multiline support for RSA key in env

.env_example

@@ -21,3 +21,6 @@ EMAIL_PASSWORD=CHANGE_ME
 # Wiki configuration
 WIKI_USER=NoteKfet2020
 WIKI_PASSWORD=
+
+# OIDC
+OIDC_RSA_PRIVATE_KEY=CHANGE_ME

README.md

@@ -61,8 +61,8 @@ Bien que cela permette de créer une instance sur toutes les distributions,
 6. (Optionnel) **Création d'une clé privée OpenID Connect**
 
 Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
-exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et copier la clé dans .env dans le champ
-emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
+`OIDC_RSA_PRIVATE_KEY`.
 
 7.  Enjoy :
 
@@ -237,8 +237,8 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
 7. **Création d'une clé privée OpenID Connect**
 
 Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
-exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner le champ
-emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
+`OIDC_RSA_PRIVATE_KEY` dans le .env (par défaut `/var/secrets/oidc.key`).
 
 8.  *Enjoy \o/*
 

apps/activity/migrations/0007_alter_guest_activity.py

@@ -1,19 +0,0 @@
-# Generated by Django 4.2.20 on 2025-05-08 19:07
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('activity', '0006_guest_school'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='guest',
-            name='activity',
-            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='+', to='activity.activity'),
-        ),
-    ]

apps/activity/models.py

@@ -234,7 +234,7 @@ class Guest(models.Model):
     """
     activity = models.ForeignKey(
         Activity,
-        on_delete=models.CASCADE,
+        on_delete=models.PROTECT,
         related_name='+',
     )
 

apps/activity/templates/activity/activity_detail.html

@@ -95,23 +95,5 @@ SPDX-License-Identifier: GPL-3.0-or-later
             errMsg(xhr.responseJSON);
         });
     });
-    $("#delete_activity").click(function () {
-        if (!confirm("{% trans 'Are you sure you want to delete this activity?' %}")) {
-            return;
-        }
-
-        $.ajax({
-            url: "/api/activity/activity/{{ activity.pk }}/",
-            type: "DELETE",
-            headers: {
-                "X-CSRFTOKEN": CSRF_TOKEN
-            }
-        }).done(function () {
-            addMsg("{% trans 'Activity deleted' %}", "success");
-            window.location.href = "/activity/";  // Redirige vers la liste des activités
-        }).fail(function (xhr) {
-            errMsg(xhr.responseJSON);
-        });
-    });
 </script>
 {% endblock %}

apps/activity/templates/activity/activity_entry.html

@@ -38,7 +38,6 @@ SPDX-License-Identifier: GPL-3.0-or-later
 </a>
 
 <input id="alias" type="text" class="form-control" placeholder="Nom/note ...">
-<button id="trigger" class="btn btn-secondary">Click me !</button>
 
 <hr>
 
@@ -64,46 +63,15 @@ SPDX-License-Identifier: GPL-3.0-or-later
         refreshBalance();
     }
 
-    function process_qrcode() {
-        let name = alias_obj.val();
-        $.get("/api/note/note?search=" + name + "&format=json").done(
-            function (res) {
-                let note = res.results[0];
-                $.post("/api/activity/entry/?format=json", {
-                    csrfmiddlewaretoken: CSRF_TOKEN,
-                    activity: {{ activity.id }},
-                    note: note.id,
-                    guest: null
-                }).done(function () {
-                    addMsg(interpolate(gettext(
-                        "Entry made for %s whose balance is %s €"),
-                        [note.name, note.balance / 100]), "success", 4000);
-                    reloadTable(true);
-                }).fail(function (xhr) {
-                    errMsg(xhr.responseJSON, 4000);
-                });
-            }).fail(function (xhr) {
-                errMsg(xhr.responseJSON, 4000);
-            });
-    }
-
     alias_obj.keyup(function(event) {
         let code = event.originalEvent.keyCode
         if (65 <= code <= 122 || code === 13) {
             debounce(reloadTable)()
         }
-        if (code === 0)
-            process_qrcode();
     });
 
     $(document).ready(init);
 
-    alias_obj2 = document.getElementById("alias");
-    $("#trigger").click(function (e) {
-        addMsg("Clicked", "success", 1000);
-        alias_obj.val(alias_obj.val() + "\0");
-        alias_obj2.dispatchEvent(new KeyboardEvent('keyup'));
-    })
     function init() {
         $(".table-row").click(function (e) {
             let target = e.target.parentElement;
@@ -200,4 +168,4 @@ SPDX-License-Identifier: GPL-3.0-or-later
         });
     }
 </script>
-{% endblock %}
+{% endblock %}

apps/activity/templates/activity/includes/activity_info.html

@@ -70,10 +70,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
             {% if ".change_"|has_perm:activity %}
                 <a class="btn btn-primary btn-sm my-1" href="{% url 'activity:activity_update' pk=activity.pk %}" data-turbolinks="false"> {% trans "edit"|capfirst %}</a>
             {% endif %}
-            {% if not activity.valid and ".delete_"|has_perm:activity %}
+            {% if activity.activity_type.can_invite and not activity_started %}
-                <a class="btn btn-danger btn-sm my-1" id="delete_activity"> {% trans "delete"|capfirst %} </a>
-            {% endif %}
-            {% if activity.activity_type.can_invite and not activity_started and activity.valid %}
                 <a class="btn btn-primary btn-sm my-1" href="{% url 'activity:activity_invite' pk=activity.pk %}" data-turbolinks="false"> {% trans "Invite" %}</a>
             {% endif %}
         {% endif %}

apps/activity/urls.py

@@ -15,5 +15,4 @@ urlpatterns = [
     path('<int:pk>/update/', views.ActivityUpdateView.as_view(), name='activity_update'),
     path('new/', views.ActivityCreateView.as_view(), name='activity_create'),
     path('calendar.ics', views.CalendarView.as_view(), name='calendar_ics'),
-    path('<int:pk>/delete', views.ActivityDeleteView.as_view(), name='delete_activity'),
 ]

apps/activity/views.py

@@ -9,7 +9,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import F, Q
-from django.http import HttpResponse, JsonResponse
+from django.http import HttpResponse
 from django.urls import reverse_lazy
 from django.utils import timezone
 from django.utils.decorators import method_decorator
@@ -153,34 +153,6 @@ class ActivityUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         return reverse_lazy('activity:activity_detail', kwargs={"pk": self.kwargs["pk"]})
 
 
-class ActivityDeleteView(View):
-    """
-    Deletes an Activity
-    """
-    def delete(self, request, pk):
-        try:
-            activity = Activity.objects.get(pk=pk)
-            activity.delete()
-            return JsonResponse({"message": "Activity deleted"})
-        except Activity.DoesNotExist:
-            return JsonResponse({"error": "Activity not found"}, status=404)
-
-    def dispatch(self, *args, **kwargs):
-        """
-        Don't display the delete button if the user has no right to delete.
-        """
-        if not self.request.user.is_authenticated:
-            return self.handle_no_permission()
-
-        activity = Activity.objects.get(pk=self.kwargs["pk"])
-        if not PermissionBackend.check_perm(self.request, "activity.delete_activity", activity):
-            raise PermissionDenied(_("You are not allowed to delete this activity."))
-
-        if activity.valid:
-            raise PermissionDenied(_("This activity is valid."))
-        return super().dispatch(*args, **kwargs)
-
-
 class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
     """
     Invite a Guest, The rules to invites someone are defined in `forms:activity.GuestForm`

apps/food/views.py

@@ -169,8 +169,7 @@ class BasicFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     template_name = "food/food_update.html"
 
     def get_sample_object(self):
-        # We choose a club which may work or BDE else
+        return BasicFood(
-        food = BasicFood(
             name="",
             owner_id=1,
             expiry_date=timezone.now(),
@@ -179,14 +178,6 @@ class BasicFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
             date_type='DLC',
         )
 
-        for membership in self.request.user.memberships.all():
-            club_id = membership.club.id
-            food.owner_id = club_id
-            if PermissionBackend.check_perm(self.request, "food.add_basicfood", food):
-                return food
-
-        return food
-
     @transaction.atomic
     def form_valid(self, form):
         if QRCode.objects.filter(qr_code_number=self.kwargs['slug']).count() > 0:
@@ -237,22 +228,13 @@ class TransformedFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
     template_name = "food/food_update.html"
 
     def get_sample_object(self):
-        # We choose a club which may work or BDE else
+        return TransformedFood(
-        food = TransformedFood(
             name="",
             owner_id=1,
             expiry_date=timezone.now(),
             is_ready=True,
         )
 
-        for membership in self.request.user.memberships.all():
-            club_id = membership.club.id
-            food.owner_id = club_id
-            if PermissionBackend.check_perm(self.request, "food.add_transformedfood", food):
-                return food
-
-        return food
-
     @transaction.atomic
     def form_valid(self, form):
         form.instance.expiry_date = timezone.now() + timedelta(days=3)
@@ -264,10 +246,10 @@ class TransformedFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
         return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk})
 
 
-MAX_FORMS = 100
+MAX_FORMS = 10
 
 
-class ManageIngredientsView(LoginRequiredMixin, UpdateView):
+class ManageIngredientsView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
     """
     A view to manage ingredient for a transformed food
     """
@@ -298,14 +280,6 @@ class ManageIngredientsView(LoginRequiredMixin, UpdateView):
                     ingredient.end_of_life = _('Fully used in {meal}'.format(
                         meal=self.object.name))
                     ingredient.save()
-        # We recalculate new expiry date and allergens
-        self.object.expiry_date = self.object.creation_date + self.object.shelf_life
-        self.object.allergens.clear()
-
-        for ingredient in self.object.ingredients.iterator():
-            if not (ingredient.polymorphic_ctype.model == 'basicfood' and ingredient.date_type == 'DDM'):
-                self.object.expiry_date = min(self.object.expiry_date, ingredient.expiry_date)
-            self.object.allergens.set(self.object.allergens.union(ingredient.allergens.all()))
 
         self.object.save(old_ingredients=old_ingredients, old_allergens=old_allergens)
         return HttpResponseRedirect(self.get_success_url())

apps/member/migrations/0014_create_bda.py

@@ -1,46 +0,0 @@
-from django.db import migrations
-
-def create_bda(apps, schema_editor):
-    """
-    The club BDA is now pre-injected.
-    """
-    Club = apps.get_model("member", "club")
-    NoteClub = apps.get_model("note", "noteclub")
-    Alias = apps.get_model("note", "alias")
-    ContentType = apps.get_model('contenttypes', 'ContentType')
-    polymorphic_ctype_id = ContentType.objects.get_for_model(NoteClub).id
-    
-    Club.objects.get_or_create(
-        id=10,
-        name="BDA",
-        email="bda.ensparissaclay@gmail.com",
-        require_memberships=True,
-        membership_fee_paid=750,
-        membership_fee_unpaid=750,
-        membership_duration=396,
-        membership_start="2024-08-01",
-        membership_end="2025-09-30",
-    )
-    NoteClub.objects.get_or_create(
-        id=1937,
-        club_id=10,
-        polymorphic_ctype_id=polymorphic_ctype_id,
-    )
-    Alias.objects.get_or_create(
-        id=1937,
-        note_id=1937,
-        name="BDA",
-        normalized_name="bda",
-    )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('member', '0013_auto_20240801_1436'),
-    ]
-    
-    operations = [
-        migrations.RunPython(create_bda),
-    ]
-

apps/member/templates/member/includes/profile_info.html

@@ -60,10 +60,7 @@
 {% if user_object.pk == user.pk %}
     <div class="text-center">
         <a class="small badge badge-secondary" href="{% url 'member:auth_token' %}">
-            <i class="fa fa-cogs"></i>&nbsp;{% trans 'API token' %}
+            <i class="fa fa-cogs"></i>{% trans 'API token' %}
-        </a>
-        <a class="small badge badge-secondary" href="{% url 'member:qr_code' user_object.pk %}">
-            <i class="fa fa-qrcode"></i>&nbsp;{% trans 'QR Code' %}
         </a>
     </div>
 {% endif %}

apps/member/templates/member/qr_code.html

@@ -1,36 +0,0 @@
-{% extends "base.html" %}
-{% comment %}
-SPDX-License-Identifier: GPL-3.0-or-later
-{% endcomment %}
-{% load i18n %}
-
-{% block content %}
-<div class="card bg-light">
-  	<h3 class="card-header text-center">
-		{% trans "QR Code for" %} {{ user_object.username }} ({{ user_object.first_name }} {{user_object.last_name }})
-  	</h3>
-  	<div class="text-center" id="qrcode">
-  	</div>
-</div>
-
-
-{% endblock %}
-
-{% block extrajavascript %}
-<script src="https://cdnjs.cloudflare.com/ajax/libs/qrcodejs/1.0.0/qrcode.min.js" integrity="sha512-CNgIRecGo7nphbeZ04Sc13ka07paqdeTu0WR1IM4kNcpmBAUSHSQX0FslNhTDadL4O5SAGapGt4FodqL8My0mA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-<script>
-	var qrc = new QRCode(document.getElementById("qrcode"), {
-		text: "{{ user_object.pk }}\0",
-		width: 1024,
-		height: 1024
-	});
-</script>
-{% endblock %}
-
-{% block extracss %}
-<style>
-img {
-    width: 100%
-}
-</style>
-{% endblock %}

apps/member/urls.py

@@ -25,5 +25,4 @@ urlpatterns = [
     path('user/<int:pk>/aliases/', views.ProfileAliasView.as_view(), name="user_alias"),
     path('user/<int:pk>/trust', views.ProfileTrustView.as_view(), name="user_trust"),
     path('manage-auth-token/', views.ManageAuthTokens.as_view(), name='auth_token'),
-    path('user/<int:pk>/qr_code/', views.QRCodeView.as_view(), name='qr_code'),
 ]

apps/member/views.py

@@ -402,14 +402,6 @@ class ManageAuthTokens(LoginRequiredMixin, TemplateView):
         context['token'] = Token.objects.get_or_create(user=self.request.user)[0]
         return context
 
-class QRCodeView(LoginRequiredMixin, DetailView):
-    """
-    Affiche le QR Code
-    """
-    model = User
-    context_object_name = "user_object"
-    template_name = "member/qr_code.html"
-    extra_context = {"title": _("QR Code")}
 
 # ******************************* #
 #              CLUB               #

apps/permission/fixtures/initial.json

@@ -4091,8 +4091,8 @@
                 158,
                 159,
                 160,
-                212,
+		212,
-                222
+		222
             ]
         }
     },
@@ -4133,14 +4133,14 @@
                 50,
                 141,
                 169,
-                217,
+		217,
-                218,
+		218,
-                219,
+		219,
-                220,
+		220,
-                221,
+		221,
-                247,
+		247,
-                258,
+		258,
-                259
+		259
             ]
         }
     },
@@ -4152,8 +4152,8 @@
             "name": "Pr\u00e9sident\u22c5e de club",
             "permissions": [
                 62,
-                135,
+                142,
-                142
+                135
             ]
         }
     },
@@ -4538,8 +4538,8 @@
             "name": "GC anti-VSS",
             "permissions": [
                 42,
-                135,
+		135,
-                150,
+		150,
                 163,
                 164
             ]
@@ -4555,140 +4555,13 @@
                 137,
                 211,
                 212,
-                213,
+		213,
-                214,
+		214,
-                215,
+		215,
-                216
+		216
             ]
         }
     },  
-    {
-        "model": "permission.role",
-        "pk": 23,
-            "fields": {
-            "for_club": 2,
-            "name": "Darbonne",
-            "permissions": [
-                30,
-                31,
-                32
-            ]
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 24,
-            "fields": {
-            "for_club": null,
-            "name": "Staffeur⋅euse (S&L,Respo Tech,...)",
-            "permissions": []
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 25,
-            "fields": {
-            "for_club": null,
-            "name": "Référent⋅e Bus",
-            "permissions": [
-                22,
-                84,
-                115,
-                117,
-                118,
-                119,
-                120,
-                121,
-                122
-            ]
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 28,
-            "fields": {
-            "for_club": 10,
-            "name": "Trésorièr⸱e BDA",
-            "permissions": [
-                55,
-                56,
-                57,
-                58,
-                135,
-                143,
-                176,
-                177,
-                178,
-                243,
-                260,
-                261,
-                262,
-                263,
-                264,
-                265,
-                266,
-                267,
-                268,
-                269
-            ]
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 30,
-            "fields": {
-            "for_club": 10,
-            "name": "Respo sorties",
-            "permissions": [
-                49, 
-                62, 
-                141, 
-                241, 
-                242, 
-                243
-            ]
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 31,
-            "fields": {
-            "for_club": 1,
-            "name": "Respo comm",
-            "permissions": [
-                135,
-                244
-            ]
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 32,
-            "fields": {
-            "for_club": 10,
-            "name": "Respo comm Art",
-            "permissions": [
-                135,
-                245
-            ]
-        }
-    }, 
-    {
-        "model": "permission.role",
-        "pk": 33,
-            "fields": {
-            "for_club": 10,
-            "name": "Respo Jam",
-            "permissions": [
-                247, 
-                250, 
-                251, 
-                252, 
-                253, 
-                254
-            ]
-        }
-    }, 
     {
         "model": "wei.weirole",
         "pk": 12,
@@ -4723,15 +4596,5 @@
         "model": "wei.weirole",
         "pk": 18,
         "fields": {}
-    },
-    {
-        "model": "wei.weirole",
-        "pk": 24,
-        "fields": {}
-    },
-    {
-        "model": "wei.weirole",
-        "pk": 25,
-        "fields": {}
     }
 ]

apps/permission/scopes.py

@@ -1,5 +1,6 @@
 # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import BaseScopes
 from member.models import Club
@@ -18,21 +19,27 @@ class PermissionScopes(BaseScopes):
     """
 
     def get_all_scopes(self):
-        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                for p in Permission.objects.all() for club in Club.objects.all()}
+                  for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes['openid'] = "OpenID Connect"
+        return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
+        scopes = [f"{p.id}_{p.membership.club.id}"
-                for t in Permission.PERMISSION_TYPES
+                  for t in Permission.PERMISSION_TYPES
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+                  for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes.append('openid')
+        return scopes
 
     def get_default_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
+        scopes = [f"{p.id}_{p.membership.club.id}"
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+        scopes.append('openid')
+        return scopes
 
 
 class PermissionOAuth2Validator(OAuth2Validator):
@@ -49,6 +56,10 @@ class PermissionOAuth2Validator(OAuth2Validator):
             "email": request.user.email,
         }
 
+    def get_discovery_claims(self, request):
+        claims = super().get_discovery_claims(self)
+        return claims + ["name", "normalized_name", "email"]
+
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
         User can request as many scope as he wants, including invalid scopes,
@@ -66,6 +77,8 @@ class PermissionOAuth2Validator(OAuth2Validator):
                 if scope in scopes:
                     valid_scopes.add(scope)
 
-        request.scopes = valid_scopes
+        if 'openid' in scopes:
+            valid_scopes.add('openid')
 
+        request.scopes = valid_scopes
         return valid_scopes

apps/permission/signals.py

@@ -19,6 +19,7 @@ EXCLUDED = [
     'oauth2_provider.accesstoken',
     'oauth2_provider.grant',
     'oauth2_provider.refreshtoken',
+    'oauth2_provider.idtoken',
     'sessions.session',
 ]
 

apps/permission/views.py

@@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
             available_scopes = scopes.get_available_scopes(app)
             context["scopes"][app] = OrderedDict()
             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
-            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
             for k, v in items:
                 context["scopes"][app][k] = v
 

note_kfet/settings/base.py

@@ -270,7 +270,7 @@ OAUTH2_PROVIDER = {
     'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
     'OIDC_ENABLED': True,
     'OIDC_RSA_PRIVATE_KEY':
-        os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'),
+        os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines
     'SCOPES': { 'openid': "OpenID Connect scope" },
 }