
         date_start = self.cleaned_data["date_start"]

apps/activity/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import os

apps/activity/tables.py

@@ -1,9 +1,7 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
 from django.utils import timezone
-from django.utils.html import escape
+from django.utils.html import format_html
-from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
 import django_tables2 as tables
 from django_tables2 import A
@@ -54,8 +52,8 @@ class GuestTable(tables.Table):
     def render_entry(self, record):
         if record.has_entry:
             return str(_("Entered on ") + str(_("{:%Y-%m-%d %H:%M:%S}").format(record.entry.time, )))
-        return mark_safe('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
+        return format_html('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
-                         '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))
+                           '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))
 
 
 def get_row_class(record):
@@ -93,7 +91,7 @@ class EntryTable(tables.Table):
         if hasattr(record, 'username'):
             username = record.username
             if username != value:
-                return mark_safe(escape(value) + " <em>aka.</em> " + escape(username))
+                return format_html(value + " <em>aka.</em> " + username)
         return value
 
     def render_balance(self, value):

apps/activity/templates/activity/activity_entry.html

@@ -63,12 +63,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
         refreshBalance();
     }
 
-    alias_obj.keyup(function(event) {
+    alias_obj.keyup(reloadTable);
-        let code = event.originalEvent.keyCode
-        if (65 <= code <= 122 || code === 13) {
-            debounce(reloadTable)()
-        }
-    });
 
     $(document).ready(init);
 

apps/activity/templates/activity/activity_list.html

@@ -34,9 +34,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
     {% endif %}
     <div class="card-footer">
         <a class="btn btn-sm btn-success" href="{% url 'activity:activity_create' %}" data-turbolinks="false">
-            <svg class="bi bi-calendar-plus" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-calendar-plus-o" aria-hidden="true"></i>
-                <path d="M4 .5a.5.5 0 0 0-1 0V1H2a2 2 0 0 0-2 2v1h16V3a2 2 0 0 0-2-2h-1V.5a.5.5 0 0 0-1 0V1H4V.5zM16 14V5H0v9a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2zM8.5 8.5V10H10a.5.5 0 0 1 0 1H8.5v1.5a.5.5 0 0 1-1 0V11H6a.5.5 0 0 1 0-1h1.5V8.5a.5.5 0 0 1 1 0z"/>
-            </svg>
             {% trans 'New activity' %}
         </a>
     </div>

apps/activity/tests/test_activities.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import timedelta

apps/activity/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.urls import path

apps/activity/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from hashlib import md5
@@ -66,19 +66,21 @@ class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView
     ordering = ('-date_start',)
     extra_context = {"title": _("Activities")}
 
-    def get_queryset(self, **kwargs):
+    def get_queryset(self):
-        return super().get_queryset(**kwargs).distinct()
+        return super().get_queryset().distinct()
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
 
         upcoming_activities = Activity.objects.filter(date_end__gt=timezone.now())
         context['upcoming'] = ActivityTable(
-            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request, Activity, "view")),
+            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")),
             prefix='upcoming-',
         )
 
-        started_activities = self.get_queryset().filter(open=True, valid=True).distinct().all()
+        started_activities = Activity.objects\
+            .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
+            .filter(open=True, valid=True).all()
         context["started_activities"] = started_activities
 
         return context
@@ -96,7 +98,7 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data()
 
         table = GuestTable(data=Guest.objects.filter(activity=self.object)
-                           .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")))
+                           .filter(PermissionBackend.filter_queryset(self.request.user, Guest, "view")))
         context["guests"] = table
 
         context["activity_started"] = timezone.now() > timezone.localtime(self.object.date_start)
@@ -142,15 +144,15 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
 
     def get_form(self, form_class=None):
         form = super().get_form(form_class)
-        form.activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
+        form.activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
-            .filter(pk=self.kwargs["pk"]).first()
+            .get(pk=self.kwargs["pk"])
         form.fields["inviter"].initial = self.request.user.note
         return form
 
     @transaction.atomic
     def form_valid(self, form):
         form.instance.activity = Activity.objects\
-            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).get(pk=self.kwargs["pk"])
+            .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")).get(pk=self.kwargs["pk"])
         return super().form_valid(form)
 
     def get_success_url(self, **kwargs):
@@ -171,7 +173,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         activity = Activity.objects.get(pk=self.kwargs["pk"])
 
         sample_entry = Entry(activity=activity, note=self.request.user.note)
-        if not PermissionBackend.check_perm(self.request, "activity.add_entry", sample_entry):
+        if not PermissionBackend.check_perm(self.request.user, "activity.add_entry", sample_entry):
             raise PermissionDenied(_("You are not allowed to display the entry interface for this activity."))
 
         if not activity.activity_type.manage_entries:
@@ -189,8 +191,8 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         guest_qs = Guest.objects\
             .annotate(balance=F("inviter__balance"), note_name=F("inviter__user__username"))\
             .filter(activity=activity)\
-            .filter(PermissionBackend.filter_queryset(self.request, Guest, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request.user, Guest, "view"))\
-            .order_by('last_name', 'first_name')
+            .order_by('last_name', 'first_name').distinct()
 
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
@@ -204,7 +206,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
             )
         else:
             guest_qs = guest_qs.none()
-        return guest_qs.distinct()
+        return guest_qs
 
     def get_invited_note(self, activity):
         """
@@ -228,7 +230,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         )
 
         # Filter with permission backend
-        note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request, Alias, "view"))
+        note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view"))
 
         if "search" in self.request.GET and self.request.GET["search"]:
             pattern = self.request.GET["search"]
@@ -254,7 +256,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         """
         context = super().get_context_data(**kwargs)
 
-        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
+        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
             .distinct().get(pk=self.kwargs["pk"])
         context["activity"] = activity
 
@@ -279,9 +281,9 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         context["notespecial_ctype"] = ContentType.objects.get_for_model(NoteSpecial).pk
 
         activities_open = Activity.objects.filter(open=True).filter(
-            PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().all()
+            PermissionBackend.filter_queryset(self.request.user, Activity, "view")).distinct().all()
         context["activities_open"] = [a for a in activities_open
-                                      if PermissionBackend.check_perm(self.request,
+                                      if PermissionBackend.check_perm(self.request.user,
                                                                       "activity.add_entry",
                                                                       Entry(activity=a, note=self.request.user.note,))]
 

apps/api/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'api.apps.APIConfig'

apps/api/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/api/serializers.py

@@ -1,17 +1,13 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth.models import User
-from django.utils import timezone
+from rest_framework.serializers import ModelSerializer
-from rest_framework import serializers
-from member.api.serializers import ProfileSerializer, MembershipSerializer
-from note.api.serializers import NoteSerializer
-from note.models import Alias
 
 
-class UserSerializer(serializers.ModelSerializer):
+class UserSerializer(ModelSerializer):
     """
     REST API Serializer for Users.
     The djangorestframework plugin will analyse the model `User` and parse all fields in the API.
@@ -26,7 +22,7 @@ class UserSerializer(serializers.ModelSerializer):
         )
 
 
-class ContentTypeSerializer(serializers.ModelSerializer):
+class ContentTypeSerializer(ModelSerializer):
     """
     REST API Serializer for Users.
     The djangorestframework plugin will analyse the model `User` and parse all fields in the API.
@@ -35,42 +31,3 @@ class ContentTypeSerializer(serializers.ModelSerializer):
     class Meta:
         model = ContentType
         fields = '__all__'
-
-
-class OAuthSerializer(serializers.ModelSerializer):
-    """
-    Informations that are transmitted by OAuth.
-    For now, this includes user, profile and valid memberships.
-    This should be better managed later.
-    """
-    normalized_name = serializers.SerializerMethodField()
-
-    profile = ProfileSerializer()
-
-    note = NoteSerializer()
-
-    memberships = serializers.SerializerMethodField()
-
-    def get_normalized_name(self, obj):
-        return Alias.normalize(obj.username)
-
-    def get_memberships(self, obj):
-        return serializers.ListSerializer(child=MembershipSerializer()).to_representation(
-            obj.memberships.filter(date_start__lte=timezone.now(), date_end__gte=timezone.now()))
-
-    class Meta:
-        model = User
-        fields = (
-            'id',
-            'username',
-            'normalized_name',
-            'first_name',
-            'last_name',
-            'email',
-            'is_superuser',
-            'is_active',
-            'is_staff',
-            'profile',
-            'note',
-            'memberships',
-        )

apps/api/tests.py

@@ -1,9 +1,8 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
 from datetime import datetime, date
-from decimal import Decimal
 from urllib.parse import quote_plus
 from warnings import warn
 
@@ -153,8 +152,6 @@ class TestAPI(TestCase):
                 value = value.isoformat()
             elif isinstance(value, ImageFieldFile):
                 value = value.name
-            elif isinstance(value, Decimal):
-                value = str(value)
             query = json.dumps({field.name: value})
 
             # Create sample permission

apps/api/urls.py

@@ -1,11 +1,10 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.conf import settings
 from django.conf.urls import url, include
 from rest_framework import routers
 
-from .views import UserInformationView
 from .viewsets import ContentTypeViewSet, UserViewSet
 
 # Routers provide an easy way of automatically determining the URL conf.
@@ -48,6 +47,5 @@ app_name = 'api'
 # Additionally, we include login URLs for the browsable API.
 urlpatterns = [
     url('^', include(router.urls)),
-    url('^me/', UserInformationView.as_view()),
     url('^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
 ]

apps/api/views.py

@@ -1,20 +0,0 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-from django.contrib.auth.models import User
-from rest_framework.generics import RetrieveAPIView
-
-from .serializers import OAuthSerializer
-
-
-class UserInformationView(RetrieveAPIView):
-    """
-    These fields are give to OAuth authenticators.
-    """
-    serializer_class = OAuthSerializer
-
-    def get_queryset(self):
-        return User.objects.filter(pk=self.request.user.pk)
-
-    def get_object(self):
-        return self.request.user

apps/api/viewsets.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib.contenttypes.models import ContentType
@@ -9,6 +9,7 @@ from django.contrib.auth.models import User
 from rest_framework.filters import SearchFilter
 from rest_framework.viewsets import ReadOnlyModelViewSet, ModelViewSet
 from permission.backends import PermissionBackend
+from note_kfet.middlewares import get_current_session
 from note.models import Alias
 
 from .serializers import UserSerializer, ContentTypeSerializer
@@ -24,7 +25,9 @@ class ReadProtectedModelViewSet(ModelViewSet):
         self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()
 
     def get_queryset(self):
-        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()
+        user = self.request.user
+        get_current_session().setdefault("permission_mask", 42)
+        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
 
 
 class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
@@ -37,7 +40,9 @@ class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
         self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()
 
     def get_queryset(self):
-        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()
+        user = self.request.user
+        get_current_session().setdefault("permission_mask", 42)
+        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
 
 
 class UserViewSet(ReadProtectedModelViewSet):

apps/logs/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'logs.apps.LogsConfig'

apps/logs/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework import serializers

apps/logs/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import ChangelogViewSet

apps/logs/api/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django_filters.rest_framework import DjangoFilterBackend

apps/logs/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/logs/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.conf import settings

apps/logs/signals.py

@@ -1,11 +1,11 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib.contenttypes.models import ContentType
 from rest_framework.renderers import JSONRenderer
 from rest_framework.serializers import ModelSerializer
 from note.models import NoteUser, Alias
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_authenticated_user, get_current_ip
 
 from .models import Changelog
 
@@ -57,9 +57,9 @@ def save_object(sender, instance, **kwargs):
     previous = instance._previous
 
     # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
-    request = get_current_request()
+    user, ip = get_current_authenticated_user(), get_current_ip()
 
-    if request is None:
+    if user is None:
         # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
         # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
         # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
@@ -71,23 +71,9 @@ def save_object(sender, instance, **kwargs):
         # else:
         if note.exists():
             user = note.get().user
-        else:
-            user = None
-    else:
-        user = request.user
-        if 'HTTP_X_REAL_IP' in request.META:
-            ip = request.META.get('HTTP_X_REAL_IP')
-        elif 'HTTP_X_FORWARDED_FOR' in request.META:
-            ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
-        else:
-            ip = request.META.get('REMOTE_ADDR')
-
-        if not user.is_authenticated:
-            # For registration and OAuth2 purposes
-            user = None
 
     # noinspection PyProtectedMember
-    if request is not None and instance._meta.label_lower == "auth.user" and previous:
+    if user is not None and instance._meta.label_lower == "auth.user" and previous:
         # On n'enregistre pas les connexions
         if instance.last_login != previous.last_login:
             return
@@ -135,9 +121,9 @@ def delete_object(sender, instance, **kwargs):
         return
 
     # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
-    request = get_current_request()
+    user, ip = get_current_authenticated_user(), get_current_ip()
 
-    if request is None:
+    if user is None:
         # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
         # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
         # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
@@ -149,20 +135,6 @@ def delete_object(sender, instance, **kwargs):
         # else:
         if note.exists():
             user = note.get().user
-        else:
-            user = None
-    else:
-        user = request.user
-        if 'HTTP_X_REAL_IP' in request.META:
-            ip = request.META.get('HTTP_X_REAL_IP')
-        elif 'HTTP_X_FORWARDED_FOR' in request.META:
-            ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
-        else:
-            ip = request.META.get('REMOTE_ADDR')
-
-        if not user.is_authenticated:
-            # For registration and OAuth2 purposes
-            user = None
 
     # On crée notre propre sérialiseur JSON pour pouvoir sauvegarder les modèles
     class CustomSerializer(ModelSerializer):

apps/member/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'member.apps.MemberConfig'

apps/member/admin.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin

apps/member/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework import serializers

apps/member/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import ProfileViewSet, ClubViewSet, MembershipViewSet

apps/member/api/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django_filters.rest_framework import DjangoFilterBackend

apps/member/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/member/auth.py

@@ -1,17 +0,0 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-from cas_server.auth import DjangoAuthUser  # pragma: no cover
-from note.models import Alias
-
-
-class CustomAuthUser(DjangoAuthUser):  # pragma: no cover
-    """
-    Override Django Auth User model to define a custom Matrix username.
-    """
-
-    def attributs(self):
-        d = super().attributs()
-        if self.user:
-            d["normalized_name"] = Alias.normalize(self.user.username)
-        return d

apps/member/forms.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import io

apps/member/hashers.py

@@ -1,14 +1,12 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import hashlib
-from collections import OrderedDict
 
 from django.conf import settings
-from django.contrib.auth.hashers import PBKDF2PasswordHasher, mask_hash
+from django.contrib.auth.hashers import PBKDF2PasswordHasher
 from django.utils.crypto import constant_time_compare
-from django.utils.translation import gettext_lazy as _
+from note_kfet.middlewares import get_current_authenticated_user, get_current_session
-from note_kfet.middlewares import get_current_request
 
 
 class CustomNK15Hasher(PBKDF2PasswordHasher):
@@ -26,22 +24,16 @@ class CustomNK15Hasher(PBKDF2PasswordHasher):
 
     def must_update(self, encoded):
         if settings.DEBUG:
-            # Small hack to let superusers to impersonate people.
+            current_user = get_current_authenticated_user()
-            # Don't change their password.
-            request = get_current_request()
-            current_user = request.user
             if current_user is not None and current_user.is_superuser:
                 return False
         return True
 
     def verify(self, password, encoded):
         if settings.DEBUG:
-            # Small hack to let superusers to impersonate people.
+            current_user = get_current_authenticated_user()
-            # If a superuser is already connected, let him/her log in as another person.
-            request = get_current_request()
-            current_user = request.user
             if current_user is not None and current_user.is_superuser\
-                    and request.session.get("permission_mask", -1) >= 42:
+                    and get_current_session().get("permission_mask", -1) >= 42:
                 return True
 
         if '|' in encoded:
@@ -49,18 +41,6 @@ class CustomNK15Hasher(PBKDF2PasswordHasher):
             return constant_time_compare(hashlib.sha256((salt + password).encode("utf-8")).hexdigest(), db_hashed_pass)
         return super().verify(password, encoded)
 
-    def safe_summary(self, encoded):
-        # Displayed information in Django Admin.
-        if '|' in encoded:
-            salt, db_hashed_pass = encoded.split('$')[2].split('|')
-            return OrderedDict([
-                (_('algorithm'), 'custom_nk15'),
-                (_('iterations'), '1'),
-                (_('salt'), mask_hash(salt)),
-                (_('hash'), mask_hash(db_hashed_pass)),
-            ])
-        return super().safe_summary(encoded)
-
 
 class DebugSuperuserBackdoor(PBKDF2PasswordHasher):
     """
@@ -71,11 +51,8 @@ class DebugSuperuserBackdoor(PBKDF2PasswordHasher):
 
     def verify(self, password, encoded):
         if settings.DEBUG:
-            # Small hack to let superusers to impersonate people.
+            current_user = get_current_authenticated_user()
-            # If a superuser is already connected, let him/her log in as another person.
-            request = get_current_request()
-            current_user = request.user
             if current_user is not None and current_user.is_superuser\
-                    and request.session.get("permission_mask", -1) >= 42:
+                    and get_current_session().get("permission_mask", -1) >= 42:
                 return True
         return super().verify(password, encoded)

apps/member/migrations/0003_create_bde_and_kfet.py

@@ -19,8 +19,8 @@ def create_bde_and_kfet(apps, schema_editor):
         membership_fee_paid=500,
         membership_fee_unpaid=500,
         membership_duration=396,
-        membership_start="2021-08-01",
+        membership_start="2020-08-01",
-        membership_end="2022-09-30",
+        membership_end="2021-09-30",
     )
     Club.objects.get_or_create(
         id=2,
@@ -31,8 +31,8 @@ def create_bde_and_kfet(apps, schema_editor):
         membership_fee_paid=3500,
         membership_fee_unpaid=3500,
         membership_duration=396,
-        membership_start="2021-08-01",
+        membership_start="2020-08-01",
-        membership_end="2022-09-30",
+        membership_end="2021-09-30",
     )
 
     NoteClub.objects.get_or_create(

apps/member/migrations/0007_auto_20210313_1235.py

@@ -1,23 +0,0 @@
-# Generated by Django 2.2.19 on 2021-03-13 11:35
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('member', '0006_create_note_account_bde_membership'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='membership',
-            name='roles',
-            field=models.ManyToManyField(related_name='memberships', to='permission.Role', verbose_name='roles'),
-        ),
-        migrations.AlterField(
-            model_name='profile',
-            name='promotion',
-            field=models.PositiveSmallIntegerField(default=2021, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
-        ),
-    ]

apps/member/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import datetime
@@ -57,7 +57,7 @@ class Profile(models.Model):
             ('A1', _("Mathematics (A1)")),
             ('A2', _("Physics (A2)")),
             ("A'2", _("Applied physics (A'2)")),
-            ("A''2", _("Chemistry (A''2)")),
+            ('A''2', _("Chemistry (A''2)")),
             ('A3', _("Biology (A3)")),
             ('B1234', _("SAPHIRE (B1234)")),
             ('B1', _("Mechanics (B1)")),
@@ -74,7 +74,7 @@ class Profile(models.Model):
 
     promotion = models.PositiveSmallIntegerField(
         null=True,
-        default=datetime.date.today().year if datetime.date.today().month >= 8 else datetime.date.today().year - 1,
+        default=datetime.date.today().year,
         verbose_name=_("promotion"),
         help_text=_("Year of entry to the school (None if not ENS student)"),
     )
@@ -413,12 +413,6 @@ class Membership(models.Model):
         """
         Calculate fee and end date before saving the membership and creating the transaction if needed.
         """
-        # Ensure that club membership dates are valid
-        old_membership_start = self.club.membership_start
-        self.club.update_membership_dates()
-        if self.club.membership_start != old_membership_start:
-            self.club.save()
-
         created = not self.pk
         if not created:
             for role in self.roles.all():

apps/member/signals.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 

apps/member/tables.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import date
@@ -9,7 +9,7 @@ from django.utils.translation import gettext_lazy as _
 from django.urls import reverse_lazy
 from django.utils.html import format_html
 from note.templatetags.pretty_money import pretty_money
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_authenticated_user
 from permission.backends import PermissionBackend
 
 from .models import Club, Membership
@@ -31,8 +31,7 @@ class ClubTable(tables.Table):
         row_attrs = {
             'class': 'table-row',
             'id': lambda record: "row-" + str(record.pk),
-            'data-href': lambda record: record.pk,
+            'data-href': lambda record: record.pk
-            'style': 'cursor:pointer',
         }
 
 
@@ -52,19 +51,19 @@ class UserTable(tables.Table):
     def render_email(self, record, value):
         # Replace the email by a dash if the user can't see the profile detail
         # Replace also the URL
-        if not PermissionBackend.check_perm(get_current_request(), "member.view_profile", record.profile):
+        if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
             value = "—"
             record.email = value
         return value
 
     def render_section(self, record, value):
         return value \
-            if PermissionBackend.check_perm(get_current_request(), "member.view_profile", record.profile) \
+            if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
             else "—"
 
     def render_balance(self, record, value):
         return pretty_money(value)\
-            if PermissionBackend.check_perm(get_current_request(), "note.view_note", record.note) else "—"
+            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"
 
     class Meta:
         attrs = {
@@ -75,8 +74,7 @@ class UserTable(tables.Table):
         model = User
         row_attrs = {
             'class': 'table-row',
-            'data-href': lambda record: record.pk,
+            'data-href': lambda record: record.pk
-            'style': 'cursor:pointer',
         }
 
 
@@ -95,7 +93,7 @@ class MembershipTable(tables.Table):
     def render_user(self, value):
         # If the user has the right, link the displayed user with the page of its detail.
         s = value.username
-        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)
 
@@ -104,7 +102,7 @@ class MembershipTable(tables.Table):
     def render_club(self, value):
         # If the user has the right, link the displayed club with the page of its detail.
         s = value.name
-        if PermissionBackend.check_perm(get_current_request(), "member.view_club", value):
+        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_club", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:club_detail', kwargs={"pk": value.pk}), name=s)
 
@@ -129,7 +127,7 @@ class MembershipTable(tables.Table):
                     date_end=date.today(),
                     fee=0,
                 )
-                if PermissionBackend.check_perm(get_current_request(),
+                if PermissionBackend.check_perm(get_current_authenticated_user(),
                                                 "member.add_membership", empty_membership):  # If the user has right
                     renew_url = reverse_lazy('member:club_renew_membership',
                                              kwargs={"pk": record.pk})
@@ -144,7 +142,7 @@ class MembershipTable(tables.Table):
         # If the user has the right to manage the roles, display the link to manage them
         roles = record.roles.all()
         s = ", ".join(str(role) for role in roles)
-        if PermissionBackend.check_perm(get_current_request(), "member.change_membership_roles", record):
+        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.change_membership_roles", record):
             s = format_html("<a href='" + str(reverse_lazy("member:club_manage_roles", kwargs={"pk": record.pk}))
                             + "'>" + s + "</a>")
         return s
@@ -167,7 +165,7 @@ class ClubManagerTable(tables.Table):
     def render_user(self, value):
         # If the user has the right, link the displayed user with the page of its detail.
         s = value.username
-        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
             s = format_html("<a href={url}>{name}</a>",
                             url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)
 

apps/member/templates/member/base.html

@@ -45,10 +45,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
             <div class="card-footer">
                 {% if user_object %}
                 <a class="btn btn-sm btn-secondary" href="{% url 'member:user_update_profile' user_object.pk %}">
-                    <svg class="bi bi-edit" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+                    <i class="fa fa-edit"></i> {% trans 'Update Profile' %}
-                        <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/>
-                    </svg>
-                    {% trans 'Update Profile' %}
                 </a>
                 {% url 'member:user_detail' user_object.pk as user_profile_url %}
                 {% if request.path_info != user_profile_url %}
@@ -62,10 +59,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
                 {% if ".change_"|has_perm:club %}
                 <a class="btn btn-sm btn-secondary" href="{% url 'member:club_update' pk=club.pk %}"
                    data-turbolinks="false">
-                    <svg class="bi bi-edit" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+                    <i class="fa fa-edit"></i> {% trans 'Update Profile' %}
-                        <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/>
-                    </svg>
-                    {% trans 'Update Profile' %}
                 </a>
                 {% endif %}
                 {% url 'member:club_detail' club.pk as club_detail_url %}

apps/member/templates/member/club_detail.html

@@ -10,10 +10,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 <div class="card">
     <div class="card-header position-relative" id="clubListHeading">
         <a class="font-weight-bold">
-            <svg class="bi bi-users" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-users"></i> {% trans "Club managers" %}
-                <path d="M3 14s-1 0-1-1 1-4 6-4 6 3 6 4-1 1-1 1H3zm5-6a3 3 0 1 0 0-6 3 3 0 0 0 0 6z"/>
-            </svg>
-            {% trans "Club managers" %}
         </a>
     </div>
     {% render_table managers %}
@@ -26,12 +23,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 <div class="card">
     <div class="card-header position-relative" id="clubListHeading">
         <a class="stretched-link font-weight-bold" href="{% url 'member:club_members' pk=club.pk %}">
-            <svg class="bi bi-users" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-users"></i> {% trans "Club members" %}
-                <path d="M7 14s-1 0-1-1 1-4 5-4 5 3 5 4-1 1-1 1H7zm4-6a3 3 0 1 0 0-6 3 3 0 0 0 0 6z"/>
-                <path fill-rule="evenodd" d="M5.216 14A2.238 2.238 0 0 1 5 13c0-1.355.68-2.75 1.936-3.72A6.325 6.325 0 0 0 5 9c-4 0-5 3-5 4s1 1 1 1h4.216z"/>
-                <path d="M4.5 8a2.5 2.5 0 1 0 0-5 2.5 2.5 0 0 0 0 5z"/>
-            </svg>
-            {% trans "Club members" %}
         </a>
     </div>
     {% render_table member_list %}
@@ -45,10 +37,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
     <div class="card-header position-relative" id="historyListHeading">
         <a class="stretched-link font-weight-bold" {% if "note.view_note"|has_perm:club.note %}
             href="{% url 'note:transactions' pk=club.note.pk %}" {% endif %}>
-            <svg class="bi bi-euro" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-euro"></i> {% trans "Transaction history" %}
-                <path d="M4 9.42h1.063C5.4 12.323 7.317 14 10.34 14c.622 0 1.167-.068 1.659-.185v-1.3c-.484.119-1.045.17-1.659.17-2.1 0-3.455-1.198-3.775-3.264h4.017v-.928H6.497v-.936c0-.11 0-.219.008-.329h4.078v-.927H6.618c.388-1.898 1.719-2.985 3.723-2.985.614 0 1.175.05 1.659.177V2.194A6.617 6.617 0 0 0 10.341 2c-2.928 0-4.82 1.569-5.244 4.3H4v.928h1.01v1.265H4v.928z"/>
-            </svg>
-            {% trans "Transaction history" %}
         </a>
     </div>
     <div id="history_list">

apps/member/templates/member/includes/club_info.html

@@ -47,9 +47,7 @@
     <dt class="col-xl-6">{% trans 'aliases'|capfirst %}</dt>
     <dd class="col-xl-6">
         <a class="badge badge-secondary" href="{% url 'member:club_alias' club.pk %}">
-            <svg class="bi bi-edit" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-edit"></i>
-                <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/>
-            </svg>
             {% trans 'Manage aliases' %} ({{ club.note.alias.all|length }})
         </a>
     </dd>

apps/member/templates/member/includes/profile_info.html

@@ -11,9 +11,7 @@
     <dt class="col-xl-6">{% trans 'password'|capfirst %}</dt>
     <dd class="col-xl-6">
         <a class="badge badge-secondary" href="{% url 'password_change' %}">
-            <svg class="bi bi-lock" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-lock"></i>
-                <path d="M8 1a2 2 0 0 1 2 2v4H6V3a2 2 0 0 1 2-2zm3 6V3a3 3 0 0 0-6 0v4a2 2 0 0 0-2 2v5a2 2 0 0 0 2 2h6a2 2 0 0 0 2-2V9a2 2 0 0 0-2-2z"/>
-            </svg>
             {% trans 'Change password' %}
         </a>
     </dd>
@@ -22,9 +20,7 @@
     <dt class="col-xl-6">{% trans 'aliases'|capfirst %}</dt>
     <dd class="col-xl-6">
         <a class="badge badge-secondary" href="{% url 'member:user_alias' user_object.pk %}">
-            <svg class="bi bi-edit" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-edit"></i>
-                <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/>
-            </svg>
             {% trans 'Manage aliases' %} ({{ user_object.note.alias.all|length }})
         </a>
     </dd>
@@ -43,23 +39,20 @@
         <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
         <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
 
-        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+        {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
-        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
-    {% endif %}
-
-    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
         <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
         <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
+
+        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        {% endif %}
     {% endif %}
 </dl>
 
 {% if user_object.pk == user.pk %}
     <div class="text-center">
         <a class="small badge badge-secondary" href="{% url 'member:auth_token' %}">
-            <svg class="bi bi-cogs" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-cogs"></i>{% trans 'API token' %}
-                <path d="M9.405 1.05c-.413-1.4-2.397-1.4-2.81 0l-.1.34a1.464 1.464 0 0 1-2.105.872l-.31-.17c-1.283-.698-2.686.705-1.987 1.987l.169.311c.446.82.023 1.841-.872 2.105l-.34.1c-1.4.413-1.4 2.397 0 2.81l.34.1a1.464 1.464 0 0 1 .872 2.105l-.17.31c-.698 1.283.705 2.686 1.987 1.987l.311-.169a1.464 1.464 0 0 1 2.105.872l.1.34c.413 1.4 2.397 1.4 2.81 0l.1-.34a1.464 1.464 0 0 1 2.105-.872l.31.17c1.283.698 2.686-.705 1.987-1.987l-.169-.311a1.464 1.464 0 0 1 .872-2.105l.34-.1c1.4-.413 1.4-2.397 0-2.81l-.34-.1a1.464 1.464 0 0 1-.872-2.105l.17-.31c.698-1.283-.705-2.686-1.987-1.987l-.311.169a1.464 1.464 0 0 1-2.105-.872l-.1-.34zM8 10.93a2.929 2.929 0 1 1 0-5.86 2.929 2.929 0 0 1 0 5.858z"/>
-            </svg>
-            {% trans 'API token' %}
         </a>
     </div>
 {% endif %}

apps/member/templates/member/manage_auth_tokens.html

@@ -5,98 +5,32 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% load i18n %}
 
 {% block content %}
-<div class="row mt-4">
+<div class="alert alert-info">
-    <div class="col-xl-6">
+    <h4>À quoi sert un jeton d'authentification ?</h4>
-        <div class="card">
-            <div class="card-header text-center">
-                <h3>{% trans "Token authentication" %}</h3>
-            </div>
-            <div class="card-body">
-                <div class="alert alert-info">
-                    <h4>À quoi sert un jeton d'authentification ?</h4>
 
-                    Un jeton vous permet de vous connecter à <a href="/api/">l'API de la Note Kfet</a> via votre propre compte
+    Un jeton vous permet de vous connecter à <a href="/api/">l'API de la Note Kfet</a>.<br />
-                    depuis un client externe.<br />
+    Il suffit pour cela d'ajouter en en-tête de vos requêtes <code>Authorization: Token &lt;TOKEN&gt;</code>
-                    Il suffit pour cela d'ajouter en en-tête de vos requêtes <code>Authorization: Token &lt;TOKEN&gt;</code>
+    pour pouvoir vous identifier.<br /><br />
-                    pour pouvoir vous identifier.<br /><br />
 
-                    La documentation de l'API est disponible ici :
+    Une documentation de l'API arrivera ultérieurement.
-                    <a href="/doc/api/">{{ request.scheme }}://{{ request.get_host }}/doc/api/</a>.
-                </div>
-
-                <div class="alert alert-info">
-                    <strong>{%trans  'Token' %} :</strong>
-                    {% if 'show' in request.GET %}
-                    {{ token.key }} (<a href="?">cacher</a>)
-                    {% else %}
-                    <em>caché</em> (<a href="?show">montrer</a>)
-                    {% endif %}
-                    <br />
-                    <strong>{%trans  'Created' %} :</strong> {{ token.created }}
-                </div>
-
-                <div class="alert alert-warning">
-                    <strong>{% trans "Warning" %} :</strong> regénérer le jeton va révoquer tout accès autorisé à l'API via ce jeton !
-                </div>
-            </div>
-            <div class="card-footer text-center">
-                <a href="?regenerate">
-                    <button class="btn btn-primary">{% trans 'Regenerate token' %}</button>
-                </a>
-            </div>
-        </div>
-    </div>
-
-    <div class="col-xl-6">
-        <div class="card">
-            <div class="card-header text-center">
-                <h3>{% trans "OAuth2 authentication" %}</h3>
-            </div>
-            <div class="card-header">
-                <div class="alert alert-info">
-                    <p>
-                        La Note Kfet implémente également le protocole <a href="https://oauth.net/2/">OAuth2</a>, afin de
-                        permettre à des applications tierces d'interagir avec la Note en récoltant des informations
-                        (de connexion par exemple) voir en permettant des modifications à distance, par exemple lorsqu'il
-                        s'agit d'avoir un site marchand sur lequel faire des transactions via la Note Kfet.
-                    </p>
-
-                    <p>
-                        L'usage de ce protocole est recommandé pour tout usage non personnel, car permet de mieux cibler
-                        les droits dont on a besoin, en restreignant leur usage par jeton généré.
-                    </p>
-
-                    <p>
-                        La documentation vis-à-vis de l'usage de ce protocole est disponible ici :
-                        <a href="/doc/external_services/oauth2/">{{ request.scheme }}://{{ request.get_host }}/doc/external_services/oauth2/</a>.
-                    </p>
-                </div>
-
-                Liste des URL à communiquer à votre application :
-
-                <ul>
-                    <li>
-                        {% trans "Authorization:" %}
-                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:authorize' %}</a>
-                    </li>
-                    <li>
-                        {% trans "Token:" %}
-                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:token' %}</a>
-                    </li>
-                    <li>
-                        {% trans "Revoke Token:" %}
-                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:revoke-token' %}</a>
-                    </li>
-                    <li>
-                        {% trans "Introspect Token:" %}
-                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:introspect' %}</a>
-                    </li>
-                </ul>
-            </div>
-            <div class="card-footer text-center">
-                <a class="btn btn-primary" href="{% url 'oauth2_provider:list' %}">{% trans "Show my applications" %}</a>
-            </div>
-        </div>
-    </div>
 </div>
+
+<div class="alert alert-info">
+    <strong>{%trans  'Token' %} :</strong>
+    {% if 'show' in request.GET %}
+    {{ token.key }} (<a href="?">cacher</a>)
+    {% else %}
+    <em>caché</em> (<a href="?show">montrer</a>)
+    {% endif %}
+    <br />
+    <strong>{%trans  'Created' %} :</strong> {{ token.created }}
+</div>
+
+<div class="alert alert-warning">
+    <strong>Attention :</strong> regénérer le jeton va révoquer tout accès autorisé à l'API via ce jeton !
+</div>
+
+<a href="?regenerate">
+    <button class="btn btn-primary">{% trans 'Regenerate token' %}</button>
+</a>
 {% endblock %}

apps/member/templates/member/profile_detail.html

@@ -18,10 +18,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 <div class="card bg-light mb-3">
     <div class="card-header position-relative" id="clubListHeading">
         <a class="font-weight-bold">
-            <svg class="bi bi-users" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-users"></i> {% trans "View my memberships" %}
-                <path d="M3 14s-1 0-1-1 1-4 6-4 6 3 6 4-1 1-1 1H3zm5-6a3 3 0 1 0 0-6 3 3 0 0 0 0 6z"/>
-            </svg>
-            {% trans "View my memberships" %}
         </a>
     </div>
     {% render_table club_list %}
@@ -32,10 +29,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
         <a class="stretched-link font-weight-bold text-decoration-none"
             {% if "note.view_note"|has_perm:user_object.note %}
             href="{% url 'note:transactions' pk=user_object.note.pk %}" {% endif %}>
-            <svg class="bi bi-euro" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+            <i class="fa fa-euro"></i> {% trans "Transaction history" %}
-                <path d="M4 9.42h1.063C5.4 12.323 7.317 14 10.34 14c.622 0 1.167-.068 1.659-.185v-1.3c-.484.119-1.045.17-1.659.17-2.1 0-3.455-1.198-3.775-3.264h4.017v-.928H6.497v-.936c0-.11 0-.219.008-.329h4.078v-.927H6.618c.388-1.898 1.719-2.985 3.723-2.985.614 0 1.175.05 1.659.177V2.194A6.617 6.617 0 0 0 10.341 2c-2.928 0-4.82 1.569-5.244 4.3H4v.928h1.01v1.265H4v.928z"/>
-            </svg>
-            {% trans "Transaction history" %}
         </a>
     </div>
     <div id="history_list">

apps/member/templates/member/user_list.html

@@ -7,11 +7,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% block content %}
 {% if can_manage_registrations %}
 <a class="btn btn-block btn-secondary mb-3" href="{% url 'registration:future_user_list' %}">
-    <svg class="bi bi-user-plus" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+    <i class="fa fa-user-plus"></i> {% trans "Registrations" %}
-        <path d="M1 14s-1 0-1-1 1-4 6-4 6 3 6 4-1 1-1 1H1zm5-6a3 3 0 1 0 0-6 3 3 0 0 0 0 6z"/>
-        <path fill-rule="evenodd" d="M13.5 5a.5.5 0 0 1 .5.5V7h1.5a.5.5 0 0 1 0 1H14v1.5a.5.5 0 0 1-1 0V8h-1.5a.5.5 0 0 1 0-1H13V5.5a.5.5 0 0 1 .5-.5z"/>
-    </svg>
-    {% trans "Registrations" %}
 </a>
 {% endif %}
 

apps/member/templatetags/memberinfo.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import date

apps/member/tests/test_login.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 from django.conf import settings
 from django.contrib.auth.models import User

apps/member/tests/test_memberships.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import hashlib

apps/member/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.urls import path

apps/member/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import timedelta, date
@@ -21,7 +21,7 @@ from rest_framework.authtoken.models import Token
 from note.models import Alias, NoteUser
 from note.models.transactions import Transaction, SpecialTransaction
 from note.tables import HistoryTable, AliasTable
-from note_kfet.middlewares import _set_current_request
+from note_kfet.middlewares import _set_current_user_and_ip
 from permission.backends import PermissionBackend
 from permission.models import Role
 from permission.views import ProtectQuerysetMixin, ProtectedCreateView
@@ -41,8 +41,7 @@ class CustomLoginView(LoginView):
     @transaction.atomic
     def form_valid(self, form):
         logout(self.request)
-        self.request.user = form.get_user()
+        _set_current_user_and_ip(form.get_user(), self.request.session, None)
-        _set_current_request(self.request)
         self.request.session['permission_mask'] = form.cleaned_data['permission_mask'].rank
         return super().form_valid(form)
 
@@ -71,7 +70,7 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         form.fields['email'].required = True
         form.fields['email'].help_text = _("This address must be valid.")
 
-        if PermissionBackend.check_perm(self.request, "member.change_profile", context['user_object'].profile):
+        if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile):
             context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
                                                         data=self.request.POST if self.request.POST else None)
             if not self.object.profile.report_frequency:
@@ -154,13 +153,13 @@ class UserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         history_list = \
             Transaction.objects.all().filter(Q(source=user.note) | Q(destination=user.note))\
             .order_by("-created_at")\
-            .filter(PermissionBackend.filter_queryset(self.request, Transaction, "view"))
+            .filter(PermissionBackend.filter_queryset(self.request.user, Transaction, "view"))
         history_table = HistoryTable(history_list, prefix='transaction-')
         history_table.paginate(per_page=20, page=self.request.GET.get("transaction-page", 1))
         context['history_list'] = history_table
 
         club_list = Membership.objects.filter(user=user, date_end__gte=date.today() - timedelta(days=15))\
-            .filter(PermissionBackend.filter_queryset(self.request, Membership, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request.user, Membership, "view"))\
             .order_by("club__name", "-date_start")
         # Display only the most recent membership
         club_list = club_list.distinct("club__name")\
@@ -177,20 +176,21 @@ class UserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
             modified_note.is_active = True
             modified_note.inactivity_reason = 'manual'
             context["can_lock_note"] = user.note.is_active and PermissionBackend\
-                                           .check_perm(self.request, "note.change_noteuser_is_active", modified_note)
+                                           .check_perm(self.request.user, "note.change_noteuser_is_active",
+                                                       modified_note)
             old_note = NoteUser.objects.select_for_update().get(pk=user.note.pk)
             modified_note.inactivity_reason = 'forced'
             modified_note._force_save = True
             modified_note.save()
             context["can_force_lock"] = user.note.is_active and PermissionBackend\
-                .check_perm(self.request, "note.change_note_is_active", modified_note)
+                .check_perm(self.request.user, "note.change_note_is_active", modified_note)
             old_note._force_save = True
             old_note._no_signal = True
             old_note.save()
             modified_note.refresh_from_db()
             modified_note.is_active = True
             context["can_unlock_note"] = not user.note.is_active and PermissionBackend\
-                .check_perm(self.request, "note.change_note_is_active", modified_note)
+                .check_perm(self.request.user, "note.change_note_is_active", modified_note)
 
         return context
 
@@ -237,7 +237,7 @@ class UserListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        pre_registered_users = User.objects.filter(PermissionBackend.filter_queryset(self.request, User, "view"))\
+        pre_registered_users = User.objects.filter(PermissionBackend.filter_queryset(self.request.user, User, "view"))\
             .filter(profile__registration_valid=False)
         context["can_manage_registrations"] = pre_registered_users.exists()
         return context
@@ -256,8 +256,8 @@ class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data(**kwargs)
         note = context['object'].note
         context["aliases"] = AliasTable(
-            note.alias.filter(PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct().all())
+            note.alias.filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view")).distinct().all())
-        context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_alias", Alias(
+        context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
             note=context["object"].note,
             name="",
             normalized_name="",
@@ -382,7 +382,7 @@ class ClubListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        context["can_add_club"] = PermissionBackend.check_perm(self.request, "member.add_club", Club(
+        context["can_add_club"] = PermissionBackend.check_perm(self.request.user, "member.add_club", Club(
             name="",
             email="club@example.com",
         ))
@@ -404,7 +404,7 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data(**kwargs)
 
         club = context["club"]
-        if PermissionBackend.check_perm(self.request, "member.change_club_membership_start", club):
+        if PermissionBackend.check_perm(self.request.user, "member.change_club_membership_start", club):
             club.update_membership_dates()
         # managers list
         managers = Membership.objects.filter(club=self.object, roles__name="Bureau de club",
@@ -413,7 +413,7 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context["managers"] = ClubManagerTable(data=managers, prefix="managers-")
         # transaction history
         club_transactions = Transaction.objects.all().filter(Q(source=club.note) | Q(destination=club.note))\
-            .filter(PermissionBackend.filter_queryset(self.request, Transaction, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request.user, Transaction, "view"))\
             .order_by('-created_at')
         history_table = HistoryTable(club_transactions, prefix="history-")
         history_table.paginate(per_page=20, page=self.request.GET.get('history-page', 1))
@@ -422,7 +422,7 @@ class ClubDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         club_member = Membership.objects.filter(
             club=club,
             date_end__gte=date.today() - timedelta(days=15),
-        ).filter(PermissionBackend.filter_queryset(self.request, Membership, "view"))\
+        ).filter(PermissionBackend.filter_queryset(self.request.user, Membership, "view"))\
             .order_by("user__username", "-date_start")
         # Display only the most recent membership
         club_member = club_member.distinct("user__username")\
@@ -459,8 +459,8 @@ class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         context = super().get_context_data(**kwargs)
         note = context['object'].note
         context["aliases"] = AliasTable(note.alias.filter(
-            PermissionBackend.filter_queryset(self.request, Alias, "view")).distinct().all())
+            PermissionBackend.filter_queryset(self.request.user, Alias, "view")).distinct().all())
-        context["can_create"] = PermissionBackend.check_perm(self.request, "note.add_alias", Alias(
+        context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
             note=context["object"].note,
             name="",
             normalized_name="",
@@ -535,7 +535,7 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         form = context['form']
 
         if "club_pk" in self.kwargs:  # We create a new membership.
-            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request, Club, "view"))\
+            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request.user, Club, "view"))\
                 .get(pk=self.kwargs["club_pk"], weiclub=None)
             form.fields['credit_amount'].initial = club.membership_fee_paid
             # Ensure that the user is member of the parent club and all its the family tree.
@@ -625,6 +625,9 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         # Retrieve form data
         credit_type = form.cleaned_data["credit_type"]
         credit_amount = form.cleaned_data["credit_amount"]
+        last_name = form.cleaned_data["last_name"]
+        first_name = form.cleaned_data["first_name"]
+        bank = form.cleaned_data["bank"]
         soge = form.cleaned_data["soge"] and not user.profile.soge and (club.name == "BDE" or club.name == "Kfet")
 
         if not credit_type:
@@ -655,7 +658,8 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         if club.name != "Kfet" and club.parent_club and not Membership.objects.filter(
                 user=form.instance.user,
                 club=club.parent_club,
-                date_start__gte=club.parent_club.membership_start,
+                date_start__lte=timezone.now(),
+                date_end__gte=club.parent_club.membership_end,
         ).exists():
             form.add_error('user', _('User is not a member of the parent club') + ' ' + club.parent_club.name)
             error = True
@@ -670,9 +674,17 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
                            .format(form.instance.club.membership_end))
             error = True
 
-        if credit_amount and not SpecialTransaction.validate_payment_form(form):
+        if credit_amount:
-            # Check that special information for payment are filled
+            if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):
-            error = True
+                if not last_name:
+                    form.add_error('last_name', _("This field is required."))
+                    error = True
+                if not first_name:
+                    form.add_error('first_name', _("This field is required."))
+                    error = True
+                if not bank and credit_type.special_type == "Chèque":
+                    form.add_error('bank', _("This field is required."))
+                    error = True
 
         return not error
 
@@ -683,7 +695,7 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         """
         # Get the club that is concerned by the membership
         if "club_pk" in self.kwargs:  # get from url of new membership
-            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request, Club, "view")) \
+            club = Club.objects.filter(PermissionBackend.filter_queryset(self.request.user, Club, "view")) \
                 .get(pk=self.kwargs["club_pk"])
             user = form.instance.user
             old_membership = None
@@ -734,7 +746,6 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
             # When we renew the BDE membership, we update the profile section
             # that should happens at least once a year.
             user.profile.section = user.profile.section_generated
-            user.profile._force_save = True
             user.profile.save()
 
         # Credit note before the membership is created.
@@ -867,7 +878,7 @@ class ClubMembersListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableV
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         club = Club.objects.filter(
-            PermissionBackend.filter_queryset(self.request, Club, "view")
+            PermissionBackend.filter_queryset(self.request.user, Club, "view")
         ).get(pk=self.kwargs["pk"])
         context["club"] = club
 

apps/note/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'note.apps.NoteConfig'

apps/note/admin.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin

apps/note/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.conf import settings
@@ -8,7 +8,7 @@ from rest_framework.exceptions import ValidationError
 from rest_polymorphic.serializers import PolymorphicSerializer
 from member.api.serializers import MembershipSerializer
 from member.models import Membership
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_authenticated_user
 from permission.backends import PermissionBackend
 from rest_framework.utils import model_meta
 
@@ -126,7 +126,7 @@ class ConsumerSerializer(serializers.ModelSerializer):
         """
         # If the user has no right to see the note, then we only display the note identifier
         return NotePolymorphicSerializer().to_representation(obj.note)\
-            if PermissionBackend.check_perm(get_current_request(), "note.view_note", obj.note)\
+            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", obj.note)\
             else dict(
             id=obj.note.id,
             name=str(obj.note),
@@ -142,7 +142,7 @@ class ConsumerSerializer(serializers.ModelSerializer):
     def get_membership(self, obj):
         if isinstance(obj.note, NoteUser):
             memberships = Membership.objects.filter(
-                PermissionBackend.filter_queryset(get_current_request(), Membership, "view")).filter(
+                PermissionBackend.filter_queryset(get_current_authenticated_user(), Membership, "view")).filter(
                 user=obj.note.user,
                 club=2,  # Kfet
             ).order_by("-date_start")

apps/note/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import NotePolymorphicViewSet, AliasViewSet, ConsumerViewSet, \

apps/note/api/views.py

@@ -1,6 +1,5 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-import re
 
 from django.conf import settings
 from django.db.models import Q
@@ -11,6 +10,7 @@ from rest_framework import viewsets
 from rest_framework.response import Response
 from rest_framework import status
 from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet
+from note_kfet.middlewares import get_current_session
 from permission.backends import PermissionBackend
 
 from .serializers import NotePolymorphicSerializer, AliasSerializer, ConsumerSerializer,\
@@ -40,11 +40,12 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
         Parse query and apply filters.
         :return: The filtered set of requested notes
         """
-        queryset = self.queryset.filter(PermissionBackend.filter_queryset(self.request, Note, "view")
+        user = self.request.user
-                                        | PermissionBackend.filter_queryset(self.request, NoteUser, "view")
+        get_current_session().setdefault("permission_mask", 42)
-                                        | PermissionBackend.filter_queryset(self.request, NoteClub, "view")
+        queryset = self.queryset.filter(PermissionBackend.filter_queryset(user, Note, "view")
-                                        | PermissionBackend.filter_queryset(self.request, NoteSpecial, "view"))\
+                                        | PermissionBackend.filter_queryset(user, NoteUser, "view")
-            .distinct()
+                                        | PermissionBackend.filter_queryset(user, NoteClub, "view")
+                                        | PermissionBackend.filter_queryset(user, NoteSpecial, "view")).distinct()
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
@@ -66,15 +67,14 @@ class AliasViewSet(ReadProtectedModelViewSet):
     serializer_class = AliasSerializer
     filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
     search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
-    filterset_fields = ['name', 'normalized_name', 'note', 'note__noteuser__user',
+    filterset_fields = ['note', 'note__noteuser__user', 'note__noteclub__club', 'note__polymorphic_ctype__model', ]
-                        'note__noteclub__club', 'note__polymorphic_ctype__model', ]
     ordering_fields = ['name', 'normalized_name', ]
 
     def get_serializer_class(self):
         serializer_class = self.serializer_class
         if self.request.method in ['PUT', 'PATCH']:
             # alias owner cannot be change once establish
-            serializer_class.Meta.read_only_fields = ('note',)
+            setattr(serializer_class.Meta, 'read_only_fields', ('note',))
         return serializer_class
 
     def destroy(self, request, *args, **kwargs):
@@ -82,7 +82,7 @@ class AliasViewSet(ReadProtectedModelViewSet):
         try:
             self.perform_destroy(instance)
         except ValidationError as e:
-            return Response({e.code: str(e)}, status.HTTP_400_BAD_REQUEST)
+            return Response({e.code: e.message}, status.HTTP_400_BAD_REQUEST)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
     def get_queryset(self):
@@ -118,8 +118,7 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
     serializer_class = ConsumerSerializer
     filter_backends = [SearchFilter, OrderingFilter, DjangoFilterBackend]
     search_fields = ['$normalized_name', '$name', '$note__polymorphic_ctype__model', ]
-    filterset_fields = ['name', 'normalized_name', 'note', 'note__noteuser__user',
+    filterset_fields = ['note', 'note__noteuser__user', 'note__noteclub__club', 'note__polymorphic_ctype__model', ]
-                        'note__noteclub__club', 'note__polymorphic_ctype__model', ]
     ordering_fields = ['name', 'normalized_name', ]
 
     def get_queryset(self):
@@ -134,31 +133,23 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
             if settings.DATABASES[queryset.db]["ENGINE"] == 'django.db.backends.postgresql' else queryset
 
         alias = self.request.query_params.get("alias", None)
-        # Check if this is a valid regex. If not, we won't check regex
-        try:
-            re.compile(alias)
-            valid_regex = True
-        except (re.error, TypeError):
-            valid_regex = False
-        suffix = '__iregex' if valid_regex else '__istartswith'
-        alias_prefix = '^' if valid_regex else ''
         queryset = queryset.prefetch_related('note')
 
         if alias:
             # We match first an alias if it is matched without normalization,
             # then if the normalized pattern matches a normalized alias.
             queryset = queryset.filter(
-                **{f'name{suffix}': alias_prefix + alias}
+                name__iregex="^" + alias
             ).union(
                 queryset.filter(
-                    Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
+                    Q(normalized_name__iregex="^" + Alias.normalize(alias))
-                    & ~Q(**{f'name{suffix}': alias_prefix + alias})
+                    & ~Q(name__iregex="^" + alias)
                 ),
                 all=True).union(
                 queryset.filter(
-                    Q(**{f'normalized_name{suffix}': alias_prefix + alias.lower()})
+                    Q(normalized_name__iregex="^" + alias.lower())
-                    & ~Q(**{f'normalized_name{suffix}': alias_prefix + Alias.normalize(alias)})
+                    & ~Q(normalized_name__iregex="^" + Alias.normalize(alias))
-                    & ~Q(**{f'name{suffix}': alias_prefix + alias})
+                    & ~Q(name__iregex="^" + alias)
                 ),
                 all=True)
 
@@ -214,5 +205,7 @@ class TransactionViewSet(ReadProtectedModelViewSet):
     ordering_fields = ['created_at', 'amount', ]
 
     def get_queryset(self):
-        return self.model.objects.filter(PermissionBackend.filter_queryset(self.request, self.model, "view"))\
+        user = self.request.user
+        get_current_session().setdefault("permission_mask", 42)
+        return self.model.objects.filter(PermissionBackend.filter_queryset(user, self.model, "view"))\
             .order_by("created_at", "id")

apps/note/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/note/forms.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 from datetime import datetime
 

apps/note/migrations/0005_auto_20210313_1235.py

@@ -1,19 +0,0 @@
-# Generated by Django 2.2.19 on 2021-03-13 11:35
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('note', '0004_remove_null_tag_on_charfields'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='alias',
-            name='note',
-            field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='alias', to='note.Note'),
-        ),
-    ]

apps/note/models/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .notes import Alias, Note, NoteClub, NoteSpecial, NoteUser

apps/note/models/notes.py

@@ -1,9 +1,10 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import unicodedata
 
 from django.conf import settings
+from django.conf.global_settings import DEFAULT_FROM_EMAIL
 from django.core.exceptions import ValidationError
 from django.core.mail import send_mail
 from django.core.validators import RegexValidator
@@ -189,8 +190,8 @@ class NoteClub(Note):
     def send_mail_negative_balance(self):
         plain_text = render_to_string("note/mails/negative_balance.txt", dict(note=self))
         html = render_to_string("note/mails/negative_balance.html", dict(note=self))
-        send_mail("[Note Kfet] Passage en négatif (club {})".format(self.club.name), plain_text,
+        send_mail("[Note Kfet] Passage en négatif (club {})".format(self.club.name), plain_text, DEFAULT_FROM_EMAIL,
-                  settings.DEFAULT_FROM_EMAIL, [self.club.email], html_message=html)
+                  [self.club.email], html_message=html)
 
 
 class NoteSpecial(Note):

apps/note/models/transactions.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.core.exceptions import ValidationError
@@ -333,36 +333,6 @@ class SpecialTransaction(Transaction):
         self.clean()
         super().save(*args, **kwargs)
 
-    @staticmethod
-    def validate_payment_form(form):
-        """
-        Ensure that last name and first name are filled for a form that creates a SpecialTransaction,
-        and check that if the user pays with a check, then the bank field is filled.
-
-        Return True iff there is no error.
-        Whenever there is an error, they are inserted in the form errors.
-        """
-
-        credit_type = form.cleaned_data["credit_type"]
-        last_name = form.cleaned_data["last_name"]
-        first_name = form.cleaned_data["first_name"]
-        bank = form.cleaned_data["bank"]
-
-        error = False
-
-        if not last_name or not first_name or (not bank and credit_type.special_type == "Chèque"):
-            if not last_name:
-                form.add_error('last_name', _("This field is required."))
-                error = True
-            if not first_name:
-                form.add_error('first_name', _("This field is required."))
-                error = True
-            if not bank and credit_type.special_type == "Chèque":
-                form.add_error('bank', _("This field is required."))
-                error = True
-
-        return not error
-
     class Meta:
         verbose_name = _("Special transaction")
         verbose_name_plural = _("Special transactions")

apps/note/signals.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.utils import timezone

apps/note/static/note/js/consos.js

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+// Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 // SPDX-License-Identifier: GPL-3.0-or-later
 
 // When a transaction is performed, lock the interface to prevent spam clicks.
@@ -28,7 +28,7 @@ $(document).ready(function () {
 
   // Switching in double consumptions mode should update the layout
   $('#double_conso').change(function () {
-    document.getElementById('consos_list_div').classList.remove('d-none')
+    $('#consos_list_div').removeClass('d-none')
     $('#infos_div').attr('class', 'col-sm-5 col-xl-6')
 
     const note_list_obj = $('#note_list')
@@ -37,7 +37,7 @@ $(document).ready(function () {
       note_list_obj.html('')
 
       buttons.forEach(function (button) {
-        document.getElementById(`conso_button_${button.id}`).addEventListener('click', () => {
+        $('#conso_button_' + button.id).click(function () {
           if (LOCK) { return }
           removeNote(button, 'conso_button', buttons, 'consos_list')()
         })
@@ -46,7 +46,7 @@ $(document).ready(function () {
   })
 
   $('#single_conso').change(function () {
-    document.getElementById('consos_list_div').classList.add('d-none')
+    $('#consos_list_div').addClass('d-none')
     $('#infos_div').attr('class', 'col-sm-5 col-md-4')
 
     const consos_list_obj = $('#consos_list')
@@ -68,9 +68,9 @@ $(document).ready(function () {
   })
 
   // Ensure we begin in single consumption. Fix issue with TurboLinks and BootstrapJS
-  document.querySelector("label[for='double_conso']").classList.remove('active')
+  $("label[for='double_conso']").removeClass('active')
 
-  document.getElementById("consume_all").addEventListener('click', consumeAll)
+  $('#consume_all').click(consumeAll)
 })
 
 notes = []
@@ -127,10 +127,11 @@ function addConso (dest, amount, type, category_id, category_name, template_id,
       html += li('conso_button_' + button.id, button.name +
                 '<span class="badge badge-dark badge-pill">' + button.quantity + '</span>')
     })
-    document.getElementById(list).innerHTML = html
 
-    buttons.forEach((button) => {
+    $('#' + list).html(html)
-      document.getElementById(`conso_button_${button.id}`).addEventListener('click', () => {
+
+    buttons.forEach(function (button) {
+      $('#conso_button_' + button.id).click(function () {
         if (LOCK) { return }
         removeNote(button, 'conso_button', buttons, list)()
       })
@@ -145,13 +146,12 @@ function reset () {
   notes_display.length = 0
   notes.length = 0
   buttons.length = 0
-  document.getElementById('note_list').innerHTML = ''
+  $('#note_list').html('')
-  document.getElementById('consos_list').innerHTML = ''
+  $('#consos_list').html('')
-  document.getElementById('note').value = ''
+  $('#note').val('')
-  document.getElementById('note').dataset.originTitle = ''
+  $('#note').attr('data-original-title', '').tooltip('hide')
-  $('#note').tooltip('hide')
+  $('#profile_pic').attr('src', '/static/member/img/default_picture.png')
-  document.getElementById('profile_pic').src = '/static/member/img/default_picture.png'
+  $('#profile_pic_link').attr('href', '#')
-  document.getElementById('profile_pic_link').href = '#'
   refreshHistory()
   refreshBalance()
   LOCK = false
@@ -168,7 +168,7 @@ function consumeAll () {
   let error = false
 
   if (notes_display.length === 0) {
-    document.getElementById('note').classList.add('is-invalid')
+    $('#note').addClass('is-invalid')
     $('#note_list').html(li('', '<strong>Ajoutez des émetteurs.</strong>', 'text-danger'))
     error = true
   }

apps/note/static/note/js/transfer.js

@@ -222,13 +222,6 @@ $(document).ready(function () {
   })
 })
 
-// Make transfer when pressing Enter on the amount section
-$('#amount, #reason, #last_name, #first_name, #bank').keypress((event) => {
-  if (event.originalEvent.charCode === 13) {
-    $('#btn_transfer').click()
-  }
-})
-
 $('#btn_transfer').click(function () {
   if (LOCK) { return }
 
@@ -250,7 +243,7 @@ $('#btn_transfer').click(function () {
     error = true
   }
 
-  const amount = Math.round(100 * amount_field.val())
+  const amount = Math.floor(100 * amount_field.val())
   if (amount > 2147483647) {
     amount_field.addClass('is-invalid')
     $('#amount-required').html('<strong>' + gettext('The amount must stay under 21,474,836.47 €.') + '</strong>')
@@ -355,14 +348,14 @@ $('#btn_transfer').click(function () {
               destination_alias: dest.name
             }).done(function () {
             addMsg(interpolate(gettext('Transfer of %s from %s to %s failed: %s'),
-                [pretty_money(source.quantity * dest.quantity * amount), source.name, dest.name, gettext('insufficient funds')]), 'danger', 10000)
+                [pretty_money(source.quantity * dest.quantity * amount), source.name, + dest.name, gettext('insufficient funds')]), 'danger', 10000)
             reset()
           }).fail(function (err) {
             const errObj = JSON.parse(err.responseText)
             let error = errObj.detail ? errObj.detail : errObj.non_field_errors
             if (!error) { error = err.responseText }
             addMsg(interpolate(gettext('Transfer of %s from %s to %s failed: %s'),
-                [pretty_money(source.quantity * dest.quantity * amount), source.name, dest.name, error]), 'danger')
+                [pretty_money(source.quantity * dest.quantity * amount), source.name, + dest.name, error]), 'danger')
             LOCK = false
           })
         })

apps/note/tables.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import html
@@ -7,7 +7,7 @@ import django_tables2 as tables
 from django.utils.html import format_html
 from django_tables2.utils import A
 from django.utils.translation import gettext_lazy as _
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_authenticated_user
 from permission.backends import PermissionBackend
 
 from .models.notes import Alias
@@ -88,16 +88,16 @@ class HistoryTable(tables.Table):
                 "class": lambda record:
                 str(record.valid).lower()
                 + (' validate' if record.source.is_active and record.destination.is_active and PermissionBackend
-                   .check_perm(get_current_request(), "note.change_transaction_invalidity_reason", record)
+                   .check_perm(get_current_authenticated_user(), "note.change_transaction_invalidity_reason", record)
                    else ''),
                 "data-toggle": "tooltip",
                 "title": lambda record: (_("Click to invalidate") if record.valid else _("Click to validate"))
-                if PermissionBackend.check_perm(get_current_request(),
+                if PermissionBackend.check_perm(get_current_authenticated_user(),
                                                 "note.change_transaction_invalidity_reason", record)
                 and record.source.is_active and record.destination.is_active else None,
                 "onclick": lambda record: 'de_validate(' + str(record.id) + ', ' + str(record.valid).lower()
                                           + ', "' + str(record.__class__.__name__) + '")'
-                if PermissionBackend.check_perm(get_current_request(),
+                if PermissionBackend.check_perm(get_current_authenticated_user(),
                                                 "note.change_transaction_invalidity_reason", record)
                 and record.source.is_active and record.destination.is_active else None,
                 "onmouseover": lambda record: '$("#invalidity_reason_'
@@ -126,7 +126,7 @@ class HistoryTable(tables.Table):
         When the validation status is hovered, an input field is displayed to let the user specify an invalidity reason
         """
         has_perm = PermissionBackend \
-            .check_perm(get_current_request(), "note.change_transaction_invalidity_reason", record)
+            .check_perm(get_current_authenticated_user(), "note.change_transaction_invalidity_reason", record)
 
         val = "✔" if value else "✖"
 
@@ -165,7 +165,7 @@ class AliasTable(tables.Table):
                                        extra_context={"delete_trans": _('delete')},
                                        attrs={'td': {'class': lambda record: 'col-sm-1' + (
                                            ' d-none' if not PermissionBackend.check_perm(
-                                               get_current_request(), "note.delete_alias",
+                                               get_current_authenticated_user(), "note.delete_alias",
                                                record) else '')}}, verbose_name=_("Delete"), )
 
 

apps/note/templates/note/conso_form.html

@@ -129,10 +129,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
                 {# Mode switch #}
                 <div class="card-footer border-primary">
                     <a class="btn btn-sm btn-secondary float-left" href="{% url 'note:template_list' %}">
-                        <svg class="bi bi-edit" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
+                        <i class="fa fa-edit"></i> {% trans "Edit" %}
-                            <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/>
-                        </svg>
-                        {% trans "Edit" %}
                     </a>
                     <div class="btn-group btn-group-toggle float-right" data-toggle="buttons">
                         <label for="single_conso" class="btn btn-sm btn-outline-primary active">

apps/note/templates/note/transaction_form.html

@@ -10,25 +10,21 @@ SPDX-License-Identifier: GPL-2.0-or-later
 {# bandeau transfert/crédit/débit/activité #}
     <div class="row">
         <div class="col-xl-12">
-            <div class="btn-group btn-block">
+            <div class="btn-group btn-group-toggle btn-block" data-toggle="buttons">
-                <div class="btn-group btn-group-toggle btn-block" data-toggle="buttons">
+                <label for="type_transfer" class="btn btn-sm btn-outline-primary active">
-                    <label for="type_transfer" class="btn btn-sm btn-outline-primary active">
+                    <input type="radio" name="transaction_type" id="type_transfer">
-                        <input type="radio" name="transaction_type" id="type_transfer">
+                    {% trans "Transfer" %}
-                        {% trans "Transfer" %}
+                </label>
+                {% if "note.notespecial"|not_empty_model_list %}
+                    <label for="type_credit" class="btn btn-sm btn-outline-primary">
+                        <input type="radio" name="transaction_type" id="type_credit">
+                        {% trans "Credit" %}
                     </label>
-                    {% if "note.notespecial"|not_empty_model_list %}
+                    <label for="type_debit" class="btn btn-sm btn-outline-primary">
-                        <label for="type_credit" class="btn btn-sm btn-outline-primary">
+                        <input type="radio" name="transaction_type" id="type_debit">
-                            <input type="radio" name="transaction_type" id="type_credit">
+                        {% trans "Debit" %}
-                            {% trans "Credit" %}
+                    </label>
-                        </label>
+                {% endif %}
-                        <label for="type_debit" class="btn btn-sm btn-outline-primary">
-                            <input type="radio" name="transaction_type" id="type_debit">
-                            {% trans "Debit" %}
-                        </label>
-                    {% endif %}
-                </div>
-
-                {# Add shortcuts for opened activites if necessary #}
                 {% for activity in activities_open %}
                     <a href="{% url "activity:activity_entry" pk=activity.pk %}" class="btn btn-sm btn-outline-primary">
                         {% trans "Entries" %} {{ activity.name }}
@@ -61,7 +57,7 @@ SPDX-License-Identifier: GPL-2.0-or-later
                 <ul class="list-group list-group-flush" id="source_note_list">
                 </ul>
                 <div class="card-body">
-                    <select id="credit_type" class="form-control custom-select d-none">
+                    <select id="credit_type" class="custom-select d-none">
                         {% for special_type in special_types %}
                             <option value="{{ special_type.id }}">{{ special_type.special_type }}</option>
                         {% endfor %}
@@ -88,7 +84,7 @@ SPDX-License-Identifier: GPL-2.0-or-later
                 <ul class="list-group list-group-flush" id="dest_note_list">
                 </ul>
                 <div class="card-body">
-                    <select id="debit_type" class="form-control custom-select d-none">
+                    <select id="debit_type" class="custom-select d-none">
                         {% for special_type in special_types %}
                             <option value="{{ special_type.id }}">{{ special_type.special_type }}</option>
                         {% endfor %}

apps/note/templatetags/getenv.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django import template

apps/note/templatetags/pretty_money.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django import template

apps/note/tests/test_transactions.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from api.tests import TestAPI

apps/note/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.urls import path

apps/note/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
@@ -38,7 +38,7 @@ class TransactionCreateView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTabl
     def get_queryset(self, **kwargs):
         # retrieves only Transaction that user has the right to see.
         return Transaction.objects.filter(
-            PermissionBackend.filter_queryset(self.request, Transaction, "view")
+            PermissionBackend.filter_queryset(self.request.user, Transaction, "view")
         ).order_by("-created_at").all()[:20]
 
     def get_context_data(self, **kwargs):
@@ -47,16 +47,16 @@ class TransactionCreateView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTabl
         context['polymorphic_ctype'] = ContentType.objects.get_for_model(Transaction).pk
         context['special_polymorphic_ctype'] = ContentType.objects.get_for_model(SpecialTransaction).pk
         context['special_types'] = NoteSpecial.objects\
-            .filter(PermissionBackend.filter_queryset(self.request, NoteSpecial, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request.user, NoteSpecial, "view"))\
             .order_by("special_type").all()
 
         # Add a shortcut for entry page for open activities
         if "activity" in settings.INSTALLED_APPS:
             from activity.models import Activity
-            activities_open = Activity.objects.filter(open=True, activity_type__manage_entries=True).filter(
+            activities_open = Activity.objects.filter(open=True).filter(
-                PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().all()
+                PermissionBackend.filter_queryset(self.request.user, Activity, "view")).distinct().all()
             context["activities_open"] = [a for a in activities_open
-                                          if PermissionBackend.check_perm(self.request,
+                                          if PermissionBackend.check_perm(self.request.user,
                                                                           "activity.add_entry",
                                                                           Entry(activity=a,
                                                                                 note=self.request.user.note, ))]
@@ -159,7 +159,7 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
             return self.handle_no_permission()
 
         templates = TransactionTemplate.objects.filter(
-            PermissionBackend().filter_queryset(self.request, TransactionTemplate, "view")
+            PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
         )
         if not templates.exists():
             raise PermissionDenied(_("You can't see any button."))
@@ -170,7 +170,7 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         restrict to the transaction history the user can see.
         """
         return Transaction.objects.filter(
-            PermissionBackend.filter_queryset(self.request, Transaction, "view")
+            PermissionBackend.filter_queryset(self.request.user, Transaction, "view")
         ).order_by("-created_at").all()[:20]
 
     def get_context_data(self, **kwargs):
@@ -180,13 +180,13 @@ class ConsoView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
         # for each category, find which transaction templates the user can see.
         for category in categories:
             category.templates_filtered = category.templates.filter(
-                PermissionBackend().filter_queryset(self.request, TransactionTemplate, "view")
+                PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
             ).filter(display=True).order_by('name').all()
 
         context['categories'] = [cat for cat in categories if cat.templates_filtered]
         # some transactiontemplate are put forward to find them easily
         context['highlighted'] = TransactionTemplate.objects.filter(highlighted=True).filter(
-            PermissionBackend().filter_queryset(self.request, TransactionTemplate, "view")
+            PermissionBackend().filter_queryset(self.request.user, TransactionTemplate, "view")
         ).order_by('name').all()
         context['polymorphic_ctype'] = ContentType.objects.get_for_model(RecurrentTransaction).pk
 
@@ -209,7 +209,7 @@ class TransactionSearchView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView
         data = form.cleaned_data if form.is_valid() else {}
 
         transactions = Transaction.objects.annotate(total_amount=F("quantity") * F("amount")).filter(
-            PermissionBackend.filter_queryset(self.request, Transaction, "view"))\
+            PermissionBackend.filter_queryset(self.request.user, Transaction, "view"))\
             .filter(Q(source=self.object) | Q(destination=self.object)).order_by('-created_at')
 
         if "source" in data and data["source"]:

apps/permission/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_app_config = 'permission.apps.PermissionConfig'

apps/permission/admin.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-lateré
 
 from django.contrib import admin

apps/permission/api/serializers.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework import serializers

apps/permission/api/urls.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from .views import PermissionViewSet, RoleViewSet

apps/permission/api/views.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from api.viewsets import ReadOnlyProtectedModelViewSet

apps/permission/apps.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.apps import AppConfig

apps/permission/backends.py

@@ -1,15 +1,15 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from datetime import date
 
 from django.contrib.auth.backends import ModelBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Q, F
 from django.utils import timezone
 from note.models import Note, NoteUser, NoteClub, NoteSpecial
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_session
 from member.models import Membership, Club
 
 from .decorators import memoize
@@ -26,31 +26,14 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def get_raw_permissions(request, t):
+    def get_raw_permissions(user, t):
         """
         Query permissions of a certain type for a user, then memoize it.
-        :param request: The current request
+        :param user: The owner of the permissions
         :param t: The type of the permissions: view, change, add or delete
         :return: The queryset of the permissions of the user (memoized) grouped by clubs
         """
-        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+        if isinstance(user, AnonymousUser):
-            # OAuth2 Authentication
-            user = request.auth.user
-
-            def permission_filter(membership_obj):
-                query = Q(pk=-1)
-                for scope in request.auth.scope.split(' '):
-                    permission_id, club_id = scope.split('_')
-                    if int(club_id) == membership_obj.club_id:
-                        query |= Q(pk=permission_id)
-                return query
-        else:
-            user = request.user
-
-            def permission_filter(membership_obj):
-                return Q(mask__rank__lte=request.session.get("permission_mask", 42))
-
-        if user.is_anonymous:
             # Unauthenticated users have no permissions
             return Permission.objects.none()
 
@@ -60,7 +43,7 @@ class PermissionBackend(ModelBackend):
 
         for membership in memberships:
             for role in membership.roles.all():
-                for perm in role.permissions.filter(permission_filter(membership), type=t).all():
+                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():
                     if not perm.permanent:
                         if membership.date_start > date.today() or membership.date_end < date.today():
                             continue
@@ -69,22 +52,16 @@ class PermissionBackend(ModelBackend):
         return perms
 
     @staticmethod
-    def permissions(request, model, type):
+    def permissions(user, model, type):
         """
         List all permissions of the given user that applies to a given model and a give type
-        :param request: The current request
+        :param user: The owner of the permissions
         :param model: The model that the permissions shoud apply
         :param type: The type of the permissions: view, change, add or delete
         :return: A generator of the requested permissions
         """
 
-        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+        for permission in PermissionBackend.get_raw_permissions(user, type):
-            # OAuth2 Authentication
-            user = request.auth.user
-        else:
-            user = request.user
-
-        for permission in PermissionBackend.get_raw_permissions(request, type):
             if not isinstance(model.model_class()(), permission.model.model_class()) or not permission.membership:
                 continue
 
@@ -111,26 +88,20 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def filter_queryset(request, model, t, field=None):
+    def filter_queryset(user, model, t, field=None):
         """
         Filter a queryset by considering the permissions of a given user.
-        :param request: The current request
+        :param user: The owner of the permissions that are fetched
         :param model: The concerned model of the queryset
         :param t: The type of modification (view, add, change, delete)
         :param field: The field of the model to test, if concerned
         :return: A query that corresponds to the filter to give to a queryset
         """
-        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+        if user is None or isinstance(user, AnonymousUser):
-            # OAuth2 Authentication
-            user = request.auth.user
-        else:
-            user = request.user
-
-        if user is None or user.is_anonymous:
             # Anonymous users can't do anything
             return Q(pk=-1)
 
-        if user.is_superuser and request.session.get("permission_mask", -1) >= 42:
+        if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
             # Superusers have all rights
             return Q()
 
@@ -139,7 +110,7 @@ class PermissionBackend(ModelBackend):
 
         # Never satisfied
         query = Q(pk=-1)
-        perms = PermissionBackend.permissions(request, model, t)
+        perms = PermissionBackend.permissions(user, model, t)
         for perm in perms:
             if perm.field and field != perm.field:
                 continue
@@ -151,7 +122,7 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def check_perm(request, perm, obj=None):
+    def check_perm(user_obj, perm, obj=None):
         """
         Check is the given user has the permission over a given object.
         The result is then memoized.
@@ -159,18 +130,11 @@ class PermissionBackend(ModelBackend):
         primary key, the result is not memoized. Moreover, the right could change
         (e.g. for a transaction, the balance of the user could change)
         """
-        # Requested by a shell
+        if user_obj is None or isinstance(user_obj, AnonymousUser):
-        if request is None:
             return False
 
-        user_obj = request.user
+        sess = get_current_session()
-        sess = request.session
+        if sess is not None and sess.session_key is None:
-
-        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
-            # OAuth2 Authentication
-            user_obj = request.auth.user
-
-        if user_obj is None or user_obj.is_anonymous:
             return False
 
         if user_obj.is_superuser and sess.get("permission_mask", -1) >= 42:
@@ -185,19 +149,16 @@ class PermissionBackend(ModelBackend):
 
         ct = ContentType.objects.get_for_model(obj)
         if any(permission.applies(obj, perm_type, perm_field)
-               for permission in PermissionBackend.permissions(request, ct, perm_type)):
+               for permission in PermissionBackend.permissions(user_obj, ct, perm_type)):
             return True
         return False
 
     def has_perm(self, user_obj, perm, obj=None):
-        # Warning: this does not check that user_obj has the permission,
+        return PermissionBackend.check_perm(user_obj, perm, obj)
-        # but if the current request has the permission.
-        # This function is implemented for backward compatibility, and should not be used.
-        return PermissionBackend.check_perm(get_current_request(), perm, obj)
 
     def has_module_perms(self, user_obj, app_label):
         return False
 
     def get_all_permissions(self, user_obj, obj=None):
         ct = ContentType.objects.get_for_model(obj)
-        return list(self.permissions(get_current_request(), ct, "view"))
+        return list(self.permissions(user_obj, ct, "view"))

apps/permission/decorators.py

@@ -1,11 +1,11 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 import sys
 from functools import lru_cache
 from time import time
 
 from django.contrib.sessions.models import Session
-from note_kfet.middlewares import get_current_request
+from note_kfet.middlewares import get_current_session
 
 
 def memoize(f):
@@ -48,11 +48,11 @@ def memoize(f):
             last_collect = time()
 
         # If there is no session, then we don't memoize anything.
-        request = get_current_request()
+        sess = get_current_session()
-        if request is None or request.session is None or request.session.session_key is None:
+        if sess is None or sess.session_key is None:
             return f(*args, **kwargs)
 
-        sess_key = request.session.session_key
+        sess_key = sess.session_key
         if sess_key not in sess_funs:
             # lru_cache makes the job of memoization
             # We store only the 512 latest data per session. It has to be enough.

apps/permission/fixtures/initial.json

@@ -111,12 +111,12 @@
 				"note",
 				"alias"
 			],
-			"query": "[\"AND\", [\"OR\", {\"note__noteuser__user__memberships__club__name\": \"BDE\", \"note__noteuser__user__memberships__date_start__lte\": [\"today\"], \"note__noteuser__user__memberships__date_end__gte\": [\"today\"]}, {\"note__noteclub__isnull\": false}], {\"note__is_active\": true}]",
+			"query": "[\"AND\", [\"OR\", {\"note__noteuser__user__memberships__club__name\": \"Kfet\", \"note__noteuser__user__memberships__date_start__lte\": [\"today\"], \"note__noteuser__user__memberships__date_end__gte\": [\"today\"]}, {\"note__noteclub__isnull\": false}], {\"note__is_active\": true}]",
 			"type": "view",
 			"mask": 1,
 			"field": "",
 			"permanent": false,
-			"description": "Voir les aliases des notes des clubs et des adhérents du club BDE"
+			"description": "Voir les aliases des notes des clubs et des adhérents du club Kfet"
 		}
 	},
 	{
@@ -627,7 +627,7 @@
 			"type": "view",
 			"mask": 1,
 			"field": "",
-			"permanent": true,
+			"permanent": false,
 			"description": "Voir les personnes qu'on a invitées"
 		}
 	},
@@ -1235,7 +1235,7 @@
 			"type": "view",
 			"mask": 1,
 			"field": "",
-			"permanent": true,
+			"permanent": false,
 			"description": "Voir le dernier WEI"
 		}
 	},
@@ -1267,7 +1267,7 @@
 			"type": "add",
 			"mask": 1,
 			"field": "",
-			"permanent": true,
+			"permanent": false,
 			"description": "M'inscrire au dernier WEI"
 		}
 	},
@@ -1331,7 +1331,7 @@
 			"type": "view",
 			"mask": 1,
 			"field": "",
-			"permanent": true,
+			"permanent": false,
 			"description": "Voir ma propre inscription WEI"
 		}
 	},
@@ -1379,7 +1379,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "soge_credit",
-			"permanent": true,
+			"permanent": false,
 			"description": "Indiquer si mon inscription WEI est payée par la Société générale tant qu'elle n'est pas validée"
 		}
 	},
@@ -1427,7 +1427,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "birth_date",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier la date de naissance de ma propre inscription WEI"
 		}
 	},
@@ -1459,7 +1459,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "gender",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier le genre de ma propre inscription WEI"
 		}
 	},
@@ -1491,7 +1491,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "health_issues",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier mes problèmes de santé de mon inscription WEI"
 		}
 	},
@@ -1523,7 +1523,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "emergency_contact_name",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier le nom du contact en cas d'urgence de mon inscription WEI"
 		}
 	},
@@ -1555,7 +1555,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "emergency_contact_phone",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier le téléphone du contact en cas d'urgence de mon inscription WEI"
 		}
 	},
@@ -1699,7 +1699,7 @@
 			"type": "add",
 			"mask": 3,
 			"field": "",
-			"permanent": true,
+			"permanent": false,
 			"description": "Créer une adhésion WEI pour le dernier WEI"
 		}
 	},
@@ -2003,7 +2003,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "clothing_cut",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier ma coupe de vêtements de mon inscription WEI"
 		}
 	},
@@ -2035,7 +2035,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "clothing_size",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier la taille de vêtements de mon inscription WEI"
 		}
 	},
@@ -2243,7 +2243,7 @@
 			"type": "change",
 			"mask": 1,
 			"field": "information_json",
-			"permanent": true,
+			"permanent": false,
 			"description": "Modifier mes préférences en terme de bus et d'équipe si mon inscription n'est pas validée et que je suis en 2A+"
 		}
 	},
@@ -2883,7 +2883,6 @@
 				3,
 				4,
 				5,
-				6,
 				7,
 				8,
 				9,
@@ -2891,10 +2890,6 @@
 				11,
 				12,
 				13,
-				14,
-				15,
-				16,
-				17,
 				22,
 				48,
 				52,
@@ -2912,6 +2907,11 @@
 			"for_club": 2,
 			"name": "Adh\u00e9rent Kfet",
 			"permissions": [
+				6,
+				14,
+				15,
+				16,
+				17,
 				22,
 				34,
 				36,
@@ -3048,7 +3048,6 @@
 				31,
 				32,
 				33,
-				43,
 				51,
 				53,
 				54,
@@ -3305,7 +3304,6 @@
 				30,
 				31,
 				70,
-				72,
 				143,
 				166,
 				167,
@@ -3497,7 +3495,7 @@
 		"model": "permission.role",
 		"pk": 20,
 		"fields": {
-			"for_club": 1,
+			"for_club": 2,
 			"name": "PC Kfet",
 			"permissions": [
 				6,
@@ -3513,9 +3511,6 @@
 				56,
 				57,
 				58,
-				70,
-				72,
-				135,
 				137,
 				143,
 				147,
@@ -3526,7 +3521,8 @@
 				176,
 				177,
 				180,
-				181
+				181,
+				182
 			]
 		}
 	},

apps/permission/models.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import functools

apps/permission/permissions.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from rest_framework.permissions import DjangoObjectPermissions
@@ -45,7 +45,7 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
 
         perms = self.get_required_object_permissions(request.method, model_cls)
         # if not user.has_perms(perms, obj):
-        if not all(PermissionBackend.check_perm(request, perm, obj) for perm in perms):
+        if not all(PermissionBackend.check_perm(user, perm, obj) for perm in perms):
             # If the user does not have permissions we need to determine if
             # they have read permissions to see 403, or not, and simply see
             # a 404 response.