linters

Security against the cycles
Open table and shelf life
2025-06-21 09:58:23 +02:00 · 2024-07-11 13:38:22 +02:00 · 2024-07-08 17:44:09 +02:00 · 2024-07-07 21:25:26 +02:00 · 2024-07-06 19:26:21 +02:00 · 2024-07-05 11:57:44 +02:00
322 changed files with 23832 additions and 3430 deletions
--- a/.env_example
+++ b/.env_example
@ -10,7 +10,6 @@ DJANGO_SECRET_KEY=CHANGE_ME
 DJANGO_SETTINGS_MODULE=note_kfet.settings
 CONTACT_EMAIL=tresorerie.bde@localhost
 NOTE_URL=localhost
-DOMAIN=localhost

 # Config for mails. Only used in production
 NOTE_MAIL=notekfet@localhost
--- a/.gitignore
+++ b/.gitignore
@ -42,8 +42,15 @@ map.json
 backups/
 /static/
 /media/
+/tmp/

 # Virtualenv
 env/
 venv/
 db.sqlite3
+shell.nix
+
+# ansibles customs host
+ansible/host_vars/*.yaml
+!ansible/host_vars/bde*
+ansible/hosts
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,25 +1,26 @@
 stages:
  - test
  - quality-assurance
+  - docs

 # Also fetch submodules
 variables:
  GIT_SUBMODULE_STRATEGY: recursive

 # Debian Buster
-py37-django22:
-  stage: test
-  image: debian:buster-backports
-  before_script:
-    - >
-        apt-get update &&
-        apt-get install --no-install-recommends -t buster-backports -y
-        python3-django python3-django-crispy-forms
-        python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers
-        python3-bs4 python3-setuptools tox texlive-xetex
-  script: tox -e py37-django22
+# py37-django22:
+#   stage: test
+#   image: debian:buster-backports
+#   before_script:
+#     - >
+#         apt-get update &&
+#         apt-get install --no-install-recommends -t buster-backports -y
+#         python3-django python3-django-crispy-forms
+#         python3-django-extensions python3-django-filters python3-django-polymorphic
+#         python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
+#         python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
+#         python3-bs4 python3-setuptools tox texlive-xetex
+#   script: tox -e py37-django22

 # Ubuntu 20.04
 py38-django22:
@ -33,17 +34,46 @@ py38-django22:
        apt-get install --no-install-recommends -y
        python3-django python3-django-crispy-forms
        python3-django-extensions python3-django-filters python3-django-polymorphic
-        python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil
-        python3-babel python3-lockfile python3-pip python3-phonenumbers
+        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
+        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
        python3-bs4 python3-setuptools tox texlive-xetex
  script: tox -e py38-django22

+# Debian Bullseye
+py39-django22:
+  stage: test
+  image: debian:bullseye
+  before_script:
+    - >
+        apt-get update &&
+        apt-get install --no-install-recommends -y
+        python3-django python3-django-crispy-forms
+        python3-django-extensions python3-django-filters python3-django-polymorphic
+        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil
+        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache
+        python3-bs4 python3-setuptools tox texlive-xetex
+  script: tox -e py39-django22
+
 linters:
  stage: quality-assurance
-  image: debian:buster-backports
+  image: debian:bullseye
  before_script:
    - apt-get update && apt-get install -y tox
  script: tox -e linters

  # Be nice to new contributors, but please use `tox`
  allow_failure: true
+
+# Compile documentation
+documentation:
+  stage: docs
+  image: sphinxdoc/sphinx
+  before_script:
+    - pip install sphinx-rtd-theme
+    - cd docs
+  script:
+    - make dirhtml
+  artifacts:
+    paths:
+      - docs/_build
+    expire_in: 1 day
--- a/4
+++ b/4
@ -8,8 +8,8 @@ RUN apt-get update && \
    apt-get install --no-install-recommends -t buster-backports -y \
    python3-django python3-django-crispy-forms \
    python3-django-extensions python3-django-filters python3-django-polymorphic \
-    python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil \
-    python3-babel python3-lockfile python3-pip python3-phonenumbers ipython3 \
+    python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil \
+    python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache ipython3 \
    python3-bs4 python3-setuptools \
    uwsgi uwsgi-plugin-python3 \
    texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome && \
--- a/README.md
+++ b/README.md
@ -1,8 +1,8 @@
 # NoteKfet 2020

 [![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0.txt)
-[![pipeline status](https://gitlab.crans.org/bde/nk20/badges/master/pipeline.svg)](https://gitlab.crans.org/bde/nk20/commits/master)
-[![coverage report](https://gitlab.crans.org/bde/nk20/badges/master/coverage.svg)](https://gitlab.crans.org/bde/nk20/commits/master)
+[![pipeline status](https://gitlab.crans.org/bde/nk20/badges/main/pipeline.svg)](https://gitlab.crans.org/bde/nk20/commits/main)
+[![coverage report](https://gitlab.crans.org/bde/nk20/badges/main/coverage.svg)](https://gitlab.crans.org/bde/nk20/commits/main)

 ## Table des matières

@ -69,13 +69,31 @@ accessible depuis l'ensemble de votre réseau, pratique pour tester le rendu
 de la note sur un téléphone !

 ## Installation d'une instance de production
+Pour déployer facilement la note il est possible d'utiliser le playbook Ansible (sinon vous pouvez toujours le faire a la main, voir plus bas).
+### Avec ansible
+Il vous faudra un serveur sous debian ou ubuntu connecté à internet et que vous souhaiterez accéder à cette instance de la note sur `note.nomdedomaine.tld`.
+
+0. Installer Ansible sur votre machine personnelle.
+
+0. (bis) cloner le dépot sur votre machine personelle.
+
+1.  Copier le fichier `ansible/host_example`
+``` bash
+$ cp ansible/hosts_example ansible/hosts
+```
+et ajouter sous [dev] et/ou [prod] les serveurs sur lesquels vous souhaitez installer la note.
+2.  Créer un fichier `ansible/host_vars/<note.nomdedomaine.tld.yaml>` sur le modèle des fichiers existants dans `ansible/hosts` et compléter les variables nécessaires.
+
+3. lancer `ansible/base.yaml -l <nomdedomaine.tld.yaml>`
+4. Aller vous faire un café, ca peux durer un moment.
+
+### Installation manuelle

 **En production on souhaite absolument utiliser les modules Python packagées dans le gestionnaire de paquet.**
 Cela permet de mettre à jour facilement les dépendances critiques telles que Django.

 L'installation d'une instance de production néccessite **une installation de Debian Buster ou d'Ubuntu 20.04**.

-Pour aller vite vous pouvez lancer le Playbook Ansible fournit dans ce dépôt en l'adaptant.
 Sinon vous pouvez suivre les étapes décrites ci-dessous.

 0.  Sous Debian Buster, **activer Debian Backports.** En effet Django 2.2 LTS n'est que disponible dans les backports.
@ -93,10 +111,10 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
    $ sudo apt install --no-install-recommends -t buster-backports -y \
        python3-django python3-django-crispy-forms \
        python3-django-extensions python3-django-filters python3-django-polymorphic \
-        python3-djangorestframework python3-django-cas-server python3-psycopg2 python3-pil \
-        python3-babel python3-lockfile python3-pip python3-phonenumbers ipython3 \
-        python3-bs4 python3-setuptools \
-        uwsgi uwsgi-plugin-python3 \
+        python3-djangorestframework python3-django-oauth-toolkit python3-psycopg2 python3-pil \
+        python3-babel python3-lockfile python3-pip python3-phonenumbers python3-memcache ipython3 \
+        python3-bs4 python3-setuptools python3-docutils \
+        memcached uwsgi uwsgi-plugin-python3 \
        texlive-xetex gettext libjs-bootstrap4 fonts-font-awesome \
        nginx python3-venv git acl
    ```
@ -261,20 +279,25 @@ Le cahier des charges initial est disponible [sur le Wiki Crans](https://wiki.cr
 La documentation des classes et fonctions est directement dans le code et est explorable à partir de la partie documentation de l'interface d'administration de Django.
 **Commentez votre code !**

-La documentation plus haut niveau sur le développement est disponible sur [le Wiki associé au dépôt Git](https://gitlab.crans.org/bde/nk20/-/wikis/home).
+La documentation plus haut niveau sur le développement et sur l'utilisation
+est disponible sur <https://note.crans.org/doc> et également dans le dossier `docs`.

 ## FAQ

 ### Regénérer les fichiers de traduction

-Pour regénérer les traductions vous pouvez vous placer à la racine du projet et lancer le script `makemessages`. Il faut penser à ignorer les dossiers ne contenant pas notre code, dont le virtualenv.
+Pour regénérer les traductions vous pouvez vous placer à la racine du projet et lancer le script `makemessages`.
+Il faut penser à ignorer les dossiers ne contenant pas notre code, dont le virtualenv.
+De plus, il faut aussi extraire les variables des fichiers JavaScript.

 ```bash
-django-admin makemessages -i env
+python3 manage.py makemessages -i env
+python3 manage.py makemessages -i env -e js -d djangojs
 ```

 Une fois les fichiers édités, vous pouvez compiler les nouvelles traductions avec

 ```bash
-django-admin compilemessages
+python3 manage.py compilemessages
+python3 manage.py compilejsmessages
 ```
--- a/ansible/base.yml
+++ b/ansible/base.yml
@ -7,7 +7,7 @@
      prompt: "Password of the database (leave it blank to skip database init)"
      private: yes
  vars:
-    mirror: deb.debian.org
+    mirror: eclats.crans.org
  roles:
    - 1-apt-basic
    - 2-nk20
@ -16,3 +16,4 @@
    - 5-nginx
    - 6-psql
    - 7-postinstall
+    - 8-docs
--- a/ansible/host_vars/bde-nk20-beta.adh.crans.org.yml
+++ b/ansible/host_vars/bde-nk20-beta.adh.crans.org.yml
@ -1,5 +0,0 @@
---
-note:
-  server_name: note-beta.crans.org
-  git_branch: beta
-  cron_enabled: false
--- a/ansible/host_vars/bde-note-dev.adh.crans.org.yml
+++ b/ansible/host_vars/bde-note-dev.adh.crans.org.yml
@ -2,4 +2,6 @@
 note:
  server_name: note-dev.crans.org
  git_branch: beta
+  serve_static: false
  cron_enabled: false
+  email: notekfet2020@lists.crans.org
--- a/ansible/host_vars/bde-note.adh.crans.org.yml
+++ b/ansible/host_vars/bde-note.adh.crans.org.yml
@ -1,5 +1,7 @@
 ---
 note:
  server_name: note.crans.org
-  git_branch: master
+  git_branch: main
+  serve_static: true
  cron_enabled: true
+  email: notekfet2020@lists.crans.org
--- a/ansible/hosts_example
+++ b/ansible/hosts_example
@ -1,6 +1,5 @@
 [dev]
-bde3-virt.adh.crans.org
-bde-nk20-beta.adh.crans.org
+bde-note-dev.adh.crans.org

 [prod]
 bde-note.adh.crans.org
--- a/ansible/roles/1-apt-basic/tasks/main.yml
+++ b/ansible/roles/1-apt-basic/tasks/main.yml
@ -1,13 +1,15 @@
 ---
- name: Add buster-backports to apt sources
+- name: Add buster-backports to apt sources if needed
  apt_repository:
    repo: deb http://{{ mirror }}/debian buster-backports main
    state: present
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version | int == 10

 - name: Install note_kfet APT dependencies
  apt:
    update_cache: true
-    default_release: buster-backports
    install_recommends: false
    name:
      # Common tools
@ -23,13 +25,14 @@
      - python3-babel
      - python3-bs4
      - python3-django
-      - python3-django-cas-server
      - python3-django-crispy-forms
      - python3-django-extensions
      - python3-django-filters
+      - python3-django-oauth-toolkit
      - python3-django-polymorphic
      - python3-djangorestframework
      - python3-lockfile
+      - python3-memcache
      - python3-phonenumbers
      - python3-pil
      - python3-pip
@ -40,6 +43,9 @@
      # LaTeX (PDF generation)
      - texlive-xetex

+      # Cache server
+      - memcached
+
      # WSGI server
      - uwsgi
      - uwsgi-plugin-python3
--- a/ansible/roles/2-nk20/tasks/main.yml
+++ b/ansible/roles/2-nk20/tasks/main.yml
@ -16,7 +16,7 @@

 - name: Use default env vars (should be updated!)
  template:
-    src: "env_example"
+    src: "env.j2"
    dest: "/var/www/note_kfet/.env"
    mode: 0644
    force: false
@ -36,3 +36,13 @@
    dest: /etc/cron.d/note
    owner: root
    group: root
+
+- name: Set default directory to /var/www/note_kfet
+  lineinfile:
+    path: /etc/skel/.bashrc
+    line: 'cd /var/www/note_kfet'
+
+- name: Automatically source Python virtual environment
+  lineinfile:
+    path: /etc/skel/.bashrc
+    line: 'source /var/www/note_kfet/env/bin/activate'
--- a/ansible/roles/2-nk20/templates/env.j2
+++ b/ansible/roles/2-nk20/templates/env.j2
@ -0,0 +1,23 @@
+DJANGO_APP_STAGE=prod
+# Only used in dev mode, change to "postgresql" if you want to use PostgreSQL in dev
+DJANGO_DEV_STORE_METHOD=sqlite
+DJANGO_DB_HOST=localhost
+DJANGO_DB_NAME=note_db
+DJANGO_DB_USER=note
+DJANGO_DB_PASSWORD={{ DB_PASSWORD }}
+DJANGO_DB_PORT=
+DJANGO_SECRET_KEY=CHANGE_ME
+DJANGO_SETTINGS_MODULE=note_kfet.settings
+CONTACT_EMAIL=tresorerie.bde@localhost
+NOTE_URL= {{note.server_name}}
+
+# Config for mails. Only used in production
+NOTE_MAIL=notekfet@localhost
+EMAIL_HOST=smtp.localhost
+EMAIL_PORT=25
+EMAIL_USER=notekfet@localhost
+EMAIL_PASSWORD=CHANGE_ME
+
+# Wiki configuration
+WIKI_USER=NoteKfet2020
+WIKI_PASSWORD=
--- a/ansible/roles/4-certbot/tasks/main.yml
+++ b/ansible/roles/4-certbot/tasks/main.yml
@ -9,6 +9,11 @@
  retries: 3
  until: pkg_result is succeeded

+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{note.server_name}}/cert.pem
+  register: letsencrypt_cert
+
 - name: Create /etc/letsencrypt/conf.d
  file:
    path: /etc/letsencrypt/conf.d
@ -19,3 +24,17 @@
    src: "letsencrypt/conf.d/nk20.ini.j2"
    dest: "/etc/letsencrypt/conf.d/nk20.ini"
    mode: 0644
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: stopped
+
+- name: Generate new certificate if one doesn't exist.
+  shell: "certbot certonly --non-interactive --agree-tos --config /etc/letsencrypt/conf.d/nk20.ini -d {{note.server_name}}"
+  when: letsencrypt_cert.stat.exists == False
+
+- name: Restart services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: started
--- a/ansible/roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2
+++ b/ansible/roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2
@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory

 # Uncomment and update to register with the specified e-mail address
-email = notekfet2020@lists.crans.org
+email = {{ note.email }}

 # Uncomment to use a text interface instead of ncurses
 text = True
--- a/ansible/roles/5-nginx/templates/nginx_note.conf
+++ b/ansible/roles/5-nginx/templates/nginx_note.conf
@ -1,5 +1,5 @@
 # the upstream component nginx needs to connect to
-upstream note{
+upstream note {
    server unix:///var/www/note_kfet/note_kfet.sock; # file socket
 }

@ -41,6 +41,7 @@ server {
    # max upload size
    client_max_body_size 75M;   # adjust to taste

+{% if note.serve_static %}
    # Django media
    location /media  {
        alias /var/www/note_kfet/media;  # your Django project's media files - amend as required
@ -50,6 +51,11 @@ server {
        alias /var/www/note_kfet/static; # your Django project's static files - amend as required
    }

+{% endif %}
+    location /doc {
+        alias /var/www/documentation;    # The documentation of the project
+    }
+
    # Finally, send all non-media requests to the Django server.
    location / {
        uwsgi_pass note;
--- a/ansible/roles/6-psql/tasks/main.yml
+++ b/ansible/roles/6-psql/tasks/main.yml
@ -11,14 +11,14 @@
  until: pkg_result is succeeded

 - name: Create role note
-  when: "DB_PASSWORD|bool"    # If the password is not defined, skip the installation
+  when: DB_PASSWORD|length > 0 # If the password is not defined, skip the installation
  postgresql_user:
    name: note
    password: "{{ DB_PASSWORD }}"
  become_user: postgres

 - name: Create NK20 database
-  when: "DB_PASSWORD|bool"
+  when: DB_PASSWORD|length >0
  postgresql_db:
    name: note_db
    owner: note
--- a/ansible/roles/7-postinstall/tasks/main.yml
+++ b/ansible/roles/7-postinstall/tasks/main.yml
@ -1,4 +1,10 @@
 ---
+- name: Collect static files
+  command: /var/www/note_kfet/env/bin/python manage.py collectstatic --noinput
+  args:
+    chdir: /var/www/note_kfet
+  become_user: www-data
+
 - name: Migrate Django database
  command: /var/www/note_kfet/env/bin/python manage.py migrate
  args:
@ -11,14 +17,14 @@
    chdir: /var/www/note_kfet
  become_user: www-data

+- name: Compile JavaScript messages
+  command: /var/www/note_kfet/env/bin/python manage.py compilejsmessages
+  args:
+    chdir: /var/www/note_kfet
+  become_user: www-data
+
 - name: Install initial fixtures
  command: /var/www/note_kfet/env/bin/python manage.py loaddata initial
  args:
    chdir: /var/www/note_kfet
  become_user: postgres
-
- name: Collect static files
-  command: /var/www/note_kfet/env/bin/python manage.py collectstatic --noinput
-  args:
-    chdir: /var/www/note_kfet
-  become_user: www-data
--- a/ansible/roles/8-docs/tasks/main.yml
+++ b/ansible/roles/8-docs/tasks/main.yml
@ -0,0 +1,20 @@
+---
+- name: Install Sphinx and RTD theme
+  pip:
+    requirements: /var/www/note_kfet/docs/requirements.txt
+    virtualenv: /var/www/note_kfet/env
+    virtualenv_command: /usr/bin/python3 -m venv
+    virtualenv_site_packages: true
+  become_user: www-data
+
+- name: Create documentation directory with good permissions
+  file:
+    path: /var/www/documentation
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: u=rwx,g=rwxs,o=rx
+
+- name: Build HTML documentation
+  command: /var/www/note_kfet/env/bin/sphinx-build -b dirhtml /var/www/note_kfet/docs/ /var/www/documentation/
+  become_user: www-data
--- a/apps/activity/init.py
+++ b/apps/activity/init.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 default_app_config = 'activity.apps.ActivityConfig'
--- a/apps/activity/admin.py
+++ b/apps/activity/admin.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.contrib import admin
--- a/apps/activity/api/serializers.py
+++ b/apps/activity/api/serializers.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from rest_framework import serializers
--- a/apps/activity/api/urls.py
+++ b/apps/activity/api/urls.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from .views import ActivityTypeViewSet, ActivityViewSet, EntryViewSet, GuestViewSet
--- a/apps/activity/api/views.py
+++ b/apps/activity/api/views.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from api.viewsets import ReadProtectedModelViewSet
@ -15,10 +15,10 @@ class ActivityTypeViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `ActivityType` objects, serialize it to JSON with the given serializer,
    then render it on /api/activity/type/
    """
-    queryset = ActivityType.objects.all()
+    queryset = ActivityType.objects.order_by('id')
    serializer_class = ActivityTypeSerializer
    filter_backends = [DjangoFilterBackend]
-    filterset_fields = ['name', 'can_invite', ]
+    filterset_fields = ['name', 'manage_entries', 'can_invite', 'guest_entry_fee', ]


 class ActivityViewSet(ReadProtectedModelViewSet):
@ -27,10 +27,16 @@ class ActivityViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `Activity` objects, serialize it to JSON with the given serializer,
    then render it on /api/activity/activity/
    """
-    queryset = Activity.objects.all()
+    queryset = Activity.objects.order_by('id')
    serializer_class = ActivitySerializer
-    filter_backends = [DjangoFilterBackend]
-    filterset_fields = ['name', 'description', 'activity_type', ]
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['name', 'description', 'activity_type', 'location', 'creater', 'organizer', 'attendees_club',
+                        'date_start', 'date_end', 'valid', 'open', ]
+    search_fields = ['$name', '$description', '$location', '$creater__last_name', '$creater__first_name',
+                     '$creater__email', '$creater__note__alias__name', '$creater__note__alias__normalized_name',
+                     '$organizer__name', '$organizer__email', '$organizer__note__alias__name',
+                     '$organizer__note__alias__normalized_name', '$attendees_club__name', '$attendees_club__email',
+                     '$attendees_club__note__alias__name', '$attendees_club__note__alias__normalized_name', ]


 class GuestViewSet(ReadProtectedModelViewSet):
@ -39,10 +45,13 @@ class GuestViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `Guest` objects, serialize it to JSON with the given serializer,
    then render it on /api/activity/guest/
    """
-    queryset = Guest.objects.all()
+    queryset = Guest.objects.order_by('id')
    serializer_class = GuestSerializer
-    filter_backends = [SearchFilter]
-    search_fields = ['$last_name', '$first_name', '$inviter__alias__name', '$inviter__alias__normalized_name', ]
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['activity', 'activity__name', 'last_name', 'first_name', 'inviter', 'inviter__alias__name',
+                        'inviter__alias__normalized_name', ]
+    search_fields = ['$activity__name', '$last_name', '$first_name', '$inviter__user__email', '$inviter__alias__name',
+                     '$inviter__alias__normalized_name', ]


 class EntryViewSet(ReadProtectedModelViewSet):
@ -51,7 +60,9 @@ class EntryViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `Entry` objects, serialize it to JSON with the given serializer,
    then render it on /api/activity/entry/
    """
-    queryset = Entry.objects.all()
+    queryset = Entry.objects.order_by('id')
    serializer_class = EntrySerializer
-    filter_backends = [SearchFilter]
-    search_fields = ['$last_name', '$first_name', '$inviter__alias__name', '$inviter__alias__normalized_name', ]
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['activity', 'time', 'note', 'guest', ]
+    search_fields = ['$activity__name', '$note__user__email', '$note__alias__name', '$note__alias__normalized_name',
+                     '$guest__last_name', '$guest__first_name', ]
--- a/apps/activity/apps.py
+++ b/apps/activity/apps.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.apps import AppConfig
--- a/apps/activity/fixtures/initial.json
+++ b/apps/activity/fixtures/initial.json
@ -6,7 +6,7 @@
            "name": "Pot",
            "manage_entries": true,
            "can_invite": true,
-            "guest_entry_fee": 500
+            "guest_entry_fee": 1000
        }
    },
    {
@ -28,5 +28,25 @@
            "can_invite": false,
            "guest_entry_fee": 0
        }
+    },
+    {
+        "model": "activity.activitytype",
+        "pk": 5,
+        "fields": {
+            "name": "Soir\u00e9e avec entrées",
+            "manage_entries": true,
+            "can_invite": false,
+            "guest_entry_fee": 0
+        }
+    },
+    {
+        "model": "activity.activitytype",
+        "pk": 7,
+        "fields": {
+            "name": "Soir\u00e9e avec invitations",
+            "manage_entries": true,
+            "can_invite": true,
+            "guest_entry_fee": 0
+        }
    }
 ]
--- a/apps/activity/forms.py
+++ b/apps/activity/forms.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from datetime import timedelta
@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
 from member.models import Club
 from note.models import Note, NoteUser
 from note_kfet.inputs import Autocomplete, DateTimePickerInput
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend

 from .models import Activity, Guest
@ -24,10 +24,16 @@ class ActivityForm(forms.ModelForm):
        self.fields["attendees_club"].initial = Club.objects.get(name="Kfet")
        self.fields["attendees_club"].widget.attrs["placeholder"] = "Kfet"
        clubs = list(Club.objects.filter(PermissionBackend
-                                         .filter_queryset(get_current_authenticated_user(), Club, "view")).all())
+                                         .filter_queryset(get_current_request(), Club, "view")).all())
        shuffle(clubs)
        self.fields["organizer"].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."

+    def clean_organizer(self):
+        organizer = self.cleaned_data['organizer']
+        if not organizer.note.is_active:
+            self.add_error('organiser', _('The note of this club is inactive.'))
+        return organizer
+
    def clean_date_end(self):
        date_end = self.cleaned_data["date_end"]
        date_start = self.cleaned_data["date_start"]
--- a/apps/activity/migrations/0003_auto_20240323_1422.py
+++ b/apps/activity/migrations/0003_auto_20240323_1422.py
@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2024-03-23 13:22
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('activity', '0002_auto_20200904_2341'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='activity',
+            name='description',
+            field=models.TextField(blank=True, default='', verbose_name='description'),
+        ),
+    ]
--- a/apps/activity/models.py
+++ b/apps/activity/models.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 import os
@ -7,7 +7,7 @@ from threading import Thread

 from django.conf import settings
 from django.contrib.auth.models import User
-from django.db import models
+from django.db import models, transaction
 from django.db.models import Q
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@ -66,6 +66,8 @@ class Activity(models.Model):

    description = models.TextField(
        verbose_name=_('description'),
+        blank=True,
+        default="",
    )

    location = models.CharField(
@ -123,6 +125,15 @@ class Activity(models.Model):
        verbose_name=_('open'),
    )

+    class Meta:
+        verbose_name = _("activity")
+        verbose_name_plural = _("activities")
+        unique_together = ("name", "date_start", "date_end",)
+
+    def __str__(self):
+        return self.name
+
+    @transaction.atomic
    def save(self, *args, **kwargs):
        """
        Update the activity wiki page each time the activity is updated (validation, change description, ...)
@ -143,14 +154,6 @@ class Activity(models.Model):
                if settings.DATABASES["default"]["ENGINE"] == 'django.db.backends.postgresql' else refresh_activities()
        return ret

-    def __str__(self):
-        return self.name
-
-    class Meta:
-        verbose_name = _("activity")
-        verbose_name_plural = _("activities")
-        unique_together = ("name", "date_start", "date_end",)
-

 class Entry(models.Model):
    """
@ -194,8 +197,8 @@ class Entry(models.Model):
            else _("Entry for {note} to the activity {activity}").format(
            guest=str(self.guest), note=str(self.note), activity=str(self.activity))

+    @transaction.atomic
    def save(self, *args, **kwargs):
-
        qs = Entry.objects.filter(~Q(pk=self.pk), activity=self.activity, note=self.note, guest=self.guest)
        if qs.exists():
            raise ValidationError(_("Already entered on ") + _("{:%Y-%m-%d %H:%M:%S}").format(qs.get().time, ))
@ -251,15 +254,15 @@ class Guest(models.Model):
        verbose_name=_("inviter"),
    )

-    @property
-    def has_entry(self):
-        try:
-            if self.entry:
-                return True
-            return False
-        except AttributeError:
-            return False
+    class Meta:
+        verbose_name = _("guest")
+        verbose_name_plural = _("guests")
+        unique_together = ("activity", "last_name", "first_name", )

+    def __str__(self):
+        return self.first_name + " " + self.last_name
+
+    @transaction.atomic
    def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
        one_year = timedelta(days=365)

@ -288,13 +291,14 @@ class Guest(models.Model):

        return super().save(force_insert, force_update, using, update_fields)

-    def __str__(self):
-        return self.first_name + " " + self.last_name
-
-    class Meta:
-        verbose_name = _("guest")
-        verbose_name_plural = _("guests")
-        unique_together = ("activity", "last_name", "first_name", )
+    @property
+    def has_entry(self):
+        try:
+            if self.entry:
+                return True
+            return False
+        except AttributeError:
+            return False


 class GuestTransaction(Transaction):
--- a/apps/activity/tables.py
+++ b/apps/activity/tables.py
@ -1,7 +1,9 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from django.utils import timezone
-from django.utils.html import format_html
+from django.utils.html import escape
+from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
 import django_tables2 as tables
 from django_tables2 import A
@ -52,8 +54,8 @@ class GuestTable(tables.Table):
    def render_entry(self, record):
        if record.has_entry:
            return str(_("Entered on ") + str(_("{:%Y-%m-%d %H:%M:%S}").format(record.entry.time, )))
-        return format_html('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
-                           '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))
+        return mark_safe('<button id="{id}" class="btn btn-danger btn-sm" onclick="remove_guest(this.id)"> '
+                         '{delete_trans}</button>'.format(id=record.id, delete_trans=_("remove").capitalize()))


 def get_row_class(record):
@ -91,7 +93,7 @@ class EntryTable(tables.Table):
        if hasattr(record, 'username'):
            username = record.username
            if username != value:
-                return format_html(value + " <em>aka.</em> " + username)
+                return mark_safe(escape(value) + " <em>aka.</em> " + escape(username))
        return value

    def render_balance(self, value):
--- a/apps/activity/templates/activity/activity_detail.html
+++ b/apps/activity/templates/activity/activity_detail.html
@ -30,7 +30,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
         headers: {"X-CSRFTOKEN": CSRF_TOKEN}
     })
      .done(function() {
-          addMsg('Invité supprimé','success');
+          addMsg('{% trans "Guest deleted" %}', 'success');
          $("#guests_table").load(location.pathname + " #guests_table");
      })
      .fail(function(xhr, textStatus, error) {
--- a/apps/activity/templates/activity/activity_entry.html
+++ b/apps/activity/templates/activity/activity_entry.html
@ -63,7 +63,12 @@ SPDX-License-Identifier: GPL-3.0-or-later
        refreshBalance();
    }

-    alias_obj.keyup(reloadTable);
+    alias_obj.keyup(function(event) {
+        let code = event.originalEvent.keyCode
+        if (65 <= code <= 122 || code === 13) {
+            debounce(reloadTable)()
+        }
+    });

    $(document).ready(init);

@ -86,10 +91,10 @@ SPDX-License-Identifier: GPL-3.0-or-later
                }).done(function () {
                    if (target.hasClass("table-info"))
                        addMsg(
-                            "Entrée effectuée, mais attention : la personne n'est plus adhérente Kfet.",
+                            "{% trans "Entry done, but caution: the user is not a Kfet member." %}",
                            "warning", 10000);
                    else
-                        addMsg("Entrée effectuée !", "success", 4000);
+                        addMsg("Entry made!", "success", 4000);
                    reloadTable(true);
                }).fail(function (xhr) {
                    errMsg(xhr.responseJSON, 4000);
@ -121,10 +126,10 @@ SPDX-License-Identifier: GPL-3.0-or-later
                    }).done(function () {
                        if (target.hasClass("table-info"))
                            addMsg(
-                                "Entrée effectuée, mais attention : la personne n'est plus adhérente Kfet.",
+                                "{% trans "Entry done, but caution: the user is not a Kfet member." %}",
                                "warning", 10000);
                        else
-                            addMsg("Entrée effectuée !", "success", 4000);
+                            addMsg("{% trans "Entry done!" %}", "success", 4000);
                        reloadTable(true);
                    }).fail(function (xhr) {
                        errMsg(xhr.responseJSON, 4000);
--- a/apps/activity/templates/activity/activity_form.html
+++ b/apps/activity/templates/activity/activity_form.html
@ -17,4 +17,27 @@ SPDX-License-Identifier: GPL-3.0-or-later
    </form>
  </div>
 </div>
-{% endblock %}
+{% endblock %}
+
+{% block extrajavascript %}
+<script>
+  var date_end = document.getElementById("id_date_end");
+  var date_start = document.getElementById("id_date_start");
+  
+  function update_date_end (){
+    if(date_end.value=="" || date_end.value<date_start.value){
+      date_end.value = date_start.value;
+    };
+  };
+  
+  function update_date_start (){
+    if(date_start.value=="" || date_end.value<date_start.value){
+      date_start.value = date_end.value;
+    };
+  };
+  
+  date_start.addEventListener('focusout', update_date_end);
+  date_end.addEventListener('focusout', update_date_start);
+  
+</script>
+{% endblock %}
--- a/apps/activity/tests/test_activities.py
+++ b/apps/activity/tests/test_activities.py
@ -1,15 +1,18 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from datetime import timedelta

+from api.tests import TestAPI
 from django.contrib.auth.models import User
 from django.test import TestCase
 from django.urls import reverse
 from django.utils import timezone
-from activity.models import Activity, ActivityType, Guest, Entry
 from member.models import Club

+from ..api.views import ActivityTypeViewSet, ActivityViewSet, EntryViewSet, GuestViewSet
+from ..models import Activity, ActivityType, Guest, Entry
+

 class TestActivities(TestCase):
    """
@ -173,3 +176,58 @@ class TestActivities(TestCase):
        """
        response = self.client.get(reverse("activity:calendar_ics"))
        self.assertEqual(response.status_code, 200)
+
+
+class TestActivityAPI(TestAPI):
+    def setUp(self) -> None:
+        super().setUp()
+
+        self.activity = Activity.objects.create(
+            name="Activity",
+            description="This is a test activity\non two very very long lines\nbecause this is very important.",
+            location="Earth",
+            activity_type=ActivityType.objects.get(name="Pot"),
+            creater=self.user,
+            organizer=Club.objects.get(name="Kfet"),
+            attendees_club=Club.objects.get(name="Kfet"),
+            date_start=timezone.now(),
+            date_end=timezone.now() + timedelta(days=2),
+            valid=True,
+        )
+
+        self.guest = Guest.objects.create(
+            activity=self.activity,
+            inviter=self.user.note,
+            last_name="GUEST",
+            first_name="Guest",
+        )
+
+        self.entry = Entry.objects.create(
+            activity=self.activity,
+            note=self.user.note,
+            guest=self.guest,
+        )
+
+    def test_activity_api(self):
+        """
+        Load Activity API page and test all filters and permissions
+        """
+        self.check_viewset(ActivityViewSet, "/api/activity/activity/")
+
+    def test_activity_type_api(self):
+        """
+        Load ActivityType API page and test all filters and permissions
+        """
+        self.check_viewset(ActivityTypeViewSet, "/api/activity/type/")
+
+    def test_entry_api(self):
+        """
+        Load Entry API page and test all filters and permissions
+        """
+        self.check_viewset(EntryViewSet, "/api/activity/entry/")
+
+    def test_guest_api(self):
+        """
+        Load Guest API page and test all filters and permissions
+        """
+        self.check_viewset(GuestViewSet, "/api/activity/guest/")
--- a/apps/activity/urls.py
+++ b/apps/activity/urls.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.urls import path
--- a/apps/activity/views.py
+++ b/apps/activity/views.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from hashlib import md5
@ -7,12 +7,15 @@ from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import PermissionDenied
+from django.db import transaction
 from django.db.models import F, Q
 from django.http import HttpResponse
 from django.urls import reverse_lazy
 from django.utils import timezone
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from django.views.decorators.cache import cache_page
 from django.views.generic import DetailView, TemplateView, UpdateView
 from django_tables2.views import SingleTableView
 from note.models import Alias, NoteSpecial, NoteUser
@ -44,6 +47,7 @@ class ActivityCreateView(ProtectQuerysetMixin, ProtectedCreateView):
            date_end=timezone.now(),
        )

+    @transaction.atomic
    def form_valid(self, form):
        form.instance.creater = self.request.user
        return super().form_valid(form)
@ -62,21 +66,20 @@ class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView
    ordering = ('-date_start',)
    extra_context = {"title": _("Activities")}

-    def get_queryset(self):
-        return super().get_queryset().distinct()
+    def get_queryset(self, **kwargs):
+        return super().get_queryset(**kwargs).distinct()

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)

        upcoming_activities = Activity.objects.filter(date_end__gt=timezone.now())
        context['upcoming'] = ActivityTable(
-            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")),
+            data=upcoming_activities.filter(PermissionBackend.filter_queryset(self.request, Activity, "view")),
            prefix='upcoming-',
+            order_by='date_start',
        )

-        started_activities = Activity.objects\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
-            .filter(open=True, valid=True).all()
+        started_activities = self.get_queryset().filter(open=True, valid=True).distinct().all()
        context["started_activities"] = started_activities

        return context
@ -94,7 +97,7 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
        context = super().get_context_data()

        table = GuestTable(data=Guest.objects.filter(activity=self.object)
-                           .filter(PermissionBackend.filter_queryset(self.request.user, Guest, "view")))
+                           .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")))
        context["guests"] = table

        context["activity_started"] = timezone.now() > timezone.localtime(self.object.date_start)
@ -140,14 +143,15 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):

    def get_form(self, form_class=None):
        form = super().get_form(form_class)
-        form.activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
-            .get(pk=self.kwargs["pk"])
+        form.activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
+            .filter(pk=self.kwargs["pk"]).first()
        form.fields["inviter"].initial = self.request.user.note
        return form

+    @transaction.atomic
    def form_valid(self, form):
        form.instance.activity = Activity.objects\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")).get(pk=self.kwargs["pk"])
+            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).get(pk=self.kwargs["pk"])
        return super().form_valid(form)

    def get_success_url(self, **kwargs):
@ -165,10 +169,13 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
        Don't display the entry interface if the user has no right to see it (no right to add an entry for itself),
        it is closed or doesn't manage entries.
        """
+        if not self.request.user.is_authenticated:
+            return self.handle_no_permission()
+
        activity = Activity.objects.get(pk=self.kwargs["pk"])

        sample_entry = Entry(activity=activity, note=self.request.user.note)
-        if not PermissionBackend.check_perm(self.request.user, "activity.add_entry", sample_entry):
+        if not PermissionBackend.check_perm(self.request, "activity.add_entry", sample_entry):
            raise PermissionDenied(_("You are not allowed to display the entry interface for this activity."))

        if not activity.activity_type.manage_entries:
@ -186,8 +193,8 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
        guest_qs = Guest.objects\
            .annotate(balance=F("inviter__balance"), note_name=F("inviter__user__username"))\
            .filter(activity=activity)\
-            .filter(PermissionBackend.filter_queryset(self.request.user, Guest, "view"))\
-            .order_by('last_name', 'first_name').distinct()
+            .filter(PermissionBackend.filter_queryset(self.request, Guest, "view"))\
+            .order_by('last_name', 'first_name')

        if "search" in self.request.GET and self.request.GET["search"]:
            pattern = self.request.GET["search"]
@ -201,7 +208,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
            )
        else:
            guest_qs = guest_qs.none()
-        return guest_qs
+        return guest_qs.distinct()

    def get_invited_note(self, activity):
        """
@ -225,7 +232,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
        )

        # Filter with permission backend
-        note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view"))
+        note_qs = note_qs.filter(PermissionBackend.filter_queryset(self.request, Alias, "view"))

        if "search" in self.request.GET and self.request.GET["search"]:
            pattern = self.request.GET["search"]
@ -251,7 +258,7 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
        """
        context = super().get_context_data(**kwargs)

-        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view"))\
+        activity = Activity.objects.filter(PermissionBackend.filter_queryset(self.request, Activity, "view"))\
            .distinct().get(pk=self.kwargs["pk"])
        context["activity"] = activity

@ -276,15 +283,17 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
        context["notespecial_ctype"] = ContentType.objects.get_for_model(NoteSpecial).pk

        activities_open = Activity.objects.filter(open=True).filter(
-            PermissionBackend.filter_queryset(self.request.user, Activity, "view")).distinct().all()
+            PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().all()
        context["activities_open"] = [a for a in activities_open
-                                      if PermissionBackend.check_perm(self.request.user,
+                                      if PermissionBackend.check_perm(self.request,
                                                                      "activity.add_entry",
                                                                      Entry(activity=a, note=self.request.user.note,))]

        return context


+# Cache for 1 hour
+@method_decorator(cache_page(60 * 60), name='dispatch')
 class CalendarView(View):
    """
    Render an ICS calendar with all valid activities.
--- a/apps/api/init.py
+++ b/apps/api/init.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 default_app_config = 'api.apps.APIConfig'
--- a/apps/api/apps.py
+++ b/apps/api/apps.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.apps import AppConfig
--- a/apps/api/pagination.py
+++ b/apps/api/pagination.py
@ -0,0 +1,5 @@
+from rest_framework.pagination import PageNumberPagination
+
+
+class CustomPagination(PageNumberPagination):
+    page_size_query_param = 'page_size'
--- a/apps/api/serializers.py
+++ b/apps/api/serializers.py
@ -1,13 +1,20 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later


 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth.models import User
-from rest_framework.serializers import ModelSerializer
+from django.utils import timezone
+from rest_framework import serializers
+from member.api.serializers import ProfileSerializer, MembershipSerializer
+from member.models import Membership
+from note.api.serializers import NoteSerializer
+from note.models import Alias
+from note_kfet.middlewares import get_current_request
+from permission.backends import PermissionBackend


-class UserSerializer(ModelSerializer):
+class UserSerializer(serializers.ModelSerializer):
    """
    REST API Serializer for Users.
    The djangorestframework plugin will analyse the model `User` and parse all fields in the API.
@ -22,7 +29,7 @@ class UserSerializer(ModelSerializer):
        )


-class ContentTypeSerializer(ModelSerializer):
+class ContentTypeSerializer(serializers.ModelSerializer):
    """
    REST API Serializer for Users.
    The djangorestframework plugin will analyse the model `User` and parse all fields in the API.
@ -31,3 +38,54 @@ class ContentTypeSerializer(ModelSerializer):
    class Meta:
        model = ContentType
        fields = '__all__'
+
+
+class OAuthSerializer(serializers.ModelSerializer):
+    """
+    Informations that are transmitted by OAuth.
+    For now, this includes user, profile and valid memberships.
+    This should be better managed later.
+    """
+    normalized_name = serializers.SerializerMethodField()
+
+    profile = serializers.SerializerMethodField()
+
+    note = serializers.SerializerMethodField()
+
+    memberships = serializers.SerializerMethodField()
+
+    def get_normalized_name(self, obj):
+        return Alias.normalize(obj.username)
+
+    def get_profile(self, obj):
+        # Display the profile of the user only if we have rights to see it.
+        return ProfileSerializer().to_representation(obj.profile) \
+            if PermissionBackend.check_perm(get_current_request(), 'member.view_profile', obj.profile) else None
+
+    def get_note(self, obj):
+        # Display the note of the user only if we have rights to see it.
+        return NoteSerializer().to_representation(obj.note) \
+            if PermissionBackend.check_perm(get_current_request(), 'note.view_note', obj.note) else None
+
+    def get_memberships(self, obj):
+        # Display only memberships that we are allowed to see.
+        return serializers.ListSerializer(child=MembershipSerializer()).to_representation(
+            obj.memberships.filter(date_start__lte=timezone.now(), date_end__gte=timezone.now())
+                           .filter(PermissionBackend.filter_queryset(get_current_request(), Membership, 'view')))
+
+    class Meta:
+        model = User
+        fields = (
+            'id',
+            'username',
+            'normalized_name',
+            'first_name',
+            'last_name',
+            'email',
+            'is_superuser',
+            'is_active',
+            'is_staff',
+            'profile',
+            'note',
+            'memberships',
+        )
--- a/apps/api/tests.py
+++ b/apps/api/tests.py
@ -0,0 +1,240 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import json
+from datetime import datetime, date
+from decimal import Decimal
+from urllib.parse import quote_plus
+from warnings import warn
+
+from django.contrib.auth.models import User
+from django.contrib.contenttypes.models import ContentType
+from django.db.models.fields.files import ImageFieldFile
+from django.test import TestCase
+from django_filters.rest_framework import DjangoFilterBackend
+from member.models import Membership, Club
+from note.models import NoteClub, NoteUser, Alias, Note
+from permission.models import PermissionMask, Permission, Role
+from phonenumbers import PhoneNumber
+from rest_framework.filters import SearchFilter, OrderingFilter
+
+from .viewsets import ContentTypeViewSet, UserViewSet
+
+
+class TestAPI(TestCase):
+    """
+    Load API pages and check that filters are working.
+    """
+    fixtures = ('initial', )
+
+    def setUp(self) -> None:
+        self.user = User.objects.create_superuser(
+            username="adminapi",
+            password="adminapi",
+            email="adminapi@example.com",
+            last_name="Admin",
+            first_name="Admin",
+        )
+        self.client.force_login(self.user)
+
+        sess = self.client.session
+        sess["permission_mask"] = 42
+        sess.save()
+
+    def check_viewset(self, viewset, url):
+        """
+        This function should be called inside a unit test.
+        This loads the viewset and for each filter entry, it checks that the filter is running good.
+        """
+        resp = self.client.get(url + "?format=json")
+        self.assertEqual(resp.status_code, 200)
+
+        model = viewset.serializer_class.Meta.model
+
+        if not model.objects.exists():  # pragma: no cover
+            warn(f"Warning: unable to test API filters for the model {model._meta.verbose_name} "
+                 "since there is no instance of it.")
+            return
+
+        if hasattr(viewset, "filter_backends"):
+            backends = viewset.filter_backends
+            obj = model.objects.last()
+
+            if DjangoFilterBackend in backends:
+                # Specific search
+                for field in viewset.filterset_fields:
+                    obj = self.fix_note_object(obj, field)
+
+                    value = self.get_value(obj, field)
+                    if value is None:  # pragma: no cover
+                        warn(f"Warning: the filter {field} for the model {model._meta.verbose_name} "
+                             "has not been tested.")
+                        continue
+                    resp = self.client.get(url + f"?format=json&{field}={quote_plus(str(value))}")
+                    self.assertEqual(resp.status_code, 200, f"The filter {field} for the model "
+                                                            f"{model._meta.verbose_name} does not work. "
+                                                            f"Given parameter: {value}")
+                    content = json.loads(resp.content)
+                    self.assertGreater(content["count"], 0, f"The filter {field} for the model "
+                                                            f"{model._meta.verbose_name} does not work. "
+                                                            f"Given parameter: {value}")
+
+            if OrderingFilter in backends:
+                # Ensure that ordering is working well
+                for field in viewset.ordering_fields:
+                    resp = self.client.get(url + f"?ordering={field}")
+                    self.assertEqual(resp.status_code, 200)
+                    resp = self.client.get(url + f"?ordering=-{field}")
+                    self.assertEqual(resp.status_code, 200)
+
+            if SearchFilter in backends:
+                # Basic search
+                for field in viewset.search_fields:
+                    obj = self.fix_note_object(obj, field)
+
+                    if field[0] == '$' or field[0] == '=':
+                        field = field[1:]
+                    value = self.get_value(obj, field)
+                    if value is None:  # pragma: no cover
+                        warn(f"Warning: the filter {field} for the model {model._meta.verbose_name} "
+                             "has not been tested.")
+                        continue
+                    resp = self.client.get(url + f"?format=json&search={quote_plus(str(value))}")
+                    self.assertEqual(resp.status_code, 200, f"The filter {field} for the model "
+                                                            f"{model._meta.verbose_name} does not work. "
+                                                            f"Given parameter: {value}")
+                    content = json.loads(resp.content)
+                    self.assertGreater(content["count"], 0, f"The filter {field} for the model "
+                                                            f"{model._meta.verbose_name} does not work. "
+                                                            f"Given parameter: {value}")
+
+            self.check_permissions(url, obj)
+
+    def check_permissions(self, url, obj):
+        """
+        Check that permissions are working
+        """
+        # Drop rights
+        self.user.is_superuser = False
+        self.user.save()
+        sess = self.client.session
+        sess["permission_mask"] = 0
+        sess.save()
+
+        # Delete user permissions
+        for m in Membership.objects.filter(user=self.user).all():
+            m.roles.clear()
+            m.save()
+
+        # Create a new role, which will have the checking permission
+        role = Role.objects.get_or_create(name="β-tester")[0]
+        role.permissions.clear()
+        role.save()
+        membership = Membership.objects.get_or_create(user=self.user, club=Club.objects.get(name="BDE"))[0]
+        membership.roles.set([role])
+        membership.save()
+
+        # Ensure that the access to the object is forbidden without permission
+        resp = self.client.get(url + f"{obj.pk}/")
+        self.assertEqual(resp.status_code, 404, f"Mysterious access to {url}{obj.pk}/ for {obj}")
+
+        obj.refresh_from_db()
+
+        # There are problems with polymorphism
+        if isinstance(obj, Note) and hasattr(obj, "note_ptr"):
+            obj = obj.note_ptr
+
+        mask = PermissionMask.objects.get(rank=0)
+
+        for field in obj._meta.fields:
+            # Build permission query
+            value = self.get_value(obj, field.name)
+            if isinstance(value, date) or isinstance(value, datetime):
+                value = value.isoformat()
+            elif isinstance(value, ImageFieldFile):
+                value = value.name
+            elif isinstance(value, Decimal):
+                value = str(value)
+            query = json.dumps({field.name: value})
+
+            # Create sample permission
+            permission = Permission.objects.get_or_create(
+                model=ContentType.objects.get_for_model(obj._meta.model),
+                query=query,
+                mask=mask,
+                type="view",
+                permanent=False,
+                description=f"Can view {obj._meta.verbose_name}",
+            )[0]
+            role.permissions.set([permission])
+            role.save()
+
+            # Check that the access is possible
+            resp = self.client.get(url + f"{obj.pk}/")
+            self.assertEqual(resp.status_code, 200, f"Permission {permission.query} is not working "
+                                                    f"for the model {obj._meta.verbose_name}")
+
+        # Restore rights
+        self.user.is_superuser = True
+        self.user.save()
+        sess = self.client.session
+        sess["permission_mask"] = 42
+        sess.save()
+
+    @staticmethod
+    def get_value(obj, key: str):
+        """
+        Resolve the queryset filter to get the Python value of an object.
+        """
+        if hasattr(obj, "all"):
+            # obj is a RelatedManager
+            obj = obj.last()
+
+        if obj is None:  # pragma: no cover
+            return None
+
+        if '__' not in key:
+            obj = getattr(obj, key)
+            if hasattr(obj, "pk"):
+                return obj.pk
+            elif hasattr(obj, "all"):
+                if not obj.exists():  # pragma: no cover
+                    return None
+                return obj.last().pk
+            elif isinstance(obj, bool):
+                return int(obj)
+            elif isinstance(obj, datetime):
+                return obj.isoformat()
+            elif isinstance(obj, PhoneNumber):
+                return obj.raw_input
+            return obj
+
+        key, remaining = key.split('__', 1)
+        return TestAPI.get_value(getattr(obj, key), remaining)
+
+    @staticmethod
+    def fix_note_object(obj, field):
+        """
+        When querying an object that has a noteclub or a noteuser field,
+        ensure that the object has a good value.
+        """
+        if isinstance(obj, Alias):
+            if "noteuser" in field:
+                return NoteUser.objects.last().alias.last()
+            elif "noteclub" in field:
+                return NoteClub.objects.last().alias.last()
+        elif isinstance(obj, Note):
+            if "noteuser" in field:
+                return NoteUser.objects.last()
+            elif "noteclub" in field:
+                return NoteClub.objects.last()
+        return obj
+
+
+class TestBasicAPI(TestAPI):
+    def test_user_api(self):
+        """
+        Load the user page.
+        """
+        self.check_viewset(ContentTypeViewSet, "/api/models/")
+        self.check_viewset(UserViewSet, "/api/user/")
--- a/apps/api/urls.py
+++ b/apps/api/urls.py
@ -1,10 +1,11 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.conf import settings
 from django.conf.urls import url, include
 from rest_framework import routers

+from .views import UserInformationView
 from .viewsets import ContentTypeViewSet, UserViewSet

 # Routers provide an easy way of automatically determining the URL conf.
@ -47,5 +48,6 @@ app_name = 'api'
 # Additionally, we include login URLs for the browsable API.
 urlpatterns = [
    url('^', include(router.urls)),
+    url('^me/', UserInformationView.as_view()),
    url('^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
 ]
--- a/apps/api/views.py
+++ b/apps/api/views.py
@ -0,0 +1,20 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.auth.models import User
+from rest_framework.generics import RetrieveAPIView
+
+from .serializers import OAuthSerializer
+
+
+class UserInformationView(RetrieveAPIView):
+    """
+    These fields are give to OAuth authenticators.
+    """
+    serializer_class = OAuthSerializer
+
+    def get_queryset(self):
+        return User.objects.filter(pk=self.request.user.pk)
+
+    def get_object(self):
+        return self.request.user
--- a/apps/api/viewsets.py
+++ b/apps/api/viewsets.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.contrib.contenttypes.models import ContentType
@ -6,9 +6,9 @@ from django_filters.rest_framework import DjangoFilterBackend
 from django.db.models import Q
 from django.conf import settings
 from django.contrib.auth.models import User
+from rest_framework.filters import SearchFilter
 from rest_framework.viewsets import ReadOnlyModelViewSet, ModelViewSet
 from permission.backends import PermissionBackend
-from note_kfet.middlewares import get_current_session
 from note.models import Alias

 from .serializers import UserSerializer, ContentTypeSerializer
@ -24,9 +24,7 @@ class ReadProtectedModelViewSet(ModelViewSet):
        self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()

    def get_queryset(self):
-        user = self.request.user
-        get_current_session().setdefault("permission_mask", 42)
-        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
+        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()


 class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
@ -39,21 +37,20 @@ class ReadOnlyProtectedModelViewSet(ReadOnlyModelViewSet):
        self.model = ContentType.objects.get_for_model(self.serializer_class.Meta.model).model_class()

    def get_queryset(self):
-        user = self.request.user
-        get_current_session().setdefault("permission_mask", 42)
-        return self.queryset.filter(PermissionBackend.filter_queryset(user, self.model, "view")).distinct()
+        return self.queryset.filter(PermissionBackend.filter_queryset(self.request, self.model, "view")).distinct()


 class UserViewSet(ReadProtectedModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `User` objects, serialize it to JSON with the given serializer,
-    then render it on /api/users/
+    then render it on /api/user/
    """
-    queryset = User.objects.all()
+    queryset = User.objects
    serializer_class = UserSerializer
    filter_backends = [DjangoFilterBackend]
-    filterset_fields = ['id', 'username', 'first_name', 'last_name', 'email', 'is_superuser', 'is_staff', 'is_active', ]
+    filterset_fields = ['id', 'username', 'first_name', 'last_name', 'email', 'is_superuser', 'is_staff', 'is_active',
+                        'note__alias__name', 'note__alias__normalized_name', ]

    def get_queryset(self):
        queryset = super().get_queryset()
@ -106,7 +103,10 @@ class ContentTypeViewSet(ReadOnlyModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `User` objects, serialize it to JSON with the given serializer,
-    then render it on /api/users/
+    then render it on /api/models/
    """
-    queryset = ContentType.objects.all()
+    queryset = ContentType.objects.order_by('id')
    serializer_class = ContentTypeSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['id', 'app_label', 'model', ]
+    search_fields = ['$app_label', '$model', ]
--- a/apps/food/init.py
+++ b/apps/food/init.py
--- a/apps/food/admin.py
+++ b/apps/food/admin.py
@ -0,0 +1,37 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib import admin
+from django.db import transaction
+from note_kfet.admin import admin_site
+
+from .models import Allergen, BasicFood, QRCode, TransformedFood
+
+
+@admin.register(QRCode, site=admin_site)
+class QRCodeAdmin(admin.ModelAdmin):
+    pass
+
+
+@admin.register(BasicFood, site=admin_site)
+class BasicFoodAdmin(admin.ModelAdmin):
+    @transaction.atomic
+    def save_related(self, *args, **kwargs):
+        ans = super().save_related(*args, **kwargs)
+        args[1].instance.update()
+        return ans
+
+
+@admin.register(TransformedFood, site=admin_site)
+class TransformedFoodAdmin(admin.ModelAdmin):
+    exclude = ["allergens", "expiry_date"]
+
+    @transaction.atomic
+    def save_related(self, request, form, *args, **kwargs):
+        super().save_related(request, form, *args, **kwargs)
+        form.instance.update()
+
+
+@admin.register(Allergen, site=admin_site)
+class AllergenAdmin(admin.ModelAdmin):
+    pass
--- a/apps/food/apps.py
+++ b/apps/food/apps.py
@ -0,0 +1,11 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+from django.utils.translation import gettext_lazy as _
+from django.apps import AppConfig
+
+
+class FoodkfetConfig(AppConfig):
+    name = 'food'
+    verbose_name = _('food')
--- a/apps/food/fixtures/initial.json
+++ b/apps/food/fixtures/initial.json
@ -0,0 +1,107 @@
+[
+    {
+        "model": "food.allergen",
+        "pk": 1,
+        "fields": {
+            "name": "alcohol"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 2,
+        "fields": {
+            "name": "celery"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 3,
+        "fields": {
+            "name": "crustecean"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 4,
+        "fields": {
+            "name": "egg"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 5,
+        "fields": {
+            "name": "fish"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 6,
+        "fields": {
+            "name": "gluten"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 7,
+        "fields": {
+            "name": "groundnut"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 8,
+        "fields": {
+            "name": "lupine"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 9,
+        "fields": {
+            "name": "milk"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 10,
+        "fields": {
+            "name": "mollusc"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 11,
+        "fields": {
+            "name": "mustard"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 12,
+        "fields": {
+            "name": "nut"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 13,
+        "fields": {
+            "name": "sesame"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 14,
+        "fields": {
+            "name": "soy"
+        }
+    },
+    {
+        "model": "food.allergen",
+        "pk": 15,
+        "fields": {
+            "name": "sulphite"
+        }
+    }
+]
--- a/apps/food/forms.py
+++ b/apps/food/forms.py
@ -0,0 +1,99 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from random import shuffle
+
+from django import forms
+from django.utils.translation import gettext_lazy as _
+from django.utils import timezone
+from member.models import Club
+from note_kfet.inputs import Autocomplete, DateTimePickerInput
+from note_kfet.middlewares import get_current_request
+from permission.backends import PermissionBackend
+
+from .models import BasicFood, QRCode, TransformedFood
+
+
+class AddIngredientForms(forms.ModelForm):
+    """
+    Form for add an ingredient
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['ingredient'].queryset = self.fields['ingredient'].queryset.filter(is_ready=False)
+
+    class Meta:
+        model = TransformedFood
+        fields = ('ingredient',)
+
+
+class BasicFoodForms(forms.ModelForm):
+    """
+    Form for add non-transformed food
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['name'].widget.attrs.update({"autofocus": "autofocus"})
+        self.fields['name'].required = True
+        self.fields['owner'].required = True
+
+        # Some example
+        self.fields['name'].widget.attrs.update({"placeholder": _("pasta")})
+        clubs = list(Club.objects.filter(PermissionBackend.filter_queryset(get_current_request(), Club, "change")).all())
+        shuffle(clubs)
+        self.fields['owner'].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."
+
+    class Meta:
+        model = BasicFood
+        fields = ('name', 'owner', 'date_type', 'expiry_date', 'allergens')
+        widgets = {
+            "owner": Autocomplete(
+                model=Club,
+                attrs={"api_url": "/api/members/club/"},
+            ),
+            'expiry_date': DateTimePickerInput(),
+        }
+
+
+class QRCodeForms(forms.ModelForm):
+    """
+    Form for create QRCode
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['food_container'].queryset = self.fields['food_container'].queryset.filter(is_ready=False)
+
+    class Meta:
+        model = QRCode
+        fields = ('food_container',)
+
+
+class TransformedFoodForms(forms.ModelForm):
+    """
+    Form for add transformed food
+    """
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['name'].widget.attrs.update({"autofocus": "autofocus"})
+        self.fields['name'].required = True
+        self.fields['owner'].required = True
+        self.fields['creation_date'].required = True
+        self.fields['creation_date'].initial = timezone.now
+        self.fields['is_active'].initial = True
+
+        # Some example
+        self.fields['name'].widget.attrs.update({"placeholder": _("lasagna")})
+        clubs = list(Club.objects.filter(PermissionBackend.filter_queryset(get_current_request(), Club, "change")).all())
+        shuffle(clubs)
+        self.fields['owner'].widget.attrs["placeholder"] = ", ".join(club.name for club in clubs[:4]) + ", ..."
+
+    class Meta:
+        model = TransformedFood
+        fields = ('name', 'creation_date', 'owner', 'is_active', 'shelf_life')
+        widgets = {
+            "owner": Autocomplete(
+                model=Club,
+                attrs={"api_url": "/api/members/club/"},
+            ),
+            'creation_date': DateTimePickerInput(),
+        }
--- a/apps/food/migrations/0001_initial.py
+++ b/apps/food/migrations/0001_initial.py
@ -0,0 +1,84 @@
+# Generated by Django 2.2.28 on 2024-07-05 08:57
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('contenttypes', '0002_remove_content_type_name'),
+        ('member', '0011_profile_vss_charter_read'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Allergen',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=255, verbose_name='name')),
+            ],
+            options={
+                'verbose_name': 'Allergen',
+                'verbose_name_plural': 'Allergens',
+            },
+        ),
+        migrations.CreateModel(
+            name='Food',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=255, verbose_name='name')),
+                ('expiry_date', models.DateTimeField(verbose_name='expiry date')),
+                ('was_eaten', models.BooleanField(default=False, verbose_name='was eaten')),
+                ('is_ready', models.BooleanField(default=False, verbose_name='is ready')),
+                ('allergens', models.ManyToManyField(blank=True, to='food.Allergen', verbose_name='allergen')),
+                ('owner', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='+', to='member.Club', verbose_name='owner')),
+                ('polymorphic_ctype', models.ForeignKey(editable=False, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='polymorphic_food.food_set+', to='contenttypes.ContentType')),
+            ],
+            options={
+                'verbose_name': 'foods',
+            },
+        ),
+        migrations.CreateModel(
+            name='BasicFood',
+            fields=[
+                ('food_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='food.Food')),
+                ('date_type', models.CharField(choices=[('DLC', 'DLC'), ('DDM', 'DDM')], max_length=255)),
+                ('arrival_date', models.DateTimeField(default=django.utils.timezone.now, verbose_name='arrival date')),
+            ],
+            options={
+                'verbose_name': 'Basic food',
+                'verbose_name_plural': 'Basic foods',
+            },
+            bases=('food.food',),
+        ),
+        migrations.CreateModel(
+            name='QRCode',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('qr_code_number', models.PositiveIntegerField(unique=True, verbose_name='QR-code number')),
+                ('food_container', models.OneToOneField(on_delete=django.db.models.deletion.PROTECT, related_name='QR_code', to='food.Food', verbose_name='food container')),
+            ],
+            options={
+                'verbose_name': 'QR-code',
+                'verbose_name_plural': 'QR-codes',
+            },
+        ),
+        migrations.CreateModel(
+            name='TransformedFood',
+            fields=[
+                ('food_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='food.Food')),
+                ('creation_date', models.DateTimeField(verbose_name='creation date')),
+                ('is_active', models.BooleanField(default=True, verbose_name='is active')),
+                ('ingredient', models.ManyToManyField(blank=True, related_name='transformed_ingredient_inv', to='food.Food', verbose_name='transformed ingredient')),
+            ],
+            options={
+                'verbose_name': 'Transformed food',
+                'verbose_name_plural': 'Transformed foods',
+            },
+            bases=('food.food',),
+        ),
+    ]
--- a/apps/food/migrations/0002_transformedfood_shelf_life.py
+++ b/apps/food/migrations/0002_transformedfood_shelf_life.py
@ -0,0 +1,19 @@
+# Generated by Django 2.2.28 on 2024-07-06 20:37
+
+import datetime
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('food', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='transformedfood',
+            name='shelf_life',
+            field=models.DurationField(default=datetime.timedelta(days=3), verbose_name='shelf life'),
+        ),
+    ]
--- a/apps/food/migrations/init.py
+++ b/apps/food/migrations/init.py
--- a/apps/food/models.py
+++ b/apps/food/models.py
@ -0,0 +1,217 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from datetime import timedelta
+
+from django.db import models, transaction
+from django.utils import timezone
+from django.utils.translation import gettext_lazy as _
+from member.models import Club
+from polymorphic.models import PolymorphicModel
+
+
+class QRCode(models.Model):
+    """
+    An QRCode model
+    """
+    qr_code_number = models.PositiveIntegerField(
+        verbose_name=_("QR-code number"),
+        unique=True,
+    )
+
+    food_container = models.OneToOneField(
+        'Food',
+        on_delete=models.PROTECT,
+        related_name='QR_code',
+        verbose_name=_('food container'),
+    )
+
+    class Meta:
+        verbose_name = _("QR-code")
+        verbose_name_plural = _("QR-codes")
+
+    def __str__(self):
+        return _("QR-code number {qr_code_number}").format(qr_code_number=self.qr_code_number)
+
+
+class Allergen(models.Model):
+    """
+    A list of allergen and alimentary restrictions
+    """
+    name = models.CharField(
+        verbose_name=_('name'),
+        max_length=255,
+    )
+
+    class Meta:
+        verbose_name = _('Allergen')
+        verbose_name_plural = _('Allergens')
+
+    def __str__(self):
+        return self.name
+
+
+class Food(PolymorphicModel):
+    name = models.CharField(
+        verbose_name=_('name'),
+        max_length=255,
+    )
+
+    owner = models.ForeignKey(
+        Club,
+        on_delete=models.PROTECT,
+        related_name='+',
+        verbose_name=_('owner'),
+    )
+
+    allergens = models.ManyToManyField(
+        Allergen,
+        blank=True,
+        verbose_name=_('allergen'),
+    )
+
+    expiry_date = models.DateTimeField(
+        verbose_name=_('expiry date'),
+        null=False,
+    )
+
+    was_eaten = models.BooleanField(
+        default=False,
+        verbose_name=_('was eaten'),
+    )
+
+    is_ready = models.BooleanField(
+        default=False,
+        verbose_name=_('is ready'),
+    )
+
+    def __str__(self):
+        return self.name
+
+    @transaction.atomic
+    def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
+        return super().save(force_insert, force_update, using, update_fields)
+
+    class Meta:
+        verbose_name = _('food')
+        verbose_name = _('foods')
+
+
+class BasicFood(Food):
+    """
+    Food which has been directly buy on supermarket
+    """
+    date_type = models.CharField(
+        max_length=255,
+        choices=(
+            ("DLC", "DLC"),
+            ("DDM", "DDM"),
+        )
+    )
+
+    arrival_date = models.DateTimeField(
+        verbose_name=_('arrival date'),
+        default=timezone.now,
+    )
+
+    # label = models.ImageField(
+    #     verbose_name=_('food label'),
+    #     max_length=255,
+    #     blank=False,
+    #     null=False,
+    #     upload_to='label/',
+    # )
+
+    @transaction.atomic
+    def update_allergens(self):
+        # update parents
+        for parent in self.transformed_ingredient_inv.iterator():
+            parent.update_allergens()
+
+    @transaction.atomic
+    def update_expiry_date(self):
+        # update parents
+        for parent in self.transformed_ingredient_inv.iterator():
+            parent.update_expiry_date()
+
+    @transaction.atomic
+    def update(self):
+        self.update_allergens()
+        self.update_expiry_date()
+
+    class Meta:
+        verbose_name = _('Basic food')
+        verbose_name_plural = _('Basic foods')
+
+
+class TransformedFood(Food):
+    """
+    Transformed food  are a mix between basic food and meal
+    """
+    creation_date = models.DateTimeField(
+        verbose_name=_('creation date'),
+    )
+
+    ingredient = models.ManyToManyField(
+        Food,
+        blank=True,
+        symmetrical=False,
+        related_name='transformed_ingredient_inv',
+        verbose_name=_('transformed ingredient'),
+    )
+
+    is_active = models.BooleanField(
+        default=True,
+        verbose_name=_('is active'),
+    )
+
+    # Without microbiological analyzes, the storage time is 3 days
+    shelf_life = models.DurationField(
+        verbose_name=_("shelf life"),
+        default=timedelta(days=3),
+    )
+
+    @transaction.atomic
+    def update_allergens(self):
+        # When allergens are changed, simply update the parents' allergens
+        old_allergens = list(self.allergens.all())
+        self.allergens.clear()
+        for ingredient in self.ingredient.iterator():
+            self.allergens.set(self.allergens.union(ingredient.allergens.all()))
+
+        if old_allergens == list(self.allergens.all()):
+            return
+        super().save()
+
+        # update parents
+        for parent in self.transformed_ingredient_inv.iterator():
+            parent.update_allergens()
+
+    @transaction.atomic
+    def update_expiry_date(self):
+        # When expiry_date is changed, simply update the parents' expiry_date
+        old_expiry_date = self.expiry_date
+        self.expiry_date = self.creation_date + self.shelf_life
+        for ingredient in self.ingredient.iterator():
+            self.expiry_date = min(self.expiry_date, ingredient.expiry_date)
+
+        if old_expiry_date == self.expiry_date:
+            return
+        super().save()
+
+        # update parents
+        for parent in self.transformed_ingredient_inv.iterator():
+            parent.update_expiry_date()
+
+    @transaction.atomic
+    def update(self):
+        self.update_allergens()
+        self.update_expiry_date()
+
+    @transaction.atomic
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+
+    class Meta:
+        verbose_name = _('Transformed food')
+        verbose_name_plural = _('Transformed foods')
--- a/apps/food/tables.py
+++ b/apps/food/tables.py
@ -0,0 +1,19 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import django_tables2 as tables
+from django_tables2 import A
+
+from .models import TransformedFood
+
+
+class TransformedFoodTable(tables.Table):
+    name = tables.LinkColumn(
+        'food:food_view',
+        args=[A('pk'), ],
+    )
+
+    class Meta:
+        model = TransformedFood
+        template_name = 'django_tables2/bootstrap4.html'
+        fields = ('name', )
--- a/apps/food/templates/food/add_ingredient_form.html
+++ b/apps/food/templates/food/add_ingredient_form.html
@ -0,0 +1,21 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <form method="post">
+      {%  csrf_token %}
+      {{ form|crispy }}
+      <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </form>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/basic_food_form.html
+++ b/apps/food/templates/food/basic_food_form.html
@ -0,0 +1,21 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <form method="post">
+      {% csrf_token %}
+      {{ form|crispy }}
+      <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </form>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/basicfood_detail.html
+++ b/apps/food/templates/food/basicfood_detail.html
@ -0,0 +1,27 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body">
+    <p>name : {{ food.name }}</p>
+    <p>owner : {{ food.owner }}</p>
+    <p>arrival_date : {{ food.arrival_date }}</p>
+    <p>expiry_date : {{ food.expiry_date }}</p>
+    <p>allergens :</p>
+    <ul>
+      {% for allergen in food.allergens.iterator %}
+        <li>{{ allergen.name }}</li>
+      {% endfor %}
+    </ul>
+    <a href="{% url "food:basic_update" pk=food.pk %}">Update</a>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/create_food_form.html
+++ b/apps/food/templates/food/create_food_form.html
@ -0,0 +1,21 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+    <div class="row">
+      <div class="col-xl-12">
+        <div class="btn-group btn-block">
+            <a href="{% url "food:basic_create" %}" class="btn btn-sm btn-outline-primary">Basic</a>
+            <a href="{% url "food:transformed_create" %}" class="btn btn-sm btn-outline-primary">Transformed</a>
+        </div>
+      </div>
+    </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/create_qrcode_form.html
+++ b/apps/food/templates/food/create_qrcode_form.html
@ -0,0 +1,24 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <a class="btn btn-sm btn-success" href="{% url "food:qrcode_basic_create" slug=slug %}" data-turbolinks="false">
+      New basic food
+    </a>
+    <form method="post">
+      {%  csrf_token %}
+      {{ form|crispy }}
+      <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </form>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/qrcode_detail.html
+++ b/apps/food/templates/food/qrcode_detail.html
@ -0,0 +1,24 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body">
+    <p>qrcode : {{ qrcode.qr_code_number }}</p>
+    <p>name : {{ qrcode.food_container.name }}</p>
+    {% if qrcode.food_container.polymorphic_ctype.name == 'Basic food' %}
+      <a href="{% url "food:basic_update" pk=qrcode.food_container.pk %}">Update</a>
+    {% else %}
+      <a href="{% url "food:transformed_update" pk=qrcode.food_container.pk %}">Update</a>
+    {% endif %}
+    <a href="{% url "food:add_ingredient" pk=qrcode.food_container.pk %}">Add the ingrdient</a>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/transformed_food_form.html
+++ b/apps/food/templates/food/transformed_food_form.html
@ -0,0 +1,21 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body" id="form">
+    <form method="post">
+      {%  csrf_token %}
+      {{ form|crispy }}
+      <button class="btn btn-primary" type="submit">{% trans "Submit"%}</button>
+    </form>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/transformedfood_detail.html
+++ b/apps/food/templates/food/transformedfood_detail.html
@ -0,0 +1,33 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load i18n crispy_forms_tags %}
+
+{% block content %}
+<div class="card bg-white mb-3">
+  <h3 class="card-header text-center">
+    HTML not finished <br>
+    {{ title }}
+  </h3>
+  <div class="card-body">
+    <p>name : {{ food.name }}</p>
+    <p>owner : {{ food.owner }}</p>
+    <p>creation_date : {{ food.creation_date }}</p>
+    <p>expiry_date : {{ food.expiry_date }}</p>
+    <p>allergens :</p>
+    <ul>
+      {% for allergen in food.allergens.iterator %}
+        <li>{{ allergen.name }}</li>
+      {% endfor %}
+    </ul>
+    <p>ingredients :</p>
+    <ul>
+      {% for ingredient in food.ingredient.iterator %}
+        <li><a href="{% url "food:food_view" pk=ingredient.pk %}">{{ ingredient.name }}</a></li>
+      {% endfor %}
+    </ul>
+    <a href="{% url "food:transformed_update" pk=food.pk %}">Update</a>
+  </div>
+</div>
+{% endblock %}
--- a/apps/food/templates/food/transformedfood_list.html
+++ b/apps/food/templates/food/transformedfood_list.html
@ -0,0 +1,24 @@
+{% extends "base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load render_table from django_tables2 %}
+{% load i18n %}
+
+{% block content %}
+<div class="card bg-light mb-3">
+  <div class="card-footer">
+    <a class="btn btn-sm btn-success" href="{% url 'food:transformed_create' %}" data-turbolinks="false">
+      New transformed food
+    </a>
+  </div>
+  <h3 class="card-header text-center">
+      In preparation
+  </h3>
+  {% render_table table %}
+  <h3 class="card-header text-center">
+      Open
+  </h3>
+  {% render_table open_table %}
+</div>
+{% endblock %}
--- a/apps/food/tests.py
+++ b/apps/food/tests.py
@ -0,0 +1,3 @@
+# from django.test import TestCase
+
+# Create your tests here.
--- a/apps/food/urls.py
+++ b/apps/food/urls.py
@ -0,0 +1,24 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.urls import path
+
+from . import views
+
+app_name = 'food'
+
+urlpatterns = [
+    path('', views.TransfomedListView.as_view(), name='food_list'),
+    path('<int:slug>', views.QRCodeView.as_view(), name='qrcode_view'),
+    path('detail/<int:pk>', views.FoodView.as_view(), name='food_view'),
+
+    path('<int:slug>/create_qrcode', views.QRCodeCreateView.as_view(), name='qrcode_create'),
+    path('create', views.FoodCreateView.as_view(), name='food_create'),
+    path('<int:slug>/create_qrcode/basic', views.QRCodeBasicFoodCreateView.as_view(), name='qrcode_basic_create'),
+    path('create/transformed', views.TransformedFoodCreateView.as_view(), name='transformed_create'),
+
+    path('update/basic/<int:pk>', views.BasicFoodUpdateView.as_view(), name='basic_update'),
+    path('update/transformed/<int:pk>', views.TransformedFoodUpdateView.as_view(), name='transformed_update'),
+
+    path('add/<int:pk>', views.AddIngredientView.as_view(), name='add_ingredient'),
+]
--- a/apps/food/views.py
+++ b/apps/food/views.py
@ -0,0 +1,278 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.db import transaction
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.http import HttpResponseRedirect
+from django_tables2.views import SingleTableView
+from django.urls import reverse
+from django.utils.translation import gettext_lazy as _
+from django.utils import timezone
+from django.views.generic import DetailView, UpdateView, TemplateView
+from permission.views import ProtectQuerysetMixin, ProtectedCreateView
+
+from .forms import AddIngredientForms, BasicFoodForms, QRCodeForms, TransformedFoodForms
+from .models import BasicFood, Food, QRCode, TransformedFood
+from .tables import TransformedFoodTable
+
+
+class AddIngredientView(ProtectQuerysetMixin, UpdateView):
+    """
+    A view to add an ingredient
+    """
+    model = Food
+    template_name = 'food/add_ingredient_form.html'
+    extra_context = {"title": _("Add the ingredient")}
+    form_class = AddIngredientForms
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context["pk"] = self.kwargs["pk"]
+        return context
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.creater = self.request.user
+        food = Food.objects.get(pk=self.kwargs['pk'])
+        add_ingredient_form = AddIngredientForms(data=self.request.POST)
+        if not food.is_ready:
+            form.add_error(None, _("The product isn't ready"))
+            return self.form_invalid(form)
+        if not add_ingredient_form.is_valid():
+            return self.form_invalid(form)
+
+        # Save the aliment and the allergens associed
+        for transformed_pk in self.request.POST.getlist('ingredient'):
+            transformed = TransformedFood.objects.get(pk=transformed_pk)
+            if not transformed.is_ready:
+                transformed.ingredient.add(food)
+                transformed.update()
+        return HttpResponseRedirect(self.get_success_url())
+
+    def get_success_url(self, **kwargs):
+        return reverse('food:food_list')
+
+
+class BasicFoodUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
+    """
+    A view to add a basic food
+    """
+    model = BasicFood
+    form_class = BasicFoodForms
+    template_name = 'food/basic_food_form.html'
+    extra_context = {"title": _("Add a new aliment")}
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.creater = self.request.user
+        basic_food_form = BasicFoodForms(data=self.request.POST)
+        if not basic_food_form.is_valid():
+            return self.form_invalid(form)
+
+        ans = super().form_valid(form)
+        form.instance.update()
+        return ans
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse('food:food_view', kwargs={"pk": self.object.pk})
+
+
+class FoodCreateView(ProtectQuerysetMixin, LoginRequiredMixin, TemplateView):
+    """
+    A view to add a new aliment
+    """
+    template_name = 'food/create_food_form.html'
+    extra_context = {"title": _("Add a new aliment")}
+
+
+class FoodView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+    """
+    A view to see a food
+    """
+    model = Food
+    extra_context = {"title": _("Details")}
+    context_object_name = "food"
+
+
+class QRCodeBasicFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
+    #####################################################################
+    # TO DO
+    # - fix picture save
+    # - implement solution crop and convert image (reuse or recode ImageForm from members apps)
+    #####################################################################
+    """
+    A view to add a basic food with a qrcode
+    """
+    model = BasicFood
+    form_class = BasicFoodForms
+    template_name = 'food/basic_food_form.html'
+    extra_context = {"title": _("Add a new basic food with QRCode")}
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.creater = self.request.user
+        basic_food_form = BasicFoodForms(data=self.request.POST)
+        if not basic_food_form.is_valid():
+            return self.form_invalid(form)
+
+        # Save the aliment and the allergens associed
+        basic_food = form.save(commit=False)
+        # We assume the date of labeling and the same as the date of arrival
+        basic_food.arrival_date = timezone.now()
+        basic_food.is_ready = True
+        basic_food._force_save = True
+        basic_food.save()
+        basic_food.refresh_from_db()
+
+        qrcode = QRCode()
+        qrcode.qr_code_number = self.kwargs['slug']
+        qrcode.food_container = basic_food
+        qrcode.save()
+
+        return super().form_valid(form)
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse('food:qrcode_view', kwargs={"slug": self.kwargs['slug']})
+
+    def get_sample_object(self):
+        return BasicFood(
+            name="",
+            expiry_date=timezone.now(),
+        )
+
+
+class QRCodeCreateView(ProtectQuerysetMixin, ProtectedCreateView):
+    """
+    A view to add a new qrcode
+    """
+    model = QRCode
+    template_name = 'food/create_qrcode_form.html'
+    form_class = QRCodeForms
+    extra_context = {"title": _("Add a new QRCode")}
+
+    def get(self, *args, **kwargs):
+        qrcode = kwargs["slug"]
+        if self.model.objects.filter(qr_code_number=qrcode).count() > 0:
+            return HttpResponseRedirect(reverse("food:qrcode_view", kwargs=kwargs))
+        else:
+            return super().get(*args, **kwargs)
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context["slug"] = self.kwargs["slug"]
+        return context
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.creater = self.request.user
+        qrcode_food_form = QRCodeForms(data=self.request.POST)
+        if not qrcode_food_form.is_valid():
+            return self.form_invalid(form)
+
+        # Save the qrcode
+        qrcode = form.save(commit=False)
+        qrcode.qr_code_number = self.kwargs["slug"]
+        qrcode._force_save = True
+        qrcode.save()
+        qrcode.refresh_from_db()
+
+        qrcode.food_container.is_ready = True
+        qrcode.food_container.save()
+
+        return super().form_valid(form)
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse('food:qrcode_view', kwargs={"slug": self.kwargs['slug']})
+
+    def get_sample_object(self):
+        return QRCode(
+            qr_code_number=self.kwargs["slug"],
+        )
+
+
+class QRCodeView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
+    """
+    A view to see a qrcode
+    """
+    model = QRCode
+    extra_context = {"title": _("QRCode")}
+    context_object_name = "qrcode"
+    slug_field = "qr_code_number"
+
+    def get(self, *args, **kwargs):
+        qrcode = kwargs["slug"]
+        if self.model.objects.filter(qr_code_number=qrcode).count() > 0:
+            return super().get(*args, **kwargs)
+        else:
+            return HttpResponseRedirect(reverse("food:qrcode_create", kwargs=kwargs))
+
+
+class TransformedFoodFormView(ProtectQuerysetMixin):
+    """
+    A view to add a tranformed food
+    """
+    model = TransformedFood
+    template_name = 'food/transformed_food_form.html'
+    form_class = TransformedFoodForms
+    extra_context = {"title": _("Add a new meal")}
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.instance.creater = self.request.user
+        transformed_food_form = TransformedFoodForms(data=self.request.POST)
+        if not transformed_food_form.is_valid():
+            return self.form_invalid(form)
+
+        # Save the aliment and allergens associated
+        transformed_food = form.save(commit=False)
+        transformed_food.expiry_date = transformed_food.creation_date
+        transformed_food._force_save = True
+        transformed_food.save()
+        transformed_food.refresh_from_db()
+        ans = super().form_valid(form)
+        transformed_food.update()
+        return ans
+
+    def get_success_url(self, **kwargs):
+        self.object.refresh_from_db()
+        return reverse('food:food_view', kwargs={"pk": self.object.pk})
+
+
+class TransformedFoodUpdateView(TransformedFoodFormView, LoginRequiredMixin, UpdateView):
+    pass
+
+
+class TransformedFoodCreateView(TransformedFoodFormView, ProtectedCreateView):
+    def get_sample_object(self):
+        return TransformedFood(
+            name="",
+            creation_date=timezone.now(),
+        )
+
+
+class TransfomedListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView):
+    """
+    Displays not ready TransformedFood
+    """
+    model = TransformedFood
+    table_class = TransformedFoodTable
+    ordering = ('name',)
+    extra_context = {"title": _("Transformed food")}
+
+    def get_queryset(self, **kwargs):
+        return super().get_queryset(**kwargs)\
+            .filter(is_ready=False)\
+            .distinct()
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context['open_table'] = TransformedFoodTable(
+            TransformedFood.objects.filter(
+                was_eaten=False,
+                expiry_date__lt=timezone.now()
+            ),
+            prefix="open-")
+        return context
--- a/apps/logs/init.py
+++ b/apps/logs/init.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 default_app_config = 'logs.apps.LogsConfig'
--- a/apps/logs/api/serializers.py
+++ b/apps/logs/api/serializers.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from rest_framework import serializers
--- a/apps/logs/api/urls.py
+++ b/apps/logs/api/urls.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from .views import ChangelogViewSet
--- a/apps/logs/api/views.py
+++ b/apps/logs/api/views.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django_filters.rest_framework import DjangoFilterBackend
@ -15,7 +15,7 @@ class ChangelogViewSet(ReadOnlyProtectedModelViewSet):
    The djangorestframework plugin will get all `Changelog` objects, serialize it to JSON with the given serializer,
    then render it on /api/logs/
    """
-    queryset = Changelog.objects.all()
+    queryset = Changelog.objects.order_by('id')
    serializer_class = ChangelogSerializer
    filter_backends = [DjangoFilterBackend, OrderingFilter]
    filterset_fields = ['model', 'action', "instance_pk", 'user', 'ip', ]
--- a/apps/logs/apps.py
+++ b/apps/logs/apps.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.apps import AppConfig
--- a/apps/logs/models.py
+++ b/apps/logs/models.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.conf import settings
@ -76,9 +76,6 @@ class Changelog(models.Model):
        verbose_name=_('timestamp'),
    )

-    def delete(self, using=None, keep_parents=False):
-        raise ValidationError(_("Logs cannot be destroyed."))
-
    class Meta:
        verbose_name = _("changelog")
        verbose_name_plural = _("changelogs")
@ -86,3 +83,6 @@ class Changelog(models.Model):
    def __str__(self):
        return _("Changelog of type \"{action}\" for model {model} at {timestamp}").format(
            action=self.get_action_display(), model=str(self.model), timestamp=str(self.timestamp))
+
+    def delete(self, using=None, keep_parents=False):
+        raise ValidationError(_("Logs cannot be destroyed."))
--- a/apps/logs/signals.py
+++ b/apps/logs/signals.py
@ -1,11 +1,11 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.contrib.contenttypes.models import ContentType
 from rest_framework.renderers import JSONRenderer
 from rest_framework.serializers import ModelSerializer
 from note.models import NoteUser, Alias
-from note_kfet.middlewares import get_current_authenticated_user, get_current_ip
+from note_kfet.middlewares import get_current_request

 from .models import Changelog

@ -57,9 +57,9 @@ def save_object(sender, instance, **kwargs):
    previous = instance._previous

    # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
-    user, ip = get_current_authenticated_user(), get_current_ip()
+    request = get_current_request()

-    if user is None:
+    if request is None:
        # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
        # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
        # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
@ -71,9 +71,23 @@ def save_object(sender, instance, **kwargs):
        # else:
        if note.exists():
            user = note.get().user
+        else:
+            user = None
+    else:
+        user = request.user
+        if 'HTTP_X_REAL_IP' in request.META:
+            ip = request.META.get('HTTP_X_REAL_IP')
+        elif 'HTTP_X_FORWARDED_FOR' in request.META:
+            ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
+        else:
+            ip = request.META.get('REMOTE_ADDR')
+
+        if not user.is_authenticated:
+            # For registration and OAuth2 purposes
+            user = None

    # noinspection PyProtectedMember
-    if user is not None and instance._meta.label_lower == "auth.user" and previous:
+    if request is not None and instance._meta.label_lower == "auth.user" and previous:
        # On n'enregistre pas les connexions
        if instance.last_login != previous.last_login:
            return
@ -121,9 +135,9 @@ def delete_object(sender, instance, **kwargs):
        return

    # Si un utilisateur est connecté, on récupère l'utilisateur courant ainsi que son adresse IP
-    user, ip = get_current_authenticated_user(), get_current_ip()
+    request = get_current_request()

-    if user is None:
+    if request is None:
        # Si la modification n'a pas été faite via le client Web, on suppose que c'est du à `manage.py`
        # On récupère alors l'utilisateur·trice connecté·e à la VM, et on récupère la note associée
        # IMPORTANT : l'utilisateur dans la VM doit être un des alias note du respo info
@ -135,6 +149,20 @@ def delete_object(sender, instance, **kwargs):
        # else:
        if note.exists():
            user = note.get().user
+        else:
+            user = None
+    else:
+        user = request.user
+        if 'HTTP_X_REAL_IP' in request.META:
+            ip = request.META.get('HTTP_X_REAL_IP')
+        elif 'HTTP_X_FORWARDED_FOR' in request.META:
+            ip = request.META.get('HTTP_X_FORWARDED_FOR').split(', ')[0]
+        else:
+            ip = request.META.get('REMOTE_ADDR')
+
+        if not user.is_authenticated:
+            # For registration and OAuth2 purposes
+            user = None

    # On crée notre propre sérialiseur JSON pour pouvoir sauvegarder les modèles
    class CustomSerializer(ModelSerializer):
--- a/apps/member/init.py
+++ b/apps/member/init.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 default_app_config = 'member.apps.MemberConfig'
--- a/apps/member/admin.py
+++ b/apps/member/admin.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.contrib import admin
--- a/apps/member/api/serializers.py
+++ b/apps/member/api/serializers.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from rest_framework import serializers
--- a/apps/member/api/urls.py
+++ b/apps/member/api/urls.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from .views import ProfileViewSet, ClubViewSet, MembershipViewSet
--- a/apps/member/api/views.py
+++ b/apps/member/api/views.py
@ -1,7 +1,8 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-from rest_framework.filters import SearchFilter
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import OrderingFilter, SearchFilter
 from api.viewsets import ReadProtectedModelViewSet

 from .serializers import ProfileSerializer, ClubSerializer, MembershipSerializer
@ -14,8 +15,15 @@ class ProfileViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `Profile` objects, serialize it to JSON with the given serializer,
    then render it on /api/members/profile/
    """
-    queryset = Profile.objects.all()
+    queryset = Profile.objects.order_by('id')
    serializer_class = ProfileSerializer
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['user', 'user__first_name', 'user__last_name', 'user__username', 'user__email',
+                        'user__note__alias__name', 'user__note__alias__normalized_name', 'phone_number', "section",
+                        'department', 'promotion', 'address', 'paid', 'ml_events_registration', 'ml_sport_registration',
+                        'ml_art_registration', 'report_frequency', 'email_confirmed', 'registration_valid', ]
+    search_fields = ['$user__first_name', '$user__last_name', '$user__username', '$user__email',
+                     '$user__note__alias__name', '$user__note__alias__normalized_name', ]


 class ClubViewSet(ReadProtectedModelViewSet):
@ -24,10 +32,13 @@ class ClubViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `Club` objects, serialize it to JSON with the given serializer,
    then render it on /api/members/club/
    """
-    queryset = Club.objects.all()
+    queryset = Club.objects.order_by('id')
    serializer_class = ClubSerializer
-    filter_backends = [SearchFilter]
-    search_fields = ['$name', ]
+    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filterset_fields = ['name', 'email', 'note__alias__name', 'note__alias__normalized_name', 'parent_club',
+                        'parent_club__name', 'require_memberships', 'membership_fee_paid', 'membership_fee_unpaid',
+                        'membership_duration', 'membership_start', 'membership_end', ]
+    search_fields = ['$name', '$email', '$note__alias__name', '$note__alias__normalized_name', ]


 class MembershipViewSet(ReadProtectedModelViewSet):
@ -36,5 +47,14 @@ class MembershipViewSet(ReadProtectedModelViewSet):
    The djangorestframework plugin will get all `Membership` objects, serialize it to JSON with the given serializer,
    then render it on /api/members/membership/
    """
-    queryset = Membership.objects.all()
+    queryset = Membership.objects.order_by('id')
    serializer_class = MembershipSerializer
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+    filterset_fields = ['club__name', 'club__email', 'club__note__alias__name', 'club__note__alias__normalized_name',
+                        'user__username', 'user__last_name', 'user__first_name', 'user__email',
+                        'user__note__alias__name', 'user__note__alias__normalized_name',
+                        'date_start', 'date_end', 'fee', 'roles', ]
+    ordering_fields = ['id', 'date_start', 'date_end', ]
+    search_fields = ['$club__name', '$club__email', '$club__note__alias__name', '$club__note__alias__normalized_name',
+                     '$user__username', '$user__last_name', '$user__first_name', '$user__email',
+                     '$user__note__alias__name', '$user__note__alias__normalized_name', '$roles__name', ]
--- a/apps/member/apps.py
+++ b/apps/member/apps.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django.apps import AppConfig
--- a/apps/member/auth.py
+++ b/apps/member/auth.py
@ -0,0 +1,17 @@
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from cas_server.auth import DjangoAuthUser  # pragma: no cover
+from note.models import Alias
+
+
+class CustomAuthUser(DjangoAuthUser):  # pragma: no cover
+    """
+    Override Django Auth User model to define a custom Matrix username.
+    """
+
+    def attributs(self):
+        d = super().attributs()
+        if self.user:
+            d["normalized_name"] = Alias.normalize(self.user.username)
+        return d
--- a/apps/member/forms.py
+++ b/apps/member/forms.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 import io
@ -8,6 +8,7 @@ from django import forms
 from django.conf import settings
 from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.auth.models import User
+from django.db import transaction
 from django.forms import CheckboxSelectMultiple
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@ -46,6 +47,13 @@ class ProfileForm(forms.ModelForm):

    last_report = forms.DateTimeField(required=False, disabled=True, label=_("Last report date"))

+    VSS_charter_read = forms.BooleanField(
+        required=True,
+        label=_("Anti-VSS (<em>Violences Sexistes et Sexuelles</em>) charter read and approved"),
+        help_text=_("Tick after having read and accepted the anti-VSS charter \
+        <a href=https://perso.crans.org/club-bde/Charte-anti-VSS.pdf target=_blank> available here in pdf</a>")
+    )
+
    def clean_promotion(self):
        promotion = self.cleaned_data["promotion"]
        if promotion > timezone.now().year:
@ -57,6 +65,7 @@ class ProfileForm(forms.ModelForm):
        self.fields['address'].widget.attrs.update({"placeholder": "4 avenue des Sciences, 91190 GIF-SUR-YVETTE"})
        self.fields['promotion'].widget.attrs.update({"max": timezone.now().year})

+    @transaction.atomic
    def save(self, commit=True):
        if not self.instance.section or (("department" in self.changed_data
                                         or "promotion" in self.changed_data) and "section" not in self.changed_data):
@ -112,7 +121,7 @@ class ImageForm(forms.Form):
                frame = frame.crop((x, y, x + w, y + h))
                frame = frame.resize(
                    (settings.PIC_WIDTH, settings.PIC_RATIO * settings.PIC_WIDTH),
-                    Image.ANTIALIAS,
+                    Image.LANCZOS,
                )
                frames.append(frame)

@ -148,6 +157,7 @@ class ClubForm(forms.ModelForm):
            "membership_fee_unpaid": AmountInput(),
            "parent_club": Autocomplete(
                Club,
+                resetable=True,
                attrs={
                    'api_url': '/api/members/club/',
                }
@ -161,7 +171,7 @@ class MembershipForm(forms.ModelForm):
    soge = forms.BooleanField(
        label=_("Inscription paid by Société Générale"),
        required=False,
-        help_text=_("Check this case is the Société Générale paid the inscription."),
+        help_text=_("Check this case if the Société Générale paid the inscription."),
    )

    credit_type = forms.ModelChoiceField(
--- a/apps/member/hashers.py
+++ b/apps/member/hashers.py
@ -1,12 +1,14 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 import hashlib
+from collections import OrderedDict

 from django.conf import settings
-from django.contrib.auth.hashers import PBKDF2PasswordHasher
+from django.contrib.auth.hashers import PBKDF2PasswordHasher, mask_hash
 from django.utils.crypto import constant_time_compare
-from note_kfet.middlewares import get_current_authenticated_user, get_current_session
+from django.utils.translation import gettext_lazy as _
+from note_kfet.middlewares import get_current_request


 class CustomNK15Hasher(PBKDF2PasswordHasher):
@ -24,16 +26,22 @@ class CustomNK15Hasher(PBKDF2PasswordHasher):

    def must_update(self, encoded):
        if settings.DEBUG:
-            current_user = get_current_authenticated_user()
+            # Small hack to let superusers to impersonate people.
+            # Don't change their password.
+            request = get_current_request()
+            current_user = request.user
            if current_user is not None and current_user.is_superuser:
                return False
        return True

    def verify(self, password, encoded):
        if settings.DEBUG:
-            current_user = get_current_authenticated_user()
+            # Small hack to let superusers to impersonate people.
+            # If a superuser is already connected, let him/her log in as another person.
+            request = get_current_request()
+            current_user = request.user
            if current_user is not None and current_user.is_superuser\
-                    and get_current_session().get("permission_mask", -1) >= 42:
+                    and request.session.get("permission_mask", -1) >= 42:
                return True

        if '|' in encoded:
@ -41,6 +49,18 @@ class CustomNK15Hasher(PBKDF2PasswordHasher):
            return constant_time_compare(hashlib.sha256((salt + password).encode("utf-8")).hexdigest(), db_hashed_pass)
        return super().verify(password, encoded)

+    def safe_summary(self, encoded):
+        # Displayed information in Django Admin.
+        if '|' in encoded:
+            salt, db_hashed_pass = encoded.split('$')[2].split('|')
+            return OrderedDict([
+                (_('algorithm'), 'custom_nk15'),
+                (_('iterations'), '1'),
+                (_('salt'), mask_hash(salt)),
+                (_('hash'), mask_hash(db_hashed_pass)),
+            ])
+        return super().safe_summary(encoded)
+

 class DebugSuperuserBackdoor(PBKDF2PasswordHasher):
    """
@ -51,8 +71,11 @@ class DebugSuperuserBackdoor(PBKDF2PasswordHasher):

    def verify(self, password, encoded):
        if settings.DEBUG:
-            current_user = get_current_authenticated_user()
+            # Small hack to let superusers to impersonate people.
+            # If a superuser is already connected, let him/her log in as another person.
+            request = get_current_request()
+            current_user = request.user
            if current_user is not None and current_user.is_superuser\
-                    and get_current_session().get("permission_mask", -1) >= 42:
+                    and request.session.get("permission_mask", -1) >= 42:
                return True
        return super().verify(password, encoded)
--- a/apps/member/migrations/0003_create_bde_and_kfet.py
+++ b/apps/member/migrations/0003_create_bde_and_kfet.py
@ -7,6 +7,7 @@ def create_bde_and_kfet(apps, schema_editor):
    """
    Club = apps.get_model("member", "club")
    NoteClub = apps.get_model("note", "noteclub")
+    Alias = apps.get_model("note", "alias")
    ContentType = apps.get_model('contenttypes', 'ContentType')
    polymorphic_ctype_id = ContentType.objects.get_for_model(NoteClub).id

@ -18,8 +19,8 @@ def create_bde_and_kfet(apps, schema_editor):
        membership_fee_paid=500,
        membership_fee_unpaid=500,
        membership_duration=396,
-        membership_start="2020-08-01",
-        membership_end="2021-09-30",
+        membership_start="2021-08-01",
+        membership_end="2022-09-30",
    )
    Club.objects.get_or_create(
        id=2,
@ -30,8 +31,8 @@ def create_bde_and_kfet(apps, schema_editor):
        membership_fee_paid=3500,
        membership_fee_unpaid=3500,
        membership_duration=396,
-        membership_start="2020-08-01",
-        membership_end="2021-09-30",
+        membership_start="2021-08-01",
+        membership_end="2022-09-30",
    )

    NoteClub.objects.get_or_create(
@ -45,6 +46,19 @@ def create_bde_and_kfet(apps, schema_editor):
        polymorphic_ctype_id=polymorphic_ctype_id,
    )

+    Alias.objects.get_or_create(
+        id=5,
+        note_id=5,
+        name="BDE",
+        normalized_name="bde",
+    )
+    Alias.objects.get_or_create(
+        id=6,
+        note_id=6,
+        name="Kfet",
+        normalized_name="kfet",
+    )
+

 class Migration(migrations.Migration):
    dependencies = [
--- a/apps/member/migrations/0006_create_note_account_bde_membership.py
+++ b/apps/member/migrations/0006_create_note_account_bde_membership.py
@ -0,0 +1,50 @@
+import sys
+
+from django.db import migrations
+
+
+def give_note_account_permissions(apps, schema_editor):
+    """
+    Automatically manage the membership of the Note account.
+    """
+    User = apps.get_model("auth", "user")
+    Membership = apps.get_model("member", "membership")
+    Role = apps.get_model("permission", "role")
+
+    note = User.objects.filter(username="note")
+    if not note.exists():
+        # We are in a test environment, don't log error message
+        if len(sys.argv) > 1 and sys.argv[1] == 'test':
+            return
+        print("Warning: Note account was not found. The note account was not imported.")
+        print("Make sure you have imported the NK15 database. The new import script handles correctly the permissions.")
+        print("This migration will be ignored, you can re-run it if you forgot the note account or ignore it if you "
+              "don't want this account.")
+        return
+
+    note = note.get()
+
+    # Set for the two clubs a large expiration date and the correct role.
+    for m in Membership.objects.filter(user_id=note.id).all():
+        m.date_end = "3142-12-12"
+        m.roles.set(Role.objects.filter(name="PC Kfet").all())
+        m.save()
+    # By default, the note account is only authorized to be logged from localhost.
+    note.password = "ipbased$127.0.0.1"
+    note.is_active = True
+    note.save()
+    # Ensure that the note of the account is disabled
+    note.note.inactivity_reason = 'forced'
+    note.note.is_active = False
+    note.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('member', '0005_remove_null_tag_on_charfields'),
+        ('permission', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.RunPython(give_note_account_permissions),
+    ]
--- a/apps/member/migrations/0007_auto_20210313_1235.py
+++ b/apps/member/migrations/0007_auto_20210313_1235.py
@ -0,0 +1,23 @@
+# Generated by Django 2.2.19 on 2021-03-13 11:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0006_create_note_account_bde_membership'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='membership',
+            name='roles',
+            field=models.ManyToManyField(related_name='memberships', to='permission.Role', verbose_name='roles'),
+        ),
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2021, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]
--- a/apps/member/migrations/0008_auto_20211005_1544.py
+++ b/apps/member/migrations/0008_auto_20211005_1544.py
@ -0,0 +1,18 @@
+# Generated by Django 2.2.24 on 2021-10-05 13:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0007_auto_20210313_1235'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='department',
+            field=models.CharField(choices=[('A0', 'Informatics (A0)'), ('A1', 'Mathematics (A1)'), ('A2', 'Physics (A2)'), ("A'2", "Applied physics (A'2)"), ("A''2", "Chemistry (A''2)"), ('A3', 'Biology (A3)'), ('B1234', 'SAPHIRE (B1234)'), ('B1', 'Mechanics (B1)'), ('B2', 'Civil engineering (B2)'), ('B3', 'Mechanical engineering (B3)'), ('B4', 'EEA (B4)'), ('C', 'Design (C)'), ('D2', 'Economy-management (D2)'), ('D3', 'Social sciences (D3)'), ('E', 'English (E)'), ('EXT', 'External (EXT)')], max_length=8, verbose_name='department'),
+        ),
+    ]
--- a/apps/member/migrations/0009_auto_20220904_2325.py
+++ b/apps/member/migrations/0009_auto_20220904_2325.py
@ -0,0 +1,18 @@
+# Generated by Django 2.2.26 on 2022-09-04 21:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0008_auto_20211005_1544'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2022, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]
--- a/apps/member/migrations/0010_new_default_year.py
+++ b/apps/member/migrations/0010_new_default_year.py
@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-08-23 21:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0009_auto_20220904_2325'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='profile',
+            name='promotion',
+            field=models.PositiveSmallIntegerField(default=2023, help_text='Year of entry to the school (None if not ENS student)', null=True, verbose_name='promotion'),
+        ),
+    ]
--- a/apps/member/migrations/0011_profile_vss_charter_read.py
+++ b/apps/member/migrations/0011_profile_vss_charter_read.py
@ -0,0 +1,18 @@
+# Generated by Django 2.2.28 on 2023-08-31 09:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('member', '0010_new_default_year'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='profile',
+            name='VSS_charter_read',
+            field=models.BooleanField(default=False, verbose_name='VSS charter read'),
+        ),
+    ]
--- a/apps/member/models.py
+++ b/apps/member/models.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 import datetime
@ -7,7 +7,7 @@ import os
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError
-from django.db import models
+from django.db import models, transaction
 from django.db.models import Q
 from django.template import loader
 from django.urls import reverse, reverse_lazy
@ -28,7 +28,6 @@ class Profile(models.Model):
    We do not want to patch the Django Contrib :model:`auth.User`model;
    so this model add an user profile with additional information.
    """
-
    user = models.OneToOneField(
        settings.AUTH_USER_MODEL,
        on_delete=models.CASCADE,
@ -57,7 +56,7 @@ class Profile(models.Model):
            ('A1', _("Mathematics (A1)")),
            ('A2', _("Physics (A2)")),
            ("A'2", _("Applied physics (A'2)")),
-            ('A''2', _("Chemistry (A''2)")),
+            ("A''2", _("Chemistry (A''2)")),
            ('A3', _("Biology (A3)")),
            ('B1234', _("SAPHIRE (B1234)")),
            ('B1', _("Mechanics (B1)")),
@ -74,7 +73,7 @@ class Profile(models.Model):

    promotion = models.PositiveSmallIntegerField(
        null=True,
-        default=datetime.date.today().year,
+        default=datetime.date.today().year if datetime.date.today().month >= 8 else datetime.date.today().year - 1,
        verbose_name=_("promotion"),
        help_text=_("Year of entry to the school (None if not ENS student)"),
    )
@ -134,6 +133,22 @@ class Profile(models.Model):
        default=False,
    )

+    VSS_charter_read = models.BooleanField(
+        verbose_name=_("VSS charter read"),
+        default=False
+    )
+
+    class Meta:
+        verbose_name = _('user profile')
+        verbose_name_plural = _('user profile')
+        indexes = [models.Index(fields=['user'])]
+
+    def __str__(self):
+        return str(self.user)
+
+    def get_absolute_url(self):
+        return reverse('member:user_detail', args=(self.user_id,))
+
    @property
    def ens_year(self):
        """
@ -158,17 +173,6 @@ class Profile(models.Model):
            return SogeCredit.objects.filter(user=self.user, credit_transaction__isnull=False).exists()
        return False

-    class Meta:
-        verbose_name = _('user profile')
-        verbose_name_plural = _('user profile')
-        indexes = [models.Index(fields=['user'])]
-
-    def get_absolute_url(self):
-        return reverse('member:user_detail', args=(self.user_id,))
-
-    def __str__(self):
-        return str(self.user)
-
    def send_email_validation_link(self):
        subject = "[Note Kfet] " + str(_("Activate your Note Kfet account"))
        token = email_validation_token.make_token(self.user)
@ -200,9 +204,11 @@ class Club(models.Model):
        max_length=255,
        unique=True,
    )
+
    email = models.EmailField(
        verbose_name=_('email'),
    )
+
    parent_club = models.ForeignKey(
        'self',
        null=True,
@ -253,24 +259,14 @@ class Club(models.Model):
        help_text=_('Maximal date of a membership, after which members must renew it.'),
    )

-    def update_membership_dates(self):
-        """
-        This function is called each time the club detail view is displayed.
-        Update the year of the membership dates.
-        """
-        if not self.membership_start:
-            return
+    class Meta:
+        verbose_name = _("club")
+        verbose_name_plural = _("clubs")

-        today = datetime.date.today()
-
-        if (today - self.membership_start).days >= 365:
-            self.membership_start = datetime.date(self.membership_start.year + 1,
-                                                  self.membership_start.month, self.membership_start.day)
-            self.membership_end = datetime.date(self.membership_end.year + 1,
-                                                self.membership_end.month, self.membership_end.day)
-            self._force_save = True
-            self.save(force_update=True)
+    def __str__(self):
+        return self.name

+    @transaction.atomic
    def save(self, force_insert=False, force_update=False, using=None,
             update_fields=None):
        if not self.require_memberships:
@ -281,16 +277,29 @@ class Club(models.Model):
            self.membership_end = None
        super().save(force_insert, force_update, update_fields)

-    class Meta:
-        verbose_name = _("club")
-        verbose_name_plural = _("clubs")
-
-    def __str__(self):
-        return self.name
-
    def get_absolute_url(self):
        return reverse_lazy('member:club_detail', args=(self.pk,))

+    def update_membership_dates(self):
+        """
+        This function is called each time the club detail view is displayed.
+        Update the year of the membership dates.
+        """
+        if not self.membership_start or not self.membership_end:
+            return
+
+        today = datetime.date.today()
+
+        while (today - self.membership_start).days >= 365:
+            if self.membership_start:
+                self.membership_start = datetime.date(self.membership_start.year + 1,
+                                                      self.membership_start.month, self.membership_start.day)
+            if self.membership_end:
+                self.membership_end = datetime.date(self.membership_end.year + 1,
+                                                    self.membership_end.month, self.membership_end.day)
+            self._force_save = True
+            self.save(force_update=True)
+

 class Membership(models.Model):
    """
@ -312,6 +321,7 @@ class Membership(models.Model):

    roles = models.ManyToManyField(
        "permission.Role",
+        related_name="memberships",
        verbose_name=_("roles"),
    )

@ -329,6 +339,66 @@ class Membership(models.Model):
        verbose_name=_('fee'),
    )

+    class Meta:
+        verbose_name = _('membership')
+        verbose_name_plural = _('memberships')
+        indexes = [models.Index(fields=['user'])]
+
+    def __str__(self):
+        return _("Membership of {user} for the club {club}").format(user=self.user.username, club=self.club.name, )
+
+    @transaction.atomic
+    def save(self, *args, **kwargs):
+        """
+        Calculate fee and end date before saving the membership and creating the transaction if needed.
+        """
+        # Ensure that club membership dates are valid
+        old_membership_start = self.club.membership_start
+        self.club.update_membership_dates()
+        if self.club.membership_start != old_membership_start:
+            self.club.save()
+
+        created = not self.pk
+        if not created:
+            for role in self.roles.all():
+                club = role.for_club
+                if club is not None:
+                    if club.pk != self.club_id:
+                        raise ValidationError(_('The role {role} does not apply to the club {club}.')
+                                              .format(role=role.name, club=club.name))
+        else:
+            if Membership.objects.filter(
+                    user=self.user,
+                    club=self.club,
+                    date_start__lte=self.date_start,
+                    date_end__gte=self.date_start,
+            ).exists():
+                raise ValidationError(_('User is already a member of the club'))
+
+            if self.club.parent_club is not None:
+                # Check that the user is already a member of the parent club if the membership is created
+                if not Membership.objects.filter(
+                    user=self.user,
+                    club=self.club.parent_club,
+                    date_start__gte=self.club.parent_club.membership_start,
+                ).exists():
+                    if hasattr(self, '_force_renew_parent') and self._force_renew_parent:
+                        self.renew_parent()
+                    else:
+                        raise ValidationError(_('User is not a member of the parent club')
+                                              + ' ' + self.club.parent_club.name)
+
+            self.fee = self.club.membership_fee_paid if self.user.profile.paid else self.club.membership_fee_unpaid
+
+            self.date_end = self.date_start + datetime.timedelta(days=self.club.membership_duration) \
+                if self.club.membership_duration is not None else self.date_start + datetime.timedelta(days=424242)
+            if self.club.membership_end is not None and self.date_end > self.club.membership_end:
+                self.date_end = self.club.membership_end
+
+        super().save(*args, **kwargs)
+
+        self.make_transaction()
+
    @property
    def valid(self):
        """
@ -406,51 +476,6 @@ class Membership(models.Model):
                parent_membership.roles.set(Role.objects.filter(name="Membre de club").all())
            parent_membership.save()

-    def save(self, *args, **kwargs):
-        """
-        Calculate fee and end date before saving the membership and creating the transaction if needed.
-        """
-        created = not self.pk
-        if not created:
-            for role in self.roles.all():
-                club = role.for_club
-                if club is not None:
-                    if club.pk != self.club_id:
-                        raise ValidationError(_('The role {role} does not apply to the club {club}.')
-                                              .format(role=role.name, club=club.name))
-        else:
-            if Membership.objects.filter(
-                    user=self.user,
-                    club=self.club,
-                    date_start__lte=self.date_start,
-                    date_end__gte=self.date_start,
-            ).exists():
-                raise ValidationError(_('User is already a member of the club'))
-
-            if self.club.parent_club is not None:
-                # Check that the user is already a member of the parent club if the membership is created
-                if not Membership.objects.filter(
-                    user=self.user,
-                    club=self.club.parent_club,
-                    date_start__gte=self.club.parent_club.membership_start,
-                ).exists():
-                    if hasattr(self, '_force_renew_parent') and self._force_renew_parent:
-                        self.renew_parent()
-                    else:
-                        raise ValidationError(_('User is not a member of the parent club')
-                                              + ' ' + self.club.parent_club.name)
-
-            self.fee = self.club.membership_fee_paid if self.user.profile.paid else self.club.membership_fee_unpaid
-
-            self.date_end = self.date_start + datetime.timedelta(days=self.club.membership_duration) \
-                if self.club.membership_duration is not None else self.date_start + datetime.timedelta(days=424242)
-            if self.club.membership_end is not None and self.date_end > self.club.membership_end:
-                self.date_end = self.club.membership_end
-
-        super().save(*args, **kwargs)
-
-        self.make_transaction()
-
    def make_transaction(self):
        """
        Create Membership transaction associated to this membership.
@ -475,19 +500,16 @@ class Membership(models.Model):
                # to treasurers.
                transaction.valid = False
                from treasury.models import SogeCredit
-                soge_credit = SogeCredit.objects.get_or_create(user=self.user)[0]
-                soge_credit.refresh_from_db()
+                if SogeCredit.objects.filter(user=self.user).exists():
+                    soge_credit = SogeCredit.objects.get(user=self.user)
+                else:
+                    soge_credit = SogeCredit(user=self.user)
+                    soge_credit._force_save = True
+                    soge_credit.save(force_insert=True)
+                    soge_credit.refresh_from_db()
                transaction.save(force_insert=True)
                transaction.refresh_from_db()
                soge_credit.transactions.add(transaction)
                soge_credit.save()
            else:
                transaction.save(force_insert=True)
-
-    def __str__(self):
-        return _("Membership of {user} for the club {club}").format(user=self.user.username, club=self.club.name, )
-
-    class Meta:
-        verbose_name = _('membership')
-        verbose_name_plural = _('memberships')
-        indexes = [models.Index(fields=['user'])]
--- a/apps/member/signals.py
+++ b/apps/member/signals.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later


--- a/apps/member/static/member/js/alias.js
+++ b/apps/member/static/member/js/alias.js
@ -14,7 +14,7 @@ function create_alias (e) {
  }).done(function () {
    // Reload table
    $('#alias_table').load(location.pathname + ' #alias_table')
-    addMsg('Alias ajouté', 'success')
+    addMsg(gettext('Alias successfully added'), 'success')
  }).fail(function (xhr, _textStatus, _error) {
    errMsg(xhr.responseJSON)
  })
@ -22,7 +22,7 @@ function create_alias (e) {

 /**
 * On click of "delete", delete the alias
- * @param Integer button_id Alias id to remove
+ * @param button_id:Integer Alias id to remove
 */
 function delete_button (button_id) {
  $.ajax({
@ -30,7 +30,7 @@ function delete_button (button_id) {
    method: 'DELETE',
    headers: { 'X-CSRFTOKEN': CSRF_TOKEN }
  }).done(function () {
-    addMsg('Alias supprimé', 'success')
+    addMsg(gettext('Alias successfully deleted'), 'success')
    $('#alias_table').load(location.pathname + ' #alias_table')
  }).fail(function (xhr, _textStatus, _error) {
    errMsg(xhr.responseJSON)
--- a/apps/member/static/member/js/trust.js
+++ b/apps/member/static/member/js/trust.js
@ -0,0 +1,64 @@
+/**
+ * On form submit, create a new friendship
+ */
+function form_create_trust (e) {
+  // Do not submit HTML form
+  e.preventDefault()
+
+  // Get data and send to API
+  const formData = new FormData(e.target)
+  $.getJSON('/api/note/alias/'+formData.get('trusted') + '/',
+    function (trusted_alias) {
+      if ((trusted_alias.note == formData.get('trusting')))
+      {
+         addMsg(gettext("You can't add yourself as a friend"), "danger")
+         return
+      }
+      create_trust(formData.get('trusting'), trusted_alias.note)
+    }).fail(function (xhr, _textStatus, _error) {
+        errMsg(xhr.responseJSON)
+    })
+}
+
+/**
+ * Create a trust between users
+ * @param trusting:Integer trusting note id
+ * @param trusted:Integer trusted note id
+ */
+function create_trust(trusting, trusted) {
+  $.post('/api/note/trust/', {
+      trusting: trusting,
+      trusted: trusted,
+      csrfmiddlewaretoken: CSRF_TOKEN
+  }).done(function () {
+  // Reload tables
+  $('#trust_table').load(location.pathname + ' #trust_table')
+  $('#trusted_table').load(location.pathname + ' #trusted_table')
+    addMsg(gettext('Friendship successfully added'), 'success')
+  }).fail(function (xhr, _textStatus, _error) {
+    errMsg(xhr.responseJSON)
+  })
+}
+
+/**
+ * On click of "delete", delete the trust
+ * @param button_id:Integer Trust id to remove
+ */
+function delete_button (button_id) {
+  $.ajax({
+    url: '/api/note/trust/' + button_id + '/',
+    method: 'DELETE',
+    headers: { 'X-CSRFTOKEN': CSRF_TOKEN }
+  }).done(function () {
+    addMsg(gettext('Friendship successfully deleted'), 'success')
+    $('#trust_table').load(location.pathname + ' #trust_table')
+    $('#trusted_table').load(location.pathname + ' #trusted_table')
+  }).fail(function (xhr, _textStatus, _error) {
+    errMsg(xhr.responseJSON)
+  })
+}
+
+$(document).ready(function () {
+  // Attach event
+  document.getElementById('form_trust').addEventListener('submit', form_create_trust)
+})
--- a/apps/member/tables.py
+++ b/apps/member/tables.py
@ -1,4 +1,4 @@
-# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

 from datetime import date
@ -9,7 +9,7 @@ from django.utils.translation import gettext_lazy as _
 from django.urls import reverse_lazy
 from django.utils.html import format_html
 from note.templatetags.pretty_money import pretty_money
-from note_kfet.middlewares import get_current_authenticated_user
+from note_kfet.middlewares import get_current_request
 from permission.backends import PermissionBackend

 from .models import Club, Membership
@ -31,7 +31,8 @@ class ClubTable(tables.Table):
        row_attrs = {
            'class': 'table-row',
            'id': lambda record: "row-" + str(record.pk),
-            'data-href': lambda record: record.pk
+            'data-href': lambda record: record.pk,
+            'style': 'cursor:pointer',
        }


@ -43,11 +44,27 @@ class UserTable(tables.Table):

    section = tables.Column(accessor='profile__section')

+    # Override the column to let replace the URL
+    email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
+
    balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))

+    def render_email(self, record, value):
+        # Replace the email by a dash if the user can't see the profile detail
+        # Replace also the URL
+        if not PermissionBackend.check_perm(get_current_request(), "member.view_profile", record.profile):
+            value = "—"
+            record.email = value
+        return value
+
+    def render_section(self, record, value):
+        return value \
+            if PermissionBackend.check_perm(get_current_request(), "member.view_profile", record.profile) \
+            else "—"
+
    def render_balance(self, record, value):
        return pretty_money(value)\
-            if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"
+            if PermissionBackend.check_perm(get_current_request(), "note.view_note", record.note) else "—"

    class Meta:
        attrs = {
@ -58,7 +75,8 @@ class UserTable(tables.Table):
        model = User
        row_attrs = {
            'class': 'table-row',
-            'data-href': lambda record: record.pk
+            'data-href': lambda record: record.pk,
+            'style': 'cursor:pointer',
        }


@ -77,7 +95,7 @@ class MembershipTable(tables.Table):
    def render_user(self, value):
        # If the user has the right, link the displayed user with the page of its detail.
        s = value.username
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
            s = format_html("<a href={url}>{name}</a>",
                            url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)

@ -86,7 +104,7 @@ class MembershipTable(tables.Table):
    def render_club(self, value):
        # If the user has the right, link the displayed club with the page of its detail.
        s = value.name
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_club", value):
+        if PermissionBackend.check_perm(get_current_request(), "member.view_club", value):
            s = format_html("<a href={url}>{name}</a>",
                            url=reverse_lazy('member:club_detail', kwargs={"pk": value.pk}), name=s)

@ -102,7 +120,7 @@ class MembershipTable(tables.Table):
                    club=record.club,
                    user=record.user,
                    date_start__gte=record.club.membership_start,
-                    date_end__lte=record.club.membership_end,
+                    date_end__lte=record.club.membership_end or date(9999, 12, 31),
            ).exists():  # If the renew is not yet performed
                empty_membership = Membership(
                    club=record.club,
@ -111,8 +129,8 @@ class MembershipTable(tables.Table):
                    date_end=date.today(),
                    fee=0,
                )
-                if PermissionBackend.check_perm(get_current_authenticated_user(),
-                                                "member:add_membership", empty_membership):  # If the user has right
+                if PermissionBackend.check_perm(get_current_request(),
+                                                "member.add_membership", empty_membership):  # If the user has right
                    renew_url = reverse_lazy('member:club_renew_membership',
                                             kwargs={"pk": record.pk})
                    t = format_html(
@ -126,7 +144,7 @@ class MembershipTable(tables.Table):
        # If the user has the right to manage the roles, display the link to manage them
        roles = record.roles.all()
        s = ", ".join(str(role) for role in roles)
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "member.change_membership_roles", record):
+        if PermissionBackend.check_perm(get_current_request(), "member.change_membership_roles", record):
            s = format_html("<a href='" + str(reverse_lazy("member:club_manage_roles", kwargs={"pk": record.pk}))
                            + "'>" + s + "</a>")
        return s
@ -149,7 +167,7 @@ class ClubManagerTable(tables.Table):
    def render_user(self, value):
        # If the user has the right, link the displayed user with the page of its detail.
        s = value.username
-        if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
+        if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
            s = format_html("<a href={url}>{name}</a>",
                            url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)

--- a/apps/member/templates/member/add_members.html
+++ b/apps/member/templates/member/add_members.html
@ -13,15 +13,29 @@ SPDX-License-Identifier: GPL-3.0-or-later
        {% if additional_fee_renewal %}
        <div class="alert alert-warning">
            {% if renewal %}
-            {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
-            The user is not a member of the club·s {{ clubs }}. An additional fee of {{ pretty_fee }}
-            will be charged to renew automatically the membership in this/these club·s.
-            {% endblocktrans %}
+                {% if club.name == "Kfet" %} {# Auto-renewal #}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                    The user is not a member of the club·s {{ clubs }}. An additional fee of {{ pretty_fee }}
+                    will be charged to renew automatically the membership in this/these club·s.
+                    {% endblocktrans %}
+                {% else %}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                        The user is not a member of the club·s {{ clubs }}. Please create the required memberships,
+                        otherwise it will fail.
+                    {% endblocktrans %}
+                {% endif %}
            {% else %}
-            {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
-            This club has parents {{ clubs }}. An additional fee of {{ pretty_fee }}
-            will be charged to adhere automatically to this/these club·s.
-            {% endblocktrans %}
+                {% if club.name == "Kfet" %}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                    This club has parents {{ clubs }}. An additional fee of {{ pretty_fee }}
+                    will be charged to adhere automatically to this/these club·s.
+                    {% endblocktrans %}
+                {% else %}
+                    {% blocktrans trimmed with clubs=clubs_renewal|join:", " pretty_fee=additional_fee_renewal|pretty_money %}
+                        This club has parents {{ clubs }}. Please make sure that the user is a member of this or these club·s,
+                        otherwise the creation of this membership will fail.
+                    {% endblocktrans %}
+                {% endif %}
            {% endif %}
        </div>
        {% endif %}
--- a/apps/member/templates/member/includes/club_info.html
+++ b/apps/member/templates/member/includes/club_info.html
@ -48,7 +48,7 @@
    <dd class="col-xl-6">
        <a class="badge badge-secondary" href="{% url 'member:club_alias' club.pk %}">
            <i class="fa fa-edit"></i>
-            {% trans 'Manage aliases' %} ({{ club.note.alias_set.all|length }})
+            {% trans 'Manage aliases' %} ({{ club.note.alias.all|length }})
        </a>
    </dd>

--- a/apps/member/templates/member/includes/profile_info.html
+++ b/apps/member/templates/member/includes/profile_info.html
@ -21,33 +21,43 @@
    <dd class="col-xl-6">
        <a class="badge badge-secondary" href="{% url 'member:user_alias' user_object.pk %}">
            <i class="fa fa-edit"></i>
-            {% trans 'Manage aliases' %} ({{ user_object.note.alias_set.all|length }})
+            {% trans 'Manage aliases' %} ({{ user_object.note.alias.all|length }})
        </a>
    </dd>

-    <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
-
-    <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
-
-    <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
-    <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
+    <dt class="col-xl-6">{% trans 'friendships'|capfirst %}</dt>
+    <dd class="col-xl-6">
+        <a class="badge badge-secondary" href="{% url 'member:user_trust' user_object.pk %}">
+            <i class="fa fa-edit"></i>
+            {% trans 'Manage friendships' %} ({{ user_object.note.trusting.all|length }})
+        </a>
    </dd>

-    <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
+    {% if "member.view_profile"|has_perm:user_object.profile %}
+        <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.section }}</dd>

-    {% if "note.view_note"|has_perm:user_object.note %}
-    <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
+        <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
+        <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>

-    <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
-    <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+        <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
+        <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
+        </dd>
+
+        <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
+
+        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+    {% endif %}
+
+    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
+        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
+        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
    {% endif %}
 </dl>

-{% if user_object.pk == user_object.pk %}
+{% if user_object.pk == user.pk %}
    <div class="text-center">
        <a class="small badge badge-secondary" href="{% url 'member:auth_token' %}">
            <i class="fa fa-cogs"></i>{% trans 'API token' %}
--- a/apps/member/templates/member/manage_auth_tokens.html
+++ b/apps/member/templates/member/manage_auth_tokens.html
@ -5,32 +5,98 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% load i18n %}

 {% block content %}
-<div class="alert alert-info">
-    <h4>À quoi sert un jeton d'authentification ?</h4>
+<div class="row mt-4">
+    <div class="col-xl-6">
+        <div class="card">
+            <div class="card-header text-center">
+                <h3>{% trans "Token authentication" %}</h3>
+            </div>
+            <div class="card-body">
+                <div class="alert alert-info">
+                    <h4>À quoi sert un jeton d'authentification ?</h4>

-    Un jeton vous permet de vous connecter à <a href="/api/">l'API de la Note Kfet</a>.<br />
-    Il suffit pour cela d'ajouter en en-tête de vos requêtes <code>Authorization: Token &lt;TOKEN&gt;</code>
-    pour pouvoir vous identifier.<br /><br />
+                    Un jeton vous permet de vous connecter à <a href="/api/">l'API de la Note Kfet</a> via votre propre compte
+                    depuis un client externe.<br />
+                    Il suffit pour cela d'ajouter en en-tête de vos requêtes <code>Authorization: Token &lt;TOKEN&gt;</code>
+                    pour pouvoir vous identifier.<br /><br />

-    Une documentation de l'API arrivera ultérieurement.
+                    La documentation de l'API est disponible ici :
+                    <a href="/doc/api/">{{ request.scheme }}://{{ request.get_host }}/doc/api/</a>.
+                </div>
+
+                <div class="alert alert-info">
+                    <strong>{%trans  'Token' %} :</strong>
+                    {% if 'show' in request.GET %}
+                    {{ token.key }} (<a href="?">cacher</a>)
+                    {% else %}
+                    <em>caché</em> (<a href="?show">montrer</a>)
+                    {% endif %}
+                    <br />
+                    <strong>{%trans  'Created' %} :</strong> {{ token.created }}
+                </div>
+
+                <div class="alert alert-warning">
+                    <strong>{% trans "Warning" %} :</strong> regénérer le jeton va révoquer tout accès autorisé à l'API via ce jeton !
+                </div>
+            </div>
+            <div class="card-footer text-center">
+                <a href="?regenerate">
+                    <button class="btn btn-primary">{% trans 'Regenerate token' %}</button>
+                </a>
+            </div>
+        </div>
+    </div>
+
+    <div class="col-xl-6">
+        <div class="card">
+            <div class="card-header text-center">
+                <h3>{% trans "OAuth2 authentication" %}</h3>
+            </div>
+            <div class="card-header">
+                <div class="alert alert-info">
+                    <p>
+                        La Note Kfet implémente également le protocole <a href="https://oauth.net/2/">OAuth2</a>, afin de
+                        permettre à des applications tierces d'interagir avec la Note en récoltant des informations
+                        (de connexion par exemple) voir en permettant des modifications à distance, par exemple lorsqu'il
+                        s'agit d'avoir un site marchand sur lequel faire des transactions via la Note Kfet.
+                    </p>
+
+                    <p>
+                        L'usage de ce protocole est recommandé pour tout usage non personnel, car permet de mieux cibler
+                        les droits dont on a besoin, en restreignant leur usage par jeton généré.
+                    </p>
+
+                    <p>
+                        La documentation vis-à-vis de l'usage de ce protocole est disponible ici :
+                        <a href="/doc/external_services/oauth2/">{{ request.scheme }}://{{ request.get_host }}/doc/external_services/oauth2/</a>.
+                    </p>
+                </div>
+
+                Liste des URL à communiquer à votre application :
+
+                <ul>
+                    <li>
+                        {% trans "Authorization:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:authorize' %}</a>
+                    </li>
+                    <li>
+                        {% trans "Token:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:token' %}</a>
+                    </li>
+                    <li>
+                        {% trans "Revoke Token:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:revoke-token' %}</a>
+                    </li>
+                    <li>
+                        {% trans "Introspect Token:" %}
+                        <a href="{% url 'oauth2_provider:authorize' %}">{{ request.scheme }}://{{ request.get_host }}{% url 'oauth2_provider:introspect' %}</a>
+                    </li>
+                </ul>
+            </div>
+            <div class="card-footer text-center">
+                <a class="btn btn-primary" href="{% url 'oauth2_provider:list' %}">{% trans "Show my applications" %}</a>
+            </div>
+        </div>
+    </div>
 </div>
-
-<div class="alert alert-info">
-    <strong>{%trans  'Token' %} :</strong>
-    {% if 'show' in request.GET %}
-    {{ token.key }} (<a href="?">cacher</a>)
-    {% else %}
-    <em>caché</em> (<a href="?show">montrer</a>)
-    {% endif %}
-    <br />
-    <strong>{%trans  'Created' %} :</strong> {{ token.created }}
-</div>
-
-<div class="alert alert-warning">
-    <strong>Attention :</strong> regénérer le jeton va révoquer tout accès autorisé à l'API via ce jeton !
-</div>
-
-<a href="?regenerate">
-    <button class="btn btn-primary">{% trans 'Regenerate token' %}</button>
-</a>
 {% endblock %}
--- a/apps/member/templates/member/profile_trust.html
+++ b/apps/member/templates/member/profile_trust.html
@ -0,0 +1,48 @@
+{% extends "member/base.html" %}
+{% comment %}
+SPDX-License-Identifier: GPL-3.0-or-later
+{% endcomment %}
+{% load static django_tables2 i18n %}
+
+{% block profile_content %}
+<div class="card bg-light mb-3">
+    <h3 class="card-header text-center">
+        {% trans "Add friends" %}
+    </h3>
+    <div class="card-body">
+        {% if can_create %}
+            <form class="input-group" method="POST" id="form_trust">
+                {% csrf_token %}
+                <input type="hidden" name="trusting" value="{{ object.note.pk }}">
+                {%include "autocomplete_model.html" %}
+                <div class="input-group-append">
+                    <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
+                </div>
+            </form>
+        {% endif %}
+    </div>
+    {% render_table trusting %}
+</div>
+
+<div class="alert alert-warning card mb-3">
+    {% blocktrans trimmed %}
+        Adding someone as a friend enables them to initiate transactions coming
+        from your account (while keeping your balance positive). This is
+        designed to simplify using note kfet transfers to transfer money between
+        users. The intent is that one person can make all transfers for a group of
+        friends without needing additional rights among them.
+    {% endblocktrans %}
+</div>
+
+<div class="card bg-light mb-3">
+    <h3 class="card-header text-center">
+        {% trans "People having you as a friend" %}
+    </h3>
+    {% render_table trusted_by %}
+</div>
+{% endblock %}
+
+{% block extrajavascript %}
+<script src="{% static "member/js/trust.js" %}"></script>
+<script src="{% static "js/autocomplete_model.js" %}"></script>
+{% endblock%}
--- a/apps/member/templates/member/user_list.html
+++ b/apps/member/templates/member/user_list.html
@ -5,7 +5,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% load i18n perms %}

 {% block content %}
-{% if "member.change_profile_registration_valid"|has_perm:user %}
+{% if can_manage_registrations %}
 <a class="btn btn-block btn-secondary mb-3" href="{% url 'registration:future_user_list' %}">
    <i class="fa fa-user-plus"></i> {% trans "Registrations" %}
 </a>
--- a/Show More
+++ b/Show More