allows mask for Oauth2

Small features

See merge request bde/nk20!355

apps/activity/templates/activity/activity_entry.html

@@ -38,7 +38,6 @@ SPDX-License-Identifier: GPL-3.0-or-later
 </a>
 
 <input id="alias" type="text" class="form-control" placeholder="Nom/note ...">
-<button id="trigger" class="btn btn-secondary">Click me !</button>
 
 <hr>
 
@@ -64,46 +63,15 @@ SPDX-License-Identifier: GPL-3.0-or-later
         refreshBalance();
     }
 
-    function process_qrcode() {
-        let name = alias_obj.val();
-        $.get("/api/note/note?search=" + name + "&format=json").done(
-            function (res) {
-                let note = res.results[0];
-                $.post("/api/activity/entry/?format=json", {
-                    csrfmiddlewaretoken: CSRF_TOKEN,
-                    activity: {{ activity.id }},
-                    note: note.id,
-                    guest: null
-                }).done(function () {
-                    addMsg(interpolate(gettext(
-                        "Entry made for %s whose balance is %s €"),
-                        [note.name, note.balance / 100]), "success", 4000);
-                    reloadTable(true);
-                }).fail(function (xhr) {
-                    errMsg(xhr.responseJSON, 4000);
-                });
-            }).fail(function (xhr) {
-                errMsg(xhr.responseJSON, 4000);
-            });
-    }
-
     alias_obj.keyup(function(event) {
         let code = event.originalEvent.keyCode
         if (65 <= code <= 122 || code === 13) {
             debounce(reloadTable)()
         }
-        if (code === 0)
-            process_qrcode();
     });
 
     $(document).ready(init);
 
-    alias_obj2 = document.getElementById("alias");
-    $("#trigger").click(function (e) {
-        addMsg("Clicked", "success", 1000);
-        alias_obj.val(alias_obj.val() + "\0");
-        alias_obj2.dispatchEvent(new KeyboardEvent('keyup'));
-    })
     function init() {
         $(".table-row").click(function (e) {
             let target = e.target.parentElement;
@@ -200,4 +168,4 @@ SPDX-License-Identifier: GPL-3.0-or-later
         });
     }
 </script>
-{% endblock %}
+{% endblock %}

apps/food/views.py

@@ -74,11 +74,15 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
 
         search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view'))
         # table open
-        open_table = self.get_queryset().order_by('expiry_date').filter(
+        open_table = self.get_queryset().filter(
             Q(polymorphic_ctype__model='transformedfood')
             | Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter(
                 expiry_date__lt=timezone.now(), end_of_life='').filter(
                     PermissionBackend.filter_queryset(self.request, Food, 'view'))
+        open_table = open_table.union(self.get_queryset().filter(
+            Q(end_of_life='', order__iexact='open')
+        ).filter(
+            PermissionBackend.filter_queryset(self.request, Food, 'view'))).order_by('expiry_date')
         # table served
         served_table = self.get_queryset().order_by('-pk').filter(
             end_of_life='', is_ready=True).exclude(

apps/member/models.py

@@ -417,7 +417,7 @@ class Membership(models.Model):
         A membership is valid if today is between the start and the end date.
         """
         if self.date_end is not None:
-            return self.date_start.toordinal() <= datetime.datetime.now().toordinal() < self.date_end.toordinal()
+            return self.date_start.toordinal() <= datetime.datetime.now().toordinal() <= self.date_end.toordinal()
         else:
             return self.date_start.toordinal() <= datetime.datetime.now().toordinal()
 

apps/member/templates/member/includes/profile_info.html

@@ -73,10 +73,7 @@
 {% if user_object.pk == user.pk %}
     <div class="text-center">
         <a class="small badge badge-secondary" href="{% url 'member:auth_token' %}">
-            <i class="fa fa-cogs"></i>&nbsp;{% trans 'API token' %}
+            <i class="fa fa-cogs"></i>{% trans 'API token' %}
-        </a>
-        <a class="small badge badge-secondary" href="{% url 'member:qr_code' user_object.pk %}">
-            <i class="fa fa-qrcode"></i>&nbsp;{% trans 'QR Code' %}
         </a>
     </div>
 {% endif %}

apps/member/templates/member/qr_code.html

@@ -1,36 +0,0 @@
-{% extends "base.html" %}
-{% comment %}
-SPDX-License-Identifier: GPL-3.0-or-later
-{% endcomment %}
-{% load i18n %}
-
-{% block content %}
-<div class="card bg-light">
-  	<h3 class="card-header text-center">
-		{% trans "QR Code for" %} {{ user_object.username }} ({{ user_object.first_name }} {{user_object.last_name }})
-  	</h3>
-  	<div class="text-center" id="qrcode">
-  	</div>
-</div>
-
-
-{% endblock %}
-
-{% block extrajavascript %}
-<script src="https://cdnjs.cloudflare.com/ajax/libs/qrcodejs/1.0.0/qrcode.min.js" integrity="sha512-CNgIRecGo7nphbeZ04Sc13ka07paqdeTu0WR1IM4kNcpmBAUSHSQX0FslNhTDadL4O5SAGapGt4FodqL8My0mA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-<script>
-	var qrc = new QRCode(document.getElementById("qrcode"), {
-		text: "{{ user_object.pk }}\0",
-		width: 1024,
-		height: 1024
-	});
-</script>
-{% endblock %}
-
-{% block extracss %}
-<style>
-img {
-    width: 100%
-}
-</style>
-{% endblock %}

apps/member/urls.py

@@ -25,5 +25,4 @@ urlpatterns = [
     path('user/<int:pk>/aliases/', views.ProfileAliasView.as_view(), name="user_alias"),
     path('user/<int:pk>/trust', views.ProfileTrustView.as_view(), name="user_trust"),
     path('manage-auth-token/', views.ManageAuthTokens.as_view(), name='auth_token'),
-    path('user/<int:pk>/qr_code/', views.QRCodeView.as_view(), name='qr_code'),
 ]

apps/member/views.py

@@ -408,14 +408,6 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
         context['token'] = Token.objects.get_or_create(user=self.request.user)[0]
         return context
 
-class QRCodeView(LoginRequiredMixin, DetailView):
-    """
-    Affiche le QR Code
-    """
-    model = User
-    context_object_name = "user_object"
-    template_name = "member/qr_code.html"
-    extra_context = {"title": _("QR Code")}
 
 # ******************************* #
 #              CLUB               #

apps/note/static/note/js/consos.js

@@ -228,7 +228,7 @@ function consume (source, source_alias, dest, quantity, amount, reason, type, ca
           addMsg(interpolate(gettext('Warning, the transaction from the note %s succeed, ' +
               'but the emitter note %s is negative.'), [source_alias, source_alias]), 'warning', 30000)
         }
-        if (source.membership && source.membership.date_end < new Date().toISOString()) {
+        if (source.membership && source.membership.date_end <= new Date().toISOString()) {
           addMsg(interpolate(gettext('Warning, the emitter note %s is no more a BDE member.'), [source_alias]),
               'danger', 30000)
         }

apps/note/static/note/js/transfer.js

@@ -310,10 +310,10 @@ $('#btn_transfer').click(function () {
             destination: dest.note.id,
             destination_alias: dest.name
           }).done(function () {
-          if (source.note.membership && source.note.membership.date_end < new Date().toISOString()) {
+          if (source.note.membership && source.note.membership.date_end <= new Date().toISOString()) {
             addMsg(interpolate(gettext('Warning, the emitter note %s is no more a BDE member.'), [source.name]), 'danger', 30000)
           }
-          if (dest.note.membership && dest.note.membership.date_end < new Date().toISOString()) {
+          if (dest.note.membership && dest.note.membership.date_end <= new Date().toISOString()) {
             addMsg(interpolate(gettext('Warning, the destination note %s is no more a BDE member.'), [dest.name]), 'danger', 30000)
           }
 
@@ -414,7 +414,7 @@ $('#btn_transfer').click(function () {
         bank: $('#bank').val()
       }).done(function () {
       addMsg(gettext('Credit/debit succeed!'), 'success', 10000)
-      if (user_note.membership && user_note.membership.date_end < new Date().toISOString()) { addMsg(gettext('Warning, the emitter note %s is no more a BDE member.'), 'danger', 10000) }
+      if (user_note.membership && user_note.membership.date_end <= new Date().toISOString()) { addMsg(gettext('Warning, the emitter note %s is no more a BDE member.'), 'danger', 10000) }
       reset()
     }).fail(function (err) {
       const errObj = JSON.parse(err.responseText)

apps/permission/backends.py

@@ -39,7 +39,15 @@ class PermissionBackend(ModelBackend):
 
             def permission_filter(membership_obj):
                 query = Q(pk=-1)
+                if 'mask' in request.GET:
+                    try:
+                        rank = int(request.GET['mask'])
+                    except:
+                        rank = 42
+                    query &= Q(mask__rank__lte=rank)
                 for scope in request.auth.scope.split(' '):
+                    if scope == "openid":
+                        continue
                     permission_id, club_id = scope.split('_')
                     if int(club_id) == membership_obj.club_id:
                         query |= Q(pk=permission_id)

apps/permission/scopes.py

@@ -10,6 +10,7 @@ from note_kfet.middlewares import get_current_request
 from .backends import PermissionBackend
 from .models import Permission
 
+from django.utils.translation import gettext_lazy as _
 
 class PermissionScopes(BaseScopes):
     """
@@ -32,7 +33,7 @@ class PermissionScopes(BaseScopes):
 
         scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
                   for p in Permission.objects.all() for club in Club.objects.all()}
-        scopes['openid'] = "OpenID Connect"
+        scopes['openid'] = _("OpenID Connect (username and email)")
         return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):

apps/treasury/migrations/0011_sogecredit_valid.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.6 on 2025-09-28 20:12
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('treasury', '0010_alter_invoice_bde'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sogecredit',
+            name='valid',
+            field=models.BooleanField(blank=True, default=False, verbose_name='Valid'),
+        ),
+    ]

apps/treasury/models.py

@@ -308,6 +308,12 @@ class SogeCredit(models.Model):
         null=True,
     )
 
+    valid = models.BooleanField(
+        default=False,
+        verbose_name=_("Valid"),
+        blank=True,
+    )
+
     class Meta:
         verbose_name = _("Credit from the Société générale")
         verbose_name_plural = _("Credits from the Société générale")
@@ -338,7 +344,7 @@ class SogeCredit(models.Model):
             credit_transaction.save()
             credit_transaction.refresh_from_db()
             self.credit_transaction = credit_transaction
-        elif not self.valid:
+        elif not self.valid_legacy:
             self.credit_transaction.amount = self.amount
             self.credit_transaction._force_save = True
             self.credit_transaction.save()
@@ -346,12 +352,12 @@ class SogeCredit(models.Model):
         return super().save(*args, **kwargs)
 
     @property
-    def valid(self):
+    def valid_legacy(self):
         return self.credit_transaction and self.credit_transaction.valid
 
     @property
     def amount(self):
-        if self.valid:
+        if self.valid_legacy:
             return self.credit_transaction.total
         amount = 0
         transactions_wei = self.transactions.filter(membership__club__weiclub__isnull=False)
@@ -365,7 +371,7 @@ class SogeCredit(models.Model):
         The Sogé credit may be created after the user already paid its memberships.
         We query transactions and update the credit, if it is unvalid.
         """
-        if self.valid or not self.pk:
+        if self.valid_legacy or not self.pk:
             return
 
 # Soge do not pay BDE and kfet memberships since 2022
@@ -405,7 +411,7 @@ class SogeCredit(models.Model):
         Invalidating a Société générale delete the transaction of the bank if it was already created.
         Treasurers must know what they do, With Great Power Comes Great Responsibility...
         """
-        if self.valid:
+        if self.valid_legacy:
             self.credit_transaction.valid = False
             self.credit_transaction.save()
         for tr in self.transactions.all():
@@ -414,7 +420,7 @@ class SogeCredit(models.Model):
             tr.save()
 
     def validate(self, force=False):
-        if self.valid and not force:
+        if self.valid_legacy and not force:
             # The credit is already done
             return
 

apps/treasury/tests/test_treasury.py

@@ -359,7 +359,7 @@ class TestSogeCredits(TestCase):
         ))
         self.assertRedirects(response, reverse("treasury:manage_soge_credit", args=(soge_credit.pk,)), 302, 200)
         soge_credit.refresh_from_db()
-        self.assertTrue(soge_credit.valid)
+        self.assertTrue(soge_credit.valid_legacy)
         self.user.note.refresh_from_db()
         self.assertEqual(
             Transaction.objects.filter(Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3)

requirements.txt

@@ -12,7 +12,7 @@ django-filter~=25.1
 django-mailer~=2.3.2
 django-oauth-toolkit~=3.0.1
 django-phonenumber-field~=8.1.0
-django-polymorphic~=3.1.0
+django-polymorphic~=4.1.0
 djangorestframework~=3.16.0
 django-rest-polymorphic~=0.1.10
 django-tables2~=2.7.5