yverdon · AlexandreJunod · Feb 28, 2024 · Mar 11, 2024 · Mar 12, 2024 · Mar 13, 2024
diff --git a/README.md b/README.md
@@ -15,8 +15,6 @@ git clone [email protected]:yverdon/geocity.git && cd geocity
 cp -n .env.example .env
 # start the stack
 docker-compose up --build -d --remove-orphans
-# run the migrations
-docker-compose run web scripts/migrate.sh
 ```
 
 **Load demo data**

diff --git a/geocity/apps/accounts/admin.py b/geocity/apps/accounts/admin.py
@@ -1,6 +1,7 @@
 from django import forms
 from django.conf import settings
 from django.contrib import admin, messages
+from django.contrib.auth.admin import GroupAdmin as BaseGroupAdmin
 from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
 from django.contrib.auth.forms import UserChangeForm
 from django.contrib.auth.models import Group, Permission, User
@@ -515,7 +516,7 @@ def formfield_for_foreignkey(self, db_field, request, **kwargs):
         return super().formfield_for_foreignkey(db_field, request, **kwargs)
 
 
-class GroupAdmin(admin.ModelAdmin):
+class GroupAdmin(BaseGroupAdmin):
     inlines = (PermitDepartmentInline, UserInline)
     form = GroupAdminForm
     list_display = [

diff --git a/geocity/apps/api/serializers.py b/geocity/apps/api/serializers.py
@@ -4,6 +4,7 @@
 
 from django.contrib.gis.geos import GEOSGeometry
 from django.db.models import Max, Min, Q
+from django.urls import reverse
 from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework_gis import serializers as gis_serializers
@@ -159,15 +160,21 @@ def get_form_fields(
                     f'{field["form__name"]} ({field["form__category__name"]})'
                 )
 
-                fields_dict[field["form__api_name"]] = {
-                    # Put the title
-                    "title": {
-                        "form": field["form__name"],
-                        "category": field["form__category__name"],
-                        "form_category": form_category,
-                    },
-                    "fields": {
-                        field["field_values__field__api_name"]: {
+                if not field["form__api_name"] in fields_dict:
+                    fields_dict[field["form__api_name"]] = {
+                        "title": {
+                            "form": field["form__name"],
+                            "category": field["form__category__name"],
+                            "form_category": form_category,
+                        },
+                        "fields": {},
+                    }
+
+                if field["field_values__field__name"]:
+                    fields_dict[field["form__api_name"]]["fields"][
+                        field["field_values__field__api_name"]
+                    ] = (
+                        {
                             "name": field["field_values__field__name"],
                             "value": get_field_value_based_on_field(field).url,
                         }
@@ -178,11 +185,8 @@ def get_form_fields(
                             "name": field["field_values__field__name"],
                             "value": field["field_values__value__val"],
                         }
-                        for field in form_fields
-                        if field["form_id"] == field["form_id"]
-                        and field["field_values__field__name"]
-                    },
-                }
+                    )
+
     return fields_dict
 
 
@@ -924,7 +928,6 @@ def get_agenda_form_fields(value, detailed, available_filters):
     if "poster" in result["properties"]:
         # _, used to remove permit_requests_uploads/ without using a replace. May change in the future, if it's removed from stored path
         _, submission_id, image_name = result["properties"]["poster"].split("/")
-        from django.urls import reverse
 
         src = Submission.get_absolute_url(
             reverse(

diff --git a/geocity/apps/api/views.py b/geocity/apps/api/views.py
@@ -528,7 +528,7 @@ def image_thumbor_display(request, submission_id, image_name):
     if fit:
         thumbor_params += f"{fit}/"
 
-    thumbor_params += f"{width}x{height}/filters:format({format})"
+    thumbor_params += f"{width}x{height}/smart/filters:format({format})"
 
     if settings.USE_THUMBOR:
         try:

diff --git a/geocity/apps/submissions/models.py b/geocity/apps/submissions/models.py
@@ -5,6 +5,7 @@
 import os
 import tempfile
 import urllib.parse
+import uuid
 import zipfile
 from datetime import date, datetime, timedelta
 
@@ -749,7 +750,12 @@ def set_field_value(self, form, field, value):
                 directory = "permit_requests_uploads/{}".format(self.pk)
                 ext = os.path.splitext(value.name)[1]
                 upper_ext = ext[1:].upper()
-                path = os.path.join(directory, "{}_{}{}".format(form.pk, field.pk, ext))
+
+                # Use uuid for file names to prevent thumbor to keep in cache a new file that uses the same name
+                file_uuid = uuid.uuid4()
+                path = os.path.join(
+                    directory, "{}_{}_{}{}".format(form.pk, field.pk, file_uuid, ext)
+                )
 
                 private_storage.save(path, value)
                 # Postprocess images: remove all exif metadata from for better security and user privacy

diff --git a/geocity/apps/submissions/templates/submissions/submission_detail.html b/geocity/apps/submissions/templates/submissions/submission_detail.html
@@ -43,7 +43,7 @@ <h1>
     <div class="row floating-elem">
       <div class="col">
 
-        {% if not submission.author.userprofile.is_anonymous %}
+        {% if submission.author and not submission.author.userprofile.is_temporary %}
 
         <dl>
           <dd>
@@ -119,11 +119,15 @@ <h4>{% translate "Historique" %}</h4>
                     <div class="row-1">
                       <i class="fa fa-circle status{{archive.status}}"></i>
                       {{ archive.history_date }}
-                      <b>{% translate "Demande soumise par" %}</b>
-                    </div>
-                    <div class="row-2 history_user">
-                      <b>{{ archive.history_user.get_full_name }}</b>
-                    </div>
+                      {% if archive.history_user and not archive.history_user.userprofile.is_temporary %}
+                          <b>{% translate "Demande soumise par" %}</b>
+                        </div>
+                        <div class="row-2 history_user">
+                          <b>{{ archive.history_user.get_full_name }}</b>
+                        </div>
+                      {% else %}
+                        </div>
+                      {% endif %}
                   </li>
                 {% else %}
                   <li>
@@ -134,9 +138,11 @@ <h4>{% translate "Historique" %}</h4>
                     <div class="row-2 status_display">
                       <b>{{ archive.get_status_display }}</b>
                     </div>
-                    <div class="row-2 history_user">
-                      ({{ archive.history_user.get_full_name }})
-                    </div>
+                    {% if archive.history_user and not archive.history_user.userprofile.is_temporary %}
+                      <div class="row-2 history_user">
+                        ({{ archive.history_user.get_full_name }})
+                      </div>
+                    {% endif %}
                   </li>
                 {% endif %}
               {% endfor %}

diff --git a/geocity/apps/submissions/templates/tables/_submission_author_details.html b/geocity/apps/submissions/templates/tables/_submission_author_details.html
@@ -1,7 +1,7 @@
 {% load i18n %}
 {% load submissions_extras %}
 
-{% if not record.author.userprofile.is_anonymous %}
+{% if not record.author.userprofile.is_temporary %}
   {{ record.author.email }} / {{ record.author.userprofile.phone_first }} / {{ record.author.userprofile.address }}, {{ record.author.userprofile.zipcode }} {{ record.author.userprofile.city }}
 {% else %}
   —

diff --git a/geocity/apps/submissions/templates/tables/_submission_author_fullname.html b/geocity/apps/submissions/templates/tables/_submission_author_fullname.html
@@ -1,7 +1,7 @@
 {% load i18n %}
 {% load submissions_extras %}
 
-{% if not record.author.userprofile.is_anonymous %}
+{% if not record.author.userprofile.is_temporary %}
   {{ record.author.userprofile }}
 {% else %}
   —

diff --git a/geocity/apps/submissions/templates/tables/_submission_author_iban.html b/geocity/apps/submissions/templates/tables/_submission_author_iban.html
@@ -1,7 +1,7 @@
 {% load i18n %}
 {% load submissions_extras %}
 
-{% if not record.author.userprofile.is_anonymous and record.author.userprofile.iban %}
+{% if not record.author.userprofile.is_temporary and record.author.userprofile.iban %}
   {{ record.author.userprofile.iban }}
 {% else %}
   —

diff --git a/geocity/apps/submissions/views.py b/geocity/apps/submissions/views.py
@@ -954,6 +954,20 @@ def archive(self):
                     submission = get_submission_for_user_or_404(
                         self.request.user, submission_id
                     )
+
+                    # Prevent from archiving a submission where user isn't pilot.
+                    # User could be pilot for other submissions and validator for the one he's trying to archive
+                    if not permissions.is_backoffice_of_submission(
+                        self.request.user, submission
+                    ):
+                        return JsonResponse(
+                            data={
+                                "error": True,
+                                "message": f"{self.permission_error_message} (N°{submission_id})",
+                            },
+                            status=403,
+                        )
+
                     submission.archive(self.request.user)
         except Exception:
             return JsonResponse(

diff --git a/scripts/migrate.sh b/scripts/migrate.sh