Merge branch 'beta' into 'master'

OAuth2, no side effect permissions

See merge request bde/nk20!128

.gitlab-ci.yml

@@ -16,8 +16,8 @@ py37-django22:
         apt-get install --no-install-recommends -t buster-backports -y
         python3-django python3-django-crispy-forms
         python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil
+        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers
+        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
         python3-bs4 python3-setuptools tox texlive-xetex
   script: tox -e py37-django22
 
@@ -33,8 +33,8 @@ py38-django22:
         apt-get install --no-install-recommends -y
         python3-django python3-django-crispy-forms
         python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil
+        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers
+        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
         python3-bs4 python3-setuptools tox texlive-xetex
   script: tox -e py38-django22
 

Dockerfile

@@ -8,8 +8,8 @@ RUN apt-get update && \
     apt-get install --no-install-recommends -t buster-backports -y \
     python3-django python3-django-crispy-forms \
     python3-django-extensions python3-django-filters python3-django-polymorphic \
-    python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil \
+    python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil \
-    python3-babel python3-lockfile python3-pip python3-phonenumbers ipython3 \
+    python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache ipython3 \
     python3-bs4 python3-setuptools \
     uwsgi uwsgi-plugin-python3 \
     texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome && \

README.md

@@ -93,10 +93,10 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
     $ sudo apt install --no-install-recommends -t buster-backports -y \
         python3-django python3-django-crispy-forms \
         python3-django-extensions python3-django-filters python3-django-polymorphic \
-        python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil \
+        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil \
-        python3-babel python3-lockfile python3-pip python3-phonenumbers ipython3 \
+        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache ipython3 \
         python3-bs4 python3-setuptools \
-        uwsgi uwsgi-plugin-python3 \
+        memcached uwsgi uwsgi-plugin-python3 \
         texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome \
         nginx python3-venv git acl
     ```

ansible/roles/1-apt-basic/tasks/main.yml

@@ -23,13 +23,14 @@
       - python3-babel
       - python3-bs4
       - python3-django
-      - python3-django-cas-server
       - python3-django-crispy-forms
       - python3-django-extensions
       - python3-django-filters
+      - python3-django-oauth-toolkit
       - python3-django-polymorphic
       - python3-djangorestframework
       - python3-lockfile
+      - python3-memcache
       - python3-phonenumbers
       - python3-pil
       - python3-pip
@@ -40,6 +41,9 @@
       # LaTeX (PDF generation)
       - texlive-xetex
 
+      # Cache server
+      - memcached
+
       # WSGI server
       - uwsgi
       - uwsgi-plugin-python3

apps/activity/views.py

@@ -12,8 +12,10 @@ from django.db.models import F, Q
 from django.http import HttpResponse
 from django.urls import reverse_lazy
 from django.utils import timezone
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from django.views.decorators.cache import cache_page
 from django.views.generic import DetailView, TemplateView, UpdateView
 from django_tables2.views import SingleTableView
 from note.models import Alias, NoteSpecial, NoteUser
@@ -288,6 +290,8 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
         return context
 
 
+# Cache for 1 hour
+@method_decorator(cache_page(60 * 60), name='dispatch')
 class CalendarView(View):
     """
     Render an ICS calendar with all valid activities.

apps/member/templates/member/add_members.html

@@ -13,15 +13,29 @@ SPDX-License-Identifier: GPL-3.0-or-later
         {% if additional_fee_renewal %}
         <div class="alert alert-warning">
             {% if renewal %}
-            {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                {% if club.name == "Kfet" %} {# Auto-renewal #}
-            The user is not a member of the club·s {{ clubs }}. An additional fee of {{ pretty_fee }}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
-            will be charged to renew automatically the membership in this/these club·s.
+                    The user is not a member of the club·s {{ clubs }}. An additional fee of {{ pretty_fee }}
-            {% endblocktrans %}
+                    will be charged to renew automatically the membership in this/these club·s.
+                    {% endblocktrans %}
+                {% else %}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                        The user is not a member of the club·s {{ clubs }}. Please create the required memberships,
+                        otherwise it will fail.
+                    {% endblocktrans %}
+                {% endif %}
             {% else %}
-            {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                {% if club.name == "Kfet" %}
-            This club has parents {{ clubs }}. An additional fee of {{ pretty_fee }}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
-            will be charged to adhere automatically to this/these club·s.
+                    This club has parents {{ clubs }}. An additional fee of {{ pretty_fee }}
-            {% endblocktrans %}
+                    will be charged to adhere automatically to this/these club·s.
+                    {% endblocktrans %}
+                {% else %}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                        This club has parents {{ clubs }}. Please make sure that the user is a member of this or these club·s,
+                        otherwise the creation of this membership will fail.
+                    {% endblocktrans %}
+                {% endif %}
             {% endif %}
         </div>
         {% endif %}

apps/member/views.py

@@ -166,6 +166,8 @@ class UserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         # Check permissions to see if the authenticated user can lock/unlock the note
         with transaction.atomic():
             modified_note = NoteUser.objects.get(pk=user.note.pk)
+            # Don't log these tests
+            modified_note._no_signal = True
             modified_note.is_active = True
             modified_note.inactivity_reason = 'manual'
             context["can_lock_note"] = user.note.is_active and PermissionBackend\
@@ -178,6 +180,7 @@ class UserDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
             context["can_force_lock"] = user.note.is_active and PermissionBackend\
                 .check_perm(self.request.user, "note.change_note_is_active", modified_note)
             old_note._force_save = True
+            old_note._no_signal = True
             old_note.save()
             modified_note.refresh_from_db()
             modified_note.is_active = True
@@ -610,6 +613,9 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
         bank = form.cleaned_data["bank"]
         soge = form.cleaned_data["soge"] and not user.profile.soge and (club.name == "BDE" or club.name == "Kfet")
 
+        if not credit_type:
+            credit_amount = 0
+
         if not soge and user.note.balance + credit_amount < fee and not Membership.objects.filter(
                 club__name="Kfet",
                 user=user,
@@ -631,6 +637,16 @@ class ClubAddMemberView(ProtectQuerysetMixin, ProtectedCreateView):
             form.add_error('user', _('User is already a member of the club'))
             error = True
 
+        # Must join the parent club before joining this club, except for the Kfet club where it can be at the same time.
+        if club.name != "Kfet" and club.parent_club and not Membership.objects.filter(
+                user=form.instance.user,
+                club=club.parent_club,
+                date_start__lte=club.parent_club.membership_start,
+                date_end__gte=club.parent_club.membership_end,
+        ).exists():
+            form.add_error('user', _('User is not a member of the parent club') + ' ' + club.parent_club.name)
+            error = True
+
         if club.membership_start and form.instance.date_start < club.membership_start:
             form.add_error('user', _("The membership must start after {:%m-%d-%Y}.")
                            .format(form.instance.club.membership_start))

apps/note/static/note/js/transfer.js

@@ -388,7 +388,7 @@ $('#btn_transfer').click(function () {
       alias = sources_notes_display[0].name
       source_id = user_note.id
       dest_id = special_note
-      reason = 'Retrait ' + $('#credit_type option:selected').text().toLowerCase()
+      reason = 'Retrait ' + $('#debit_type option:selected').text().toLowerCase()
       if (given_reason.length > 0) { reason += ' (' + given_reason + ')' }
     }
     $.post('/api/note/transaction/transaction/',

apps/permission/fixtures/initial.json

@@ -2775,6 +2775,22 @@
 			"description": "Modifier n'importe quel profil non encore inscrit"
 		}
 	},
+	{
+		"model": "permission.permission",
+		"pk": 178,
+		"fields": {
+			"model": [
+				"note",
+				"alias"
+			],
+			"query": "{}",
+			"type": "view",
+			"mask": 3,
+			"field": "",
+			"permanent": false,
+			"description": "Voir tous les alias, y compris ceux des non adhérents"
+		}
+	},
 	{
 		"model": "permission.role",
 		"pk": 1,
@@ -2986,7 +3002,8 @@
 				174,
 				175,
 				176,
-				177
+				177,
+				178
 			]
 		}
 	},
@@ -3168,7 +3185,8 @@
 				174,
 				175,
 				176,
-				177
+				177,
+				178
 			]
 		}
 	},

apps/permission/models.py

@@ -43,6 +43,7 @@ class InstancedPermission:
                 obj = copy(obj)
                 obj.pk = 0
                 with transaction.atomic():
+                    sid = transaction.savepoint()
                     for o in self.model.model_class().objects.filter(pk=0).all():
                         o._force_delete = True
                         Model.delete(o)
@@ -62,8 +63,10 @@ class InstancedPermission:
                     Model.save(obj, force_insert=True)
                     ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists()
                     # Delete testing object
+                    obj._no_signal = True
                     obj._force_delete = True
                     Model.delete(obj)
+                    transaction.savepoint_rollback(sid)
 
                 return ret
 

note.cron

@@ -20,3 +20,5 @@
  55  6     *   *   *     root   cd /var/www/note_kfet && env/bin/python manage.py send_reports
 # Mettre à jour les boutons mis en avant
  00  9     *   *   *     root   cd /var/www/note_kfet && env/bin/python manage.py refresh_highlighted_buttons
+# Vider les tokens Oauth2
+ 00  6     *   *   *     root   cd /var/www/note_kfet && env/bin/python manage.py cleartokens

note_kfet/admin.py

@@ -26,6 +26,14 @@ admin_site = StrongAdminSite()
 admin_site.register(Site, SiteAdmin)
 
 # Add external apps model
+if "oauth2_provider" in settings.INSTALLED_APPS:
+    from oauth2_provider.admin import Application, ApplicationAdmin, Grant, \
+        GrantAdmin, AccessToken, AccessTokenAdmin, RefreshToken, RefreshTokenAdmin
+    admin_site.register(Application, ApplicationAdmin)
+    admin_site.register(Grant, GrantAdmin)
+    admin_site.register(AccessToken, AccessTokenAdmin)
+    admin_site.register(RefreshToken, RefreshTokenAdmin)
+
 if "django_htcpcp_tea" in settings.INSTALLED_APPS:
     from django_htcpcp_tea.admin import *
     from django_htcpcp_tea.models import *
@@ -44,9 +52,3 @@ if "rest_framework" in settings.INSTALLED_APPS:
     from rest_framework.authtoken.admin import *
     from rest_framework.authtoken.models import *
     admin_site.register(Token, TokenAdmin)
-
-if "cas_server" in settings.INSTALLED_APPS:
-    from cas_server.admin import *
-    from cas_server.models import *
-    admin_site.register(ServicePattern, ServicePatternAdmin)
-    admin_site.register(FederatedIendityProvider, FederatedIendityProviderAdmin)

note_kfet/fixtures/cas.json

@@ -1,11 +0,0 @@
-[
-    {
-        "model": "cas_server.servicepattern",
-        "pk": 1,
-        "fields": {
-            "pos": 1,
-            "pattern": ".*",
-            "name": "REPLACEME"
-        }
-    }
-]

note_kfet/fixtures/initial.json

@@ -3,7 +3,7 @@
         "model": "sites.site",
         "pk": 1,
         "fields": {
-            "domain": "localhost",
+            "domain": "note.crans.org",
             "name": "La Note Kfet \ud83c\udf7b"
         }
     }

note_kfet/settings/__init__.py

@@ -49,13 +49,6 @@ try:
 except ImportError:
     pass
 
-if "cas_server" in INSTALLED_APPS:
-    # CAS Settings
-    CAS_AUTO_CREATE_USER = False
-    CAS_LOGO_URL = "/static/img/Saperlistpopette.png"
-    CAS_FAVICON_URL = "/static/favicon/favicon-32x32.png"
-    CAS_SHOW_POWERED = False
-
 if "logs" in INSTALLED_APPS:
     MIDDLEWARE += ('note_kfet.middlewares.SessionMiddleware',)
 

note_kfet/settings/base.py

@@ -35,8 +35,10 @@ INSTALLED_APPS = [
     'mailer',
     'phonenumber_field',
     'polymorphic',
+    'oauth2_provider',
 
     # Django contrib
+    # Django Admin will autodiscover our apps for our custom admin site.
     'django.contrib.admin',
     'django.contrib.admindocs',
     'django.contrib.auth',
@@ -214,6 +216,16 @@ EMAIL_HOST_PASSWORD = os.getenv('EMAIL_PASSWORD', None)
 SERVER_EMAIL = os.getenv("NOTE_MAIL", "notekfet@example.com")
 DEFAULT_FROM_EMAIL = "NoteKfet2020 <" + SERVER_EMAIL + ">"
 
+# Cache
+# https://docs.djangoproject.com/en/2.2/topics/cache/#setting-up-the-cache
+cache_address = os.getenv("CACHE_ADDRESS", "127.0.0.1:11211")
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+        'LOCATION': cache_address,
+    }
+}
+
 # Django REST Framework
 REST_FRAMEWORK = {
     'DEFAULT_PERMISSION_CLASSES': [

note_kfet/settings/development.py

@@ -24,6 +24,14 @@ if os.getenv("DJANGO_DEV_STORE_METHOD", "sqlite") != "postgresql":
         }
     }
 
+# Dummy cache for development
+# https://docs.djangoproject.com/en/2.2/topics/cache/#setting-up-the-cache
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.dummy.DummyCache',
+    }
+}
+
 # Break it, fix it!
 DEBUG = True
 

note_kfet/settings/secrets_example.py

@@ -3,7 +3,6 @@
 
 # CAS
 OPTIONAL_APPS = [
-#    'cas_server',
 #    'debug_toolbar'
 ]
 

note_kfet/templates/cas_server/base.html

@@ -1,99 +0,0 @@
-{% load i18n %}{% load static %}{% get_current_language as LANGUAGE_CODE %}<!DOCTYPE html>
-<html{% if LANGUAGE_CODE %} lang="{{LANGUAGE_CODE}}"{% endif %}>
-    <head>
-        <meta charset="utf-8">
-        <!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge" /><![endif]-->
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>{% block title %}{% trans "Central Authentication Service"  %}{% endblock %}</title>
-        <link href="{{settings.CAS_COMPONENT_URLS.bootstrap3_css}}" rel="stylesheet">
-        <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
-        <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
-        <!--[if lt IE 9]>
-        <script src="{{settings.CAS_COMPONENT_URLS.html5shiv}}"></script>
-        <script src="{{settings.CAS_COMPONENT_URLS.respond}}"></script>
-        <![endif]-->
-        {% if settings.CAS_FAVICON_URL %}<link rel="shortcut icon" href="{{settings.CAS_FAVICON_URL}}" />{% endif %}
-        <link href="{% static "cas_server/styles.css" %}" rel="stylesheet">
-    </head>
-    <body>
-      <div id="wrap">
-        <div class="container">
-            {% if auto_submit %}<noscript>{% endif %}
-            <div class="row">
-              <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
-                <h1 id="app-name">
-                    {% if settings.CAS_LOGO_URL %}<img src="{{settings.CAS_LOGO_URL}}" alt="cas-logo" />{% endif %}
-                    Authentification Note Kfet 2020</h1>
-              </div>
-            </div>
-            {% if auto_submit %}</noscript>{% endif %}
-            <div class="row">
-            <div class="col-lg-3 col-md-3 col-sm-2 col-xs-12"></div>
-            <div class="col-lg-6 col-md-6 col-sm-8 col-xs-12">
-            {% if auto_submit %}<noscript>{% endif %}
-            {% for msg in CAS_INFO_RENDER %}
-              <div class="alert alert-{{msg.type}}{% if msg.discardable %} alert-dismissable{% endif %}">
-                {% if msg.discardable %}<button type="button" class="close" data-dismiss="alert" aria-hidden="true" id="info-{{msg.name}}">&#215;</button>{% endif %}
-                <p>{{msg.message}}</p>
-              </div>
-            {% endfor %}
-            {% if settings.CAS_NEW_VERSION_HTML_WARNING and upgrade_available %}
-              <div class="alert alert-info alert-dismissable">
-                <button type="button" class="close" data-dismiss="alert" aria-hidden="true" id="alert-version">&#215;</button>
-                <p>{% blocktrans %}A new version of the application is available. This instance runs {{VERSION}} and the last version is {{LAST_VERSION}}. Please consider upgrading.{% endblocktrans %}</p>
-              </div>
-            {% endif %}
-            {% block ante_messages %}{% endblock %}
-            {% for message in messages %}
-                <div {% spaceless %}
-                    {% if message.level == message_levels.DEBUG %}
-                        class="alert alert-warning"
-                    {% elif message.level == message_levels.INFO %}
-                        class="alert alert-info"
-                    {% elif message.level == message_levels.SUCCESS %}
-                        class="alert alert-success"
-                    {% elif message.level == message_levels.WARNING %}
-                        class="alert alert-warning"
-                    {% else %}
-                        class="alert alert-danger"
-                    {% endif %}
-                {% endspaceless %}>
-                    <p>{{message}}</p>
-                </div>
-            {% endfor %}
-            {% if auto_submit %}</noscript>{% endif %}
-            {% block content %}{% endblock %}
-            </div>
-            <div class="col-lg-3 col-md-3 col-sm-2 col-xs-0"></div>
-            </div>
-        </div> <!-- /container -->
-      </div>
-      <div style="clear: both;"></div>
-      {% if settings.CAS_SHOW_POWERED %}
-      <div id="footer">
-          <p><a class="text-muted" href="https://pypi.org/project/django-cas-server/">django-cas-server powered</a></p>
-      </div>
-      {% endif %}
-      <script src="{{settings.CAS_COMPONENT_URLS.jquery}}"></script>
-      <script src="{{settings.CAS_COMPONENT_URLS.bootstrap3_js}}"></script>
-      <script src="{% static "cas_server/functions.js" %}"></script>
-      <script type="text/javascript">
-{% if settings.CAS_NEW_VERSION_HTML_WARNING and upgrade_available %}
-discard_and_remember("#alert-version", "cas-alert-version", "{{LAST_VERSION}}");
-{% endif %}
-{% for msg in CAS_INFO_RENDER %}
-{% if msg.discardable %}
-discard_and_remember("#info-{{msg.name}}", "cas-info-{{msg.name}}", "{{msg.hash}}");
-{% endif %}
-{% endfor %}
-{% block javascript_inline %}{% endblock %}
-</script>
-      {% block javascript %}{% endblock %}
-    </body>
-</html>
-<!--
-Powered by django-cas-server version {{VERSION}}
-
-Pypi: https://pypi.org/project/django-cas-server/
-github: https://github.com/nitmir/django-cas-server
--->

note_kfet/urls.py

@@ -40,12 +40,11 @@ urlpatterns = [
 if settings.DEBUG:
     urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 
-
+if "oauth2_provider" in settings.INSTALLED_APPS:
-if "cas_server" in settings.INSTALLED_APPS:
+    # OAuth2 provider
-    urlpatterns += [
+    urlpatterns.append(
-        # Include CAS Server routers
+        path('o/', include('oauth2_provider.urls', namespace='oauth2_provider'))
-        path('cas/', include('cas_server.urls', namespace="cas_server")),
+    )
-    ]
 
 if "debug_toolbar" in settings.INSTALLED_APPS:
     import debug_toolbar

requirements.txt

@@ -1,17 +1,18 @@
 beautifulsoup4~=4.7.1
 Django~=2.2.15
 django-bootstrap-datepicker-plus~=3.0.5
-django-cas-server>=1.2.0
 django-colorfield~=0.3.2
 django-crispy-forms~=1.7.2
 django-extensions~=2.1.4
 django-filter~=2.1.0
 django-htcpcp-tea~=0.3.1
 django-mailer~=2.0.1
+django-oauth-toolkit~=1.1.2
 django-phonenumber-field~=5.0.0
 django-polymorphic~=2.0.3
 djangorestframework~=3.9.0
 django-rest-polymorphic~=0.1.9
 django-tables2~=2.3.1
+python-memcached~=1.59
 phonenumbers~=8.9.10
 Pillow>=5.4.1