tag-v0.1.0-coming-soon

Add a coming soon page bind to the
regie.numerique.gouv.fr domain.

.dockerignore

@@ -0,0 +1,36 @@
+# Python
+__pycache__
+*.pyc
+**/__pycache__
+**/*.pyc
+venv
+.venv
+
+# System-specific files
+.DS_Store
+**/.DS_Store
+
+# Docker
+docker compose.*
+env.d
+
+# Docs
+docs
+*.md
+*.log
+
+# Development/test cache & configurations
+data
+.cache
+.circleci
+.git
+.vscode
+.iml
+.idea
+db.sqlite3
+.mypy_cache
+.pylint.d
+.pytest_cache
+
+# Frontend dependencies
+node_modules

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,6 @@
+<!---
+Thanks for filing an issue 😄 ! Before you submit, please read the following:
+
+Check the other issue templates if you are trying to submit a bug report, feature request, or question
+Search open/closed issues before submitting since someone might have asked the same thing before!
+-->

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -0,0 +1,28 @@
+---
+name: 🐛 Bug Report
+about: If something is not working as expected 🤔.
+
+---
+
+## Bug Report
+
+**Problematic behavior**
+A clear and concise description of the behavior.
+
+**Expected behavior/code**
+A clear and concise description of what you expected to happen (or code).
+
+**Steps to Reproduce**
+1. Do this...
+2. Then this...
+3. And then the bug happens!
+
+**Environment**
+- People version:
+- Platform:
+
+**Possible Solution**
+<!--- Only if you have suggestions on a fix for the bug -->
+
+**Additional context/Screenshots**
+Add any other context about the problem here. If applicable, add screenshots to help explain.

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -0,0 +1,23 @@
+---
+name: ✨ Feature Request
+about: I have a suggestion (and may want to build it 💪)!
+
+---
+
+## Feature Request
+
+**Is your feature request related to a problem or unsupported use case? Please describe.**
+A clear and concise description of what the problem is. For example: I need to do some task and I have an issue...
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen. Add any considered drawbacks.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Discovery, Documentation, Adoption, Migration Strategy**
+If you can, explain how users will be able to use this and possibly write out a version the docs (if applicable).
+Maybe a screenshot or design?
+
+**Do you want to work on it through a Pull Request?**
+<!-- Make sure to coordinate with us before you spend too much time working on an implementation! -->

.github/ISSUE_TEMPLATE/Support_question.md

@@ -0,0 +1,22 @@
+---
+name: 🤗 Support Question
+about: If you have a question 💬, or something was not clear from the docs!
+
+---
+
+<!-- ^ Click "Preview" for a nicer view! ^
+We primarily use GitHub as an issue tracker. If however you're encountering an issue not covered in the docs, we may be able to help! -->
+
+---
+
+Please make sure you have read our [main Readme](https://github.com/numerique-gouv/people).
+
+Also make sure it was not already answered in [an open or close issue](https://github.com/numerique-gouv/people/issues).
+
+If your question was not covered, and you feel like it should be, fire away! We'd love to improve our docs! 👌
+
+**Topic**
+What's the general area of your question: for example, docker setup, database schema, search functionality,...
+
+**Question**
+Try to be as specific as possible so we can help you as best we can. Please be patient 🙏

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,11 @@
+## Purpose
+
+Description...
+
+
+## Proposal
+
+Description...
+
+- [] item 1...
+- [] item 2...

.github/workflows/deploy.yml

@@ -0,0 +1,52 @@
+name: Deploy
+
+on:
+  push:
+    tags:
+      - 'preprod'
+      - 'production'
+
+
+jobs:
+  notify-argocd:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "people,secrets"
+      -
+        name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          submodules: recursive
+          token: ${{ steps.app-token.outputs.token }}
+      -
+        name: Load sops secrets
+        uses: rouja/actions-sops@main
+        with:
+          secret-file: secrets/numerique-gouv/people/secrets.enc.env
+          age-key: ${{ secrets.SOPS_PRIVATE }}
+      -
+        name: Call argocd github webhook
+        run: |
+          data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
+          sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
+          curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL
+          sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_PRODUCTION_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
+          curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_PRODUCTION_WEBHOOK_URL
+
+  start-test-on-preprod:
+    needs:
+      - notify-argocd
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.ref, 'refs/tags/preprod')
+    steps:
+      -
+        name: Debug
+        run: |
+          echo "Start test when preprod is ready"

.github/workflows/docker-hub.yml

@@ -0,0 +1,138 @@
+name: Docker Hub Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  DOCKER_USER: 1001:127
+
+jobs:
+  build-and-push-backend:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "people,secrets"
+      -
+        name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          submodules: recursive
+          token: ${{ steps.app-token.outputs.token }}
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: lasuite/people-backend
+      -
+        name: Load sops secrets
+        uses: rouja/actions-sops@main
+        with:
+          secret-file: secrets/numerique-gouv/people/secrets.enc.env
+          age-key: ${{ secrets.SOPS_PRIVATE }}
+      -
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+      -
+        name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: backend-production
+          build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  build-and-push-frontend:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "people,secrets"
+      -
+        name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          submodules: recursive
+          token: ${{ steps.app-token.outputs.token }}
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: lasuite/people-frontend
+      -
+        name: Load sops secrets
+        uses: rouja/actions-sops@main
+        with:
+          secret-file: secrets/numerique-gouv/people/secrets.enc.env
+          age-key: ${{ secrets.SOPS_PRIVATE }}
+      -
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+      -
+        name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: frontend-production
+          build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  notify-argocd:
+    needs:
+      - build-and-push-frontend
+      - build-and-push-backend
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    steps:
+      -
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "people,secrets"
+      -
+        name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          submodules: recursive
+          token: ${{ steps.app-token.outputs.token }}
+      -
+        name: Load sops secrets
+        uses: rouja/actions-sops@main
+        with:
+          secret-file: secrets/numerique-gouv/people/secrets.enc.env
+          age-key: ${{ secrets.SOPS_PRIVATE }}
+      -
+        name: Call argocd github webhook
+        run: |
+          data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
+          sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
+          curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL

.github/workflows/people.yml

@@ -0,0 +1,384 @@
+name: People Workflow
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  lint-git:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request' # Makes sense only for pull requests
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+            fetch-depth: 0
+      - name: show
+        run: git log
+      - name: Enforce absence of print statements in code
+        run: |
+          ! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude)**/people.yml' | grep "print("
+      - name: Check absence of fixup commits
+        run: |
+          ! git log | grep 'fixup!'
+      - name: Install gitlint
+        run: pip install --user requests gitlint
+      - name: Lint commit messages added to main
+        run: ~/.local/bin/gitlint --commits origin/${{ github.event.pull_request.base.ref }}..HEAD
+
+  check-changelog:
+    runs-on: ubuntu-latest
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'noChangeLog') == false &&
+      github.event_name == 'pull_request'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+            fetch-depth: 0
+      - name: Check that the CHANGELOG has been modified in the current branch
+        run: git whatchanged --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG
+
+  lint-changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Check CHANGELOG max line length
+        run: |
+          max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L)
+          if [ $max_line_length -ge 80 ]; then
+            echo "ERROR: CHANGELOG has lines longer than 80 characters."
+            exit 1
+          fi
+
+  install-front:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+
+      - name: Restore the frontend cache
+        uses: actions/cache@v4
+        id: front-node_modules
+        with:
+          path: 'src/frontend/**/node_modules'
+          key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
+
+      - name: Install dependencies
+        if: steps.front-node_modules.outputs.cache-hit != 'true'
+        run: cd src/frontend/ && yarn install --frozen-lockfile
+
+      - name: Cache install frontend
+        if: steps.front-node_modules.outputs.cache-hit != 'true'
+        uses: actions/cache@v4
+        with:
+          path: 'src/frontend/**/node_modules'
+          key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
+
+  build-front:
+    runs-on: ubuntu-latest
+    needs: install-front
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Restore the frontend cache
+        uses: actions/cache@v4
+        id: front-node_modules
+        with:
+          path: 'src/frontend/**/node_modules'
+          key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
+
+      - name: Build CI App
+        run: cd src/frontend/ && yarn ci:build
+
+      - name: Cache build frontend
+        uses: actions/cache@v4
+        with:
+          path: src/frontend/apps/desk/out/
+          key: build-front-${{ github.run_id }}
+
+  test-front:
+    runs-on: ubuntu-latest
+    needs: install-front
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Restore the frontend cache
+        uses: actions/cache@v4
+        id: front-node_modules
+        with:
+          path: 'src/frontend/**/node_modules'
+          key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
+
+      - name: Test App
+        run: cd src/frontend/ && yarn app:test
+
+  lint-front:
+    runs-on: ubuntu-latest
+    needs: install-front
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Restore the frontend cache
+        uses: actions/cache@v4
+        id: front-node_modules
+        with:
+          path: 'src/frontend/**/node_modules'
+          key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
+        
+      - name: Check linting
+        run: cd src/frontend/ && yarn lint
+
+  test-e2e:
+    runs-on: ubuntu-latest
+    needs: [build-mails, build-front]
+    timeout-minutes: 10
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+            
+      - name: Set services env variables
+        run: |
+          make create-env-files
+          cat env.d/development/common.e2e.dist >> env.d/development/common
+
+      - name: Download mails' templates
+        uses: actions/download-artifact@v4
+        with:
+          name: mails-templates
+          path: src/backend/core/templates/mail
+
+      - name: Restore the frontend cache
+        uses: actions/cache@v4
+        id: front-node_modules
+        with:
+          path: 'src/frontend/**/node_modules'
+          key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
+
+      - name: Restore the build cache
+        uses: actions/cache@v4
+        id: cache-build
+        with:
+          path: src/frontend/apps/desk/out/
+          key: build-front-${{ github.run_id }}
+    
+      - name: Build and Start Docker Servers
+        env:
+          DOCKER_BUILDKIT: 1
+          COMPOSE_DOCKER_CLI_BUILD: 1
+        run: |
+          docker-compose build --pull --build-arg BUILDKIT_INLINE_CACHE=1
+          make run
+        
+      - name: Apply DRF migrations
+        run: |
+          make migrate
+
+      - name: Add dummy data
+        run: |
+          make demo FLUSH_ARGS='--no-input'
+
+      - name: Install Playwright Browsers
+        run: cd src/frontend/apps/e2e && yarn install
+
+      - name: Run e2e tests
+        run: cd src/frontend/ && yarn e2e:test
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: playwright-report
+          path: src/frontend/apps/e2e/report/
+          retention-days: 7
+
+  build-mails:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: src/mail
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      - name: Install yarn
+        run: npm install -g yarn
+      - name: Install node dependencies
+        run: yarn install --frozen-lockfile
+      - name: Build mails
+        run: yarn build
+      - name: Persist mails' templates
+        uses: actions/upload-artifact@v4
+        with:
+            name: mails-templates
+            path: src/backend/core/templates/mail
+
+  lint-back:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: src/backend
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      - name: Install development dependencies
+        run: pip install --user .[dev]
+      - name: Check code formatting with ruff
+        run: ~/.local/bin/ruff format . --diff
+      - name: Lint code with ruff
+        run: ~/.local/bin/ruff check .
+      - name: Lint code with pylint
+        run: ~/.local/bin/pylint .
+
+  test-back:
+    runs-on: ubuntu-latest
+    needs: build-mails
+    defaults:
+      run:
+        working-directory: src/backend
+
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_DB: people
+          POSTGRES_USER: dinum
+          POSTGRES_PASSWORD: pass
+        ports:
+          - 5432:5432
+        # needed because the postgres container does not provide a healthcheck
+        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+
+    env:
+      DJANGO_CONFIGURATION: Test
+      DJANGO_SETTINGS_MODULE: people.settings
+      DJANGO_SECRET_KEY: ThisIsAnExampleKeyForTestPurposeOnly
+      OIDC_OP_JWKS_ENDPOINT: /endpoint-for-test-purpose-only
+      DB_HOST: localhost
+      DB_NAME: people
+      DB_USER: dinum
+      DB_PASSWORD: pass
+      DB_PORT: 5432
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Create writable /data
+        run: |
+          sudo mkdir -p /data/media && \
+          sudo mkdir -p /data/static
+      - name: Download mails' templates
+        uses: actions/download-artifact@v4
+        with:
+          name: mails-templates
+          path: src/backend/core/templates/mail
+      - name: Install Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      - name: Install development dependencies
+        run: pip install --user .[dev]
+      - name: Install gettext (required to compile messages)
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gettext
+      - name: Generate a MO file from strings extracted from the project
+        run: python manage.py compilemessages
+      - name: Run tests
+        run: ~/.local/bin/pytest -n 2
+
+  i18n-crowdin:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "people,secrets"
+      -
+        name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          submodules: recursive
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Install gettext (required to make messages)
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gettext
+      
+      - name: Install Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install development dependencies
+        working-directory: src/backend
+        run: pip install --user .[dev]
+
+      - name: Generate the translation base file
+        run: ~/.local/bin/django-admin makemessages --keep-pot --all
+        
+      -
+        name: Load sops secrets
+        uses: rouja/actions-sops@main
+        with:
+          secret-file: secrets/numerique-gouv/people/secrets.enc.env
+          age-key: ${{ secrets.SOPS_PRIVATE }}
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+          cache: 'yarn'
+          cache-dependency-path: src/frontend/yarn.lock
+
+      - name: Install dependencies
+        run: cd src/frontend/ && yarn install --frozen-lockfile
+
+      - name: Download sources from Crowdin to stay synchronized
+        run: |
+          docker run \
+          --rm \
+          -e CROWDIN_API_TOKEN=$CROWDIN_API_TOKEN \
+          -e CROWDIN_PROJECT_ID=$CROWDIN_PROJECT_ID \
+          -e CROWDIN_BASE_PATH=$CROWDIN_BASE_PATH \
+          -v "${{ github.workspace }}:/app" \
+          crowdin/cli:3.16.0 \
+          crowdin download sources -c /app/crowdin/config.yml
+      
+      - name: Extract the frontend translation
+        run: make frontend-i18n-extract
+      
+      - name: Upload files to Crowdin
+        run: |
+          docker run \
+          --rm \
+          -e CROWDIN_API_TOKEN=$CROWDIN_API_TOKEN \
+          -e CROWDIN_PROJECT_ID=$CROWDIN_PROJECT_ID \
+          -e CROWDIN_BASE_PATH=$CROWDIN_BASE_PATH \
+          -v "${{ github.workspace }}:/app" \
+          crowdin/cli:3.16.0 \
+          crowdin upload sources -c /app/crowdin/config.yml

.gitignore

@@ -0,0 +1,82 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+.DS_Store
+.next/
+
+# Translations	# Translations
+*.pot
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+env.d/development/*
+!env.d/development/*.dist
+env.d/terraform
+
+# npm
+node_modules
+
+# Mails
+src/backend/core/templates/mail/
+
+# Typescript client
+src/frontend/tsclient
+
+# Swagger
+**/swagger.json
+
+# Logs
+*.log
+
+# Terraform
+.terraform
+*.tfstate
+*.tfstate.backup
+
+# Test & lint
+.coverage
+.pylint.d
+.pytest_cache
+db.sqlite3
+.mypy_cache
+
+# Site media
+/data/
+
+# IDEs
+.idea/
+.vscode/
+*.iml
+.devcontainer/
+.tool-versions

.gitlint

@@ -0,0 +1,78 @@
+# All these sections are optional, edit this file as you like.
+[general]
+# Ignore certain rules, you can reference them by their id or by their full name
+# ignore=title-trailing-punctuation, T3
+
+# verbosity should be a value between 1 and 3, the commandline -v flags take precedence over this
+# verbosity = 2
+
+# By default gitlint will ignore merge commits. Set to 'false' to disable.
+# ignore-merge-commits=true
+
+# By default gitlint will ignore fixup commits. Set to 'false' to disable.
+# ignore-fixup-commits=true
+
+# By default gitlint will ignore squash commits. Set to 'false' to disable.
+# ignore-squash-commits=true
+
+# Enable debug mode (prints more output). Disabled by default.
+# debug=true
+
+# Set the extra-path where gitlint will search for user defined rules
+# See http://jorisroovers.github.io/gitlint/user_defined_rules for details
+extra-path=gitlint/
+
+# [title-max-length]
+# line-length=80
+
+[title-must-not-contain-word]
+# Comma-separated list of words that should not occur in the title. Matching is case
+# insensitive. It's fine if the keyword occurs as part of a larger word (so "WIPING"
+# will not cause a violation, but "WIP: my title" will.
+words=wip
+
+#[title-match-regex]
+# python like regex (https://docs.python.org/2/library/re.html) that the
+# commit-msg title must be matched to.
+# Note that the regex can contradict with other rules if not used correctly
+# (e.g. title-must-not-contain-word).
+#regex=
+
+# [B1]
+# B1 = body-max-line-length
+# line-length=120
+# [body-min-length]
+# min-length=5
+
+# [body-is-missing]
+# Whether to ignore this rule on merge commits (which typically only have a title)
+# default = True
+# ignore-merge-commits=false
+
+# [body-changed-file-mention]
+# List of files that need to be explicitly mentioned in the body when they are changed
+# This is useful for when developers often erroneously edit certain files or git submodules.
+# By specifying this rule, developers can only change the file when they explicitly reference
+# it in the commit message.
+# files=gitlint/rules.py,README.md
+
+# [author-valid-email]
+# python like regex (https://docs.python.org/2/library/re.html) that the
+# commit author email address should be matched to
+# For example, use the following regex if you only want to allow email addresses from foo.com
+# regex=[^@]+@foo.com
+
+[ignore-by-title]
+# Allow empty body & wrong title pattern only when bots (pyup/greenkeeper)
+# upgrade dependencies
+regex=^(⬆️.*|Update (.*) from (.*) to (.*)|(chore|fix)\(package\): update .*)$
+ignore=B6,UC1
+
+# [ignore-by-body]
+# Ignore certain rules for commits of which the body has a line that matches a regex
+# E.g. Match bodies that have a line that that contain "release"
+# regex=(.*)release(.*)
+#
+# Ignore certain rules, you can reference them by their id or by their full name
+# Use 'all' to ignore all rules
+# ignore=T1,body-min-length

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "secrets"]
+	path = secrets
+	url = ../secrets

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
+and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]

Dockerfile

@@ -0,0 +1,199 @@
+# Django People
+
+# ---- base image to inherit from ----
+FROM python:3.10-slim-bullseye as base
+
+# Upgrade pip to its latest release to speed up dependencies installation
+RUN python -m pip install --upgrade pip
+
+# Upgrade system packages to install security updates
+RUN apt-get update && \
+  apt-get -y upgrade && \
+  rm -rf /var/lib/apt/lists/*
+
+### ---- Front-end dependencies image ----
+FROM node:20 as frontend-deps
+
+WORKDIR /deps
+
+COPY ./src/frontend/package.json ./package.json
+COPY ./src/frontend/yarn.lock ./yarn.lock
+COPY ./src/frontend/apps/desk/package.json ./apps/desk/package.json
+COPY ./src/frontend/packages/i18n/package.json ./packages/i18n/package.json
+COPY ./src/frontend/packages/eslint-config-people/package.json ./packages/eslint-config-people/package.json
+
+RUN yarn --frozen-lockfile
+
+### ---- Front-end builder dev image ----
+FROM node:20 as frontend-builder-dev
+
+WORKDIR /builder
+
+COPY --from=frontend-deps /deps/node_modules ./node_modules
+COPY ./src/frontend .
+
+WORKDIR ./apps/desk
+
+### ---- Front-end builder image ----
+FROM frontend-builder-dev as frontend-builder
+
+RUN yarn build
+
+# ---- Front-end image ----
+FROM nginxinc/nginx-unprivileged:1.25 as frontend-production
+
+# Un-privileged user running the application
+ARG DOCKER_USER
+USER ${DOCKER_USER}
+
+COPY --from=frontend-builder \
+    /builder/apps/desk/out \
+    /usr/share/nginx/html
+
+COPY ./src/frontend/apps/desk/conf/default.conf /etc/nginx/conf.d
+
+# Copy entrypoint
+COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
+
+ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
+
+CMD ["nginx", "-g", "daemon off;"]
+
+
+# ---- Back-end builder image ----
+FROM base as back-builder
+
+WORKDIR /builder
+
+# Copy required python dependencies
+COPY ./src/backend /builder
+
+RUN mkdir /install && \
+  pip install --prefix=/install .
+
+
+# ---- mails ----
+FROM node:20 as mail-builder
+
+COPY ./src/mail /mail/app
+
+WORKDIR /mail/app
+
+RUN yarn install --frozen-lockfile && \
+    yarn build
+
+
+# ---- static link collector ----
+FROM base as link-collector
+ARG PEOPLE_STATIC_ROOT=/data/static
+
+# Install libpangocairo & rdfind
+RUN apt-get update && \
+    apt-get install -y \
+      libpangocairo-1.0-0 \
+      rdfind && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy installed python dependencies
+COPY --from=back-builder /install /usr/local
+
+# Copy people application (see .dockerignore)
+COPY ./src/backend /app/
+
+WORKDIR /app
+
+# collectstatic
+RUN DJANGO_CONFIGURATION=Build DJANGO_JWT_PRIVATE_SIGNING_KEY=Dummy \
+    python manage.py collectstatic --noinput
+
+# Replace duplicated file by a symlink to decrease the overall size of the
+# final image
+RUN rdfind -makesymlinks true -followsymlinks true -makeresultsfile false ${PEOPLE_STATIC_ROOT}
+
+# ---- Core application image ----
+FROM base as core
+
+ENV PYTHONUNBUFFERED=1
+
+# Install required system libs
+RUN apt-get update && \
+    apt-get install -y \
+      gettext \
+      libcairo2 \
+      libffi-dev \
+      libgdk-pixbuf2.0-0 \
+      libpango-1.0-0 \
+      libpangocairo-1.0-0 \
+      shared-mime-info && \
+  rm -rf /var/lib/apt/lists/*
+
+# Copy entrypoint
+COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
+
+# Give the "root" group the same permissions as the "root" user on /etc/passwd
+# to allow a user belonging to the root group to add new users; typically the
+# docker user (see entrypoint).
+RUN chmod g=u /etc/passwd
+
+# Copy installed python dependencies
+COPY --from=back-builder /install /usr/local
+
+# Copy people application (see .dockerignore)
+COPY ./src/backend /app/
+
+WORKDIR /app
+
+# We wrap commands run in this container by the following entrypoint that
+# creates a user on-the-fly with the container user ID (see USER) and root group
+# ID.
+ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
+
+# ---- Development image ----
+FROM core as backend-development
+
+# Switch back to the root user to install development dependencies
+USER root:root
+
+# Install psql
+RUN apt-get update && \
+    apt-get install -y postgresql-client && \
+    rm -rf /var/lib/apt/lists/*
+
+# Uninstall people and re-install it in editable mode along with development
+# dependencies
+RUN pip uninstall -y people
+RUN pip install -e .[dev]
+
+# Restore the un-privileged user running the application
+ARG DOCKER_USER
+USER ${DOCKER_USER}
+
+# Target database host (e.g. database engine following docker compose services
+# name) & port
+ENV DB_HOST=postgresql \
+    DB_PORT=5432
+
+# Run django development server
+CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
+
+# ---- Production image ----
+FROM core as backend-production
+
+ARG PEOPLE_STATIC_ROOT=/data/static
+
+# Gunicorn
+RUN mkdir -p /usr/local/etc/gunicorn
+COPY docker/files/usr/local/etc/gunicorn/people.py /usr/local/etc/gunicorn/people.py
+
+# Un-privileged user running the application
+ARG DOCKER_USER
+USER ${DOCKER_USER}
+
+# Copy statics
+COPY --from=link-collector ${PEOPLE_STATIC_ROOT} ${PEOPLE_STATIC_ROOT}
+
+# Copy people mails
+COPY --from=mail-builder /mail/backend/core/templates/mail /app/core/templates/mail
+
+# The default command runs gunicorn WSGI server in people's main module
+CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/people.py", "people.wsgi:application"]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Direction Interministérielle du Numérique du Gouvernement Français
+Copyright (c) 2023 Direction Interministérielle du Numérique - Gouvernement Français
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -0,0 +1,340 @@
+# /!\ /!\ /!\ /!\ /!\ /!\ /!\ DISCLAIMER /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\
+#
+# This Makefile is only meant to be used for DEVELOPMENT purpose as we are
+# changing the user id that will run in the container.
+#
+# PLEASE DO NOT USE IT FOR YOUR CI/PRODUCTION/WHATEVER...
+#
+# /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\
+#
+# Note to developers:
+#
+# While editing this file, please respect the following statements:
+#
+# 1. Every variable should be defined in the ad hoc VARIABLES section with a
+#    relevant subsection
+# 2. Every new rule should be defined in the ad hoc RULES section with a
+#    relevant subsection depending on the targeted service
+# 3. Rules should be sorted alphabetically within their section
+# 4. When a rule has multiple dependencies, you should:
+#    - duplicate the rule name to add the help string (if required)
+#    - write one dependency per line to increase readability and diffs
+# 5. .PHONY rule statement should be written after the corresponding rule
+# ==============================================================================
+# VARIABLES
+
+BOLD := \033[1m
+RESET := \033[0m
+GREEN := \033[1;32m
+
+
+# -- Database
+
+DB_HOST            = postgresql
+DB_PORT            = 5432
+
+# -- Docker
+# Get the current user ID to use for docker run and docker exec commands
+DOCKER_UID          = $(shell id -u)
+DOCKER_GID          = $(shell id -g)
+DOCKER_USER         = $(DOCKER_UID):$(DOCKER_GID)
+COMPOSE             = DOCKER_USER=$(DOCKER_USER) docker compose
+COMPOSE_EXEC        = $(COMPOSE) exec
+COMPOSE_EXEC_APP    = $(COMPOSE_EXEC) app-dev
+COMPOSE_RUN         = $(COMPOSE) run --rm
+COMPOSE_RUN_APP     = $(COMPOSE_RUN) app-dev
+COMPOSE_RUN_CROWDIN = $(COMPOSE_RUN) crowdin crowdin
+WAIT_DB             = @$(COMPOSE_RUN) dockerize -wait tcp://$(DB_HOST):$(DB_PORT) -timeout 60s
+WAIT_KC_DB          = $(COMPOSE_RUN) dockerize -wait tcp://kc_postgresql:5432 -timeout 60s
+
+# -- Backend
+MANAGE              = $(COMPOSE_RUN_APP) python manage.py
+MAIL_YARN           = $(COMPOSE_RUN) -w /app/src/mail node yarn
+TSCLIENT_YARN       = $(COMPOSE_RUN) -w /app/src/tsclient node yarn
+
+# -- Frontend
+PATH_FRONT          = ./src/frontend
+PATH_FRONT_DESK     = $(PATH_FRONT)/apps/desk
+
+# ==============================================================================
+# RULES
+
+default: help
+
+data/media:
+	@mkdir -p data/media
+
+data/static:
+	@mkdir -p data/static
+
+# -- Project
+
+create-env-files: ## Copy the dist env files to env files
+create-env-files: \
+	env.d/development/common \
+	env.d/development/crowdin \
+	env.d/development/postgresql \
+	env.d/development/kc_postgresql
+.PHONY: create-env-files
+
+bootstrap: ## Prepare Docker images for the project and install frontend dependencies
+bootstrap: \
+	data/media \
+	data/static \
+	create-env-files \
+	build \
+	run \
+	migrate \
+	back-i18n-compile \
+	mails-install \
+	mails-build \
+	install-front-desk
+.PHONY: bootstrap
+
+# -- Docker/compose
+build: ## build the app-dev container
+	@$(COMPOSE) build app-dev
+.PHONY: build
+
+down: ## stop and remove containers, networks, images, and volumes
+	@$(COMPOSE) down
+.PHONY: down
+
+logs: ## display app-dev logs (follow mode)
+	@$(COMPOSE) logs -f app-dev
+.PHONY: logs
+
+run: ## start the wsgi (production) and development server
+	@$(COMPOSE) up --force-recreate -d nginx
+	@$(COMPOSE) up --force-recreate -d app-dev
+	@$(COMPOSE) up --force-recreate -d celery-dev
+	@$(COMPOSE) up --force-recreate -d keycloak
+	@echo "Wait for postgresql to be up..."
+	@$(WAIT_KC_DB)
+	@$(WAIT_DB)
+.PHONY: run
+
+status: ## an alias for "docker compose ps"
+	@$(COMPOSE) ps
+.PHONY: status
+
+stop: ## stop the development server using Docker
+	@$(COMPOSE) stop
+.PHONY: stop
+
+# -- Backend
+
+demo: ## flush db then create a demo for load testing purpose
+	@$(MAKE) resetdb
+	@$(MANAGE) create_demo
+.PHONY: demo
+
+# Nota bene: Black should come after isort just in case they don't agree...
+lint: ## lint back-end python sources
+lint: \
+  lint-ruff-format \
+  lint-ruff-check \
+  lint-pylint
+.PHONY: lint
+
+lint-ruff-format: ## format back-end python sources with ruff
+	@echo 'lint:ruff-format started…'
+	@$(COMPOSE_RUN_APP) ruff format .
+.PHONY: lint-ruff-format
+
+lint-ruff-check: ## lint back-end python sources with ruff
+	@echo 'lint:ruff-check started…'
+	@$(COMPOSE_RUN_APP) ruff check . --fix
+.PHONY: lint-ruff-check
+
+lint-pylint: ## lint back-end python sources with pylint only on changed files from main
+	@echo 'lint:pylint started…'
+	bin/pylint --diff-only=origin/main
+.PHONY: lint-pylint
+
+test: ## run project tests
+	@$(MAKE) test-back-parallel
+.PHONY: test
+
+test-back: ## run back-end tests
+	@args="$(filter-out $@,$(MAKECMDGOALS))" && \
+	bin/pytest $${args:-${1}}
+.PHONY: test-back
+
+test-back-parallel: ## run all back-end tests in parallel
+	@args="$(filter-out $@,$(MAKECMDGOALS))" && \
+	bin/pytest -n auto $${args:-${1}}
+.PHONY: test-back-parallel
+
+makemigrations:  ## run django makemigrations for the people project.
+	@echo "$(BOLD)Running makemigrations$(RESET)"
+	@$(COMPOSE) up -d postgresql
+	@$(WAIT_DB)
+	@$(MANAGE) makemigrations $(ARGS)
+.PHONY: makemigrations
+
+migrate:  ## run django migrations for the people project.
+	@echo "$(BOLD)Running migrations$(RESET)"
+	@$(COMPOSE) up -d postgresql
+	@$(WAIT_DB)
+	@$(MANAGE) migrate $(ARGS)
+.PHONY: migrate
+
+showmigrations:  ## run django showmigrations for the people project.
+	@echo "$(BOLD)Running showmigrations$(RESET)"
+	@$(COMPOSE) up -d postgresql
+	@$(WAIT_DB)
+	@$(MANAGE) showmigrations $(ARGS)
+.PHONY: showmigrations
+
+superuser: ## Create an admin superuser with password "admin"
+	@echo "$(BOLD)Creating a Django superuser$(RESET)"
+	@$(MANAGE) createsuperuser --admin_email admin@example.com --password admin
+.PHONY: superuser
+
+back-i18n-compile: ## compile the gettext files
+	@$(MANAGE) compilemessages --ignore="venv/**/*"
+.PHONY: back-i18n-compile
+
+back-i18n-generate: ## create the .pot files used for i18n
+	@$(MANAGE) makemessages -a --keep-pot
+.PHONY: back-i18n-generate
+
+shell: ## connect to database shell
+	@$(MANAGE) shell #_plus
+.PHONY: dbshell
+
+# -- Database
+
+dbshell: ## connect to database shell
+	docker compose exec app-dev python manage.py dbshell
+.PHONY: dbshell
+
+resetdb: FLUSH_ARGS ?=
+resetdb: ## flush database and create a superuser "admin"
+	@echo "$(BOLD)Flush database$(RESET)"
+	@$(MANAGE) flush $(FLUSH_ARGS)
+	@${MAKE} superuser
+.PHONY: resetdb
+
+env.d/development/common:
+	cp -n env.d/development/common.dist env.d/development/common
+
+env.d/development/postgresql:
+	cp -n env.d/development/postgresql.dist env.d/development/postgresql
+
+env.d/development/kc_postgresql:
+	cp -n env.d/development/kc_postgresql.dist env.d/development/kc_postgresql
+
+# -- Internationalization
+
+env.d/development/crowdin:
+	cp -n env.d/development/crowdin.dist env.d/development/crowdin
+
+crowdin-download: ## Download translated message from Crowdin
+	@$(COMPOSE_RUN_CROWDIN) download -c crowdin/config.yml
+.PHONY: crowdin-download
+
+crowdin-download-sources: ## Download sources from Crowdin
+	@$(COMPOSE_RUN_CROWDIN) download sources -c crowdin/config.yml
+.PHONY: crowdin-download-sources
+
+crowdin-upload: ## Upload source translations to Crowdin
+	@$(COMPOSE_RUN_CROWDIN) upload sources -c crowdin/config.yml
+.PHONY: crowdin-upload
+
+i18n-compile: ## compile all translations
+i18n-compile: \
+	back-i18n-compile \
+	frontend-i18n-compile
+.PHONY: i18n-compile
+
+i18n-generate: ## create the .pot files and extract frontend messages
+i18n-generate: \
+	back-i18n-generate \
+	frontend-i18n-generate
+.PHONY: i18n-generate
+
+i18n-download-and-compile: ## download all translated messages and compile them to be used by all applications
+i18n-download-and-compile: \
+  crowdin-download \
+  i18n-compile
+.PHONY: i18n-download-and-compile
+
+i18n-generate-and-upload: ## generate source translations for all applications and upload them to Crowdin
+i18n-generate-and-upload: \
+  i18n-generate \
+  crowdin-upload
+.PHONY: i18n-generate-and-upload
+
+
+# -- Mail generator
+
+mails-build: ## Convert mjml files to html and text
+	@$(MAIL_YARN) build
+.PHONY: mails-build
+
+mails-build-html-to-plain-text: ## Convert html files to text
+	@$(MAIL_YARN) build-html-to-plain-text
+.PHONY: mails-build-html-to-plain-text
+
+mails-build-mjml-to-html:	## Convert mjml files to html and text
+	@$(MAIL_YARN) build-mjml-to-html
+.PHONY: mails-build-mjml-to-html
+
+mails-install: ## install the mail generator
+	@$(MAIL_YARN) install
+.PHONY: mails-install
+
+# -- TS client generator
+
+tsclient-install: ## Install the Typescript API client generator
+	@$(TSCLIENT_YARN) install
+.PHONY: tsclient-install
+
+tsclient: tsclient-install ## Generate a Typescript API client
+	@$(TSCLIENT_YARN) generate:api:client:local ../frontend/tsclient
+.PHONY: tsclient-install
+
+# -- Misc
+clean: ## restore repository state as it was freshly cloned
+	git clean -idx
+.PHONY: clean
+
+help:
+	@echo "$(BOLD)People Makefile"
+	@echo "Please use 'make $(BOLD)target$(RESET)' where $(BOLD)target$(RESET) is one of:"
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(firstword $(MAKEFILE_LIST)) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(GREEN)%-30s$(RESET) %s\n", $$1, $$2}'
+.PHONY: help
+
+# Front 
+install-front-desk: ## Install the frontend dependencies of app Desk  
+	cd $(PATH_FRONT_DESK) && yarn
+.PHONY: install-front-desk
+
+run-front-desk: ## Start app Desk  
+	cd $(PATH_FRONT_DESK) && yarn dev
+.PHONY: run-front-desk
+
+frontend-i18n-extract: ## Extract the frontend translation inside a json to be used for crowdin
+	cd $(PATH_FRONT) && yarn i18n:extract
+.PHONY: frontend-i18n-extract
+
+frontend-i18n-generate: ## Generate the frontend json files used for crowdin
+frontend-i18n-generate: \
+	crowdin-download-sources \
+	frontend-i18n-extract
+.PHONY: frontend-i18n-generate
+
+frontend-i18n-compile: ## Format the crowin json files used deploy to the apps
+	cd $(PATH_FRONT) && yarn i18n:deploy
+.PHONY: frontend-i18n-compile
+
+# -- K8S
+start-kind: ## Create the kubernetes cluster
+	./bin/start-kind.sh
+.PHONY: start-kind
+
+tilt-up: ## start tilt - k8s local development
+	tilt up -f ./bin/Tiltfile
+.PHONY: tilt-up

README.md

@@ -0,0 +1,98 @@
+# People
+
+People is an application to handle users and teams. 
+
+As of today, this project is **not yet ready for production**. Expect breaking changes.
+
+People is built on top of [Django Rest
+Framework](https://www.django-rest-framework.org/).
+
+## Getting started
+
+### Prerequisite
+
+Make sure you have a recent version of Docker and [Docker
+Compose](https://docs.docker.com/compose/install) installed on your laptop:
+
+```bash
+$ docker -v
+  Docker version 20.10.2, build 2291f61
+
+$ docker compose -v
+  docker compose version 1.27.4, build 40524192
+```
+
+> ⚠️ You may need to run the following commands with `sudo` but this can be
+> avoided by assigning your user to the `docker` group.
+
+### Project bootstrap
+
+The easiest way to start working on the project is to use GNU Make:
+
+```bash
+$ make bootstrap
+```
+
+This command builds the `app` container, installs dependencies, performs
+database migrations and compile translations. It's a good idea to use this
+command each time you are pulling code from the project repository to avoid
+dependency-related or migration-related issues.
+
+Your Docker services should now be up and running 🎉
+
+Note that if you need to run them afterward, you can use the eponym Make rule:
+
+```bash
+$ make run
+```
+
+### Adding content
+
+You can create a basic demo site by running:
+
+    $ make demo
+
+Finally, you can check all available Make rules using:
+
+```bash
+$ make help
+```
+
+### Django admin
+
+You can access the Django admin site at
+[http://localhost:8071/admin](http://localhost:8071/admin).
+
+You first need to create a superuser account:
+
+```bash
+$ make superuser
+```
+
+You can then login with credentials `admin@example` / `admin`.
+
+### Run frontend
+
+Run the front with:
+
+```bash
+$ make run-front-desk
+```
+
+Then access at
+[http://localhost:3000](http://localhost:3000)
+
+user: people
+
+password: people
+
+
+## Contributing
+
+This project is intended to be community-driven, so please, do not hesitate to
+get in touch if you have any question related to our implementation or design
+decisions.
+
+## License
+
+This work is released under the MIT License (see [LICENSE](./LICENSE)).

UPGRADE.md

@@ -0,0 +1,17 @@
+# Upgrade
+
+All instructions to upgrade this project from one release to the next will be
+documented in this file. Upgrades must be run sequentially, meaning you should
+not skip minor/major releases while upgrading (fix releases can be skipped).
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+For most upgrades, you just need to run the django migrations with
+the following command inside your docker container:
+
+`python manage.py migrate`
+
+(Note : in your development environment, you can `make migrate`.)
+
+## [Unreleased]

bin/Tiltfile

@@ -0,0 +1,58 @@
+load('ext://uibutton', 'cmd_button', 'bool_input', 'location')
+load('ext://namespace', 'namespace_create', 'namespace_inject')
+namespace_create('desk')
+
+docker_build(
+    'localhost:5001/people-backend:latest',
+    context='..',
+    dockerfile='../Dockerfile',
+    only=['./src/backend', './src/mail', './docker'],
+    target = 'backend-production',
+    live_update=[
+        sync('../src/backend', '/app'),
+        run(
+            'pip install -r /app/requirements.txt',
+            trigger=['./api/requirements.txt']
+        )
+    ]
+)
+
+docker_build(
+    'localhost:5001/people-frontend:latest',
+    context='..',
+    dockerfile='../Dockerfile',
+    build_args={'ENV': 'dev'},
+    only=['./src/frontend', './src/mail', './docker'],
+    target = 'frontend-builder-dev',
+    live_update=[
+        sync('../src/frontend', '/builder'),
+    ]
+)
+
+k8s_yaml(local('cd ../src/helm && helmfile -n desk -e dev template .'))
+
+migration = '''
+set -eu
+# get k8s pod name from tilt resource name
+POD_NAME="$(tilt get kubernetesdiscovery desk-backend -ojsonpath='{.status.pods[0].name}')"
+kubectl -n desk exec "$POD_NAME" -- python manage.py makemigrations
+'''
+cmd_button('Make migration',
+           argv=['sh', '-c', migration],
+           resource='desk-backend',
+           icon_name='developer_board',
+           text='Run makemigration',
+)
+
+pod_migrate = '''
+set -eu
+# get k8s pod name from tilt resource name
+POD_NAME="$(tilt get kubernetesdiscovery desk-backend -ojsonpath='{.status.pods[0].name}')"
+kubectl -n desk exec "$POD_NAME" -- python manage.py migrate --no-input
+'''
+cmd_button('Migrate db',
+           argv=['sh', '-c', pod_migrate],
+           resource='desk-backend',
+           icon_name='developer_board',
+           text='Run database migration',
+)

bin/_config.sh

@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+REPO_DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd)"
+UNSET_USER=0
+
+TERRAFORM_DIRECTORY="./env.d/terraform"
+COMPOSE_FILE="${REPO_DIR}/docker-compose.yml"
+COMPOSE_PROJECT="people"
+
+
+# _set_user: set (or unset) default user id used to run docker commands
+#
+# usage: _set_user
+#
+# You can override default user ID (the current host user ID), by defining the
+# USER_ID environment variable.
+#
+# To avoid running docker commands with a custom user, please set the
+# $UNSET_USER environment variable to 1.
+function _set_user() {
+
+    if [ $UNSET_USER -eq 1 ]; then
+        USER_ID=""
+        return
+    fi
+
+    # USER_ID = USER_ID or `id -u` if USER_ID is not set
+    USER_ID=${USER_ID:-$(id -u)}
+
+    echo "🙋(user) ID: ${USER_ID}"
+}
+
+# docker_compose: wrap docker compose command
+#
+# usage: docker_compose [options] [ARGS...]
+#
+# options: docker compose command options
+# ARGS   : docker compose command arguments
+function _docker_compose() {
+
+    echo "🐳(compose) project: '${COMPOSE_PROJECT}' file: '${COMPOSE_FILE}'"
+    docker compose \
+        -p "${COMPOSE_PROJECT}" \
+        -f "${COMPOSE_FILE}" \
+        --project-directory "${REPO_DIR}" \
+        "$@"
+}
+
+# _dc_run: wrap docker compose run command
+#
+# usage: _dc_run [options] [ARGS...]
+#
+# options: docker compose run command options
+# ARGS   : docker compose run command arguments
+function _dc_run() {
+    _set_user
+
+    user_args="--user=$USER_ID"
+    if [ -z $USER_ID ]; then
+        user_args=""
+    fi
+
+    _docker_compose run --rm $user_args "$@"
+}
+
+# _dc_exec: wrap docker compose exec command
+#
+# usage: _dc_exec [options] [ARGS...]
+#
+# options: docker compose exec command options
+# ARGS   : docker compose exec command arguments
+function _dc_exec() {
+    _set_user
+
+    echo "🐳(compose) exec command: '\$@'"
+
+    user_args="--user=$USER_ID"
+    if [ -z $USER_ID ]; then
+        user_args=""
+    fi
+
+    _docker_compose exec $user_args "$@"
+}
+
+# _django_manage: wrap django's manage.py command with docker compose
+#
+# usage : _django_manage [ARGS...]
+#
+# ARGS : django's manage.py command arguments
+function _django_manage() {
+    _dc_run "app-dev" python manage.py "$@"
+}
+
+# _set_openstack_project: select an OpenStack project from the openrc files defined in the
+# terraform directory.
+#
+# usage: _set_openstack_project
+#
+# If necessary the script will prompt the user to choose a project from those available
+function _set_openstack_project() {
+
+    declare prompt
+    declare -a projects
+    declare -i default=1
+    declare -i choice=0
+    declare -i n_projects
+
+    # List projects by looking in the "./env.d/terraform" directory
+    # and store them in an array
+    read -r -a projects <<< "$(
+        find "${TERRAFORM_DIRECTORY}" -maxdepth 1 -mindepth 1 -type d |
+        sed 's|'"${TERRAFORM_DIRECTORY}\/"'||' |
+        xargs
+    )"
+    nb_projects=${#projects[@]}
+
+    if [[ ${nb_projects} -le 0 ]]; then
+        echo "There are no OpenStack projects defined..." >&2
+        echo "To add one, create a subdirectory in \"${TERRAFORM_DIRECTORY}\" with the name" \
+            "of your project and copy your \"openrc.sh\" file into it." >&2
+        exit 10
+    fi
+
+    if [[ ${nb_projects} -gt 1 ]]; then
+        prompt="Select an OpenStack project to target:\\n"
+        for (( i=0; i<nb_projects; i++ )); do
+            prompt+="[$((i+1))] ${projects[$i]}"
+            if [[ $((i+1)) -eq ${default} ]]; then
+                prompt+=" (default)"
+            fi
+            prompt+="\\n"
+        done
+        prompt+="If your OpenStack project is not listed, add it to the \"env.d/terraform\" directory.\\n"
+        prompt+="Your choice: "
+        read -r -p "$(echo -e "${prompt}")" choice
+
+        if [[ ${choice} -gt nb_projects ]]; then
+            (>&2 echo "Invalid choice ${choice} (should be <= ${nb_projects})")
+            exit 11
+        fi
+
+        if [[ ${choice} -le 0 ]]; then
+            choice=${default}
+        fi
+    fi
+
+    project=${projects[$((choice-1))]}
+    # Check that the openrc.sh file exists for this project
+    if [ ! -f "${TERRAFORM_DIRECTORY}/${project}/openrc.sh" ]; then
+        (>&2 echo "Missing \"openrc.sh\" file in \"${TERRAFORM_DIRECTORY}/${project}\". Check documentation.")
+        exit 12
+    fi
+
+    echo "${project}"
+}

bin/compose

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_docker_compose "$@"

bin/manage

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_django_manage "$@"

bin/pylint

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+declare diff_from
+declare -a paths
+declare -a args
+
+# Parse options
+for arg in "$@"
+do
+    case $arg in
+        --diff-only=*)
+            diff_from="${arg#*=}"
+            shift
+            ;;
+        -*)
+            args+=("$arg")
+            shift
+            ;;
+        *)
+            paths+=("$arg")
+            shift
+            ;;
+    esac
+done
+
+if [[ -n "${diff_from}" ]]; then
+    # Run pylint only on modified files located in src/backend
+    # (excluding deleted files and migration files)
+    # shellcheck disable=SC2207
+    paths=($(git diff "${diff_from}" --name-only --diff-filter=d -- src/backend ':!**/migrations/*.py' | grep -E '^src/backend/.*\.py$'))
+fi
+
+# Fix docker vs local path when project sources are mounted as a volume
+read -ra paths <<< "$(echo "${paths[@]}" | sed "s|src/backend/||g")"
+_dc_run app-dev pylint "${paths[@]}" "${args[@]}"

bin/pytest

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_dc_run \
+    -e DJANGO_CONFIGURATION=Test \
+    app-dev \
+    pytest "$@"

bin/start-kind.sh

@@ -0,0 +1,102 @@
+#!/bin/sh
+set -o errexit
+
+CURRENT_DIR=$(pwd)
+
+# 0. Create ca
+echo "0. Create ca"
+mkcert -install
+cd /tmp
+mkcert "127.0.0.1.nip.io" "*.127.0.0.1.nip.io"
+cd $CURRENT_DIR
+
+# 1. Create registry container unless it already exists
+echo "1. Create registry container unless it already exists"
+reg_name='kind-registry'
+reg_port='5001'
+if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
+	docker run \
+		-d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \
+		registry:2
+fi
+
+# 2. Create kind cluster with containerd registry config dir enabled
+echo "2. Create kind cluster with containerd registry config dir enabled"
+# TODO: kind will eventually enable this by default and this patch will
+# be unnecessary.
+#
+# See:
+# https://github.com/kubernetes-sigs/kind/issues/2875
+# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
+# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
+cat <<EOF | kind create cluster --config=-
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry]
+    config_path = "/etc/containerd/certs.d"
+nodes:
+- role: control-plane
+  image: kindest/node:v1.27.3
+  kubeadmConfigPatches:
+  - |
+    kind: InitConfiguration
+    nodeRegistration:
+      kubeletExtraArgs:
+        node-labels: "ingress-ready=true"
+  extraPortMappings:
+  - containerPort: 80
+    hostPort: 80
+    protocol: TCP
+  - containerPort: 443
+    hostPort: 443
+    protocol: TCP
+- role: worker
+  image: kindest/node:v1.27.3
+- role: worker
+  image: kindest/node:v1.27.3
+EOF
+
+# 3. Add the registry config to the nodes
+echo "3. Add the registry config to the nodes"
+#
+# This is necessary because localhost resolves to loopback addresses that are
+# network-namespace local.
+# In other words: localhost in the container is not localhost on the host.
+#
+# We want a consistent name that works from both ends, so we tell containerd to
+# alias localhost:${reg_port} to the registry container when pulling images
+REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
+for node in $(kind get nodes); do
+	docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
+	cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
+[host."http://${reg_name}:5000"]
+EOF
+done
+
+# 4. Connect the registry to the cluster network if not already connected
+echo "4. Connect the registry to the cluster network if not already connected"
+# This allows kind to bootstrap the network but ensures they're on the same network
+if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
+	docker network connect "kind" "${reg_name}"
+fi
+
+# 5. Document the local registry
+echo "5. Document the local registry"
+# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${reg_port}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF
+
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+kubectl -n ingress-nginx create secret tls mkcert --key /tmp/127.0.0.1.nip.io+1-key.pem --cert /tmp/127.0.0.1.nip.io+1.pem
+kubectl -n ingress-nginx patch deployments.apps ingress-nginx-controller --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--default-ssl-certificate=ingress-nginx/mkcert"}]'

bin/state

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+project=$(_set_openstack_project)
+echo "Using \"${project}\" project..."
+
+source "${TERRAFORM_DIRECTORY}/${project}/openrc.sh"
+
+# Run Terraform commands in the Hashicorp docker container via docker compose
+# shellcheck disable=SC2068
+DOCKER_USER="$(id -u):$(id -g)" \
+    PROJECT="${project}" \
+    docker compose run --rm \
+    -e OS_AUTH_URL \
+    -e OS_IDENTITY_API_VERSION \
+    -e OS_USER_DOMAIN_NAME \
+    -e OS_PROJECT_DOMAIN_NAME \
+    -e OS_TENANT_ID \
+    -e OS_TENANT_NAME \
+    -e OS_USERNAME \
+    -e OS_PASSWORD \
+    -e OS_REGION_NAME \
+    terraform-state "$@"

bin/terraform

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+project=$(_set_openstack_project)
+echo "Using \"${project}\" project..."
+
+source "${TERRAFORM_DIRECTORY}/${project}/openrc.sh"
+
+# Run Terraform commands in the Hashicorp docker container via docker compose
+# shellcheck disable=SC2068
+DOCKER_USER="$(id -u):$(id -g)" \
+    PROJECT="${project}" \
+    docker compose run --rm \
+    -e OS_AUTH_URL \
+    -e OS_IDENTITY_API_VERSION \
+    -e OS_USER_DOMAIN_NAME \
+    -e OS_PROJECT_DOMAIN_NAME \
+    -e OS_TENANT_ID \
+    -e OS_TENANT_NAME \
+    -e OS_USERNAME \
+    -e OS_PASSWORD \
+    -e OS_REGION_NAME \
+    -e TF_VAR_user_name \
+    terraform "$@"

bin/update_openapi_schema

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_dc_run \
+    -e DJANGO_CONFIGURATION=Test \
+    app-dev \
+    python manage.py spectacular \
+    --api-version 'v1.0' \
+    --urlconf 'people.api_urls' \
+    --format openapi-json \
+    --file /app/core/tests/swagger/swagger.json

crowdin/config.yml

@@ -0,0 +1,30 @@
+#
+# Your crowdin's credentials
+#
+api_token_env: CROWDIN_API_TOKEN
+project_id_env: CROWDIN_PROJECT_ID
+base_path_env: CROWDIN_BASE_PATH
+
+#
+# Choose file structure in crowdin
+# e.g. true or false
+#
+preserve_hierarchy: true
+
+#
+# Files configuration
+#
+files:
+  [
+    {
+      source: "/backend/locale/django.pot",
+      dest: "/backend.pot",
+      translation: "/backend/locale/%locale_with_underscore%/LC_MESSAGES/django.po",
+    },
+    {
+      source: "/frontend/packages/i18n/locales/desk/translations-crowdin.json",
+      dest: "/desk.json",
+      translation: "/frontend/packages/i18n/locales/desk/%two_letters_code%/translations.json",
+      skip_untranslated_strings: true,
+    },
+  ]

docker-compose.yml

@@ -0,0 +1,170 @@
+version: '3.8'
+
+services:
+  postgresql:
+    image: postgres:16
+    env_file:
+      - env.d/development/postgresql
+    ports:
+      - "15432:5432"
+
+  redis:
+    image: redis:5
+
+  mailcatcher:
+    image: sj26/mailcatcher:latest
+    ports:
+      - "1081:1080"
+
+  app-dev:
+    build:
+      context: .
+      target: backend-development
+      args:
+        DOCKER_USER: ${DOCKER_USER:-1000}
+    user: ${DOCKER_USER:-1000}
+    image: people:backend-development
+    environment:
+      - PYLINTHOME=/app/.pylint.d
+      - DJANGO_CONFIGURATION=Development
+    env_file:
+      - env.d/development/common
+      - env.d/development/postgresql
+    ports:
+      - "8071:8000"
+    volumes:
+      - ./src/backend:/app
+      - ./data/media:/data/media
+      - ./data/static:/data/static
+    depends_on:
+        - postgresql
+        - mailcatcher
+        - redis
+  
+  celery-dev:
+    user: ${DOCKER_USER:-1000}
+    image: people:backend-development
+    command: ["celery", "-A", "people.celery_app", "worker", "-l", "DEBUG"]
+    environment:
+      - DJANGO_CONFIGURATION=Development
+    env_file:
+      - env.d/development/common
+      - env.d/development/postgresql
+    volumes:
+      - ./src/backend:/app
+      - ./data/media:/data/media
+      - ./data/static:/data/static
+    depends_on:
+      - app-dev
+
+  app:
+    build:
+      context: .
+      target: backend-production
+      args:
+        DOCKER_USER: ${DOCKER_USER:-1000}
+    user: ${DOCKER_USER:-1000}
+    image: people:backend-production
+    environment:
+      - DJANGO_CONFIGURATION=Demo
+    env_file:
+      - env.d/development/common
+      - env.d/development/postgresql
+    volumes:
+      - ./data/media:/data/media
+    depends_on:
+      - postgresql
+      - redis
+
+  celery:
+    user: ${DOCKER_USER:-1000}
+    image: people:backend-production
+    command: ["celery", "-A", "people.celery_app", "worker", "-l", "INFO"]
+    environment:
+      - DJANGO_CONFIGURATION=Demo
+    env_file:
+      - env.d/development/common
+      - env.d/development/postgresql
+    depends_on:
+      - app
+
+  nginx:
+    image: nginx:1.25
+    ports:
+      - "8083:8083"
+    volumes:
+      - ./docker/files/etc/nginx/conf.d:/etc/nginx/conf.d:ro
+    depends_on:
+      - app
+      - keycloak
+
+  dockerize:
+    image: jwilder/dockerize
+
+  crowdin:
+    image: crowdin/cli:3.16.0
+    volumes:
+      - ".:/app"
+    env_file:
+      - env.d/development/crowdin
+    user: "${DOCKER_USER:-1000}"
+    working_dir: /app
+
+  node:
+    image: node:18
+    user: "${DOCKER_USER:-1000}"
+    environment:
+      HOME: /tmp
+    volumes:
+      - ".:/app"
+
+  terraform-state:
+    image: hashicorp/terraform:1.6
+    environment:
+      - TF_WORKSPACE=${PROJECT:-} # avoid env conflict in local state
+    user: ${DOCKER_USER:-1000}
+    working_dir: /app
+    volumes:
+      - ./src/terraform/create_state_bucket:/app
+
+  terraform:
+    image: hashicorp/terraform:1.6
+    user: ${DOCKER_USER:-1000}
+    working_dir: /app
+    volumes:
+      - ./src/terraform:/app
+
+  kc_postgresql:
+      image: postgres:14.3
+      ports:
+        - "5433:5432"
+      env_file:
+        - env.d/development/kc_postgresql
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:20.0.1
+    volumes:
+      - ./docker/auth/realm.json:/opt/keycloak/data/import/realm.json
+    command:
+      - start-dev
+      - --features=preview
+      - --import-realm
+      - --proxy=edge
+      - --hostname-url=http://localhost:8083
+      - --hostname-admin-url=http://localhost:8083/
+      - --hostname-strict=false
+      - --hostname-strict-https=false
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_DB: postgres
+      KC_DB_URL_HOST: kc_postgresql
+      KC_DB_URL_DATABASE: keycloak
+      KC_DB_PASSWORD: pass
+      KC_DB_USERNAME: people
+      KC_DB_SCHEMA: public
+      PROXY_ADDRESS_FORWARDING: 'true'
+    ports:
+      - "8080:8080"
+    depends_on:
+      - kc_postgresql

docker/files/etc/nginx/conf.d/default.conf

@@ -0,0 +1,13 @@
+
+server {
+    listen 8083;
+    server_name localhost;
+    charset utf-8;
+
+    location / {
+        proxy_pass http://keycloak:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}

docker/files/usr/local/bin/entrypoint

@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# The container user (see USER in the Dockerfile) is an un-privileged user that
+# does not exists and is not created during the build phase (see Dockerfile).
+# Hence, we use this entrypoint to wrap commands that will be run in the
+# container to create an entry for this user in the /etc/passwd file.
+#
+# The following environment variables may be passed to the container to
+# customize running user account:
+#
+#   * USER_NAME: container user name (default: default)
+#   * HOME     : container user home directory (default: none)
+#
+# To pass environment variables, you can either use the -e option of the docker run command:
+#
+#     docker run --rm -e USER_NAME=foo -e HOME='/home/foo' people:latest python manage.py migrate
+#
+# or define new variables in an environment file to use with docker or docker compose:
+#
+#     # env.d/production
+#     USER_NAME=foo
+#     HOME=/home/foo
+#
+#     docker run --rm --env-file env.d/production people:latest python manage.py migrate
+#
+
+echo "🐳(entrypoint) creating user running in the container..."
+if ! whoami > /dev/null 2>&1; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):$(id -g):${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+echo "🐳(entrypoint) running your command: ${*}"
+exec "$@"

docker/files/usr/local/etc/gunicorn/people.py

@@ -0,0 +1,16 @@
+# Gunicorn-django settings
+bind = ["0.0.0.0:8000"]
+name = "people"
+python_path = "/app"
+
+# Run
+graceful_timeout = 90
+timeout = 90
+workers = 3
+
+# Logging
+# Using '-' for the access log file makes gunicorn log accesses to stdout
+accesslog = "-"
+# Using '-' for the error log file makes gunicorn log errors to stderr
+errorlog = "-"
+loglevel = "info"

docs/models.md

@@ -0,0 +1,235 @@
+# What is People?
+
+Space Odyssey is a dynamic organization. They use the People application to enhance teamwork and
+streamline communication among  their co-workers. Let's explore how this application helps them
+interact efficiently.
+
+Let's see how we could interact with Django's shell to recreate David's environment in the app.
+
+## Base contacts from the organization records
+
+David Bowman is an exemplary employee at Space Odyssey Corporation. His email is
+`david.bowman@spaceodyssey.com` and he is registered in the organization's records via a base
+contact as follows:
+
+```python
+david_base_contact = Contact.objects.create(
+    full_name="David Bowman",
+    short_name="David",
+    data={
+        "emails": [
+            {"type": "Work", "value": "david.bowman@spaceodyssey.com"},
+        ],
+        "phones": [
+            {"type": "Work", "value": "(123) 456-7890"},
+        ],
+        "addresses": [
+            {
+                "type": "Work",
+                "street": "123 Main St",
+                "city": "Cityville",
+                "state": "CA",
+                "zip": "12345",
+                "country": "USA",
+            }
+        ],
+        "links": [
+            {"type": "Website", "value": "http://www.spaceodyssey.com"},
+            {"type": "Twitter", "value": "https://www.twitter.com/dbowman"},
+        ],
+        "organizations": [
+            {
+                "name": "Space Odyssey Corporation",
+                "department": "IT",
+                "jobTitle": "AI Engineer",
+            },
+        ],
+    }
+)
+```
+
+When David logs-in to the People application for the first time using the corporation's OIDC
+Single Sign-On service. A user is created for him on the fly by the system, together with an
+identity record representing the OIDC session:
+
+```python
+david_user = User.objects.create(
+    language="en-us",
+    timezone="America/Los_Angeles",
+)
+david_identity = Identity.objects.create(
+  "user": david_user,
+  "sub": "2a1b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
+  "email" : "david.bowman@spaceodyssey.com",
+  "is_main": True,
+)
+```
+
+## Profile contact
+
+The system identifies Dave through the email associated with his OIDC session and prompts him to
+confirm the details of the base contact stored in the database.
+
+When David confirms, giving an alternative short name that he prefers, a contact override is
+created on top of the organization's base contact. This new contact is marked as David's profile
+on the user:
+
+```python
+david_contact = Contact.objects.create(
+    base=david_base_contact,
+    owner=david_user,
+    full_name="David Bowman",
+    short_name="Dave",
+    data={}
+)
+david_user.profile_contact = david_contact
+david_user.save()
+```
+
+If Dave had not had any existing contact in the organization's records, the profile contact would
+have been created independently, without any connection to a base contact:
+
+```python
+david_contact = Contact.objects.create(
+    base=None,
+    owner=david_user,
+    full_name="David Bowman",
+    short_name="Dave",
+    data={}
+)
+```
+
+Now, Dave feels like sharing his mobile phone number with his colleagues. He can do this
+by editing his contact in the application:
+
+```python
+contact.data["phones"] = [
+    {"type": "Mobile", "value": "(123) 456-7890"},
+]
+contact.save()
+```
+
+## Contact override
+
+During a Space conference he attended, Dave met Dr Ryan Stone, a medical engineer who gave him
+her professional email address. Ryan is already present in the system but her email is missing.
+Dave can add it to his private version of the contact:
+
+```python
+ryan_base_contact = Contact.objects.create(
+    full_name="Ryan Stone",
+    data={}
+)
+ryan_contact = Contact.objects.create(
+    base=ryan_base_contact,
+    owner=david_user,
+    full_name="Ryan Stone",
+    short_name="Dr Ryan",
+    data={
+        "emails": [
+            {"type": "Work", "value": "ryan.stone@hubblestation.com"},
+        ],
+    }
+)
+```
+
+## Team Collaboration
+
+Dave wants to form a team with Ryan and other colleagues to work together better on using the organization's digital tools for their projects.
+
+Dave would like to create a team with Ryan and some other colleagues, to enhance collaboration
+throughout their projects:
+
+```python
+projectx = Team.objects.create(name="Project X")
+```
+
+A team can for example be used to create an email alias or to define role based access rights
+(RBAC) in a specific application or all applications of the organization's digital Suite.
+
+Having created he team, Dave is automatically assigned the "owner" role. He invites Ryan,
+granting an "administrator" role to her so she can invite her own colleagues. Both of them can
+then proceed to invite other colleagues as simple members. If Ryan wants, she can upgrade a
+colleague to "administrator" but only David can upgrade someone to the "owner" status:
+
+```python
+TeamAccess.objects.create(user=david_user, team=projectx, role="owner")
+TeamAccess.objects.create(user=ryan_user, team=projectx, role="administrator")
+TeamAccess.objects.create(user=julie_user, team=projectx, role="member")
+```
+
+| Role                              | Member | Administrator | Owner |
+|-----------------------------------|--------|---------------|-------|
+| Can view team                     | ✔      | ✔             | ✔     |
+| Can set roles except for owners   |        | ✔             | ✔     |
+| Can set roles for owners          |        |               | ✔     |
+| Can delete team                   |        |               | ✔     |
+
+Importantly, the system ensures that there is always at least one owner left to maintain control
+of the team.
+
+# Models overview
+
+The following graph represents the application's models and their relationships:
+
+```mermaid
+erDiagram
+  %% Models
+
+  Contact {
+    UUID id PK
+    Contact base
+    User owner
+    string full_name
+    string short_name
+    json data
+    DateTime created_at
+    DateTime updated_at
+  }
+
+  User {
+    UUID id PK
+    Contact profile_contact
+    string language
+    string timezone
+    boolean is_device
+    boolean is_staff
+    boolean is_active
+    DateTime created_at
+    DateTime updated_at
+  }
+
+  Identity {
+    UUID id PK
+    User user
+    string sub
+    Email email
+    boolean is_main
+    DateTime created_at
+    DateTime updated_at
+  }
+
+  Team {
+    UUID id PK
+    string name
+    DateTime created_at
+    DateTime updated_at
+  }
+
+  TeamAccess {
+    UUID id PK
+    Team team
+    User user
+    string role
+    DateTime created_at
+    DateTime updated_at
+  }
+
+  %% Relations
+  User ||--o{ Contact : "owns"
+  Contact ||--o{ User : "profile for"
+  User ||--o{ TeamAccess : ""
+  Team ||--o{ TeamAccess : ""
+  Identity ||--o{ User : "connects"
+  Contact }o--|| Contact : "overrides"
+```

docs/tsclient.md

@@ -0,0 +1,25 @@
+# Api client TypeScript
+
+The backend application can automatically create a TypeScript client to be used in frontend
+applications. It is used in the People front application itself.
+
+This client is made with [openapi-typescript-codegen](https://github.com/ferdikoomen/openapi-typescript-codegen)
+and People's backend OpenAPI schema (available [here](http://localhost:8071/v1.0/swagger/) if you have the backend running).
+
+## Requirements
+
+We'll need the online OpenAPI schema generated by swagger. Therefore you will first need to
+install the backend application.
+
+## Install openApiClientJs
+
+```sh
+$ cd src/tsclient
+$ yarn install
+```
+
+## Generate the client
+
+```sh
+yarn generate:api:client:local <output_path_for_generated_client>
+```

env.d/development/common.dist

@@ -0,0 +1,35 @@
+# Django
+DJANGO_ALLOWED_HOSTS=*
+DJANGO_SECRET_KEY=ThisIsAnExampleKeyForDevPurposeOnly
+DJANGO_SETTINGS_MODULE=people.settings
+DJANGO_SUPERUSER_PASSWORD=admin
+
+# Python
+PYTHONPATH=/app
+
+# People settings
+
+# Mail
+DJANGO_EMAIL_HOST="mailcatcher"
+DJANGO_EMAIL_PORT=1025
+
+# Backend url
+PEOPLE_BASE_URL="http://localhost:8072"
+
+# OIDC
+OIDC_OP_JWKS_ENDPOINT=http://nginx:8083/realms/people/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=http://localhost:8083/realms/people/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=http://nginx:8083/realms/people/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=http://nginx:8083/realms/people/protocol/openid-connect/userinfo
+
+OIDC_RP_CLIENT_ID=people
+OIDC_RP_CLIENT_SECRET=ThisIsAnExampleKeyForDevPurposeOnly
+OIDC_RP_SIGN_ALGO=RS256
+OIDC_RP_SCOPES="openid email"
+
+LOGIN_REDIRECT_URL=http://localhost:3000
+LOGIN_REDIRECT_URL_FAILURE=http://localhost:3000
+LOGOUT_REDIRECT_URL=http://localhost:3000
+
+OIDC_REDIRECT_ALLOWED_HOSTS=["http://localhost:8083", "http://localhost:3000"]
+OIDC_AUTH_REQUEST_EXTRA_PARAMS={"acr_values": "eidas1"}

env.d/development/common.e2e.dist

@@ -0,0 +1,3 @@
+# For the CI job test-e2e
+SUSTAINED_THROTTLE_RATES="200/hour"
+BURST_THROTTLE_RATES="200/minute"

env.d/development/crowdin.dist

@@ -0,0 +1,3 @@
+CROWDIN_API_TOKEN=Your-Api-Token
+CROWDIN_PROJECT_ID=Your-Project-Id
+CROWDIN_BASE_PATH=/app/src

env.d/development/kc_postgresql.dist

@@ -0,0 +1,11 @@
+# Postgresql db container configuration
+POSTGRES_DB=keycloak
+POSTGRES_USER=people
+POSTGRES_PASSWORD=pass
+
+# App database configuration
+DB_HOST=kc_postgresql
+DB_NAME=keycloak
+DB_USER=people
+DB_PASSWORD=pass
+DB_PORT=5433

env.d/development/postgresql.dist

@@ -0,0 +1,11 @@
+# Postgresql db container configuration
+POSTGRES_DB=people
+POSTGRES_USER=dinum
+POSTGRES_PASSWORD=pass
+
+# App database configuration
+DB_HOST=postgresql
+DB_NAME=people
+DB_USER=dinum
+DB_PASSWORD=pass
+DB_PORT=5432

gitlint/gitlint_emoji.py

@@ -0,0 +1,37 @@
+"""
+Gitlint extra rule to validate that the message title is of the form
+"<gitmoji>(<scope>) <subject>"
+"""
+from __future__ import unicode_literals
+
+import re
+
+import requests
+
+from gitlint.rules import CommitMessageTitle, LineRule, RuleViolation
+
+
+class GitmojiTitle(LineRule):
+    """
+    This rule will enforce that each commit title is of the form "<gitmoji>(<scope>) <subject>"
+    where gitmoji is an emoji from the list defined in https://gitmoji.carloscuesta.me and
+    subject should be all lowercase
+    """
+
+    id = "UC1"
+    name = "title-should-have-gitmoji-and-scope"
+    target = CommitMessageTitle
+
+    def validate(self, title, _commit):
+        """
+        Download the list possible gitmojis from the project's GitHub repository and check that
+        title contains one of them.
+        """
+        gitmojis = requests.get(
+            "https://raw.githubusercontent.com/carloscuesta/gitmoji/master/packages/gitmojis/src/gitmojis.json"
+        ).json()["gitmojis"]
+        emojis = [item["emoji"] for item in gitmojis]
+        pattern = r"^({:s})\(.*\)\s[a-z].*$".format("|".join(emojis))
+        if not re.search(pattern, title):
+            violation_msg = 'Title does not match regex "<gitmoji>(<scope>) <subject>"'
+            return [RuleViolation(self.id, violation_msg, title)]

renovate.json

@@ -0,0 +1,19 @@
+{
+  "extends": ["github>numerique-gouv/renovate-configuration"],
+  "dependencyDashboard": true,
+  "labels": ["dependencies", "noChangeLog"],
+  "packageRules": [
+    {
+      "enabled": false,
+      "groupName": "ignored python dependencies",
+      "matchManagers": ["pep621"],
+      "matchPackageNames": []
+    },
+    {
+      "enabled": false,
+      "groupName": "ignored js dependencies",
+      "matchManagers": ["npm"],
+      "matchPackageNames": ["node", "node-fetch", "i18next-parser", "eslint"]
+    }
+  ]
+}

scripts/install-pre-commit-hook.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+mkdir -p "$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/"
+PRE_COMMIT_FILE="$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/pre-commit"
+
+cat <<'EOF' >$PRE_COMMIT_FILE
+#!/bin/bash
+
+# directories containing potential secrets
+DIRS="."
+
+bold=$(tput bold)
+normal=$(tput sgr0)
+
+# allow to read user input, assigns stdin to keyboard
+exec </dev/tty
+
+for d in $DIRS; do
+	# find files containing secrets that should be encrypted
+	for f in $(find "${d}" -type f -regex ".*\.enc\..*"); do
+		if ! $(grep -q "unencrypted_suffix" $f); then
+			printf '\xF0\x9F\x92\xA5 '
+			echo "File $f has non encrypted secrets!"
+			exit 1
+		fi
+	done
+done
+EOF
+
+chmod +x $PRE_COMMIT_FILE

scripts/update-git-submodule.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+git submodule update --init --recursive
+git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'

src/backend/.pylintrc

@@ -0,0 +1,472 @@
+[MASTER]
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code
+extension-pkg-whitelist=
+
+# Add files or directories to the blacklist. They should be base names, not
+# paths.
+ignore=migrations
+
+# Add files or directories matching the regex patterns to the blacklist. The
+# regex matches against base names, not paths.
+ignore-patterns=
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+#init-hook=
+
+# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
+# number of processors available to use.
+jobs=0
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=pylint_django,pylint.extensions.no_self_use
+
+# Pickle collected data for later comparisons.
+persistent=yes
+
+# Specify a configuration file.
+#rcfile=
+
+# When enabled, pylint would attempt to guess common misconfiguration and emit
+# user-friendly hints instead of false-positive error messages
+suggestion-mode=yes
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
+confidence=
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once).You can also use "--disable=all" to
+# disable everything first and then reenable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use"--disable=all --enable=classes
+# --disable=W"
+disable=bad-inline-option,
+        deprecated-pragma,
+        django-not-configured,
+        file-ignored,
+        locally-disabled,
+        no-self-use,
+        raw-checker-failed,
+        suppressed-message,
+        useless-suppression
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time (only on the command line, not in the configuration file where
+# it should appear only once). See also the "--disable" option for examples.
+enable=c-extension-no-member
+
+
+[REPORTS]
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details
+#msg-template=
+
+# Set the output format. Available formats are text, parseable, colorized, json
+# and msvs (visual studio).You can also give a reporter class, eg
+# mypackage.mymodule.MyReporterClass.
+output-format=text
+
+# Tells whether to display a full report or only the messages
+reports=no
+
+# Activate the evaluation score.
+score=yes
+
+
+[REFACTORING]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+# Complete name of functions that never returns. When checking for
+# inconsistent-return-statements if a never returning function is called then
+# it will be considered as an explicit return statement and no message will be
+# printed.
+never-returning-functions=optparse.Values,sys.exit
+
+
+[LOGGING]
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format
+logging-modules=logging
+
+
+[SPELLING]
+
+# Limits count of emitted suggestions for spelling mistakes
+max-spelling-suggestions=4
+
+# Spelling dictionary name. Available dictionaries: none. To make it working
+# install python-enchant package.
+spelling-dict=
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to indicated private dictionary in
+# --spelling-private-dict-file option instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,
+      XXX,
+      TODO
+
+
+[TYPECHECK]
+
+# List of decorators that produce context managers, such as
+# contextlib.contextmanager. Add to this list to register other decorators that
+# produce valid context managers.
+contextmanager-decorators=contextlib.contextmanager
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# This flag controls whether pylint should warn about no-member and similar
+# checks whenever an opaque object is returned when inferring. The inference
+# can return multiple potential results while evaluating a Python object, but
+# some branches might not be evaluated, which results in partial inference. In
+# that case, it might be useful to still emit no-member and other checks for
+# the rest of the inferred objects.
+ignore-on-opaque-inference=yes
+
+# List of class names for which member attributes should not be checked (useful
+# for classes with dynamically set attributes). This supports the use of
+# qualified names.
+ignored-classes=optparse.Values,thread._local,_thread._local,responses,
+                Team,Contact
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis. It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=
+
+# Show a hint with possible names when a member name was not found. The aspect
+# of finding the hint is based on edit distance.
+missing-member-hint=yes
+
+# The minimum edit distance a name should have in order to be considered a
+# similar match for a missing member name.
+missing-member-hint-distance=1
+
+# The total number of similar names that should be taken in consideration when
+# showing a hint for a missing member.
+missing-member-max-choices=1
+
+
+[VARIABLES]
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid to define new builtins when possible.
+additional-builtins=
+
+# Tells whether unused global variables should be treated as a violation.
+allow-global-unused-variables=yes
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,
+          _cb
+
+# A regular expression matching the name of dummy variables (i.e. expectedly
+# not used).
+dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore
+ignored-argument-names=_.*|^ignored_|^unused_
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# List of qualified module names which can have objects that can redefine
+# builtins.
+redefining-builtins-modules=six.moves,past.builtins,future.builtins
+
+
+[FORMAT]
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+
+# Number of spaces of indent required inside a hanging  or continued line.
+indent-after-paren=4
+
+# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
+# tab).
+indent-string='    '
+
+# Maximum number of characters on a single line.
+max-line-length=100
+
+# Maximum number of lines in a module
+max-module-lines=1000
+
+# Allow the body of a class to be on the same line as the declaration if body
+# contains single statement.
+single-line-class-stmt=no
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+
+[SIMILARITIES]
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=yes
+
+# Minimum lines number of a similarity.
+# First implementations of CMS wizards have common fields we do not want to factorize for now
+min-similarity-lines=35
+
+
+[BASIC]
+
+# Naming style matching correct argument names
+argument-naming-style=snake_case
+
+# Regular expression matching correct argument names. Overrides argument-
+# naming-style
+#argument-rgx=
+
+# Naming style matching correct attribute names
+attr-naming-style=snake_case
+
+# Regular expression matching correct attribute names. Overrides attr-naming-
+# style
+#attr-rgx=
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=foo,
+          bar,
+          baz,
+          toto,
+          tutu,
+          tata
+
+# Naming style matching correct class attribute names
+class-attribute-naming-style=any
+
+# Regular expression matching correct class attribute names. Overrides class-
+# attribute-naming-style
+#class-attribute-rgx=
+
+# Naming style matching correct class names
+class-naming-style=PascalCase
+
+# Regular expression matching correct class names. Overrides class-naming-style
+#class-rgx=
+
+# Naming style matching correct constant names
+const-naming-style=UPPER_CASE
+
+# Regular expression matching correct constant names. Overrides const-naming-
+# style
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__)|urlpatterns|logger)$
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+# Naming style matching correct function names
+function-naming-style=snake_case
+
+# Regular expression matching correct function names. Overrides function-
+# naming-style
+#function-rgx=
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=i,
+           j,
+           k,
+           cm,
+           ex,
+           Run,
+           _
+
+# Include a hint for the correct naming format with invalid-name
+include-naming-hint=no
+
+# Naming style matching correct inline iteration names
+inlinevar-naming-style=any
+
+# Regular expression matching correct inline iteration names. Overrides
+# inlinevar-naming-style
+#inlinevar-rgx=
+
+# Naming style matching correct method names
+method-naming-style=snake_case
+
+# Regular expression matching correct method names. Overrides method-naming-
+# style
+method-rgx=([a-z_][a-z0-9_]{2,50}|setUp|set[Uu]pClass|tearDown|tear[Dd]ownClass|assert[A-Z]\w*|maxDiff|test_[a-z0-9_]+)$
+
+# Naming style matching correct module names
+module-naming-style=snake_case
+
+# Regular expression matching correct module names. Overrides module-naming-
+# style
+#module-rgx=
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# List of decorators that produce properties, such as abc.abstractproperty. Add
+# to this list to register other decorators that produce valid properties.
+property-classes=abc.abstractproperty
+
+# Naming style matching correct variable names
+variable-naming-style=snake_case
+
+# Regular expression matching correct variable names. Overrides variable-
+# naming-style
+#variable-rgx=
+
+
+[IMPORTS]
+
+# Allow wildcard imports from modules that define __all__.
+allow-wildcard-with-all=no
+
+# Analyse import fallback blocks. This can be used to support both Python 2 and
+# 3 compatible code, which means that the block might have code that exists
+# only in one or another interpreter, leading to false positives when analysed.
+analyse-fallback-blocks=no
+
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=optparse,tkinter.tix
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+# Force import order to recognize a module as part of the standard
+# compatibility libraries.
+known-standard-library=
+
+# Force import order to recognize a module as part of a third party library.
+known-third-party=enchant
+
+
+[CLASSES]
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,
+                      __new__,
+                      setUp
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,
+                  _fields,
+                  _replace,
+                  _source,
+                  _make
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+
+[DESIGN]
+
+# Maximum number of arguments for function / method
+max-args=5
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Maximum number of boolean expressions in a if statement
+max-bool-expr=5
+
+# Maximum number of branch for function / method body
+max-branches=12
+
+# Maximum number of locals for function / method body
+max-locals=15
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of return / yield for function / method body
+max-returns=6
+
+# Maximum number of statements in function / method body
+max-statements=50
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=0
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception"
+overgeneral-exceptions=builtins.Exception

src/backend/MANIFEST.in

@@ -0,0 +1,3 @@
+include LICENSE
+include README.md
+recursive-include src/backend/people *.html *.png *.gif *.css *.ico *.jpg *.jpeg *.po *.mo *.eot *.svg *.ttf *.woff *.woff2

src/backend/core/admin.py

@@ -0,0 +1,173 @@
+"""Admin classes and registrations for People's core app."""
+
+from django import forms
+from django.contrib import admin
+from django.contrib.auth import admin as auth_admin
+from django.utils.translation import gettext_lazy as _
+
+from . import models
+
+
+class IdentityFormSet(forms.BaseInlineFormSet):
+    """
+    Make the "is_main" field readonly when it is True so that declaring another identity
+    works in the admin.
+    """
+
+    def add_fields(self, form, index):
+        """Disable the "is_main" field when it is set to True"""
+        super().add_fields(form, index)
+        is_main_value = form.instance.is_main if form.instance else False
+        form.fields["is_main"].disabled = is_main_value
+
+
+class IdentityInline(admin.TabularInline):
+    """Inline admin class for user identities."""
+
+    fields = (
+        "sub",
+        "email",
+        "is_main",
+        "created_at",
+        "updated_at",
+    )
+    formset = IdentityFormSet
+    model = models.Identity
+    extra = 0
+    readonly_fields = ("email", "created_at", "sub", "updated_at")
+
+    def has_add_permission(self, request, obj):
+        """
+        Identities are automatically created on successful OIDC logins.
+        Disable creating identities via the admin.
+        """
+        return False
+
+
+class TeamAccessInline(admin.TabularInline):
+    """Inline admin class for team accesses."""
+
+    extra = 0
+    autocomplete_fields = ["user", "team"]
+    model = models.TeamAccess
+    readonly_fields = ("created_at", "updated_at")
+
+
+class TeamWebhookInline(admin.TabularInline):
+    """Inline admin class for team webhooks."""
+
+    extra = 0
+    autocomplete_fields = ["team"]
+    model = models.TeamWebhook
+    readonly_fields = ("created_at", "updated_at")
+
+
+@admin.register(models.User)
+class UserAdmin(auth_admin.UserAdmin):
+    """Admin class for the User model"""
+
+    fieldsets = (
+        (
+            None,
+            {
+                "fields": (
+                    "id",
+                    "password",
+                )
+            },
+        ),
+        (_("Personal info"), {"fields": ("admin_email", "language", "timezone")}),
+        (
+            _("Permissions"),
+            {
+                "fields": (
+                    "is_active",
+                    "is_device",
+                    "is_staff",
+                    "is_superuser",
+                    "groups",
+                    "user_permissions",
+                ),
+            },
+        ),
+        (_("Important dates"), {"fields": ("created_at", "updated_at")}),
+    )
+    add_fieldsets = (
+        (
+            None,
+            {
+                "classes": ("wide",),
+                "fields": ("admin_email", "password1", "password2"),
+            },
+        ),
+    )
+    inlines = (IdentityInline, TeamAccessInline)
+    list_display = (
+        "admin_email",
+        "created_at",
+        "updated_at",
+        "is_active",
+        "is_device",
+        "is_staff",
+        "is_superuser",
+    )
+    list_filter = ("is_staff", "is_superuser", "is_device", "is_active")
+    ordering = ("is_active", "-is_superuser", "-is_staff", "-is_device", "-updated_at")
+    readonly_fields = ("id", "created_at", "updated_at")
+    search_fields = ("id", "admin_email", "identities__sub", "identities__email")
+
+
+@admin.register(models.Team)
+class TeamAdmin(admin.ModelAdmin):
+    """Team admin interface declaration."""
+
+    inlines = (TeamAccessInline, TeamWebhookInline)
+    list_display = (
+        "name",
+        "slug",
+        "created_at",
+        "updated_at",
+    )
+    search_fields = ("name",)
+
+
+@admin.register(models.Invitation)
+class InvitationAdmin(admin.ModelAdmin):
+    """Admin interface to handle invitations."""
+
+    fields = (
+        "email",
+        "team",
+        "role",
+        "created_at",
+        "issuer",
+    )
+    readonly_fields = (
+        "created_at",
+        "is_expired",
+        "issuer",
+    )
+    list_display = (
+        "email",
+        "team",
+        "created_at",
+        "is_expired",
+    )
+
+    def get_readonly_fields(self, request, obj=None):
+        if obj:
+            # all fields read only = disable update
+            return self.fields
+        return self.readonly_fields
+
+    def change_view(self, request, object_id, form_url="", extra_context=None):
+        """Custom edit form. Remove 'save' buttons."""
+        extra_context = extra_context or {}
+        extra_context["show_save_and_continue"] = False
+        extra_context["show_save"] = False
+        extra_context["show_save_and_add_another"] = False
+        return super().change_view(request, object_id, extra_context=extra_context)
+
+    def save_model(self, request, obj, form, change):
+        obj.issuer = request.user
+        obj.save()

src/backend/core/api/__init__.py

@@ -0,0 +1,42 @@
+"""People core API endpoints"""
+
+from django.conf import settings
+from django.core.exceptions import ValidationError
+
+from rest_framework import exceptions as drf_exceptions
+from rest_framework import views as drf_views
+from rest_framework.decorators import api_view
+from rest_framework.response import Response
+
+
+def exception_handler(exc, context):
+    """Handle Django ValidationError as an accepted exception.
+
+    For the parameters, see ``exception_handler``
+    This code comes from twidi's gist:
+    https://gist.github.com/twidi/9d55486c36b6a51bdcb05ce3a763e79f
+    """
+    if isinstance(exc, ValidationError):
+        if hasattr(exc, "message_dict"):
+            detail = exc.message_dict
+        elif hasattr(exc, "message"):
+            detail = exc.message
+        elif hasattr(exc, "messages"):
+            detail = exc.messages
+        else:
+            detail = ""
+
+        exc = drf_exceptions.ValidationError(detail=detail)
+
+    return drf_views.exception_handler(exc, context)
+
+
+# pylint: disable=unused-argument
+@api_view(["GET"])
+def get_frontend_configuration(request):
+    """Returns the frontend configuration dict as configured in settings."""
+    frontend_configuration = {
+        "LANGUAGE_CODE": settings.LANGUAGE_CODE,
+    }
+    frontend_configuration.update(settings.FRONTEND_CONFIGURATION)
+    return Response(frontend_configuration)

src/backend/core/api/permissions.py

@@ -0,0 +1,55 @@
+"""Permission handlers for the People core app."""
+
+from django.core import exceptions
+
+from rest_framework import permissions
+
+
+class IsAuthenticated(permissions.BasePermission):
+    """
+    Allows access only to authenticated users. Alternative method checking the presence
+    of the auth token to avoid hitting the database.
+    """
+
+    def has_permission(self, request, view):
+        return bool(request.auth) if request.auth else request.user.is_authenticated
+
+
+class IsSelf(IsAuthenticated):
+    """
+    Allows access only to authenticated users. Alternative method checking the presence
+    of the auth token to avoid hitting the database.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        """Write permissions are only allowed to the user itself."""
+        return obj == request.user
+
+
+class IsOwnedOrPublic(IsAuthenticated):
+    """
+    Allows access to authenticated users only for objects that are owned or not related
+    to any user via the "owner" field.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        """Unsafe permissions are only allowed for the owner of the object."""
+        if obj.owner == request.user:
+            return True
+
+        if request.method in permissions.SAFE_METHODS and obj.owner is None:
+            return True
+
+        try:
+            return obj.user == request.user
+        except exceptions.ObjectDoesNotExist:
+            return False
+
+
+class AccessPermission(IsAuthenticated):
+    """Permission class for access objects."""
+
+    def has_object_permission(self, request, view, obj):
+        """Check permission for a given object."""
+        abilities = obj.get_abilities(request.user)
+        return abilities.get(request.method.lower(), False)

src/backend/core/api/serializers.py

@@ -0,0 +1,239 @@
+"""Client serializers for the People core app."""
+
+from rest_framework import exceptions, serializers
+from timezone_field.rest_framework import TimeZoneSerializerField
+
+from core import models
+
+
+class ContactSerializer(serializers.ModelSerializer):
+    """Serialize contacts."""
+
+    class Meta:
+        model = models.Contact
+        fields = [
+            "id",
+            "base",
+            "data",
+            "full_name",
+            "owner",
+            "short_name",
+        ]
+        read_only_fields = ["id", "owner"]
+
+    def update(self, instance, validated_data):
+        """Make "base" field readonly but only for update/patch."""
+        validated_data.pop("base", None)
+        return super().update(instance, validated_data)
+
+
+class DynamicFieldsModelSerializer(serializers.ModelSerializer):
+    """
+    A ModelSerializer that takes an additional `fields` argument that
+    controls which fields should be displayed.
+    """
+
+    def __init__(self, *args, **kwargs):
+        # Don't pass the 'fields' arg up to the superclass
+        fields = kwargs.pop("fields", None)
+
+        # Instantiate the superclass normally
+        super().__init__(*args, **kwargs)
+
+        if fields is not None:
+            # Drop any fields that are not specified in the `fields` argument.
+            allowed = set(fields)
+            existing = set(self.fields)
+            for field_name in existing - allowed:
+                self.fields.pop(field_name)
+
+
+class UserSerializer(DynamicFieldsModelSerializer):
+    """Serialize users."""
+
+    timezone = TimeZoneSerializerField(use_pytz=False, required=True)
+    email = serializers.ReadOnlyField()
+    name = serializers.ReadOnlyField()
+
+    class Meta:
+        model = models.User
+        fields = [
+            "id",
+            "email",
+            "language",
+            "name",
+            "timezone",
+            "is_device",
+            "is_staff",
+        ]
+        read_only_fields = ["id", "name", "email", "is_device", "is_staff"]
+
+
+class TeamAccessSerializer(serializers.ModelSerializer):
+    """Serialize team accesses."""
+
+    abilities = serializers.SerializerMethodField(read_only=True)
+
+    class Meta:
+        model = models.TeamAccess
+        fields = ["id", "user", "role", "abilities"]
+        read_only_fields = ["id", "abilities"]
+
+    def update(self, instance, validated_data):
+        """Make "user" field is readonly but only on update."""
+        validated_data.pop("user", None)
+        return super().update(instance, validated_data)
+
+    def get_abilities(self, access) -> dict:
+        """Return abilities of the logged-in user on the instance."""
+        request = self.context.get("request")
+        if request:
+            return access.get_abilities(request.user)
+        return {}
+
+    def validate(self, attrs):
+        """
+        Check access rights specific to writing (create/update)
+        """
+        request = self.context.get("request")
+        user = getattr(request, "user", None)
+        role = attrs.get("role")
+
+        # Update
+        if self.instance:
+            can_set_role_to = self.instance.get_abilities(user)["set_role_to"]
+
+            if role and role not in can_set_role_to:
+                message = (
+                    f"You are only allowed to set role to {', '.join(can_set_role_to)}"
+                    if can_set_role_to
+                    else "You are not allowed to set this role for this team."
+                )
+                raise exceptions.PermissionDenied(message)
+
+        # Create
+        else:
+            try:
+                team_id = self.context["team_id"]
+            except KeyError as exc:
+                raise exceptions.ValidationError(
+                    "You must set a team ID in kwargs to create a new team access."
+                ) from exc
+
+            if not models.TeamAccess.objects.filter(
+                team=team_id,
+                user=user,
+                role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
+            ).exists():
+                raise exceptions.PermissionDenied(
+                    "You are not allowed to manage accesses for this team."
+                )
+
+            if (
+                role == models.RoleChoices.OWNER
+                and not models.TeamAccess.objects.filter(
+                    team=team_id,
+                    user=user,
+                    role=models.RoleChoices.OWNER,
+                ).exists()
+            ):
+                raise exceptions.PermissionDenied(
+                    "Only owners of a team can assign other users as owners."
+                )
+
+        attrs["team_id"] = self.context["team_id"]
+        return attrs
+
+
+class TeamAccessReadOnlySerializer(TeamAccessSerializer):
+    """Serialize team accesses for list and retrieve actions."""
+
+    user = UserSerializer(read_only=True, fields=["id", "name", "email"])
+
+    class Meta:
+        model = models.TeamAccess
+        fields = [
+            "id",
+            "user",
+            "role",
+            "abilities",
+        ]
+        read_only_fields = [
+            "id",
+            "user",
+            "role",
+            "abilities",
+        ]
+
+
+class TeamSerializer(serializers.ModelSerializer):
+    """Serialize teams."""
+
+    abilities = serializers.SerializerMethodField(read_only=True)
+    slug = serializers.SerializerMethodField()
+
+    class Meta:
+        model = models.Team
+        fields = [
+            "id",
+            "name",
+            "accesses",
+            "abilities",
+            "slug",
+            "created_at",
+            "updated_at",
+        ]
+        read_only_fields = [
+            "id",
+            "accesses",
+            "abilities",
+            "slug",
+            "created_at",
+            "updated_at",
+        ]
+
+    def get_abilities(self, team) -> dict:
+        """Return abilities of the logged-in user on the instance."""
+        request = self.context.get("request")
+        if request:
+            return team.get_abilities(request.user)
+        return {}
+
+    def get_slug(self, instance):
+        """Return slug from the team's name."""
+        return instance.get_slug()
+
+
+class InvitationSerializer(serializers.ModelSerializer):
+    """Serialize invitations."""
+
+    class Meta:
+        model = models.Invitation
+        fields = ["id", "created_at", "email", "team", "role", "issuer", "is_expired"]
+        read_only_fields = ["id", "created_at", "team", "issuer", "is_expired"]
+
+    def validate(self, attrs):
+        """Validate and restrict invitation to new user based on email."""
+
+        request = self.context.get("request")
+        user = getattr(request, "user", None)
+
+        try:
+            team_id = self.context["team_id"]
+        except KeyError as exc:
+            raise exceptions.ValidationError(
+                "You must set a team ID in kwargs to create a new team invitation."
+            ) from exc
+
+        if not models.TeamAccess.objects.filter(
+            team=team_id,
+            user=user,
+            role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
+        ).exists():
+            raise exceptions.PermissionDenied(
+                "You are not allowed to manage invitation for this team."
+            )
+
+        attrs["team_id"] = team_id
+        attrs["issuer"] = user
+        return attrs

src/backend/core/api/viewsets.py

@@ -0,0 +1,498 @@
+"""API endpoints"""
+
+from django.contrib.postgres.search import TrigramSimilarity
+from django.db.models import Func, Max, OuterRef, Prefetch, Q, Subquery, Value
+from django.db.models.functions import Coalesce
+
+from rest_framework import (
+    decorators,
+    exceptions,
+    filters,
+    mixins,
+    pagination,
+    response,
+    throttling,
+    viewsets,
+)
+
+from core import models
+
+from . import permissions, serializers
+
+SIMILARITY_THRESHOLD = 0.04
+
+
+class NestedGenericViewSet(viewsets.GenericViewSet):
+    """
+    A generic Viewset aims to be used in a nested route context.
+    e.g: `/api/v1.0/resource_1/<resource_1_pk>/resource_2/<resource_2_pk>/`
+
+    It allows to define all url kwargs and lookup fields to perform the lookup.
+    """
+
+    lookup_fields: list[str] = ["pk"]
+    lookup_url_kwargs: list[str] = []
+
+    def __getattribute__(self, item):
+        """
+        This method is overridden to allow to get the last lookup field or lookup url kwarg
+        when accessing the `lookup_field` or `lookup_url_kwarg` attribute. This is useful
+        to keep compatibility with all methods used by the parent class `GenericViewSet`.
+        """
+        if item in ["lookup_field", "lookup_url_kwarg"]:
+            return getattr(self, item + "s", [None])[-1]
+
+        return super().__getattribute__(item)
+
+    def get_queryset(self):
+        """
+        Get the list of items for this view.
+
+        `lookup_fields` attribute is enumerated here to perform the nested lookup.
+        """
+        queryset = super().get_queryset()
+
+        # The last lookup field is removed to perform the nested lookup as it corresponds
+        # to the object pk, it is used within get_object method.
+        lookup_url_kwargs = (
+            self.lookup_url_kwargs[:-1]
+            if self.lookup_url_kwargs
+            else self.lookup_fields[:-1]
+        )
+
+        filter_kwargs = {}
+        for index, lookup_url_kwarg in enumerate(lookup_url_kwargs):
+            if lookup_url_kwarg not in self.kwargs:
+                raise KeyError(
+                    f"Expected view {self.__class__.__name__} to be called with a URL "
+                    f'keyword argument named "{lookup_url_kwarg}". Fix your URL conf, or '
+                    "set the `.lookup_fields` attribute on the view correctly."
+                )
+
+            filter_kwargs.update(
+                {self.lookup_fields[index]: self.kwargs[lookup_url_kwarg]}
+            )
+
+        return queryset.filter(**filter_kwargs)
+
+
+class SerializerPerActionMixin:
+    """
+    A mixin to allow to define serializer classes for each action.
+
+    This mixin is useful to avoid to define a serializer class for each action in the
+    `get_serializer_class` method.
+    """
+
+    serializer_classes: dict[str, type] = {}
+    default_serializer_class: type = None
+
+    def get_serializer_class(self):
+        """
+        Return the serializer class to use depending on the action.
+        """
+        return self.serializer_classes.get(self.action, self.default_serializer_class)
+
+
+class Pagination(pagination.PageNumberPagination):
+    """Pagination to display no more than 100 objects per page sorted by creation date."""
+
+    max_page_size = 100
+    page_size_query_param = "page_size"
+
+
+class BurstRateThrottle(throttling.UserRateThrottle):
+    """
+    Throttle rate for minutes. See DRF section in settings for default value.
+    """
+
+    scope = "burst"
+
+
+class SustainedRateThrottle(throttling.UserRateThrottle):
+    """
+    Throttle rate for hours. See DRF section in settings for default value.
+    """
+
+    scope = "sustained"
+
+
+# pylint: disable=too-many-ancestors
+class ContactViewSet(
+    mixins.CreateModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    viewsets.GenericViewSet,
+):
+    """Contact ViewSet"""
+
+    permission_classes = [permissions.IsOwnedOrPublic]
+    queryset = models.Contact.objects.all()
+    serializer_class = serializers.ContactSerializer
+    throttle_classes = [BurstRateThrottle, SustainedRateThrottle]
+
+    def list(self, request, *args, **kwargs):
+        """Limit listed users by a query with throttle protection."""
+        user = self.request.user
+        queryset = self.filter_queryset(self.get_queryset())
+
+        # Exclude contacts that:
+        queryset = queryset.filter(
+            # - belong to another user (keep public and owned contacts)
+            Q(owner__isnull=True) | Q(owner=user),
+            # - are profile contacts for a user
+            user__isnull=True,
+            # - are overriden base contacts
+            overriding_contacts__isnull=True,
+        )
+
+        # Search by case-insensitive and accent-insensitive trigram similarity
+        if query := self.request.GET.get("q", ""):
+            query = Func(Value(query), function="unaccent")
+            similarity = TrigramSimilarity(
+                Func("full_name", function="unaccent"),
+                query,
+            ) + TrigramSimilarity(Func("short_name", function="unaccent"), query)
+            queryset = (
+                queryset.annotate(similarity=similarity)
+                .filter(
+                    similarity__gte=0.05
+                )  # Value determined by testing (test_api_contacts.py)
+                .order_by("-similarity")
+            )
+
+        serializer = self.get_serializer(queryset, many=True)
+        return response.Response(serializer.data)
+
+    def perform_create(self, serializer):
+        """Set the current user as owner of the newly created contact."""
+        user = self.request.user
+        serializer.validated_data["owner"] = user
+        return super().perform_create(serializer)
+
+
+class UserViewSet(
+    mixins.UpdateModelMixin, viewsets.GenericViewSet, mixins.ListModelMixin
+):
+    """
+    User viewset for all interactions with user infos and teams.
+
+    GET /api/users/&q=query
+        Return a list of users whose email matches the query. Similarity is
+        calculated using trigram similarity, allowing for partial,
+        case-insensitive matches and accented queries.
+    """
+
+    permission_classes = [permissions.IsSelf]
+    queryset = models.User.objects.all().order_by("-created_at")
+    serializer_class = serializers.UserSerializer
+    throttle_classes = [BurstRateThrottle, SustainedRateThrottle]
+    pagination_class = Pagination
+
+    def get_queryset(self):
+        """Limit listed users by a query. Pagination and throttle protection apply."""
+        queryset = self.queryset
+
+        if self.action == "list":
+            # Exclude inactive contacts
+            queryset = queryset.filter(
+                is_active=True,
+            ).prefetch_related(
+                Prefetch(
+                    "identities",
+                    queryset=models.Identity.objects.filter(is_main=True),
+                    to_attr="_identities_main",
+                )
+            )
+
+            # Exclude all users already in the given team
+            if team_id := self.request.GET.get("team_id", ""):
+                queryset = queryset.exclude(teams__id=team_id)
+
+            # Search by case-insensitive and accent-insensitive trigram similarity
+            if query := self.request.GET.get("q", ""):
+                similarity = Max(
+                    TrigramSimilarity(
+                        Coalesce(
+                            Func("identities__email", function="unaccent"), Value("")
+                        ),
+                        Func(Value(query), function="unaccent"),
+                    )
+                    + TrigramSimilarity(
+                        Coalesce(
+                            Func("identities__name", function="unaccent"), Value("")
+                        ),
+                        Func(Value(query), function="unaccent"),
+                    )
+                )
+                queryset = (
+                    queryset.annotate(similarity=similarity)
+                    .filter(similarity__gte=SIMILARITY_THRESHOLD)
+                    .order_by("-similarity")
+                )
+
+        return queryset
+
+    @decorators.action(
+        detail=False,
+        methods=["get"],
+        url_name="me",
+        url_path="me",
+    )
+    def get_me(self, request):
+        """
+        Return information on currently logged user
+        """
+        user = request.user
+        return response.Response(
+            self.serializer_class(user, context={"request": request}).data
+        )
+
+
+class TeamViewSet(
+    mixins.CreateModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    viewsets.GenericViewSet,
+):
+    """Team ViewSet"""
+
+    permission_classes = [permissions.AccessPermission]
+    serializer_class = serializers.TeamSerializer
+    filter_backends = [filters.OrderingFilter]
+    ordering_fields = ["created_at"]
+    ordering = ["-created_at"]
+    queryset = models.Team.objects.all()
+
+    def get_queryset(self):
+        """Custom queryset to get user related teams."""
+        user_role_query = models.TeamAccess.objects.filter(
+            user=self.request.user, team=OuterRef("pk")
+        ).values("role")[:1]
+        return models.Team.objects.filter(accesses__user=self.request.user).annotate(
+            user_role=Subquery(user_role_query)
+        )
+
+    def perform_create(self, serializer):
+        """Set the current user as owner of the newly created team."""
+        team = serializer.save()
+        models.TeamAccess.objects.create(
+            team=team,
+            user=self.request.user,
+            role=models.RoleChoices.OWNER,
+        )
+
+
+class TeamAccessViewSet(
+    mixins.CreateModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    viewsets.GenericViewSet,
+):
+    """
+    API ViewSet for all interactions with team accesses.
+
+    GET /api/v1.0/teams/<team_id>/accesses/:<team_access_id>
+        Return list of all team accesses related to the logged-in user or one
+        team access if an id is provided.
+
+    POST /api/v1.0/teams/<team_id>/accesses/ with expected data:
+        - user: str
+        - role: str [owner|admin|member]
+        Return newly created team access
+
+    PUT /api/v1.0/teams/<team_id>/accesses/<team_access_id>/ with expected data:
+        - role: str [owner|admin|member]
+        Return updated team access
+
+    PATCH /api/v1.0/teams/<team_id>/accesses/<team_access_id>/ with expected data:
+        - role: str [owner|admin|member]
+        Return partially updated team access
+
+    DELETE /api/v1.0/teams/<team_id>/accesses/<team_access_id>/
+        Delete targeted team access
+    """
+
+    lookup_field = "pk"
+    pagination_class = Pagination
+    permission_classes = [permissions.AccessPermission]
+    queryset = (
+        models.TeamAccess.objects.all().select_related("user").order_by("-created_at")
+    )
+    list_serializer_class = serializers.TeamAccessReadOnlySerializer
+    detail_serializer_class = serializers.TeamAccessSerializer
+
+    filter_backends = [filters.OrderingFilter]
+    ordering = ["role"]
+    ordering_fields = ["role", "email", "name"]
+
+    def get_permissions(self):
+        """User only needs to be authenticated to list team accesses"""
+        if self.action == "list":
+            permission_classes = [permissions.IsAuthenticated]
+        else:
+            return super().get_permissions()
+
+        return [permission() for permission in permission_classes]
+
+    def get_serializer_context(self):
+        """Extra context provided to the serializer class."""
+        context = super().get_serializer_context()
+        context["team_id"] = self.kwargs["team_id"]
+        return context
+
+    def get_serializer_class(self):
+        if self.action in {"list", "retrieve"}:
+            return self.list_serializer_class
+        return self.detail_serializer_class
+
+    def get_queryset(self):
+        """Return the queryset according to the action."""
+        queryset = super().get_queryset()
+        queryset = queryset.filter(team=self.kwargs["team_id"])
+
+        if self.action in {"list", "retrieve"}:
+            # Determine which role the logged-in user has in the team
+            user_role_query = models.TeamAccess.objects.filter(
+                user=self.request.user, team=self.kwargs["team_id"]
+            ).values("role")[:1]
+
+            user_main_identity_query = models.Identity.objects.filter(
+                user=OuterRef("user_id"), is_main=True
+            )
+
+            queryset = (
+                # The logged-in user should be part of a team to see its accesses
+                queryset.filter(
+                    team__accesses__user=self.request.user,
+                )
+                .prefetch_related(
+                    Prefetch(
+                        "user__identities",
+                        queryset=models.Identity.objects.filter(is_main=True),
+                        to_attr="_identities_main",
+                    )
+                )
+                # Abilities are computed based on logged-in user's role and
+                # the user role on each team access
+                .annotate(
+                    user_role=Subquery(user_role_query),
+                    email=Subquery(user_main_identity_query.values("email")[:1]),
+                    name=Subquery(user_main_identity_query.values("name")[:1]),
+                )
+                .distinct()
+            )
+        return queryset
+
+    def destroy(self, request, *args, **kwargs):
+        """Forbid deleting the last owner access"""
+        instance = self.get_object()
+        team = instance.team
+
+        # Check if the access being deleted is the last owner access for the team
+        if instance.role == "owner" and team.accesses.filter(role="owner").count() == 1:
+            return response.Response(
+                {"detail": "Cannot delete the last owner access for the team."},
+                status=400,
+            )
+
+        return super().destroy(request, *args, **kwargs)
+
+    def perform_update(self, serializer):
+        """Check that we don't change the role if it leads to losing the last owner."""
+        instance = serializer.instance
+
+        # Check if the role is being updated and the new role is not "owner"
+        if (
+            "role" in self.request.data
+            and self.request.data["role"] != models.RoleChoices.OWNER
+        ):
+            team = instance.team
+            # Check if the access being updated is the last owner access for the team
+            if (
+                instance.role == models.RoleChoices.OWNER
+                and team.accesses.filter(role=models.RoleChoices.OWNER).count() == 1
+            ):
+                message = "Cannot change the role to a non-owner role for the last owner access."
+                raise exceptions.ValidationError({"role": message})
+
+        serializer.save()
+
+
+class InvitationViewset(
+    mixins.CreateModelMixin,
+    mixins.ListModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    viewsets.GenericViewSet,
+):
+    """API ViewSet for user invitations to team.
+
+    GET /api/v1.0/teams/<team_id>/invitations/:<invitation_id>/
+        Return list of invitations related to that team or or one
+        team access if an id is provided.
+
+    POST /api/v1.0/teams/<team_id>/invitations/ with expected data:
+        - email: str
+        - role: str [owner|admin|member]
+        - issuer : User, automatically added from user making query, if allowed
+        - team : Team, automatically added from requested URI
+        Return newly created invitation
+
+    PUT / PATCH : Not permitted. Instead of updating your invitation,
+        delete and create a new one.
+
+    DELETE  /api/v1.0/teams/<team_id>/invitations/<invitation_id>/
+        Delete targeted invitation
+    """
+
+    lookup_field = "id"
+    pagination_class = Pagination
+    permission_classes = [permissions.AccessPermission]
+    queryset = (
+        models.Invitation.objects.all().select_related("team").order_by("-created_at")
+    )
+    serializer_class = serializers.InvitationSerializer
+
+    def get_permissions(self):
+        """User only needs to be authenticated to list invitations"""
+        if self.action == "list":
+            permission_classes = [permissions.IsAuthenticated]
+        else:
+            return super().get_permissions()
+
+        return [permission() for permission in permission_classes]
+
+    def get_serializer_context(self):
+        """Extra context provided to the serializer class."""
+        context = super().get_serializer_context()
+        context["team_id"] = self.kwargs["team_id"]
+        return context
+
+    def get_queryset(self):
+        """Return the queryset according to the action."""
+        queryset = super().get_queryset()
+        queryset = queryset.filter(team=self.kwargs["team_id"])
+
+        if self.action == "list":
+            # Determine which role the logged-in user has in the team
+            user_role_query = models.TeamAccess.objects.filter(
+                user=self.request.user, team=self.kwargs["team_id"]
+            ).values("role")[:1]
+
+            queryset = (
+                # The logged-in user should be part of a team to see its accesses
+                queryset.filter(
+                    team__accesses__user=self.request.user,
+                )
+                # Abilities are computed based on logged-in user's role and
+                # the user role on each team access
+                .annotate(user_role=Subquery(user_role_query))
+                .distinct()
+            )
+        return queryset

src/backend/core/apps.py

@@ -0,0 +1,11 @@
+"""People Core application"""
+# from django.apps import AppConfig
+# from django.utils.translation import gettext_lazy as _
+
+
+# class CoreConfig(AppConfig):
+#     """Configuration class for the People core app."""
+
+#     name = "core"
+#     app_label = "core"
+#     verbose_name = _("People core application")

src/backend/core/authentication/backends.py

@@ -0,0 +1,122 @@
+"""Authentication Backends for the People core app."""
+
+from django.conf import settings
+from django.core.exceptions import SuspiciousOperation
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+import requests
+from mozilla_django_oidc.auth import (
+    OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,
+)
+
+from core.models import Identity
+
+
+class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
+    """Custom OpenID Connect (OIDC) Authentication Backend.
+
+    This class overrides the default OIDC Authentication Backend to accommodate differences
+    in the User and Identity models, and handles signed and/or encrypted UserInfo response.
+    """
+
+    def get_userinfo(self, access_token, id_token, payload):
+        """Return user details dictionary.
+
+        Parameters:
+        - access_token (str): The access token.
+        - id_token (str): The id token (unused).
+        - payload (dict): The token payload (unused).
+
+        Note: The id_token and payload parameters are unused in this implementation,
+        but were kept to preserve base method signature.
+
+        Note: It handles signed and/or encrypted UserInfo Response. It is required by
+        Agent Connect, which follows the OIDC standard. It forces us to override the
+        base method, which deal with 'application/json' response.
+
+        Returns:
+        - dict: User details dictionary obtained from the OpenID Connect user endpoint.
+        """
+
+        user_response = requests.get(
+            self.OIDC_OP_USER_ENDPOINT,
+            headers={"Authorization": f"Bearer {access_token}"},
+            verify=self.get_settings("OIDC_VERIFY_SSL", True),
+            timeout=self.get_settings("OIDC_TIMEOUT", None),
+            proxies=self.get_settings("OIDC_PROXY", None),
+        )
+        user_response.raise_for_status()
+        userinfo = self.verify_token(user_response.text)
+        return userinfo
+
+    def get_or_create_user(self, access_token, id_token, payload):
+        """Return a User based on userinfo. Get or create a new user if no user matches the Sub.
+
+        Parameters:
+        - access_token (str): The access token.
+        - id_token (str): The ID token.
+        - payload (dict): The user payload.
+
+        Returns:
+        - User: An existing or newly created User instance.
+
+        Raises:
+        - Exception: Raised when user creation is not allowed and no existing user is found.
+        """
+
+        user_info = self.get_userinfo(access_token, id_token, payload)
+
+        # Compute user name from OIDC name fields as defined in settings
+        names_list = [
+            user_info[field]
+            for field in settings.USER_OIDC_FIELDS_TO_NAME
+            if user_info.get(field)
+        ]
+        user_info["name"] = " ".join(names_list) or None
+
+        sub = user_info.get("sub")
+        if sub is None:
+            raise SuspiciousOperation(
+                _("User info contained no recognizable user identification")
+            )
+
+        user = (
+            self.UserModel.objects.filter(identities__sub=sub)
+            .annotate(
+                identity_email=models.F("identities__email"),
+                identity_name=models.F("identities__name"),
+            )
+            .distinct()
+            .first()
+        )
+        if user:
+            email = user_info.get("email")
+            name = user_info.get("name")
+            if (
+                email
+                and email != user.identity_email
+                or name
+                and name != user.identity_name
+            ):
+                Identity.objects.filter(sub=sub).update(email=email, name=name)
+
+        elif self.get_settings("OIDC_CREATE_USER", True):
+            user = self.create_user(user_info)
+
+        return user
+
+    def create_user(self, claims):
+        """Return a newly created User instance."""
+        sub = claims.get("sub")
+        if sub is None:
+            raise SuspiciousOperation(
+                _("Claims contained no recognizable user identification")
+            )
+
+        user = self.UserModel.objects.create(password="!")  # noqa: S106
+        Identity.objects.create(
+            user=user, sub=sub, email=claims.get("email"), name=claims.get("name")
+        )
+
+        return user

src/backend/core/authentication/urls.py

@@ -0,0 +1,18 @@
+"""Authentication URLs for the People core app."""
+
+from django.urls import path
+
+from mozilla_django_oidc.urls import urlpatterns as mozzila_oidc_urls
+
+from .views import OIDCLogoutCallbackView, OIDCLogoutView
+
+urlpatterns = [
+    # Override the default 'logout/' path from Mozilla Django OIDC with our custom view.
+    path("logout/", OIDCLogoutView.as_view(), name="oidc_logout_custom"),
+    path(
+        "logout-callback/",
+        OIDCLogoutCallbackView.as_view(),
+        name="oidc_logout_callback",
+    ),
+    *mozzila_oidc_urls,
+]

src/backend/core/authentication/views.py

@@ -0,0 +1,137 @@
+"""Authentication Views for the People core app."""
+
+from urllib.parse import urlencode
+
+from django.contrib import auth
+from django.core.exceptions import SuspiciousOperation
+from django.http import HttpResponseRedirect
+from django.urls import reverse
+from django.utils import crypto
+
+from mozilla_django_oidc.utils import (
+    absolutify,
+)
+from mozilla_django_oidc.views import (
+    OIDCLogoutView as MozillaOIDCOIDCLogoutView,
+)
+
+
+class OIDCLogoutView(MozillaOIDCOIDCLogoutView):
+    """Custom logout view for handling OpenID Connect (OIDC) logout flow.
+
+    Adds support for handling logout callbacks from the identity provider (OP)
+    by initiating the logout flow if the user has an active session.
+
+    The Django session is retained during the logout process to persist the 'state' OIDC parameter.
+    This parameter is crucial for maintaining the integrity of the logout flow between this call
+    and the subsequent callback.
+    """
+
+    @staticmethod
+    def persist_state(request, state):
+        """Persist the given 'state' parameter in the session's 'oidc_states' dictionary
+
+        This method is used to store the OIDC state parameter in the session, according to the
+        structure expected by Mozilla Django OIDC's 'add_state_and_verifier_and_nonce_to_session'
+        utility function.
+        """
+
+        if "oidc_states" not in request.session or not isinstance(
+            request.session["oidc_states"], dict
+        ):
+            request.session["oidc_states"] = {}
+
+        request.session["oidc_states"][state] = {}
+        request.session.save()
+
+    def construct_oidc_logout_url(self, request):
+        """Create the redirect URL for interfacing with the OIDC provider.
+
+        Retrieves the necessary parameters from the session and constructs the URL
+        required to initiate logout with the OpenID Connect provider.
+
+        If no ID token is found in the session, the logout flow will not be initiated,
+        and the method will return the default redirect URL.
+
+        The 'state' parameter is generated randomly and persisted in the session to ensure
+        its integrity during the subsequent callback.
+        """
+
+        oidc_logout_endpoint = self.get_settings("OIDC_OP_LOGOUT_ENDPOINT")
+
+        if not oidc_logout_endpoint:
+            return self.redirect_url
+
+        reverse_url = reverse("oidc_logout_callback")
+        id_token = request.session.get("oidc_id_token", None)
+
+        if not id_token:
+            return self.redirect_url
+
+        query = {
+            "id_token_hint": id_token,
+            "state": crypto.get_random_string(self.get_settings("OIDC_STATE_SIZE", 32)),
+            "post_logout_redirect_uri": absolutify(request, reverse_url),
+        }
+
+        self.persist_state(request, query["state"])
+
+        return f"{oidc_logout_endpoint}?{urlencode(query)}"
+
+    def post(self, request):
+        """Handle user logout.
+
+        If the user is not authenticated, redirects to the default logout URL.
+        Otherwise, constructs the OIDC logout URL and redirects the user to start
+        the logout process.
+
+        If the user is redirected to the default logout URL, ensure her Django session
+        is terminated.
+        """
+
+        logout_url = self.redirect_url
+
+        if request.user.is_authenticated:
+            logout_url = self.construct_oidc_logout_url(request)
+
+        # If the user is not redirected to the OIDC provider, ensure logout
+        if logout_url == self.redirect_url:
+            auth.logout(request)
+
+        return HttpResponseRedirect(logout_url)
+
+
+class OIDCLogoutCallbackView(MozillaOIDCOIDCLogoutView):
+    """Custom view for handling the logout callback from the OpenID Connect (OIDC) provider.
+
+    Handles the callback after logout from the identity provider (OP).
+    Verifies the state parameter and performs necessary logout actions.
+
+    The Django session is maintained during the logout process to ensure the integrity
+    of the logout flow initiated in the previous step.
+    """
+
+    http_method_names = ["get"]
+
+    def get(self, request):
+        """Handle the logout callback.
+
+        If the user is not authenticated, redirects to the default logout URL.
+        Otherwise, verifies the state parameter and performs necessary logout actions.
+        """
+
+        if not request.user.is_authenticated:
+            return HttpResponseRedirect(self.redirect_url)
+
+        state = request.GET.get("state")
+
+        if state not in request.session.get("oidc_states", {}):
+            msg = "OIDC callback state not found in session `oidc_states`!"
+            raise SuspiciousOperation(msg)
+
+        del request.session["oidc_states"][state]
+        request.session.save()
+
+        auth.logout(request)
+
+        return HttpResponseRedirect(self.redirect_url)

src/backend/core/enums.py

@@ -0,0 +1,25 @@
+"""
+Core application enums declaration
+"""
+
+from django.conf import global_settings, settings
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+# Django sets `LANGUAGES` by default with all supported languages. We can use it for
+# the choice of languages which should not be limited to the few languages active in
+# the app.
+# pylint: disable=no-member
+ALL_LANGUAGES = getattr(
+    settings,
+    "ALL_LANGUAGES",
+    [(language, _(name)) for language, name in global_settings.LANGUAGES],
+)
+
+
+class WebhookStatusChoices(models.TextChoices):
+    """Defines the possible statuses in which a webhook can be."""
+
+    FAILURE = "failure", _("Failure")
+    PENDING = "pending", _("Pending")
+    SUCCESS = "success", _("Success")

src/backend/core/factories.py

@@ -0,0 +1,199 @@
+# ruff: noqa: S311
+"""
+Core application factories
+"""
+
+from django.conf import settings
+from django.contrib.auth.hashers import make_password
+
+import factory.fuzzy
+from faker import Faker
+
+from core import models
+
+fake = Faker()
+
+
+class BaseContactFactory(factory.django.DjangoModelFactory):
+    """A factory to create contacts for a user"""
+
+    class Meta:
+        model = models.Contact
+
+    full_name = factory.Faker("name")
+    short_name = factory.LazyAttributeSequence(
+        lambda o, n: o.full_name.split()[0] if o.full_name else f"user{n!s}"
+    )
+
+    data = factory.Dict(
+        {
+            "emails": factory.LazyAttribute(
+                lambda x: [
+                    {
+                        "type": fake.random_element(["Home", "Work", "Other"]),
+                        "value": fake.email(),
+                    }
+                    for _ in range(fake.random_int(1, 3))
+                ]
+            ),
+            "phones": factory.LazyAttribute(
+                lambda x: [
+                    {
+                        "type": fake.random_element(
+                            [
+                                "Mobile",
+                                "Home",
+                                "Work",
+                                "Main",
+                                "Work Fax",
+                                "Home Fax",
+                                "Pager",
+                                "Other",
+                            ]
+                        ),
+                        "value": fake.phone_number(),
+                    }
+                    for _ in range(fake.random_int(1, 3))
+                ]
+            ),
+            "addresses": factory.LazyAttribute(
+                lambda x: [
+                    {
+                        "type": fake.random_element(["Home", "Work", "Other"]),
+                        "street": fake.street_address(),
+                        "city": fake.city(),
+                        "state": fake.state(),
+                        "zip": fake.zipcode(),
+                        "country": fake.country(),
+                    }
+                    for _ in range(fake.random_int(1, 3))
+                ]
+            ),
+            "links": factory.LazyAttribute(
+                lambda x: [
+                    {
+                        "type": fake.random_element(
+                            [
+                                "Profile",
+                                "Blog",
+                                "Website",
+                                "Twitter",
+                                "Facebook",
+                                "Instagram",
+                                "LinkedIn",
+                                "Other",
+                            ]
+                        ),
+                        "value": fake.url(),
+                    }
+                    for _ in range(fake.random_int(1, 3))
+                ]
+            ),
+            "customFields": factory.LazyAttribute(
+                lambda x: {
+                    f"custom_field_{i:d}": fake.word()
+                    for i in range(fake.random_int(1, 3))
+                },
+            ),
+            "organizations": factory.LazyAttribute(
+                lambda x: [
+                    {
+                        "name": fake.company(),
+                        "department": fake.word(),
+                        "jobTitle": fake.job(),
+                    }
+                    for _ in range(fake.random_int(1, 3))
+                ]
+            ),
+        }
+    )
+
+
+class ContactFactory(BaseContactFactory):
+    """A factory to create contacts for a user"""
+
+    class Meta:
+        model = models.Contact
+
+    base = factory.SubFactory("core.factories.ContactFactory", base=None, owner=None)
+    owner = factory.SubFactory("core.factories.UserFactory", profile_contact=None)
+
+
+class UserFactory(factory.django.DjangoModelFactory):
+    """A factory to create random users for testing purposes."""
+
+    class Meta:
+        model = models.User
+        django_get_or_create = ("admin_email",)
+
+    admin_email = factory.Faker("email")
+    language = factory.fuzzy.FuzzyChoice([lang[0] for lang in settings.LANGUAGES])
+    password = make_password("password")
+
+
+class IdentityFactory(factory.django.DjangoModelFactory):
+    """A factory to create identities for a user"""
+
+    class Meta:
+        model = models.Identity
+        django_get_or_create = ("sub",)
+
+    user = factory.SubFactory(UserFactory)
+    sub = factory.Sequence(lambda n: f"user{n!s}")
+    email = factory.Faker("email")
+    name = factory.Faker("name")
+
+
+class TeamFactory(factory.django.DjangoModelFactory):
+    """A factory to create teams"""
+
+    class Meta:
+        model = models.Team
+        django_get_or_create = ("name",)
+        skip_postgeneration_save = True
+
+    name = factory.Sequence(lambda n: f"team{n}")
+
+    @factory.post_generation
+    def users(self, create, extracted, **kwargs):
+        """Add users to team from a given list of users with or without roles."""
+        if not create or not extracted:
+            return
+        for user_entry in extracted:
+            if isinstance(user_entry, models.User):
+                TeamAccessFactory(team=self, user=user_entry)
+            else:
+                TeamAccessFactory(team=self, user=user_entry[0], role=user_entry[1])
+
+
+class TeamAccessFactory(factory.django.DjangoModelFactory):
+    """Create fake team user accesses for testing."""
+
+    class Meta:
+        model = models.TeamAccess
+
+    team = factory.SubFactory(TeamFactory)
+    user = factory.SubFactory(UserFactory)
+    role = factory.fuzzy.FuzzyChoice([r[0] for r in models.RoleChoices.choices])
+
+
+class TeamWebhookFactory(factory.django.DjangoModelFactory):
+    """Create fake team webhooks for testing."""
+
+    class Meta:
+        model = models.TeamWebhook
+
+    team = factory.SubFactory(TeamFactory)
+    url = factory.Sequence(lambda n: f"https://example.com/Groups/{n!s}")
+
+
+class InvitationFactory(factory.django.DjangoModelFactory):
+    """A factory to create invitations for a user"""
+
+    class Meta:
+        model = models.Invitation
+
+    team = factory.SubFactory(TeamFactory)
+    email = factory.Faker("email")
+    role = factory.fuzzy.FuzzyChoice([role[0] for role in models.RoleChoices.choices])
+    issuer = factory.SubFactory(UserFactory)

src/backend/core/jsonschema/contact_data.json

@@ -0,0 +1,130 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "title": "Contact Information",
+  "properties": {
+    "emails": {
+      "type": "array",
+      "title": "Emails",
+      "items": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "title": "Type",
+            "enum": ["Work", "Home", "Other"]
+          },
+          "value": {
+            "type": "string",
+            "title": "Email Address",
+            "format": "email"
+          }
+        },
+        "required": ["type", "value"]
+      }
+    },
+    "phones": {
+      "type": "array",
+      "title": "Phones",
+      "items": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "title": "Type",
+            "enum": ["Mobile", "Home", "Work", "Main", "Work Fax", "Home Fax", "Pager", "Other"]
+          },
+          "value": {
+            "type": "string",
+            "title": "Phone Number"
+          }
+        },
+        "required": ["type", "value"]
+      }
+    },
+    "addresses": {
+      "type": "array",
+      "title": "Addresses",
+      "items": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "title": "Type",
+            "enum": ["Home", "Work", "Other"]
+          },
+          "street": {
+            "type": "string",
+            "title": "Street"
+          },
+          "city": {
+            "type": "string",
+            "title": "City"
+          },
+          "state": {
+            "type": "string",
+            "title": "State"
+          },
+          "zip": {
+            "type": "string",
+            "title": "ZIP Code"
+          },
+          "country": {
+            "type": "string",
+            "title": "Country"
+          }
+        }
+      }
+    },
+    "links": {
+      "type": "array",
+      "title": "Links",
+      "items": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "title": "Type",
+            "enum": ["Profile", "Blog", "Website", "Twitter", "Facebook", "Instagram", "LinkedIn", "Other"]
+          },
+          "value": {
+            "type": "string",
+            "title": "URL",
+            "format": "uri"
+          }
+        },
+        "required": ["type", "value"]
+      }
+    },
+    "customFields": {
+      "type": "object",
+      "title": "Custom Fields",
+      "additionalProperties": {
+        "type": "string"
+      }
+    },
+    "organizations": {
+      "type": "array",
+      "title": "Organizations",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "title": "Organization Name"
+          },
+          "department": {
+            "type": "string",
+            "title": "Department"
+          },
+          "jobTitle": {
+            "type": "string",
+            "title": "Job Title"
+          }
+        },
+        "required": ["name"]
+      }
+    }
+  },
+  "additionalProperties": false
+}

src/backend/core/migrations/0001_initial.py

@@ -0,0 +1,188 @@
+# Generated by Django 5.0.3 on 2024-03-25 22:58
+
+import django.contrib.auth.models
+import django.core.validators
+import django.db.models.deletion
+import timezone_field.fields
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('auth', '0012_alter_user_first_name_max_length'),
+    ]
+
+    operations = [
+        migrations.RunSQL('CREATE EXTENSION IF NOT EXISTS pg_trgm;', 'DROP EXTENSION IF EXISTS pg_trgm;'),
+        migrations.RunSQL('CREATE EXTENSION IF NOT EXISTS unaccent;', 'DROP EXTENSION IF EXISTS unaccent;'),
+        migrations.CreateModel(
+            name='Team',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('name', models.CharField(max_length=100)),
+                ('slug', models.SlugField(editable=False, max_length=100, unique=True)),
+            ],
+            options={
+                'verbose_name': 'Team',
+                'verbose_name_plural': 'Teams',
+                'db_table': 'people_team',
+                'ordering': ('name',),
+            },
+        ),
+        migrations.CreateModel(
+            name='User',
+            fields=[
+                ('password', models.CharField(max_length=128, verbose_name='password')),
+                ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
+                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('admin_email', models.EmailField(blank=True, max_length=254, null=True, unique=True, verbose_name='admin email address')),
+                ('language', models.CharField(choices="(('en-us', 'English'), ('fr-fr', 'French'))", default='en-us', help_text='The language in which the user wants to see the interface.', max_length=10, verbose_name='language')),
+                ('timezone', timezone_field.fields.TimeZoneField(choices_display='WITH_GMT_OFFSET', default='UTC', help_text='The timezone in which the user wants to see times.', use_pytz=False)),
+                ('is_device', models.BooleanField(default=False, help_text='Whether the user is a device or a real user.', verbose_name='device')),
+                ('is_staff', models.BooleanField(default=False, help_text='Whether the user can log into this admin site.', verbose_name='staff status')),
+                ('is_active', models.BooleanField(default=True, help_text='Whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
+                ('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.group', verbose_name='groups')),
+                ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.permission', verbose_name='user permissions')),
+            ],
+            options={
+                'verbose_name': 'user',
+                'verbose_name_plural': 'users',
+                'db_table': 'people_user',
+            },
+            managers=[
+                ('objects', django.contrib.auth.models.UserManager()),
+            ],
+        ),
+        migrations.CreateModel(
+            name='Contact',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('full_name', models.CharField(blank=True, max_length=150, null=True, verbose_name='full name')),
+                ('short_name', models.CharField(blank=True, max_length=30, null=True, verbose_name='short name')),
+                ('data', models.JSONField(blank=True, help_text='A JSON object containing the contact information', verbose_name='contact information')),
+                ('base', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='overriding_contacts', to='core.contact')),
+                ('owner', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='contacts', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'contact',
+                'verbose_name_plural': 'contacts',
+                'db_table': 'people_contact',
+                'ordering': ('full_name', 'short_name'),
+            },
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='profile_contact',
+            field=models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='user', to='core.contact'),
+        ),
+        migrations.CreateModel(
+            name='Identity',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('sub', models.CharField(help_text='Required. 255 characters or fewer. Letters, numbers, and @/./+/-/_ characters only.', max_length=255, unique=True, validators=[django.core.validators.RegexValidator(message='Enter a valid sub. This value may contain only letters, numbers, and @/./+/-/_ characters.', regex='^[\\w.@+-]+\\Z')], verbose_name='sub')),
+                ('email', models.EmailField(blank=True, max_length=254, null=True, verbose_name='email address')),
+                ('name', models.CharField(blank=True, max_length=100, null=True, verbose_name='name')),
+                ('is_main', models.BooleanField(default=False, help_text='Designates whether the email is the main one.', verbose_name='main')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='identities', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'identity',
+                'verbose_name_plural': 'identities',
+                'db_table': 'people_identity',
+                'ordering': ('-is_main', 'email'),
+            },
+        ),
+        migrations.CreateModel(
+            name='Invitation',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('email', models.EmailField(max_length=254, verbose_name='email address')),
+                ('role', models.CharField(choices=[('member', 'Member'), ('administrator', 'Administrator'), ('owner', 'Owner')], default='member', max_length=20)),
+                ('issuer', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='invitations', to=settings.AUTH_USER_MODEL)),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='invitations', to='core.team')),
+            ],
+            options={
+                'verbose_name': 'Team invitation',
+                'verbose_name_plural': 'Team invitations',
+                'db_table': 'people_invitation',
+            },
+        ),
+        migrations.CreateModel(
+            name='TeamAccess',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('role', models.CharField(choices=[('member', 'Member'), ('administrator', 'Administrator'), ('owner', 'Owner')], default='member', max_length=20)),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='accesses', to='core.team')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='accesses', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'Team/user relation',
+                'verbose_name_plural': 'Team/user relations',
+                'db_table': 'people_team_access',
+            },
+        ),
+        migrations.AddField(
+            model_name='team',
+            name='users',
+            field=models.ManyToManyField(related_name='teams', through='core.TeamAccess', to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.CreateModel(
+            name='TeamWebhook',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, help_text='primary key for the record as UUID', primary_key=True, serialize=False, verbose_name='id')),
+                ('created_at', models.DateTimeField(auto_now_add=True, help_text='date and time at which a record was created', verbose_name='created at')),
+                ('updated_at', models.DateTimeField(auto_now=True, help_text='date and time at which a record was last updated', verbose_name='updated at')),
+                ('url', models.URLField(verbose_name='url')),
+                ('secret', models.CharField(blank=True, max_length=255, null=True, verbose_name='secret')),
+                ('status', models.CharField(choices=[('failure', 'Failure'), ('pending', 'Pending'), ('success', 'Success')], default='pending', max_length=10)),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='webhooks', to='core.team')),
+            ],
+            options={
+                'verbose_name': 'Team webhook',
+                'verbose_name_plural': 'Team webhooks',
+                'db_table': 'people_team_webhook',
+            },
+        ),
+        migrations.AddConstraint(
+            model_name='contact',
+            constraint=models.CheckConstraint(check=models.Q(('base__isnull', False), ('owner__isnull', True), _negated=True), name='base_owner_constraint', violation_error_message='A contact overriding a base contact must be owned.'),
+        ),
+        migrations.AddConstraint(
+            model_name='contact',
+            constraint=models.CheckConstraint(check=models.Q(('base', models.F('id')), _negated=True), name='base_not_self', violation_error_message='A contact cannot be based on itself.'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='contact',
+            unique_together={('owner', 'base')},
+        ),
+        migrations.AddConstraint(
+            model_name='identity',
+            constraint=models.UniqueConstraint(fields=('user', 'email'), name='unique_user_email', violation_error_message='This email address is already declared for this user.'),
+        ),
+        migrations.AddConstraint(
+            model_name='invitation',
+            constraint=models.UniqueConstraint(fields=('email', 'team'), name='email_and_team_unique_together'),
+        ),
+        migrations.AddConstraint(
+            model_name='teamaccess',
+            constraint=models.UniqueConstraint(fields=('user', 'team'), name='unique_team_user', violation_error_message='This user is already in this team.'),
+        ),
+    ]

src/backend/core/models.py

@@ -0,0 +1,678 @@
+"""
+Declare and configure the models for the People core application
+"""
+
+import json
+import os
+import smtplib
+import uuid
+from datetime import timedelta
+from logging import getLogger
+
+from django.conf import settings
+from django.contrib.auth import models as auth_models
+from django.contrib.auth.base_user import AbstractBaseUser
+from django.contrib.sites.models import Site
+from django.core import exceptions, mail, validators
+from django.db import models, transaction
+from django.template.loader import render_to_string
+from django.utils import timezone
+from django.utils.functional import lazy
+from django.utils.text import slugify
+from django.utils.translation import gettext_lazy as _
+from django.utils.translation import override
+
+import jsonschema
+from timezone_field import TimeZoneField
+
+from core.enums import WebhookStatusChoices
+from core.utils.webhooks import scim_synchronizer
+
+logger = getLogger(__name__)
+
+current_dir = os.path.dirname(os.path.abspath(__file__))
+contact_schema_path = os.path.join(current_dir, "jsonschema", "contact_data.json")
+with open(contact_schema_path, "r", encoding="utf-8") as contact_schema_file:
+    contact_schema = json.load(contact_schema_file)
+
+
+class RoleChoices(models.TextChoices):
+    """Defines the possible roles a user can have in a team."""
+
+    MEMBER = "member", _("Member")
+    ADMIN = "administrator", _("Administrator")
+    OWNER = "owner", _("Owner")
+
+
+class BaseModel(models.Model):
+    """
+    Serves as an abstract base model for other models, ensuring that records are validated
+    before saving as Django doesn't do it by default.
+
+    Includes fields common to all models: a UUID primary key and creation/update timestamps.
+    """
+
+    id = models.UUIDField(
+        verbose_name=_("id"),
+        help_text=_("primary key for the record as UUID"),
+        primary_key=True,
+        default=uuid.uuid4,
+        editable=False,
+    )
+    created_at = models.DateTimeField(
+        verbose_name=_("created at"),
+        help_text=_("date and time at which a record was created"),
+        auto_now_add=True,
+        editable=False,
+    )
+    updated_at = models.DateTimeField(
+        verbose_name=_("updated at"),
+        help_text=_("date and time at which a record was last updated"),
+        auto_now=True,
+        editable=False,
+    )
+
+    class Meta:
+        abstract = True
+
+    def save(self, *args, **kwargs):
+        """Call `full_clean` before saving."""
+        self.full_clean()
+        return super().save(*args, **kwargs)
+
+
+class Contact(BaseModel):
+    """User contacts"""
+
+    base = models.ForeignKey(
+        "self",
+        on_delete=models.SET_NULL,
+        related_name="overriding_contacts",
+        null=True,
+        blank=True,
+    )
+    owner = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="contacts",
+        null=True,
+        blank=True,
+    )
+    full_name = models.CharField(_("full name"), max_length=150, null=True, blank=True)
+    short_name = models.CharField(_("short name"), max_length=30, null=True, blank=True)
+
+    # avatar =
+    # notes =
+    data = models.JSONField(
+        _("contact information"),
+        help_text=_("A JSON object containing the contact information"),
+        blank=True,
+    )
+
+    class Meta:
+        db_table = "people_contact"
+        # indexes = [
+        #     GinIndex(
+        #         fields=["full_name", "short_name"],
+        #         name="names_gin_trgm_idx",
+        #         opclasses=['gin_trgm_ops', 'gin_trgm_ops']
+        #     ),
+        # ]
+        ordering = ("full_name", "short_name")
+        verbose_name = _("contact")
+        verbose_name_plural = _("contacts")
+        unique_together = ("owner", "base")
+        constraints = [
+            models.CheckConstraint(
+                check=~models.Q(base__isnull=False, owner__isnull=True),
+                name="base_owner_constraint",
+                violation_error_message="A contact overriding a base contact must be owned.",
+            ),
+            models.CheckConstraint(
+                check=~models.Q(base=models.F("id")),
+                name="base_not_self",
+                violation_error_message="A contact cannot be based on itself.",
+            ),
+        ]
+
+    def __str__(self):
+        return self.full_name or self.short_name
+
+    def clean(self):
+        """Validate fields."""
+        super().clean()
+
+        # Check if the contact points to a base contact that itself points to another base contact
+        if self.base_id and self.base.base_id:
+            raise exceptions.ValidationError(
+                "A contact cannot point to a base contact that itself points to a base contact."
+            )
+
+        # Validate the content of the "data" field against our jsonschema definition
+        try:
+            jsonschema.validate(self.data, contact_schema)
+        except jsonschema.ValidationError as e:
+            # Specify the property in the data in which the error occurred
+            field_path = ".".join(map(str, e.path))
+            error_message = f"Validation error in '{field_path:s}': {e.message}"
+            raise exceptions.ValidationError({"data": [error_message]}) from e
+
+
+class User(AbstractBaseUser, BaseModel, auth_models.PermissionsMixin):
+    """User model to work with OIDC only authentication."""
+
+    admin_email = models.EmailField(
+        _("admin email address"), unique=True, null=True, blank=True
+    )
+    profile_contact = models.OneToOneField(
+        Contact,
+        on_delete=models.SET_NULL,
+        related_name="user",
+        blank=True,
+        null=True,
+    )
+    language = models.CharField(
+        max_length=10,
+        choices=lazy(lambda: settings.LANGUAGES, tuple)(),
+        default=settings.LANGUAGE_CODE,
+        verbose_name=_("language"),
+        help_text=_("The language in which the user wants to see the interface."),
+    )
+    timezone = TimeZoneField(
+        choices_display="WITH_GMT_OFFSET",
+        use_pytz=False,
+        default=settings.TIME_ZONE,
+        help_text=_("The timezone in which the user wants to see times."),
+    )
+    is_device = models.BooleanField(
+        _("device"),
+        default=False,
+        help_text=_("Whether the user is a device or a real user."),
+    )
+    is_staff = models.BooleanField(
+        _("staff status"),
+        default=False,
+        help_text=_("Whether the user can log into this admin site."),
+    )
+    is_active = models.BooleanField(
+        _("active"),
+        default=True,
+        help_text=_(
+            "Whether this user should be treated as active. "
+            "Unselect this instead of deleting accounts."
+        ),
+    )
+
+    objects = auth_models.UserManager()
+
+    USERNAME_FIELD = "admin_email"
+    REQUIRED_FIELDS = []
+
+    class Meta:
+        db_table = "people_user"
+        verbose_name = _("user")
+        verbose_name_plural = _("users")
+
+    def __str__(self):
+        return (
+            str(self.profile_contact)
+            if self.profile_contact
+            else self.admin_email or str(self.id)
+        )
+
+    def _get_identities_main(self):
+        """Return a list with the main identity or an empty list."""
+        try:
+            return self._identities_main
+        except AttributeError:
+            return self.identities.filter(is_main=True)
+
+    @property
+    def name(self):
+        """Return main identity's name."""
+        try:
+            return self._get_identities_main()[0].name
+        except IndexError:
+            return None
+
+    @property
+    def email(self):
+        """Return main identity's email."""
+        try:
+            return self._get_identities_main()[0].email
+        except IndexError:
+            return None
+
+    def clean(self):
+        """Validate fields."""
+        super().clean()
+
+        if self.profile_contact_id and not self.profile_contact.owner == self:
+            raise exceptions.ValidationError(
+                "Users can only declare as profile a contact they own."
+            )
+
+    def email_user(self, subject, message, from_email=None, **kwargs):
+        """Email this user."""
+        email = self.email or self.admin_email
+        if not email:
+            raise ValueError("You must first set an email for the user.")
+        mail.send_mail(subject, message, from_email, [email], **kwargs)
+
+    @classmethod
+    def get_email_field_name(cls):
+        """
+        Raise error when trying to get email field name from the user as we are using
+        a separate Email model to allow several emails per user.
+        """
+        raise NotImplementedError(
+            "This feature is deactivated to allow several emails per user."
+        )
+
+
+class Identity(BaseModel):
+    """User identity"""
+
+    sub_validator = validators.RegexValidator(
+        regex=r"^[\w.@+-]+\Z",
+        message=_(
+            "Enter a valid sub. This value may contain only letters, "
+            "numbers, and @/./+/-/_ characters."
+        ),
+    )
+
+    user = models.ForeignKey(User, related_name="identities", on_delete=models.CASCADE)
+    sub = models.CharField(
+        _("sub"),
+        help_text=_(
+            "Required. 255 characters or fewer. Letters, numbers, and @/./+/-/_ characters only."
+        ),
+        max_length=255,
+        unique=True,
+        validators=[sub_validator],
+    )
+    email = models.EmailField(_("email address"), null=True, blank=True)
+    name = models.CharField(_("name"), max_length=100, null=True, blank=True)
+    is_main = models.BooleanField(
+        _("main"),
+        default=False,
+        help_text=_("Designates whether the email is the main one."),
+    )
+
+    class Meta:
+        db_table = "people_identity"
+        ordering = ("-is_main", "email")
+        verbose_name = _("identity")
+        verbose_name_plural = _("identities")
+        constraints = [
+            # Uniqueness
+            models.UniqueConstraint(
+                fields=["user", "email"],
+                name="unique_user_email",
+                violation_error_message=_(
+                    "This email address is already declared for this user."
+                ),
+            ),
+        ]
+
+    def __str__(self):
+        main_str = "[main]" if self.is_main else ""
+        id_str = self.email or self.sub
+        return f"{id_str:s}{main_str:s}"
+
+    def save(self, *args, **kwargs):
+        """
+        Saves identity, ensuring users always have exactly one main identity.
+        If it's a new identity, give its user access to the relevant teams.
+        """
+
+        if self._state.adding:
+            self._convert_valid_invitations()
+
+        super().save(*args, **kwargs)
+
+        # Ensure users always have one and only one main identity.
+        if self.is_main is True:
+            self.user.identities.exclude(id=self.id).update(is_main=False)
+
+    def _convert_valid_invitations(self):
+        """
+        Convert valid invitations to team accesses.
+        Expired invitations are ignored.
+        """
+
+        valid_invitations = Invitation.objects.filter(
+            email=self.email,
+            created_at__gte=(
+                timezone.now()
+                - timedelta(seconds=settings.INVITATION_VALIDITY_DURATION)
+            ),
+        ).select_related("team")
+
+        if not valid_invitations.exists():
+            return
+
+        TeamAccess.objects.bulk_create(
+            [
+                TeamAccess(user=self.user, team=invitation.team, role=invitation.role)
+                for invitation in valid_invitations
+            ]
+        )
+        valid_invitations.delete()
+
+    def clean(self):
+        """Normalize the email field and clean the 'is_main' field."""
+        if self.email:
+            self.email = User.objects.normalize_email(self.email)
+        if not self.user.identities.exclude(pk=self.pk).filter(is_main=True).exists():
+            if not self.created_at:
+                self.is_main = True
+            elif not self.is_main:
+                raise exceptions.ValidationError(
+                    {"is_main": "A user should have one and only one main identity."}
+                )
+        super().clean()
+
+
+class Team(BaseModel):
+    """
+    Represents the link between teams and users, specifying the role a user has in a team.
+    """
+
+    name = models.CharField(max_length=100)
+    slug = models.SlugField(max_length=100, unique=True, null=False, editable=False)
+
+    users = models.ManyToManyField(
+        User,
+        through="TeamAccess",
+        through_fields=("team", "user"),
+        related_name="teams",
+    )
+
+    class Meta:
+        db_table = "people_team"
+        ordering = ("name",)
+        verbose_name = _("Team")
+        verbose_name_plural = _("Teams")
+
+    def __str__(self):
+        return self.name
+
+    def save(self, *args, **kwargs):
+        """Override save function to compute the slug."""
+        self.slug = self.get_slug()
+        return super().save(*args, **kwargs)
+
+    def get_slug(self):
+        """Compute slug value from name."""
+        return slugify(self.name)
+
+    def get_abilities(self, user):
+        """
+        Compute and return abilities for a given user on the team.
+        """
+        is_owner_or_admin = False
+        role = None
+
+        if user.is_authenticated:
+            try:
+                role = self.user_role
+            except AttributeError:
+                try:
+                    role = self.accesses.filter(user=user).values("role")[0]["role"]
+                except (TeamAccess.DoesNotExist, IndexError):
+                    role = None
+
+            is_owner_or_admin = role in [RoleChoices.OWNER, RoleChoices.ADMIN]
+
+        return {
+            "get": bool(role),
+            "patch": is_owner_or_admin,
+            "put": is_owner_or_admin,
+            "delete": role == RoleChoices.OWNER,
+            "manage_accesses": is_owner_or_admin,
+        }
+
+
+class TeamAccess(BaseModel):
+    """Link table between teams and contacts."""
+
+    team = models.ForeignKey(
+        Team,
+        on_delete=models.CASCADE,
+        related_name="accesses",
+    )
+    user = models.ForeignKey(
+        User,
+        on_delete=models.CASCADE,
+        related_name="accesses",
+    )
+    role = models.CharField(
+        max_length=20, choices=RoleChoices.choices, default=RoleChoices.MEMBER
+    )
+
+    class Meta:
+        db_table = "people_team_access"
+        verbose_name = _("Team/user relation")
+        verbose_name_plural = _("Team/user relations")
+        constraints = [
+            models.UniqueConstraint(
+                fields=["user", "team"],
+                name="unique_team_user",
+                violation_error_message=_("This user is already in this team."),
+            ),
+        ]
+
+    def __str__(self):
+        return f"{self.user!s} is {self.role:s} in team {self.team!s}"
+
+    def save(self, *args, **kwargs):
+        """
+        Override save function to fire webhooks on any addition or update
+        to a team access.
+        """
+
+        if self._state.adding:
+            self.team.webhooks.update(status=WebhookStatusChoices.PENDING)
+            with transaction.atomic():
+                instance = super().save(*args, **kwargs)
+                scim_synchronizer.add_user_to_group(self.team, self.user)
+        else:
+            instance = super().save(*args, **kwargs)
+
+        return instance
+
+    def delete(self, *args, **kwargs):
+        """
+        Override delete method to fire webhooks on  to team accesses.
+        Don't allow deleting a team access until it is successfully synchronized with all
+        its webhooks.
+        """
+        self.team.webhooks.update(status=WebhookStatusChoices.PENDING)
+        with transaction.atomic():
+            arguments = self.team, self.user
+            super().delete(*args, **kwargs)
+            scim_synchronizer.remove_user_from_group(*arguments)
+
+    def get_abilities(self, user):
+        """
+        Compute and return abilities for a given user taking into account
+        the current state of the object.
+        """
+        is_team_owner_or_admin = False
+        role = None
+
+        if user.is_authenticated:
+            try:
+                role = self.user_role
+            except AttributeError:
+                try:
+                    role = self._meta.model.objects.filter(
+                        team=self.team_id, user=user
+                    ).values("role")[0]["role"]
+                except (self._meta.model.DoesNotExist, IndexError):
+                    role = None
+
+            is_team_owner_or_admin = role in [RoleChoices.OWNER, RoleChoices.ADMIN]
+
+        if self.role == RoleChoices.OWNER:
+            can_delete = (
+                user.id == self.user_id
+                and self.team.accesses.filter(role=RoleChoices.OWNER).count() > 1
+            )
+            set_role_to = [RoleChoices.ADMIN, RoleChoices.MEMBER] if can_delete else []
+        else:
+            can_delete = is_team_owner_or_admin
+            set_role_to = []
+            if role == RoleChoices.OWNER:
+                set_role_to.append(RoleChoices.OWNER)
+            if is_team_owner_or_admin:
+                set_role_to.extend([RoleChoices.ADMIN, RoleChoices.MEMBER])
+
+        # Remove the current role as we don't want to propose it as an option
+        try:
+            set_role_to.remove(self.role)
+        except ValueError:
+            pass
+
+        return {
+            "delete": can_delete,
+            "get": bool(role),
+            "patch": bool(set_role_to),
+            "put": bool(set_role_to),
+            "set_role_to": set_role_to,
+        }
+
+
+class TeamWebhook(BaseModel):
+    """Webhooks fired on changes in teams."""
+
+    team = models.ForeignKey(Team, related_name="webhooks", on_delete=models.CASCADE)
+    url = models.URLField(_("url"))
+    secret = models.CharField(_("secret"), max_length=255, null=True, blank=True)
+    status = models.CharField(
+        max_length=10,
+        default=WebhookStatusChoices.PENDING,
+        choices=WebhookStatusChoices.choices,
+    )
+
+    class Meta:
+        db_table = "people_team_webhook"
+        verbose_name = _("Team webhook")
+        verbose_name_plural = _("Team webhooks")
+
+    def __str__(self):
+        return f"Webhook to {self.url} for {self.team}"
+
+    def get_headers(self):
+        """Build header dict from webhook object."""
+        headers = {"Content-Type": "application/json"}
+        if self.secret:
+            headers["Authorization"] = f"Bearer {self.secret:s}"
+        return headers
+
+
+class Invitation(BaseModel):
+    """User invitation to teams."""
+
+    email = models.EmailField(_("email address"), null=False, blank=False)
+    team = models.ForeignKey(
+        Team,
+        on_delete=models.CASCADE,
+        related_name="invitations",
+    )
+    role = models.CharField(
+        max_length=20, choices=RoleChoices.choices, default=RoleChoices.MEMBER
+    )
+    issuer = models.ForeignKey(
+        User,
+        on_delete=models.CASCADE,
+        related_name="invitations",
+    )
+
+    class Meta:
+        db_table = "people_invitation"
+        verbose_name = _("Team invitation")
+        verbose_name_plural = _("Team invitations")
+        constraints = [
+            models.UniqueConstraint(
+                fields=["email", "team"], name="email_and_team_unique_together"
+            )
+        ]
+
+    def __str__(self):
+        return f"{self.email} invited to {self.team}"
+
+    def save(self, *args, **kwargs):
+        """Make invitations read-only."""
+        if self.created_at:
+            raise exceptions.PermissionDenied()
+        super().save(*args, **kwargs)
+
+        self.email_invitation()
+
+    def clean(self):
+        """Validate fields."""
+        super().clean()
+
+        # Check if an identity already exists for the provided email
+        if Identity.objects.filter(email=self.email).exists():
+            raise exceptions.ValidationError(
+                {"email": _("This email is already associated to a registered user.")}
+            )
+
+    @property
+    def is_expired(self):
+        """Calculate if invitation is still valid or has expired."""
+        if not self.created_at:
+            return None
+
+        validity_duration = timedelta(seconds=settings.INVITATION_VALIDITY_DURATION)
+        return timezone.now() > (self.created_at + validity_duration)
+
+    def get_abilities(self, user):
+        """Compute and return abilities for a given user."""
+        can_delete = False
+        role = None
+
+        if user.is_authenticated:
+            try:
+                role = self.user_role
+            except AttributeError:
+                try:
+                    role = self.team.accesses.filter(user=user).values("role")[0][
+                        "role"
+                    ]
+                except (self._meta.model.DoesNotExist, IndexError):
+                    role = None
+
+            can_delete = role in [RoleChoices.OWNER, RoleChoices.ADMIN]
+
+        return {
+            "delete": can_delete,
+            "get": bool(role),
+            "patch": False,
+            "put": False,
+        }
+
+    def email_invitation(self):
+        """Email invitation to the user."""
+        try:
+            with override(self.issuer.language):
+                template_vars = {
+                    "title": _("Invitation to join Desk!"),
+                    "site": Site.objects.get_current(),
+                }
+                msg_html = render_to_string("mail/html/invitation.html", template_vars)
+                msg_plain = render_to_string("mail/text/invitation.txt", template_vars)
+                mail.send_mail(
+                    _("Invitation to join Desk!"),
+                    msg_plain,
+                    settings.EMAIL_FROM,
+                    [self.email],
+                    html_message=msg_html,
+                    fail_silently=False,
+                )
+
+        except smtplib.SMTPException as exception:
+            logger.error("invitation to %s was not sent: %s", self.email, exception)

src/backend/core/templatetags/extra_tags.py

@@ -0,0 +1,58 @@
+"""Custom template tags for the core application of People."""
+
+import base64
+
+from django import template
+from django.contrib.staticfiles import finders
+
+from PIL import ImageFile as PillowImageFile
+
+register = template.Library()
+
+
+def image_to_base64(file_or_path, close=False):
+    """
+    Return the src string of the base64 encoding of an image represented by its path
+    or file opened or not.
+
+    Inspired by Django's "get_image_dimensions"
+    """
+    pil_parser = PillowImageFile.Parser()
+    if hasattr(file_or_path, "read"):
+        file = file_or_path
+        if file.closed and hasattr(file, "open"):
+            file_or_path.open()
+        file_pos = file.tell()
+        file.seek(0)
+    else:
+        try:
+            # pylint: disable=consider-using-with
+            file = open(file_or_path, "rb")
+        except OSError:
+            return ""
+        close = True
+
+    try:
+        image_data = file.read()
+        if not image_data:
+            return ""
+        pil_parser.feed(image_data)
+        if pil_parser.image:
+            mime_type = pil_parser.image.get_format_mimetype()
+            encoded_string = base64.b64encode(image_data)
+            return f"data:{mime_type:s};base64, {encoded_string.decode('utf-8'):s}"
+        return ""
+    finally:
+        if close:
+            file.close()
+        else:
+            file.seek(file_pos)
+
+
+@register.simple_tag
+def base64_static(path):
+    """Return a static file into a base64."""
+    full_path = finders.find(path)
+    if full_path:
+        return image_to_base64(full_path, True)
+    return ""

src/backend/core/tests/authentication/test_backends.py

@@ -0,0 +1,204 @@
+"""Unit tests for the Authentication Backends."""
+
+from django.core.exceptions import SuspiciousOperation
+
+import pytest
+
+from core import models
+from core.authentication.backends import OIDCAuthenticationBackend
+from core.factories import IdentityFactory
+
+pytestmark = pytest.mark.django_db
+
+
+def test_authentication_getter_existing_user_no_email(
+    django_assert_num_queries, monkeypatch
+):
+    """
+    If an existing user matches the user's info sub, the user should be returned.
+    """
+
+    klass = OIDCAuthenticationBackend()
+
+    # Create a user and its identity
+    identity = IdentityFactory(name=None)
+
+    # Create multiple identities for a user
+    for _ in range(5):
+        IdentityFactory(user=identity.user)
+
+    def get_userinfo_mocked(*args):
+        return {"sub": identity.sub}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    with django_assert_num_queries(1):
+        user = klass.get_or_create_user(
+            access_token="test-token", id_token=None, payload=None
+        )
+
+    identity.refresh_from_db()
+    assert user == identity.user
+
+
+def test_authentication_getter_existing_user_with_email(
+    django_assert_num_queries, monkeypatch
+):
+    """
+    When the user's info contains an email and targets an existing user,
+    """
+    klass = OIDCAuthenticationBackend()
+
+    identity = IdentityFactory(name="John Doe")
+
+    # Create multiple identities for a user
+    for _ in range(5):
+        IdentityFactory(user=identity.user)
+
+    assert models.User.objects.count() == 1
+
+    def get_userinfo_mocked(*args):
+        return {
+            "sub": identity.sub,
+            "email": identity.email,
+            "first_name": "John",
+            "last_name": "Doe",
+        }
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    # Only 1 query because email and names have not changed
+    with django_assert_num_queries(1):
+        user = klass.get_or_create_user(
+            access_token="test-token", id_token=None, payload=None
+        )
+
+    assert models.User.objects.get() == user
+
+
+@pytest.mark.parametrize(
+    "first_name, last_name, email",
+    [
+        ("Jack", "Doe", "john.doe@example.com"),
+        ("John", "Duy", "john.doe@example.com"),
+        ("John", "Doe", "jack.duy@example.com"),
+        ("Jack", "Duy", "jack.duy@example.com"),
+    ],
+)
+def test_authentication_getter_existing_user_change_fields(
+    first_name, last_name, email, django_assert_num_queries, monkeypatch
+):
+    """
+    It should update the email or name fields on the identity when they change.
+    The email on the user should not be changed.
+    """
+    klass = OIDCAuthenticationBackend()
+
+    identity = IdentityFactory(name="John Doe", email="john.doe@example.com")
+    user_email = identity.user.admin_email
+
+    # Create multiple identities for a user
+    for _ in range(5):
+        IdentityFactory(user=identity.user)
+
+    assert models.User.objects.count() == 1
+
+    def get_userinfo_mocked(*args):
+        return {
+            "sub": identity.sub,
+            "email": email,
+            "first_name": first_name,
+            "last_name": last_name,
+        }
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    # One and only one additional update query when a field has changed
+    with django_assert_num_queries(2):
+        user = klass.get_or_create_user(
+            access_token="test-token", id_token=None, payload=None
+        )
+
+    identity.refresh_from_db()
+    assert identity.email == email
+    assert identity.name == f"{first_name:s} {last_name:s}"
+
+    assert models.User.objects.count() == 1
+    assert user == identity.user
+    assert user.admin_email == user_email
+
+
+def test_authentication_getter_new_user_no_email(monkeypatch):
+    """
+    If no user matches the user's info sub, a user should be created.
+    User's info doesn't contain an email, created user's email should be empty.
+    """
+    klass = OIDCAuthenticationBackend()
+
+    def get_userinfo_mocked(*args):
+        return {"sub": "123"}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    user = klass.get_or_create_user(
+        access_token="test-token", id_token=None, payload=None
+    )
+
+    identity = user.identities.get()
+    assert identity.sub == "123"
+    assert identity.email is None
+
+    assert user.admin_email is None
+    assert user.password == "!"
+    assert models.User.objects.count() == 1
+
+
+def test_authentication_getter_new_user_with_email(monkeypatch):
+    """
+    If no user matches the user's info sub, a user should be created.
+    User's email and name should be set on the identity.
+    The "email" field on the User model should not be set as it is reserved for staff users.
+    """
+    klass = OIDCAuthenticationBackend()
+
+    email = "people@example.com"
+
+    def get_userinfo_mocked(*args):
+        return {"sub": "123", "email": email, "first_name": "John", "last_name": "Doe"}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    user = klass.get_or_create_user(
+        access_token="test-token", id_token=None, payload=None
+    )
+
+    identity = user.identities.get()
+    assert identity.sub == "123"
+    assert identity.email == email
+    assert identity.name == "John Doe"
+
+    assert user.admin_email is None
+    assert models.User.objects.count() == 1
+
+
+def test_models_oidc_user_getter_invalid_token(django_assert_num_queries, monkeypatch):
+    """The user's info doesn't contain a sub."""
+    klass = OIDCAuthenticationBackend()
+
+    def get_userinfo_mocked(*args):
+        return {
+            "test": "123",
+        }
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    with (
+        django_assert_num_queries(0),
+        pytest.raises(
+            SuspiciousOperation,
+            match="User info contained no recognizable user identification",
+        ),
+    ):
+        klass.get_or_create_user(access_token="test-token", id_token=None, payload=None)
+
+    assert models.User.objects.exists() is False

src/backend/core/tests/authentication/test_urls.py

@@ -0,0 +1,10 @@
+"""Unit tests for the Authentication URLs."""
+
+from core.authentication.urls import urlpatterns
+
+
+def test_urls_override_default_mozilla_django_oidc():
+    """Custom URL patterns should override default ones from Mozilla Django OIDC."""
+
+    url_names = [u.name for u in urlpatterns]
+    assert url_names.index("oidc_logout_custom") < url_names.index("oidc_logout")

src/backend/core/tests/authentication/test_views.py

@@ -0,0 +1,238 @@
+"""Unit tests for the Authentication Views."""
+
+from unittest import mock
+from urllib.parse import parse_qs, urlparse
+
+from django.contrib.auth.models import AnonymousUser
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.core.exceptions import SuspiciousOperation
+from django.test import RequestFactory
+from django.test.utils import override_settings
+from django.urls import reverse
+from django.utils import crypto
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+from core.authentication.views import OIDCLogoutCallbackView, OIDCLogoutView
+
+pytestmark = pytest.mark.django_db
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
+def test_view_logout_anonymous():
+    """Anonymous users calling the logout url,
+    should be redirected to the specified LOGOUT_REDIRECT_URL."""
+
+    url = reverse("oidc_logout_custom")
+    response = APIClient().get(url)
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"
+
+
+@mock.patch.object(
+    OIDCLogoutView, "construct_oidc_logout_url", return_value="/example-logout"
+)
+def test_view_logout(mocked_oidc_logout_url):
+    """Authenticated users should be redirected to OIDC provider for logout."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    url = reverse("oidc_logout_custom")
+    response = client.get(url)
+
+    mocked_oidc_logout_url.assert_called_once()
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/default-redirect-logout")
+@mock.patch.object(
+    OIDCLogoutView, "construct_oidc_logout_url", return_value="/default-redirect-logout"
+)
+def test_view_logout_no_oidc_provider(mocked_oidc_logout_url):
+    """Authenticated users should be logged out when no OIDC provider is available."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    url = reverse("oidc_logout_custom")
+
+    with mock.patch("mozilla_django_oidc.views.auth.logout") as mock_logout:
+        response = client.get(url)
+        mocked_oidc_logout_url.assert_called_once()
+        mock_logout.assert_called_once()
+
+    assert response.status_code == 302
+    assert response.url == "/default-redirect-logout"
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
+def test_view_logout_callback_anonymous():
+    """Anonymous users calling the logout callback url,
+    should be redirected to the specified LOGOUT_REDIRECT_URL."""
+
+    url = reverse("oidc_logout_callback")
+    response = APIClient().get(url)
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"
+
+
+@pytest.mark.parametrize(
+    "initial_oidc_states",
+    [{}, {"other_state": "foo"}],
+)
+def test_view_logout_persist_state(initial_oidc_states):
+    """State value should be persisted in session's data."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    if initial_oidc_states:
+        request.session["oidc_states"] = initial_oidc_states
+        request.session.save()
+
+    mocked_state = "mock_state"
+
+    OIDCLogoutView().persist_state(request, mocked_state)
+
+    assert "oidc_states" in request.session
+    assert request.session["oidc_states"] == {
+        "mock_state": {},
+        **initial_oidc_states,
+    }
+
+
+@override_settings(OIDC_OP_LOGOUT_ENDPOINT="/example-logout")
+@mock.patch.object(OIDCLogoutView, "persist_state")
+@mock.patch.object(crypto, "get_random_string", return_value="mocked_state")
+def test_view_logout_construct_oidc_logout_url(
+    mocked_get_random_string, mocked_persist_state
+):
+    """Should construct the logout URL to initiate the logout flow with the OIDC provider."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    request.session["oidc_id_token"] = "mocked_oidc_id_token"
+    request.session.save()
+
+    redirect_url = OIDCLogoutView().construct_oidc_logout_url(request)
+
+    mocked_persist_state.assert_called_once()
+    mocked_get_random_string.assert_called_once()
+
+    params = parse_qs(urlparse(redirect_url).query)
+
+    assert params["id_token_hint"][0] == "mocked_oidc_id_token"
+    assert params["state"][0] == "mocked_state"
+
+    url = reverse("oidc_logout_callback")
+    assert url in params["post_logout_redirect_uri"][0]
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/")
+def test_view_logout_construct_oidc_logout_url_none_id_token():
+    """If no ID token is available in the session,
+    the user should be redirected to the final URL."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    redirect_url = OIDCLogoutView().construct_oidc_logout_url(request)
+
+    assert redirect_url == "/"
+
+
+@pytest.mark.parametrize(
+    "initial_state",
+    [None, {"other_state": "foo"}],
+)
+def test_view_logout_callback_wrong_state(initial_state):
+    """Should raise an error if OIDC state doesn't match session data."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    if initial_state:
+        request.session["oidc_states"] = initial_state
+        request.session.save()
+
+    callback_view = OIDCLogoutCallbackView.as_view()
+
+    with pytest.raises(SuspiciousOperation) as excinfo:
+        callback_view(request)
+
+    assert (
+        str(excinfo.value) == "OIDC callback state not found in session `oidc_states`!"
+    )
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
+def test_view_logout_callback():
+    """If state matches, callback should clear OIDC state and redirects."""
+
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    request = RequestFactory().get("/logout-callback/", data={"state": "mocked_state"})
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    mocked_state = "mocked_state"
+
+    request.session["oidc_states"] = {mocked_state: {}}
+    request.session.save()
+
+    callback_view = OIDCLogoutCallbackView.as_view()
+
+    with mock.patch("mozilla_django_oidc.views.auth.logout") as mock_logout:
+
+        def clear_user(request):
+            # Assert state is cleared prior to logout
+            assert request.session["oidc_states"] == {}
+            request.user = AnonymousUser()
+
+        mock_logout.side_effect = clear_user
+        response = callback_view(request)
+        mock_logout.assert_called_once()
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"

src/backend/core/tests/swagger/test_openapi_schema.py

@@ -0,0 +1,42 @@
+"""
+Test suite for generated openapi schema.
+"""
+
+import json
+from io import StringIO
+
+from django.core.management import call_command
+from django.test import Client
+
+import pytest
+
+pytestmark = pytest.mark.django_db
+
+
+def test_openapi_client_schema():
+    """
+    Generated and served OpenAPI client schema should be correct.
+    """
+    # Start by generating the swagger.json file
+    output = StringIO()
+    call_command(
+        "spectacular",
+        "--api-version",
+        "v1.0",
+        "--urlconf",
+        "people.api_urls",
+        "--format",
+        "openapi-json",
+        "--file",
+        "core/tests/swagger/swagger.json",
+        stdout=output,
+    )
+    assert output.getvalue() == ""
+
+    response = Client().get("/v1.0/swagger.json")
+
+    assert response.status_code == 200
+    with open(
+        "core/tests/swagger/swagger.json", "r", encoding="utf-8"
+    ) as expected_schema:
+        assert response.json() == json.load(expected_schema)

src/backend/core/tests/team_accesses/test_api_team_accesses_create.py

@@ -0,0 +1,236 @@
+"""
+Test for team accesses API endpoints in People's core app : create
+"""
+
+import json
+import random
+import re
+
+import pytest
+import responses
+from rest_framework.test import APIClient
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_team_accesses_create_anonymous():
+    """Anonymous users should not be allowed to create team accesses."""
+    user = factories.UserFactory()
+    team = factories.TeamFactory()
+
+    response = APIClient().post(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+        {
+            "user": str(user.id),
+            "team": str(team.id),
+            "role": random.choice(models.RoleChoices.choices)[0],
+        },
+        format="json",
+    )
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+    assert models.TeamAccess.objects.exists() is False
+
+
+def test_api_team_accesses_create_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to create team accesses for a team to
+    which they are not related.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    other_user = factories.UserFactory()
+    team = factories.TeamFactory()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+        },
+        format="json",
+    )
+
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "You are not allowed to manage accesses for this team."
+    }
+    assert not models.TeamAccess.objects.filter(user=other_user).exists()
+
+
+def test_api_team_accesses_create_authenticated_member():
+    """Members of a team should not be allowed to create team accesses."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "member")])
+    other_user = factories.UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+    for role in [role[0] for role in models.RoleChoices.choices]:
+        response = client.post(
+            f"/api/v1.0/teams/{team.id!s}/accesses/",
+            {
+                "user": str(other_user.id),
+                "role": role,
+            },
+            format="json",
+        )
+
+        assert response.status_code == 403
+        assert response.json() == {
+            "detail": "You are not allowed to manage accesses for this team."
+        }
+
+    assert not models.TeamAccess.objects.filter(user=other_user).exists()
+
+
+def test_api_team_accesses_create_authenticated_administrator():
+    """
+    Administrators of a team should be able to create team accesses except for the "owner" role.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    other_user = factories.UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    # It should not be allowed to create an owner access
+    response = client.post(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+            "role": "owner",
+        },
+        format="json",
+    )
+
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "Only owners of a team can assign other users as owners."
+    }
+
+    # It should be allowed to create a lower access
+    role = random.choice(
+        [role[0] for role in models.RoleChoices.choices if role[0] != "owner"]
+    )
+
+    response = client.post(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+            "role": role,
+        },
+        format="json",
+    )
+
+    assert response.status_code == 201
+    assert models.TeamAccess.objects.filter(user=other_user).count() == 1
+    new_team_access = models.TeamAccess.objects.filter(user=other_user).get()
+    assert response.json() == {
+        "abilities": new_team_access.get_abilities(user),
+        "id": str(new_team_access.id),
+        "role": role,
+        "user": str(other_user.id),
+    }
+
+
+def test_api_team_accesses_create_authenticated_owner():
+    """
+    Owners of a team should be able to create team accesses whatever the role.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    other_user = factories.UserFactory()
+
+    role = random.choice([role[0] for role in models.RoleChoices.choices])
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+            "role": role,
+        },
+        format="json",
+    )
+
+    assert response.status_code == 201
+    assert models.TeamAccess.objects.filter(user=other_user).count() == 1
+    new_team_access = models.TeamAccess.objects.filter(user=other_user).get()
+    assert response.json() == {
+        "abilities": new_team_access.get_abilities(user),
+        "id": str(new_team_access.id),
+        "role": role,
+        "user": str(other_user.id),
+    }
+
+
+def test_api_team_accesses_create_webhook():
+    """
+    When the team has a webhook, creating a team access should fire a call.
+    """
+    user, other_user = factories.UserFactory.create_batch(2)
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    webhook = factories.TeamWebhookFactory(team=team)
+
+    role = random.choice([role[0] for role in models.RoleChoices.choices])
+
+    client = APIClient()
+    client.force_login(user)
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsp = rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        response = client.post(
+            f"/api/v1.0/teams/{team.id!s}/accesses/",
+            {
+                "user": str(other_user.id),
+                "role": role,
+            },
+            format="json",
+        )
+        assert response.status_code == 201
+
+        assert rsp.call_count == 1
+        assert rsps.calls[0].request.url == webhook.url
+
+        # Payload sent to scim provider
+        payload = json.loads(rsps.calls[0].request.body)
+        assert payload == {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [
+                {
+                    "op": "add",
+                    "path": "members",
+                    "value": [
+                        {
+                            "value": str(other_user.id),
+                            "email": None,
+                            "type": "User",
+                        }
+                    ],
+                }
+            ],
+        }

src/backend/core/tests/team_accesses/test_api_team_accesses_delete.py

@@ -0,0 +1,227 @@
+"""
+Test for team accesses API endpoints in People's core app : delete
+"""
+
+import json
+import random
+import re
+
+import pytest
+import responses
+from rest_framework.test import APIClient
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_team_accesses_delete_anonymous():
+    """Anonymous users should not be allowed to destroy a team access."""
+    access = factories.TeamAccessFactory()
+
+    response = APIClient().delete(
+        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 401
+    assert models.TeamAccess.objects.count() == 1
+
+
+def test_api_team_accesses_delete_authenticated():
+    """
+    Authenticated users should not be allowed to delete a team access for a
+    team to which they are not related.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    access = factories.TeamAccessFactory()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.delete(
+        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 403
+    assert models.TeamAccess.objects.count() == 1
+
+
+def test_api_team_accesses_delete_member():
+    """
+    Authenticated users should not be allowed to delete a team access for a
+    team in which they are a simple member.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "member")])
+    access = factories.TeamAccessFactory(team=team)
+
+    assert models.TeamAccess.objects.count() == 2
+    assert models.TeamAccess.objects.filter(user=access.user).exists()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 403
+    assert models.TeamAccess.objects.count() == 2
+
+
+def test_api_team_accesses_delete_administrators():
+    """
+    Users who are administrators in a team should be allowed to delete an access
+    from the team provided it is not ownership.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    access = factories.TeamAccessFactory(
+        team=team, role=random.choice(["member", "administrator"])
+    )
+
+    assert models.TeamAccess.objects.count() == 2
+    assert models.TeamAccess.objects.filter(user=access.user).exists()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 204
+    assert models.TeamAccess.objects.count() == 1
+
+
+def test_api_team_accesses_delete_owners_except_owners():
+    """
+    Users should be able to delete the team access of another user
+    for a team of which they are owner provided it is not an owner access.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    access = factories.TeamAccessFactory(
+        team=team, role=random.choice(["member", "administrator"])
+    )
+
+    assert models.TeamAccess.objects.count() == 2
+    assert models.TeamAccess.objects.filter(user=access.user).exists()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 204
+    assert models.TeamAccess.objects.count() == 1
+
+
+def test_api_team_accesses_delete_owners_for_owners():
+    """
+    Users should not be allowed to delete the team access of another owner
+    even for a team in which they are direct owner.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    access = factories.TeamAccessFactory(team=team, role="owner")
+
+    assert models.TeamAccess.objects.count() == 2
+    assert models.TeamAccess.objects.filter(user=access.user).exists()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 403
+    assert models.TeamAccess.objects.count() == 2
+
+
+def test_api_team_accesses_delete_owners_last_owner():
+    """
+    It should not be possible to delete the last owner access from a team
+    """
+    user = factories.UserFactory()
+
+    team = factories.TeamFactory()
+    access = factories.TeamAccessFactory(team=team, user=user, role="owner")
+    assert models.TeamAccess.objects.count() == 1
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 403
+    assert models.TeamAccess.objects.count() == 1
+
+
+def test_api_team_accesses_delete_webhook():
+    """
+    When the team has a webhook, deleting a team access should fire a call.
+    """
+    user = factories.UserFactory()
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    webhook = factories.TeamWebhookFactory(team=team)
+    access = factories.TeamAccessFactory(
+        team=team, role=random.choice(["member", "administrator"])
+    )
+
+    assert models.TeamAccess.objects.count() == 2
+    assert models.TeamAccess.objects.filter(user=access.user).exists()
+
+    client = APIClient()
+    client.force_login(user)
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsp = rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        response = client.delete(
+            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+        )
+        assert response.status_code == 204
+
+        assert rsp.call_count == 1
+        assert rsps.calls[0].request.url == webhook.url
+
+        # Payload sent to scim provider
+        payload = json.loads(rsps.calls[0].request.body)
+        assert payload == {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [
+                {
+                    "op": "remove",
+                    "path": "members",
+                    "value": [
+                        {
+                            "value": str(access.user.id),
+                            "email": None,
+                            "type": "User",
+                        }
+                    ],
+                }
+            ],
+        }
+
+    assert models.TeamAccess.objects.count() == 1
+    assert models.TeamAccess.objects.filter(user=access.user).exists() is False

src/backend/core/tests/team_accesses/test_api_team_accesses_list.py

@@ -0,0 +1,289 @@
+"""
+Test for team accesses API endpoints in People's core app : list
+"""
+
+import pytest
+from rest_framework.status import HTTP_200_OK
+from rest_framework.test import APIClient
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_team_accesses_list_anonymous():
+    """Anonymous users should not be allowed to list team accesses."""
+    team = factories.TeamFactory()
+    factories.TeamAccessFactory.create_batch(2, team=team)
+
+    response = APIClient().get(f"/api/v1.0/teams/{team.id!s}/accesses/")
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_team_accesses_list_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to list team accesses for a team
+    to which they are not related.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory()
+    factories.TeamAccessFactory.create_batch(3, team=team)
+
+    # Accesses for other teams to which the user is related should not be listed either
+    other_access = factories.TeamAccessFactory(user=user)
+    factories.TeamAccessFactory(team=other_access.team)
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+    )
+    assert response.status_code == 200
+    assert response.json() == {
+        "count": 0,
+        "next": None,
+        "previous": None,
+        "results": [],
+    }
+
+
+def test_api_team_accesses_list_authenticated_related():
+    """
+    Authenticated users should be able to list team accesses for a team
+    to which they are related, with a given role.
+    """
+    identity = factories.IdentityFactory(is_main=True)
+    user = identity.user
+
+    team = factories.TeamFactory()
+
+    owner = factories.IdentityFactory(is_main=True)
+    access1 = factories.TeamAccessFactory.create(
+        team=team, user=owner.user, role="owner"
+    )
+
+    administrator = factories.IdentityFactory(is_main=True)
+    access2 = factories.TeamAccessFactory.create(
+        team=team, user=administrator.user, role="administrator"
+    )
+
+    # Ensure this user's role is different from other team members to test abilities' computation
+    user_access = models.TeamAccess.objects.create(team=team, user=user, role="member")
+
+    # Grant other team accesses to the user, they should not be listed either
+    other_access = factories.TeamAccessFactory(user=user)
+    factories.TeamAccessFactory(team=other_access.team)
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+    )
+
+    assert response.status_code == 200
+    assert response.json()["count"] == 3
+    assert sorted(response.json()["results"], key=lambda x: x["id"]) == sorted(
+        [
+            {
+                "id": str(user_access.id),
+                "user": {
+                    "id": str(user_access.user.id),
+                    "email": str(identity.email),
+                    "name": str(identity.name),
+                },
+                "role": str(user_access.role),
+                "abilities": user_access.get_abilities(user),
+            },
+            {
+                "id": str(access1.id),
+                "user": {
+                    "id": str(access1.user.id),
+                    "email": str(owner.email),
+                    "name": str(owner.name),
+                },
+                "role": str(access1.role),
+                "abilities": access1.get_abilities(user),
+            },
+            {
+                "id": str(access2.id),
+                "user": {
+                    "id": str(access2.user.id),
+                    "email": str(administrator.email),
+                    "name": str(administrator.name),
+                },
+                "role": str(access2.role),
+                "abilities": access2.get_abilities(user),
+            },
+        ],
+        key=lambda x: x["id"],
+    )
+
+
+def test_api_team_accesses_list_authenticated_main_identity():
+    """
+    Name and email should be returned from main identity only
+    """
+    user = factories.UserFactory()
+    identity = factories.IdentityFactory(user=user, is_main=True)
+    factories.IdentityFactory(user=user)  # additional non-main identity
+
+    team = factories.TeamFactory()
+    models.TeamAccess.objects.create(team=team, user=user)  # random role
+
+    # other team members should appear, with correct identity
+    other_user = factories.UserFactory()
+    other_main_identity = factories.IdentityFactory(is_main=True, user=other_user)
+    factories.IdentityFactory(user=other_user)
+    factories.TeamAccessFactory.create(team=team, user=other_user)
+
+    # Accesses for other teams to which the user is related should not be listed either
+    other_access = factories.TeamAccessFactory(user=user)
+    factories.TeamAccessFactory(team=other_access.team)
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/",
+    )
+
+    assert response.status_code == 200
+    assert response.json()["count"] == 2
+    users_info = [
+        (access["user"]["email"], access["user"]["name"])
+        for access in response.json()["results"]
+    ]
+    # user information should be returned from main identity
+    assert sorted(users_info) == sorted(
+        [
+            (str(identity.email), str(identity.name)),
+            (str(other_main_identity.email), str(other_main_identity.name)),
+        ]
+    )
+
+
+def test_api_team_accesses_list_authenticated_constant_numqueries(
+    django_assert_num_queries,
+):
+    """
+    The number of queries should not depend on the amount of fetched accesses.
+    """
+    user = factories.UserFactory()
+    factories.IdentityFactory(user=user, is_main=True)
+
+    team = factories.TeamFactory()
+    models.TeamAccess.objects.create(team=team, user=user)  # random role
+
+    client = APIClient()
+    client.force_login(user)
+    # Only 4 queries are needed to efficiently fetch team accesses,
+    # related users and identities :
+    # - query retrieving logged-in user for user_role annotation
+    # - count from pagination
+    # - query prefetching users' main identity
+    # - distinct from viewset
+    with django_assert_num_queries(4):
+        response = client.get(
+            f"/api/v1.0/teams/{team.id!s}/accesses/",
+        )
+
+    # create 20 new team members
+    for _ in range(20):
+        extra_user = factories.IdentityFactory(is_main=True).user
+        factories.TeamAccessFactory(team=team, user=extra_user)
+
+    # num queries should still be 4
+    with django_assert_num_queries(4):
+        response = client.get(
+            f"/api/v1.0/teams/{team.id!s}/accesses/",
+        )
+
+    assert response.status_code == 200
+    assert response.json()["count"] == 21
+
+
+def test_api_team_accesses_list_authenticated_ordering():
+    """Team accesses can be ordered by "role"."""
+
+    user = factories.UserFactory()
+    factories.IdentityFactory(user=user, is_main=True)
+
+    team = factories.TeamFactory()
+    models.TeamAccess.objects.create(team=team, user=user)
+
+    # create 20 new team members
+    for _ in range(20):
+        extra_user = factories.IdentityFactory(is_main=True).user
+        factories.TeamAccessFactory(team=team, user=extra_user)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/?ordering=role",
+    )
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["count"] == 21
+
+    results = [team_access["role"] for team_access in response.json()["results"]]
+    assert sorted(results) == results
+
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/?ordering=-role",
+    )
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["count"] == 21
+
+    results = [team_access["role"] for team_access in response.json()["results"]]
+    assert sorted(results, reverse=True) == results
+
+
+@pytest.mark.parametrize("ordering_fields", ["name", "email"])
+def test_api_team_accesses_list_authenticated_ordering_user(ordering_fields):
+    """Team accesses can be ordered by user's fields "email" or "name"."""
+
+    user = factories.UserFactory()
+    factories.IdentityFactory(user=user, is_main=True)
+
+    team = factories.TeamFactory()
+    models.TeamAccess.objects.create(team=team, user=user)
+
+    # create 20 new team members
+    for _ in range(20):
+        extra_user = factories.IdentityFactory(is_main=True).user
+        factories.TeamAccessFactory(team=team, user=extra_user)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/?ordering={ordering_fields}",
+    )
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["count"] == 21
+
+    def normalize(x):
+        """Mimic Django order_by, which is case-insensitive and space-insensitive"""
+        return x.casefold().replace(" ", "")
+
+    results = [
+        team_access["user"][ordering_fields]
+        for team_access in response.json()["results"]
+    ]
+    assert sorted(results, key=normalize) == results
+
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/?ordering=-{ordering_fields}",
+    )
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["count"] == 21
+
+    results = [
+        team_access["user"][ordering_fields]
+        for team_access in response.json()["results"]
+    ]
+    assert sorted(results, reverse=True, key=normalize) == results

src/backend/core/tests/team_accesses/test_api_team_accesses_retrieve.py

@@ -0,0 +1,87 @@
+"""
+Test for team accesses API endpoints in People's core app : retrieve
+"""
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_team_accesses_retrieve_anonymous():
+    """
+    Anonymous users should not be allowed to retrieve a team access.
+    """
+    access = factories.TeamAccessFactory()
+
+    response = APIClient().get(
+        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_team_accesses_retrieve_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to retrieve a team access for
+    a team to which they are not related.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    access = factories.TeamAccessFactory(team=factories.TeamFactory())
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+    )
+    assert response.status_code == 404
+    assert response.json() == {"detail": "No TeamAccess matches the given query."}
+
+    # Accesses related to another team should be excluded even if the user is related to it
+    for other_access in [
+        factories.TeamAccessFactory(),
+        factories.TeamAccessFactory(user=user),
+    ]:
+        response = client.get(
+            f"/api/v1.0/teams/{access.team.id!s}/accesses/{other_access.id!s}/",
+        )
+
+        assert response.status_code == 404
+        assert response.json() == {"detail": "No TeamAccess matches the given query."}
+
+
+def test_api_team_accesses_retrieve_authenticated_related():
+    """
+    A user who is related to a team should be allowed to retrieve the
+    associated team user accesses.
+    """
+    identity = factories.IdentityFactory(is_main=True)
+    user = identity.user
+
+    team = factories.TeamFactory()
+    access = factories.TeamAccessFactory(team=team, user=user)
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "id": str(access.id),
+        "user": {
+            "id": str(access.user.id),
+            "email": str(identity.email),
+            "name": str(identity.name),
+        },
+        "role": str(access.role),
+        "abilities": access.get_abilities(user),
+    }

src/backend/core/tests/team_accesses/test_api_team_accesses_update.py

@@ -0,0 +1,341 @@
+"""
+Test for team accesses API endpoints in People's core app : update
+"""
+
+import random
+from uuid import uuid4
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories, models
+from core.api import serializers
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_team_accesses_update_anonymous():
+    """Anonymous users should not be allowed to update a team access."""
+    access = factories.TeamAccessFactory()
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    for field, value in new_values.items():
+        response = APIClient().put(
+            f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+            {**old_values, field: value},
+            format="json",
+        )
+        assert response.status_code == 401
+
+    access.refresh_from_db()
+    updated_values = serializers.TeamAccessSerializer(instance=access).data
+    assert updated_values == old_values
+
+
+def test_api_team_accesses_update_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to update a team access for a team to which
+    they are not related.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    access = factories.TeamAccessFactory()
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        response = client.put(
+            f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+            {**old_values, field: value},
+            format="json",
+        )
+        assert response.status_code == 403
+
+    access.refresh_from_db()
+    updated_values = serializers.TeamAccessSerializer(instance=access).data
+    assert updated_values == old_values
+
+
+def test_api_team_accesses_update_authenticated_member():
+    """Members of a team should not be allowed to update its accesses."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "member")])
+    access = factories.TeamAccessFactory(team=team)
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        response = client.put(
+            f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
+            {**old_values, field: value},
+            format="json",
+        )
+        assert response.status_code == 403
+
+    access.refresh_from_db()
+    updated_values = serializers.TeamAccessSerializer(instance=access).data
+    assert updated_values == old_values
+
+
+def test_api_team_accesses_update_administrator_except_owner():
+    """
+    A user who is an administrator in a team should be allowed to update a user
+    access for this team, as long as they don't try to set the role to owner.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    access = factories.TeamAccessFactory(
+        team=team,
+        role=random.choice(["administrator", "member"]),
+    )
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(["administrator", "member"]),
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        new_data = {**old_values, field: value}
+        response = client.put(
+            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+            data=new_data,
+            format="json",
+        )
+
+        if (
+            new_data["role"] == old_values["role"]
+        ):  # we are not really updating the role
+            assert response.status_code == 403
+        else:
+            assert response.status_code == 200
+
+        access.refresh_from_db()
+        updated_values = serializers.TeamAccessSerializer(instance=access).data
+        if field == "role":
+            assert updated_values == {**old_values, "role": new_values["role"]}
+        else:
+            assert updated_values == old_values
+
+
+def test_api_team_accesses_update_administrator_from_owner():
+    """
+    A user who is an administrator in a team, should not be allowed to update
+    the user access of an "owner" for this team.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    other_user = factories.UserFactory()
+    access = factories.TeamAccessFactory(team=team, user=other_user, role="owner")
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        response = client.put(
+            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+            data={**old_values, field: value},
+            format="json",
+        )
+        assert response.status_code == 403
+        access.refresh_from_db()
+        updated_values = serializers.TeamAccessSerializer(instance=access).data
+        assert updated_values == old_values
+
+
+def test_api_team_accesses_update_administrator_to_owner():
+    """
+    A user who is an administrator in a team, should not be allowed to update
+    the user access of another user to grant team ownership.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    other_user = factories.UserFactory()
+    access = factories.TeamAccessFactory(
+        team=team,
+        user=other_user,
+        role=random.choice(["administrator", "member"]),
+    )
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": "owner",
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        new_data = {**old_values, field: value}
+        response = client.put(
+            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+            data=new_data,
+            format="json",
+        )
+        # We are not allowed or not really updating the role
+        if field == "role" or new_data["role"] == old_values["role"]:
+            assert response.status_code == 403
+        else:
+            assert response.status_code == 200
+
+        access.refresh_from_db()
+        updated_values = serializers.TeamAccessSerializer(instance=access).data
+        assert updated_values == old_values
+
+
+def test_api_team_accesses_update_owner_except_owner():
+    """
+    A user who is an owner in a team should be allowed to update
+    a user access for this team except for existing "owner" accesses.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    factories.UserFactory()
+    access = factories.TeamAccessFactory(
+        team=team,
+        role=random.choice(["administrator", "member"]),
+    )
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        new_data = {**old_values, field: value}
+        response = client.put(
+            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+            data=new_data,
+            format="json",
+        )
+
+        if (
+            new_data["role"] == old_values["role"]
+        ):  # we are not really updating the role
+            assert response.status_code == 403
+        else:
+            assert response.status_code == 200
+
+        access.refresh_from_db()
+        updated_values = serializers.TeamAccessSerializer(instance=access).data
+
+        if field == "role":
+            assert updated_values == {**old_values, "role": new_values["role"]}
+        else:
+            assert updated_values == old_values
+
+
+def test_api_team_accesses_update_owner_for_owners():
+    """
+    A user who is "owner" of a team should not be allowed to update
+    an existing owner access for this team.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    access = factories.TeamAccessFactory(team=team, role="owner")
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    client = APIClient()
+    client.force_login(user)
+    for field, value in new_values.items():
+        response = client.put(
+            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+            data={**old_values, field: value},
+            content_type="application/json",
+        )
+        assert response.status_code == 403
+        access.refresh_from_db()
+        updated_values = serializers.TeamAccessSerializer(instance=access).data
+        assert updated_values == old_values
+
+
+def test_api_team_accesses_update_owner_self():
+    """
+    A user who is owner of a team should be allowed to update
+    their own user access provided there are other owners in the team.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    team = factories.TeamFactory()
+    access = factories.TeamAccessFactory(team=team, user=user, role="owner")
+    old_values = serializers.TeamAccessSerializer(instance=access).data
+    new_role = random.choice(["administrator", "member"])
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+        data={**old_values, "role": new_role},
+        format="json",
+    )
+
+    assert response.status_code == 403
+    access.refresh_from_db()
+    assert access.role == "owner"
+
+    # Add another owner and it should now work
+    factories.TeamAccessFactory(team=team, role="owner")
+
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
+        data={**old_values, "role": new_role},
+        format="json",
+    )
+
+    assert response.status_code == 200
+    access.refresh_from_db()
+    assert access.role == new_role

src/backend/core/tests/teams/test_core_api_teams_create.py

@@ -0,0 +1,126 @@
+"""
+Tests for Teams API endpoint in People's core app: create
+"""
+
+import pytest
+from rest_framework.status import (
+    HTTP_201_CREATED,
+    HTTP_400_BAD_REQUEST,
+    HTTP_401_UNAUTHORIZED,
+)
+from rest_framework.test import APIClient
+
+from core.factories import IdentityFactory, TeamFactory
+from core.models import Team
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_teams_create_anonymous():
+    """Anonymous users should not be allowed to create teams."""
+    response = APIClient().post(
+        "/api/v1.0/teams/",
+        {
+            "name": "my team",
+        },
+    )
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert not Team.objects.exists()
+
+
+def test_api_teams_create_authenticated():
+    """
+    Authenticated users should be able to create teams and should automatically be declared
+    as the owner of the newly created team.
+    """
+    identity = IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.post(
+        "/api/v1.0/teams/",
+        {
+            "name": "my team",
+        },
+        format="json",
+    )
+
+    assert response.status_code == HTTP_201_CREATED
+    team = Team.objects.get()
+    assert team.name == "my team"
+    assert team.accesses.filter(role="owner", user=user).exists()
+
+
+def test_api_teams_create_authenticated_slugify_name():
+    """
+    Creating teams should automatically generate a slug.
+    """
+    identity = IdentityFactory()
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.post(
+        "/api/v1.0/teams/",
+        {"name": "my team"},
+    )
+
+    assert response.status_code == HTTP_201_CREATED
+    team = Team.objects.get()
+    assert team.name == "my team"
+    assert team.slug == "my-team"
+
+
+@pytest.mark.parametrize(
+    "param",
+    [
+        ("my team", "my-team"),
+        ("my     team", "my-team"),
+        ("MY TEAM TOO", "my-team-too"),
+        ("mon équipe", "mon-equipe"),
+        ("front devs & UX", "front-devs-ux"),
+    ],
+)
+def test_api_teams_create_authenticated_expected_slug(param):
+    """
+    Creating teams should automatically create unaccented, no unicode, lower-case slug.
+    """
+    identity = IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.post(
+        "/api/v1.0/teams/",
+        {
+            "name": param[0],
+        },
+    )
+
+    assert response.status_code == HTTP_201_CREATED
+    team = Team.objects.get()
+    assert team.name == param[0]
+    assert team.slug == param[1]
+
+
+def test_api_teams_create_authenticated_unique_slugs():
+    """
+    Creating teams should raise an error if already existing slug.
+    """
+    TeamFactory(name="existing team")
+    identity = IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.post(
+        "/api/v1.0/teams/",
+        {
+            "name": "èxisting team",
+        },
+    )
+
+    assert response.status_code == HTTP_400_BAD_REQUEST
+    assert response.json()["slug"] == ["Team with this Slug already exists."]

src/backend/core/tests/teams/test_core_api_teams_delete.py

@@ -0,0 +1,118 @@
+"""
+Tests for Teams API endpoint in People's core app: delete
+"""
+
+import pytest
+from rest_framework.status import (
+    HTTP_204_NO_CONTENT,
+    HTTP_401_UNAUTHORIZED,
+    HTTP_403_FORBIDDEN,
+    HTTP_404_NOT_FOUND,
+)
+from rest_framework.test import APIClient
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_teams_delete_anonymous():
+    """Anonymous users should not be allowed to destroy a team."""
+    team = factories.TeamFactory()
+
+    response = APIClient().delete(
+        f"/api/v1.0/teams/{team.id!s}/",
+    )
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert models.Team.objects.count() == 1
+
+
+def test_api_teams_delete_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to delete a team to which they are not
+    related.
+    """
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    team = factories.TeamFactory()
+
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id!s}/",
+    )
+
+    assert response.status_code == HTTP_404_NOT_FOUND
+    assert response.json() == {"detail": "No Team matches the given query."}
+    assert models.Team.objects.count() == 1
+
+
+def test_api_teams_delete_authenticated_member():
+    """
+    Authenticated users should not be allowed to delete a team for which they are
+    only a member.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory(users=[(user, "member")])
+
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id}/",
+    )
+
+    assert response.status_code == HTTP_403_FORBIDDEN
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+    assert models.Team.objects.count() == 1
+
+
+def test_api_teams_delete_authenticated_administrator():
+    """
+    Authenticated users should not be allowed to delete a team for which they are
+    administrator.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id}/",
+    )
+
+    assert response.status_code == HTTP_403_FORBIDDEN
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+    assert models.Team.objects.count() == 1
+
+
+def test_api_teams_delete_authenticated_owner():
+    """
+    Authenticated users should be able to delete a team for which they are directly
+    owner.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id}/",
+    )
+
+    assert response.status_code == HTTP_204_NO_CONTENT
+    assert models.Team.objects.exists() is False

src/backend/core/tests/teams/test_core_api_teams_list.py

@@ -0,0 +1,183 @@
+"""
+Tests for Teams API endpoint in People's core app: list
+"""
+
+from unittest import mock
+
+import pytest
+from rest_framework.pagination import PageNumberPagination
+from rest_framework.status import HTTP_200_OK, HTTP_401_UNAUTHORIZED
+from rest_framework.test import APIClient
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_teams_list_anonymous():
+    """Anonymous users should not be allowed to list teams."""
+    factories.TeamFactory.create_batch(2)
+
+    response = APIClient().get("/api/v1.0/teams/")
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_teams_list_authenticated():
+    """
+    Authenticated users should be able to list teams
+    they are an owner/administrator/member of.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    expected_ids = {
+        str(access.team.id)
+        for access in factories.TeamAccessFactory.create_batch(5, user=user)
+    }
+    factories.TeamFactory.create_batch(2)  # Other teams
+
+    response = client.get(
+        "/api/v1.0/teams/",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    results = response.json()["results"]
+    assert len(results) == 5
+    results_id = {result["id"] for result in results}
+    assert expected_ids == results_id
+
+
+@mock.patch.object(PageNumberPagination, "get_page_size", return_value=2)
+def test_api_teams_list_pagination(
+    _mock_page_size,
+):
+    """Pagination should work as expected."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team_ids = [
+        str(access.team.id)
+        for access in factories.TeamAccessFactory.create_batch(3, user=user)
+    ]
+
+    # Get page 1
+    response = client.get(
+        "/api/v1.0/teams/",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == 3
+    assert content["next"] == "http://testserver/api/v1.0/teams/?page=2"
+    assert content["previous"] is None
+
+    assert len(content["results"]) == 2
+    for item in content["results"]:
+        team_ids.remove(item["id"])
+
+    # Get page 2
+    response = client.get(
+        "/api/v1.0/teams/?page=2",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == 3
+    assert content["next"] is None
+    assert content["previous"] == "http://testserver/api/v1.0/teams/"
+
+    assert len(content["results"]) == 1
+    team_ids.remove(content["results"][0]["id"])
+    assert team_ids == []
+
+
+def test_api_teams_list_authenticated_distinct():
+    """A team with several related users should only be listed once."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    other_user = factories.UserFactory()
+
+    team = factories.TeamFactory(users=[user, other_user])
+
+    response = client.get(
+        "/api/v1.0/teams/",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+    assert len(content["results"]) == 1
+    assert content["results"][0]["id"] == str(team.id)
+
+
+def test_api_teams_order():
+    """
+    Test that the endpoint GET teams is sorted in 'created_at' descending order by default.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team_ids = [
+        str(team.id) for team in factories.TeamFactory.create_batch(5, users=[user])
+    ]
+
+    response = client.get(
+        "/api/v1.0/teams/",
+    )
+
+    assert response.status_code == 200
+
+    response_data = response.json()
+    response_team_ids = [team["id"] for team in response_data["results"]]
+
+    team_ids.reverse()
+    assert (
+        response_team_ids == team_ids
+    ), "created_at values are not sorted from newest to oldest"
+
+
+def test_api_teams_order_param():
+    """
+    Test that the 'created_at' field is sorted in ascending order
+    when the 'ordering' query parameter is set.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team_ids = [
+        str(team.id) for team in factories.TeamFactory.create_batch(5, users=[user])
+    ]
+
+    response = client.get(
+        "/api/v1.0/teams/?ordering=created_at",
+    )
+    assert response.status_code == 200
+
+    response_data = response.json()
+
+    response_team_ids = [team["id"] for team in response_data["results"]]
+
+    assert (
+        response_team_ids == team_ids
+    ), "created_at values are not sorted from oldest to newest"

src/backend/core/tests/teams/test_core_api_teams_retrieve.py

@@ -0,0 +1,77 @@
+"""
+Tests for Teams API endpoint in People's core app: retrieve
+"""
+
+import pytest
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_teams_retrieve_anonymous():
+    """Anonymous users should not be allowed to retrieve a team."""
+    team = factories.TeamFactory()
+    response = APIClient().get(f"/api/v1.0/teams/{team.id}/")
+
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_teams_retrieve_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to retrieve a team to which they are
+    not related.
+    """
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    team = factories.TeamFactory()
+
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/",
+    )
+    assert response.status_code == status.HTTP_404_NOT_FOUND
+    assert response.json() == {"detail": "No Team matches the given query."}
+
+
+def test_api_teams_retrieve_authenticated_related():
+    """
+    Authenticated users should be allowed to retrieve a team to which they
+    are related whatever the role.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory()
+    access1 = factories.TeamAccessFactory(team=team, user=user)
+    access2 = factories.TeamAccessFactory(team=team)
+
+    response = client.get(
+        f"/api/v1.0/teams/{team.id!s}/",
+    )
+
+    assert response.status_code == status.HTTP_200_OK
+    assert sorted(response.json().pop("accesses")) == sorted(
+        [
+            str(access1.id),
+            str(access2.id),
+        ]
+    )
+    assert response.json() == {
+        "id": str(team.id),
+        "name": team.name,
+        "slug": team.slug,
+        "abilities": team.get_abilities(user),
+        "created_at": team.created_at.isoformat().replace("+00:00", "Z"),
+        "updated_at": team.updated_at.isoformat().replace("+00:00", "Z"),
+    }

src/backend/core/tests/teams/test_core_api_teams_update.py

@@ -0,0 +1,224 @@
+"""
+Tests for Teams API endpoint in People's core app: update
+"""
+
+import random
+
+import pytest
+from rest_framework.status import (
+    HTTP_200_OK,
+    HTTP_400_BAD_REQUEST,
+    HTTP_401_UNAUTHORIZED,
+    HTTP_403_FORBIDDEN,
+    HTTP_404_NOT_FOUND,
+)
+from rest_framework.test import APIClient
+
+from core import factories
+from core.api import serializers
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_teams_update_anonymous():
+    """Anonymous users should not be allowed to update a team."""
+    team = factories.TeamFactory()
+    old_team_values = serializers.TeamSerializer(instance=team).data
+
+    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
+    response = APIClient().put(
+        f"/api/v1.0/teams/{team.id!s}/",
+        new_team_values,
+        format="json",
+    )
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+    team.refresh_from_db()
+    team_values = serializers.TeamSerializer(instance=team).data
+    assert team_values == old_team_values
+
+
+def test_api_teams_update_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to update a team to which they are not related.
+    """
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    team = factories.TeamFactory()
+    old_team_values = serializers.TeamSerializer(instance=team).data
+
+    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/",
+        new_team_values,
+        format="json",
+    )
+
+    assert response.status_code == HTTP_404_NOT_FOUND
+    assert response.json() == {"detail": "No Team matches the given query."}
+
+    team.refresh_from_db()
+    team_values = serializers.TeamSerializer(instance=team).data
+    assert team_values == old_team_values
+
+
+def test_api_teams_update_authenticated_members():
+    """
+    Users who are members of a team but not administrators should
+    not be allowed to update it.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory(users=[(user, "member")])
+    old_team_values = serializers.TeamSerializer(instance=team).data
+
+    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/",
+        new_team_values,
+        format="json",
+    )
+
+    assert response.status_code == HTTP_403_FORBIDDEN
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+
+    team.refresh_from_db()
+    team_values = serializers.TeamSerializer(instance=team).data
+    assert team_values == old_team_values
+
+
+def test_api_teams_update_authenticated_administrators():
+    """Administrators of a team should be allowed to update it."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory(users=[(user, "administrator")])
+    initial_values = serializers.TeamSerializer(instance=team).data
+
+    # generate new random values
+    new_values = serializers.TeamSerializer(instance=factories.TeamFactory.build()).data
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/",
+        new_values,
+        format="json",
+    )
+    assert response.status_code == HTTP_200_OK
+
+    team.refresh_from_db()
+    final_values = serializers.TeamSerializer(instance=team).data
+    for key, value in final_values.items():
+        if key in ["id", "accesses", "created_at"]:
+            assert value == initial_values[key]
+        elif key == "updated_at":
+            assert value > initial_values[key]
+        else:
+            # name, slug and abilities successfully modified
+            assert value == new_values[key]
+
+
+def test_api_teams_update_authenticated_owners():
+    """Administrators of a team should be allowed to update it,
+    apart from read-only fields."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    team = factories.TeamFactory(users=[(user, "owner")])
+    old_team_values = serializers.TeamSerializer(instance=team).data
+
+    new_team_values = serializers.TeamSerializer(
+        instance=factories.TeamFactory.build()
+    ).data
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/",
+        new_team_values,
+        format="json",
+    )
+    assert response.status_code == HTTP_200_OK
+
+    team.refresh_from_db()
+    team_values = serializers.TeamSerializer(instance=team).data
+    for key, value in team_values.items():
+        if key in ["id", "accesses", "created_at"]:
+            assert value == old_team_values[key]
+        elif key == "updated_at":
+            assert value > old_team_values[key]
+        else:
+            # name, slug and abilities successfully modified
+            assert value == new_team_values[key]
+
+
+def test_api_teams_update_administrator_or_owner_of_another():
+    """
+    Being administrator or owner of a team should not grant authorization to update
+    another team.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    factories.TeamFactory(users=[(user, random.choice(["administrator", "owner"]))])
+    team = factories.TeamFactory(name="Old name")
+    old_team_values = serializers.TeamSerializer(instance=team).data
+
+    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
+    response = client.put(
+        f"/api/v1.0/teams/{team.id!s}/",
+        new_team_values,
+        format="json",
+    )
+
+    assert response.status_code == HTTP_404_NOT_FOUND
+    assert response.json() == {"detail": "No Team matches the given query."}
+
+    team.refresh_from_db()
+    team_values = serializers.TeamSerializer(instance=team).data
+    assert team_values == old_team_values
+
+
+def test_api_teams_update_existing_slug_should_return_error():
+    """
+    Updating a team's name to an existing slug should return a bad request,
+    instead of creating a duplicate.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    factories.TeamFactory(name="Existing team", users=[(user, "administrator")])
+    my_team = factories.TeamFactory(name="New team", users=[(user, "administrator")])
+
+    updated_values = serializers.TeamSerializer(instance=my_team).data
+    # Update my team's name for existing team. Creates a duplicate slug
+    updated_values["name"] = "existing team"
+    response = client.put(
+        f"/api/v1.0/teams/{my_team.id!s}/",
+        updated_values,
+        format="json",
+    )
+    assert response.status_code == HTTP_400_BAD_REQUEST
+    assert response.json()["slug"] == ["Team with this Slug already exists."]
+    # Both teams names and slugs should be unchanged
+    assert my_team.name == "New team"
+    assert my_team.slug == "new-team"

src/backend/core/tests/test_api_contacts.py

@@ -0,0 +1,678 @@
+"""
+Test contacts API endpoints in People's core app.
+"""
+
+from django.test.utils import override_settings
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories, models
+from core.api import serializers
+
+pytestmark = pytest.mark.django_db
+
+
+CONTACT_DATA = {
+    "emails": [
+        {"type": "Work", "value": "john.doe@work.com"},
+        {"type": "Home", "value": "john.doe@home.com"},
+    ],
+    "phones": [
+        {"type": "Work", "value": "(123) 456-7890"},
+        {"type": "Other", "value": "(987) 654-3210"},
+    ],
+    "addresses": [
+        {
+            "type": "Home",
+            "street": "123 Main St",
+            "city": "Cityville",
+            "state": "CA",
+            "zip": "12345",
+            "country": "USA",
+        }
+    ],
+    "links": [
+        {"type": "Blog", "value": "http://personalwebsite.com"},
+        {"type": "Website", "value": "http://workwebsite.com"},
+    ],
+    "customFields": {"custom_field_1": "value1", "custom_field_2": "value2"},
+    "organizations": [
+        {
+            "name": "ACME Corporation",
+            "department": "IT",
+            "jobTitle": "Software Engineer",
+        },
+        {
+            "name": "XYZ Ltd",
+            "department": "Marketing",
+            "jobTitle": "Marketing Specialist",
+        },
+    ],
+}
+
+
+def test_api_contacts_list_anonymous():
+    """Anonymous users should not be allowed to list contacts."""
+    factories.ContactFactory.create_batch(2)
+
+    response = APIClient().get("/api/v1.0/contacts/")
+
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_contacts_list_authenticated_no_query():
+    """
+    Authenticated users should be able to list contacts without applying a query.
+    Profile and base contacts should be excluded.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+    contact = factories.ContactFactory(owner=user)
+    user.profile_contact = contact
+    user.save()
+
+    # Let's have 5 contacts in database:
+    assert user.profile_contact is not None  # Excluded because profile contact
+    base_contact = factories.BaseContactFactory()  # Excluded because overriden
+    factories.ContactFactory(
+        base=base_contact
+    )  # Excluded because belongs to other user
+    contact2 = factories.ContactFactory(
+        base=base_contact, owner=user, full_name="Bernard"
+    )  # Included
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get("/api/v1.0/contacts/")
+
+    assert response.status_code == 200
+    assert response.json() == [
+        {
+            "id": str(contact2.id),
+            "base": str(base_contact.id),
+            "owner": str(contact2.owner.id),
+            "data": contact2.data,
+            "full_name": contact2.full_name,
+            "short_name": contact2.short_name,
+        },
+    ]
+
+
+def test_api_contacts_list_authenticated_by_full_name():
+    """
+    Authenticated users should be able to search users with a case insensitive and
+    partial query on the full name.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    dave = factories.BaseContactFactory(full_name="David Bowman")
+    nicole = factories.BaseContactFactory(full_name="Nicole Foole")
+    frank = factories.BaseContactFactory(full_name="Frank Poole")
+    factories.BaseContactFactory(full_name="Heywood Floyd")
+
+    # Full query should work
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get("/api/v1.0/contacts/?q=David%20Bowman")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+    # Partial query should work
+    response = client.get("/api/v1.0/contacts/?q=ank")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(frank.id)]
+
+    # Result that matches a trigram twice ranks better than result that matches once
+    response = client.get("/api/v1.0/contacts/?q=ole")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    # "Nicole Foole" matches twice on "ole"
+    assert contact_ids == [str(nicole.id), str(frank.id)]
+
+    response = client.get("/api/v1.0/contacts/?q=ool")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(nicole.id), str(frank.id)]
+
+
+def test_api_contacts_list_authenticated_uppercase_content():
+    """Upper case content should be found by lower case query."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    dave = factories.BaseContactFactory(full_name="EEE", short_name="AAA")
+
+    # Unaccented full name
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get("/api/v1.0/contacts/?q=eee")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+    # Unaccented short name
+    response = client.get("/api/v1.0/contacts/?q=aaa")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+
+def test_api_contacts_list_authenticated_capital_query():
+    """Upper case query should find lower case content."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    dave = factories.BaseContactFactory(full_name="eee", short_name="aaa")
+
+    client = APIClient()
+    client.force_login(user)
+
+    # Unaccented full name
+    response = client.get("/api/v1.0/contacts/?q=EEE")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+    # Unaccented short name
+    response = client.get("/api/v1.0/contacts/?q=AAA")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+
+def test_api_contacts_list_authenticated_accented_content():
+    """Accented content should be found by unaccented query."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    dave = factories.BaseContactFactory(full_name="ééé", short_name="ààà")
+
+    client = APIClient()
+    client.force_login(user)
+
+    # Unaccented full name
+    response = client.get("/api/v1.0/contacts/?q=eee")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+    # Unaccented short name
+    response = client.get("/api/v1.0/contacts/?q=aaa")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+
+def test_api_contacts_list_authenticated_accented_query():
+    """Accented query should find unaccented content."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    dave = factories.BaseContactFactory(full_name="eee", short_name="aaa")
+
+    client = APIClient()
+    client.force_login(user)
+
+    # Unaccented full name
+    response = client.get("/api/v1.0/contacts/?q=ééé")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+    # Unaccented short name
+    response = client.get("/api/v1.0/contacts/?q=ààà")
+
+    assert response.status_code == 200
+    contact_ids = [contact["id"] for contact in response.json()]
+    assert contact_ids == [str(dave.id)]
+
+
+def test_api_contacts_retrieve_anonymous():
+    """Anonymous users should not be allowed to retrieve a user."""
+    client = APIClient()
+    contact = factories.ContactFactory()
+    response = client.get(f"/api/v1.0/contacts/{contact.id!s}/")
+
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_contacts_retrieve_authenticated_owned():
+    """
+    Authenticated users should be allowed to retrieve a contact they own.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    contact = factories.ContactFactory(owner=user)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get(f"/api/v1.0/contacts/{contact.id!s}/")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "id": str(contact.id),
+        "base": str(contact.base.id),
+        "owner": str(contact.owner.id),
+        "data": contact.data,
+        "full_name": contact.full_name,
+        "short_name": contact.short_name,
+    }
+
+
+def test_api_contacts_retrieve_authenticated_public():
+    """
+    Authenticated users should be able to retrieve public contacts.
+    """
+    identity = factories.IdentityFactory()
+    contact = factories.BaseContactFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.get(f"/api/v1.0/contacts/{contact.id!s}/")
+    assert response.status_code == 200
+    assert response.json() == {
+        "id": str(contact.id),
+        "base": None,
+        "owner": None,
+        "data": contact.data,
+        "full_name": contact.full_name,
+        "short_name": contact.short_name,
+    }
+
+
+def test_api_contacts_retrieve_authenticated_other():
+    """
+    Authenticated users should not be allowed to retrieve another user's contacts.
+    """
+    identity = factories.IdentityFactory()
+    contact = factories.ContactFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.get(f"/api/v1.0/contacts/{contact.id!s}/")
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+
+
+def test_api_contacts_create_anonymous_forbidden():
+    """Anonymous users should not be able to create contacts via the API."""
+    response = APIClient().post(
+        "/api/v1.0/contacts/",
+        {
+            "full_name": "David",
+            "short_name": "Bowman",
+        },
+    )
+    assert response.status_code == 401
+    assert not models.Contact.objects.exists()
+
+
+def test_api_contacts_create_authenticated_missing_base():
+    """Anonymous users should be able to create users."""
+    identity = factories.IdentityFactory(user__profile_contact=None)
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.post(
+        "/api/v1.0/contacts/",
+        {
+            "full_name": "David Bowman",
+            "short_name": "Dave",
+        },
+        format="json",
+    )
+    assert response.status_code == 400
+    assert models.Contact.objects.exists() is False
+
+    assert response.json() == {"base": ["This field is required."]}
+
+
+def test_api_contacts_create_authenticated_successful():
+    """Authenticated users should be able to create contacts."""
+    identity = factories.IdentityFactory(user__profile_contact=None)
+    user = identity.user
+    base_contact = factories.BaseContactFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    # Existing override for another user should not interfere
+    factories.ContactFactory(base=base_contact)
+
+    response = client.post(
+        "/api/v1.0/contacts/",
+        {
+            "base": str(base_contact.id),
+            "full_name": "David Bowman",
+            "short_name": "Dave",
+            "data": CONTACT_DATA,
+        },
+        format="json",
+    )
+
+    assert response.status_code == 201
+    assert models.Contact.objects.count() == 3
+
+    contact = models.Contact.objects.get(owner=user)
+    assert response.json() == {
+        "id": str(contact.id),
+        "base": str(base_contact.id),
+        "data": CONTACT_DATA,
+        "full_name": "David Bowman",
+        "owner": str(user.id),
+        "short_name": "Dave",
+    }
+
+    assert contact.full_name == "David Bowman"
+    assert contact.short_name == "Dave"
+    assert contact.data == CONTACT_DATA
+    assert contact.base == base_contact
+    assert contact.owner == user
+
+
+@override_settings(ALLOW_API_USER_CREATE=True)
+def test_api_contacts_create_authenticated_existing_override():
+    """
+    Trying to create a contact for base contact that is already overriden by the user
+    should receive a 400 error.
+    """
+    identity = factories.IdentityFactory(user__profile_contact=None)
+    user = identity.user
+
+    base_contact = factories.BaseContactFactory()
+    factories.ContactFactory(base=base_contact, owner=user)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.post(
+        "/api/v1.0/contacts/",
+        {
+            "base": str(base_contact.id),
+            "full_name": "David Bowman",
+            "short_name": "Dave",
+            "data": CONTACT_DATA,
+        },
+        format="json",
+    )
+
+    assert response.status_code == 400
+    assert models.Contact.objects.count() == 2
+
+    assert response.json() == {
+        "__all__": ["Contact with this Owner and Base already exists."]
+    }
+
+
+def test_api_contacts_update_anonymous():
+    """Anonymous users should not be allowed to update a contact."""
+    contact = factories.ContactFactory()
+    old_contact_values = serializers.ContactSerializer(instance=contact).data
+
+    new_contact_values = serializers.ContactSerializer(
+        instance=factories.ContactFactory()
+    ).data
+    new_contact_values["base"] = str(factories.ContactFactory().id)
+    response = APIClient().put(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+        new_contact_values,
+        format="json",
+    )
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+    contact.refresh_from_db()
+    contact_values = serializers.ContactSerializer(instance=contact).data
+    assert contact_values == old_contact_values
+
+
+def test_api_contacts_update_authenticated_owned():
+    """
+    Authenticated users should be allowed to update their own contacts.
+    """
+    identity = factories.IdentityFactory(user__profile_contact=None)
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    contact = factories.ContactFactory(owner=user)  # Owned by the logged-in user
+    old_contact_values = serializers.ContactSerializer(instance=contact).data
+
+    new_contact_values = serializers.ContactSerializer(
+        instance=factories.ContactFactory()
+    ).data
+    new_contact_values["base"] = str(factories.ContactFactory().id)
+
+    response = client.put(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+        new_contact_values,
+        format="json",
+    )
+
+    assert response.status_code == 200
+
+    contact.refresh_from_db()
+    contact_values = serializers.ContactSerializer(instance=contact).data
+    for key, value in contact_values.items():
+        if key in ["base", "owner", "id"]:
+            assert value == old_contact_values[key]
+        else:
+            assert value == new_contact_values[key]
+
+
+def test_api_contacts_update_authenticated_profile():
+    """
+    Authenticated users should be allowed to update their profile contact.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    contact = factories.ContactFactory(owner=user)
+    user.profile_contact = contact
+    user.save()
+
+    old_contact_values = serializers.ContactSerializer(instance=contact).data
+    new_contact_values = serializers.ContactSerializer(
+        instance=factories.ContactFactory()
+    ).data
+    new_contact_values["base"] = str(factories.ContactFactory().id)
+
+    response = client.put(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+        new_contact_values,
+        format="json",
+    )
+
+    assert response.status_code == 200
+    contact.refresh_from_db()
+    contact_values = serializers.ContactSerializer(instance=contact).data
+    for key, value in contact_values.items():
+        if key in ["base", "owner", "id"]:
+            assert value == old_contact_values[key]
+        else:
+            assert value == new_contact_values[key]
+
+
+def test_api_contacts_update_authenticated_other():
+    """
+    Authenticated users should not be allowed to update contacts owned by other users.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    contact = factories.ContactFactory()  # owned by another user
+    old_contact_values = serializers.ContactSerializer(instance=contact).data
+
+    new_contact_values = serializers.ContactSerializer(
+        instance=factories.ContactFactory()
+    ).data
+    new_contact_values["base"] = str(factories.ContactFactory().id)
+
+    response = client.put(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+        new_contact_values,
+        format="json",
+    )
+
+    assert response.status_code == 403
+
+    contact.refresh_from_db()
+    contact_values = serializers.ContactSerializer(instance=contact).data
+    assert contact_values == old_contact_values
+
+
+def test_api_contacts_delete_list_anonymous():
+    """Anonymous users should not be allowed to delete a list of contacts."""
+    factories.ContactFactory.create_batch(2)
+
+    response = APIClient().delete("/api/v1.0/contacts/")
+
+    assert response.status_code == 401
+    assert models.Contact.objects.count() == 4
+
+
+def test_api_contacts_delete_list_authenticated():
+    """Authenticated users should not be allowed to delete a list of contacts."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    factories.ContactFactory.create_batch(2)
+
+    response = client.delete("/api/v1.0/contacts/")
+
+    assert response.status_code == 405
+    assert models.Contact.objects.count() == 4
+
+
+def test_api_contacts_delete_anonymous():
+    """Anonymous users should not be allowed to delete a contact."""
+    contact = factories.ContactFactory()
+
+    client = APIClient()
+    response = client.delete(f"/api/v1.0/contacts/{contact.id!s}/")
+
+    assert response.status_code == 401
+    assert models.Contact.objects.count() == 2
+
+
+def test_api_contacts_delete_authenticated_public():
+    """
+    Authenticated users should not be allowed to delete a public contact.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    contact = factories.BaseContactFactory()
+
+    response = client.delete(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+    )
+
+    assert response.status_code == 403
+    assert models.Contact.objects.count() == 1
+
+
+def test_api_contacts_delete_authenticated_owner():
+    """
+    Authenticated users should be allowed to delete a contact they own.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+    contact = factories.ContactFactory(owner=user)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.delete(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+    )
+
+    assert response.status_code == 204
+    assert models.Contact.objects.count() == 1
+    assert models.Contact.objects.filter(id=contact.id).exists() is False
+
+
+def test_api_contacts_delete_authenticated_profile():
+    """
+    Authenticated users should be allowed to delete their profile contact.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+    contact = factories.ContactFactory(owner=user, base=None)
+    user.profile_contact = contact
+    user.save()
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.delete(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+    )
+
+    assert response.status_code == 204
+    assert models.Contact.objects.exists() is False
+
+
+def test_api_contacts_delete_authenticated_other():
+    """
+    Authenticated users should not be allowed to delete a contact they don't own.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+    contact = factories.ContactFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.delete(
+        f"/api/v1.0/contacts/{contact.id!s}/",
+    )
+
+    assert response.status_code == 403
+    assert models.Contact.objects.count() == 2

src/backend/core/tests/test_api_team_invitations.py

@@ -0,0 +1,424 @@
+"""
+Unit tests for the Invitation model
+"""
+
+import time
+
+import pytest
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from core import factories
+from core.api import serializers
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_team_invitations__create__anonymous():
+    """Anonymous users should not be able to create invitations."""
+    team = factories.TeamFactory()
+    invitation_values = serializers.InvitationSerializer(
+        factories.InvitationFactory.build()
+    ).data
+
+    response = APIClient().post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        invitation_values,
+        format="json",
+    )
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_team_invitations__create__authenticated_outsider():
+    """Users outside of team should not be permitted to invite to team."""
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory()
+    invitation_values = serializers.InvitationSerializer(
+        factories.InvitationFactory.build()
+    ).data
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        invitation_values,
+        format="json",
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.parametrize(
+    "role",
+    ["owner", "administrator"],
+)
+def test_api_team_invitations__create__privileged_members(role):
+    """Owners and administrators should be able to invite new members."""
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory(users=[(identity.user, role)])
+
+    invitation_values = serializers.InvitationSerializer(
+        factories.InvitationFactory.build()
+    ).data
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        invitation_values,
+        format="json",
+    )
+    assert response.status_code == status.HTTP_201_CREATED
+
+
+def test_api_team_invitations__create__members():
+    """
+    Members should not be able to invite new members.
+    """
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory(users=[(identity.user, "member")])
+
+    invitation_values = serializers.InvitationSerializer(
+        factories.InvitationFactory.build()
+    ).data
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        invitation_values,
+        format="json",
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert response.json() == {
+        "detail": "You are not allowed to manage invitation for this team."
+    }
+
+
+def test_api_team_invitations__create__issuer_and_team_automatically_added():
+    """Team and issuer fields should auto-complete."""
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory(users=[(identity.user, "owner")])
+
+    # Generate a random invitation
+    invitation = factories.InvitationFactory.build()
+    invitation_data = {"email": invitation.email, "role": invitation.role}
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        invitation_data,
+        format="json",
+    )
+    assert response.status_code == status.HTTP_201_CREATED
+    # team and issuer automatically set
+    assert response.json()["team"] == str(team.id)
+    assert response.json()["issuer"] == str(identity.user.id)
+
+
+def test_api_team_invitations__create__cannot_duplicate_invitation():
+    """An email should not be invited multiple times to the same team."""
+    existing_invitation = factories.InvitationFactory()
+    team = existing_invitation.team
+
+    # Grant privileged role on the Team to the user
+    identity = factories.IdentityFactory()
+    factories.TeamAccessFactory(team=team, user=identity.user, role="administrator")
+
+    # Create a new invitation to the same team with the exact same email address
+    duplicated_invitation = serializers.InvitationSerializer(
+        factories.InvitationFactory.build(email=existing_invitation.email)
+    ).data
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        duplicated_invitation,
+        format="json",
+    )
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["__all__"] == [
+        "Team invitation with this Email address and Team already exists."
+    ]
+
+
+def test_api_team_invitations__create__cannot_invite_existing_users():
+    """
+    Should not be able to invite already existing users.
+    """
+    user = factories.UserFactory()
+    team = factories.TeamFactory(users=[(user, "administrator")])
+
+    existing_user = factories.IdentityFactory(is_main=True)
+
+    # Build an invitation to the email of an exising identity in the db
+    invitation_values = serializers.InvitationSerializer(
+        factories.InvitationFactory.build(email=existing_user.email, team=team)
+    ).data
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.post(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+        invitation_values,
+        format="json",
+    )
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json()["email"] == [
+        "This email is already associated to a registered user."
+    ]
+
+
+def test_api_team_invitations__list__anonymous_user():
+    """Anonymous users should not be able to list invitations."""
+    team = factories.TeamFactory()
+    response = APIClient().get(f"/api/v1.0/teams/{team.id}/invitations/")
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+def test_api_team_invitations__list__authenticated():
+    """
+    Authenticated user should be able to list invitations
+    in teams they belong to, including from other issuers.
+    """
+    identity = factories.IdentityFactory()
+    other_user = factories.UserFactory()
+
+    team = factories.TeamFactory(
+        users=[(identity.user, "administrator"), (other_user, "owner")]
+    )
+    invitation = factories.InvitationFactory(
+        team=team, role="administrator", issuer=identity.user
+    )
+    other_invitations = factories.InvitationFactory.create_batch(
+        2, team=team, role="member", issuer=other_user
+    )
+
+    # invitations from other teams should not be listed
+    other_team = factories.TeamFactory()
+    factories.InvitationFactory.create_batch(2, team=other_team, role="member")
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.get(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+    )
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json()["count"] == 3
+    assert sorted(response.json()["results"], key=lambda x: x["created_at"]) == sorted(
+        [
+            {
+                "id": str(i.id),
+                "created_at": i.created_at.isoformat().replace("+00:00", "Z"),
+                "email": str(i.email),
+                "team": str(team.id),
+                "role": i.role,
+                "issuer": str(i.issuer.id),
+                "is_expired": False,
+            }
+            for i in [invitation, *other_invitations]
+        ],
+        key=lambda x: x["created_at"],
+    )
+
+
+def test_api_team_invitations__list__expired_invitations_still_listed(settings):
+    """
+    Expired invitations are still listed.
+    """
+    identity = factories.IdentityFactory()
+    other_user = factories.UserFactory()
+
+    team = factories.TeamFactory(
+        users=[(identity.user, "administrator"), (other_user, "owner")]
+    )
+
+    # override settings to accelerate validation expiration
+    settings.INVITATION_VALIDITY_DURATION = 1  # second
+    expired_invitation = factories.InvitationFactory(
+        team=team,
+        role="member",
+        issuer=identity.user,
+    )
+    time.sleep(1)
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.get(
+        f"/api/v1.0/teams/{team.id}/invitations/",
+    )
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json()["count"] == 1
+    assert sorted(response.json()["results"], key=lambda x: x["created_at"]) == sorted(
+        [
+            {
+                "id": str(expired_invitation.id),
+                "created_at": expired_invitation.created_at.isoformat().replace(
+                    "+00:00", "Z"
+                ),
+                "email": str(expired_invitation.email),
+                "team": str(team.id),
+                "role": expired_invitation.role,
+                "issuer": str(expired_invitation.issuer.id),
+                "is_expired": True,
+            },
+        ],
+        key=lambda x: x["created_at"],
+    )
+
+
+def test_api_team_invitations__retrieve__anonymous_user():
+    """
+    Anonymous user should not be able to retrieve invitations.
+    """
+
+    invitation = factories.InvitationFactory()
+    response = APIClient().get(
+        f"/api/v1.0/teams/{invitation.team.id}/invitations/{invitation.id}/",
+    )
+
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+def test_api_team_invitations__retrieve__unrelated_user():
+    """
+    Authenticated unrelated users should not be able to retrieve invitations.
+    """
+    user = factories.IdentityFactory(user=factories.UserFactory()).user
+
+    invitation = factories.InvitationFactory()
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{invitation.team.id}/invitations/{invitation.id}/",
+    )
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+def test_api_team_invitations__retrieve__team_member():
+    """
+    Authenticated team members should be able to retrieve invitations
+    whatever their role in the team.
+    """
+    user = factories.IdentityFactory(user=factories.UserFactory()).user
+
+    invitation = factories.InvitationFactory()
+    factories.TeamAccessFactory(team=invitation.team, user=user, role="member")
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/teams/{invitation.team.id}/invitations/{invitation.id}/",
+    )
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json() == {
+        "id": str(invitation.id),
+        "created_at": invitation.created_at.isoformat().replace("+00:00", "Z"),
+        "email": invitation.email,
+        "team": str(invitation.team.id),
+        "role": str(invitation.role),
+        "issuer": str(invitation.issuer.id),
+        "is_expired": False,
+    }
+
+
+@pytest.mark.parametrize(
+    "method",
+    ["put", "patch"],
+)
+def test_api_team_invitations__update__forbidden(method):
+    """
+    Update of invitations is currently forbidden.
+    """
+    user = factories.IdentityFactory(user=factories.UserFactory()).user
+
+    invitation = factories.InvitationFactory()
+    factories.TeamAccessFactory(team=invitation.team, user=user, role="owner")
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = None
+    if method == "put":
+        response = client.put(
+            f"/api/v1.0/teams/{invitation.team.id}/invitations/{invitation.id}/",
+        )
+    if method == "patch":
+        response = client.patch(
+            f"/api/v1.0/teams/{invitation.team.id}/invitations/{invitation.id}/",
+        )
+    assert response is not None
+    assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
+    assert response.json()["detail"] == f'Method "{method.upper()}" not allowed.'
+
+
+def test_api_team_invitations__delete__anonymous():
+    """Anonymous user should not be able to delete invitations."""
+    invitation = factories.InvitationFactory()
+
+    response = APIClient().delete(
+        f"/api/v1.0/teams/{invitation.team.id}/invitations/{invitation.id}/",
+    )
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+def test_api_team_invitations__delete__authenticated_outsider():
+    """Members outside of team should not cancel invitations."""
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory()
+    invitation = factories.InvitationFactory(team=team)
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id}/invitations/{invitation.id}/",
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.parametrize("role", ["owner", "administrator"])
+def test_api_team_invitations__delete__privileged_members(role):
+    """Privileged member should be able to cancel invitation."""
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory(users=[(identity.user, role)])
+    invitation = factories.InvitationFactory(team=team)
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id}/invitations/{invitation.id}/",
+    )
+    assert response.status_code == status.HTTP_204_NO_CONTENT
+
+
+def test_api_team_invitations__delete__members():
+    """Member should not be able to cancel invitation."""
+    identity = factories.IdentityFactory()
+
+    team = factories.TeamFactory(users=[(identity.user, "member")])
+    invitation = factories.InvitationFactory(team=team)
+
+    client = APIClient()
+    client.force_login(identity.user)
+    response = client.delete(
+        f"/api/v1.0/teams/{team.id}/invitations/{invitation.id}/",
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert (
+        response.json()["detail"]
+        == "You do not have permission to perform this action."
+    )

src/backend/core/tests/test_api_users.py

@@ -0,0 +1,911 @@
+"""
+Test users API endpoints in the People core app.
+"""
+
+from unittest import mock
+
+import pytest
+from rest_framework.status import (
+    HTTP_200_OK,
+    HTTP_401_UNAUTHORIZED,
+    HTTP_403_FORBIDDEN,
+    HTTP_405_METHOD_NOT_ALLOWED,
+)
+from rest_framework.test import APIClient
+
+from core import factories, models
+from core.api import serializers
+from core.api.viewsets import Pagination
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_users_list_anonymous():
+    """Anonymous users should not be allowed to list users."""
+    factories.UserFactory()
+    client = APIClient()
+    response = client.get("/api/v1.0/users/")
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert "Authentication credentials were not provided." in response.content.decode(
+        "utf-8"
+    )
+
+
+def test_api_users_list_authenticated():
+    """
+    Authenticated users should be able to list all users.
+    """
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    factories.UserFactory.create_batch(2)
+    response = client.get(
+        "/api/v1.0/users/",
+    )
+    assert response.status_code == HTTP_200_OK
+    assert len(response.json()["results"]) == 3
+
+
+def test_api_users_authenticated_list_by_email():
+    """
+    Authenticated users should be able to search users with a case-insensitive and
+    partial query on the email.
+    """
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="john doe")
+
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.IdentityFactory(
+        email="david.bowman@work.com", name=None, is_main=True
+    )
+    nicole = factories.IdentityFactory(
+        email="nicole_foole@work.com", name=None, is_main=True
+    )
+    frank = factories.IdentityFactory(
+        email="frank_poole@work.com", name=None, is_main=True
+    )
+    factories.IdentityFactory(email="heywood_floyd@work.com", name=None, is_main=True)
+
+    # Full query should work
+    response = client.get(
+        "/api/v1.0/users/?q=david.bowman@work.com",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids[0] == str(dave.user.id)
+
+    # Partial query should work
+    response = client.get("/api/v1.0/users/?q=fran")
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids[0] == str(frank.user.id)
+
+    # Result that matches a trigram twice ranks better than result that matches once
+    response = client.get("/api/v1.0/users/?q=ole")
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    # "Nicole Foole" matches twice on "ole"
+    assert user_ids == [str(nicole.user.id), str(frank.user.id)]
+
+    # Even with a low similarity threshold, query should match expected emails
+    response = client.get("/api/v1.0/users/?q=ool")
+
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["results"] == [
+        {
+            "id": str(nicole.user.id),
+            "email": nicole.email,
+            "name": nicole.name,
+            "is_device": nicole.user.is_device,
+            "is_staff": nicole.user.is_staff,
+            "language": nicole.user.language,
+            "timezone": str(nicole.user.timezone),
+        },
+        {
+            "id": str(frank.user.id),
+            "email": frank.email,
+            "name": frank.name,
+            "is_device": frank.user.is_device,
+            "is_staff": frank.user.is_staff,
+            "language": frank.user.language,
+            "timezone": str(frank.user.timezone),
+        },
+    ]
+
+
+def test_api_users_authenticated_list_by_name():
+    """
+    Authenticated users should be able to search users with a case-insensitive and
+    partial query on the name.
+    """
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="john doe")
+
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.IdentityFactory(name="dave bowman", email=None, is_main=True)
+    nicole = factories.IdentityFactory(name="nicole foole", email=None, is_main=True)
+    frank = factories.IdentityFactory(name="frank poole", email=None, is_main=True)
+    factories.IdentityFactory(name="heywood floyd", email=None, is_main=True)
+
+    # Full query should work
+    response = client.get(
+        "/api/v1.0/users/?q=david.bowman@work.com",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids[0] == str(dave.user.id)
+
+    # Partial query should work
+    response = client.get("/api/v1.0/users/?q=fran")
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids[0] == str(frank.user.id)
+
+    # Result that matches a trigram twice ranks better than result that matches once
+    response = client.get("/api/v1.0/users/?q=ole")
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    # "Nicole Foole" matches twice on "ole"
+    assert user_ids == [str(nicole.user.id), str(frank.user.id)]
+
+    # Even with a low similarity threshold, query should match expected user
+    response = client.get("/api/v1.0/users/?q=ool")
+
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["results"] == [
+        {
+            "id": str(nicole.user.id),
+            "email": nicole.email,
+            "name": nicole.name,
+            "is_device": nicole.user.is_device,
+            "is_staff": nicole.user.is_staff,
+            "language": nicole.user.language,
+            "timezone": str(nicole.user.timezone),
+        },
+        {
+            "id": str(frank.user.id),
+            "email": frank.email,
+            "name": frank.name,
+            "is_device": frank.user.is_device,
+            "is_staff": frank.user.is_staff,
+            "language": frank.user.language,
+            "timezone": str(frank.user.timezone),
+        },
+    ]
+
+
+def test_api_users_authenticated_list_by_name_and_email():
+    """
+    Authenticated users should be able to search users with a case-insensitive and
+    partial query on the name and email.
+    """
+
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="john doe")
+
+    client = APIClient()
+    client.force_login(user)
+
+    nicole = factories.IdentityFactory(
+        email="nicole_foole@work.com", name="nicole foole", is_main=True
+    )
+    frank = factories.IdentityFactory(
+        email="oleg_poole@work.com", name=None, is_main=True
+    )
+    david = factories.IdentityFactory(email=None, name="david role", is_main=True)
+
+    # Result that matches a trigram in name and email ranks better than result that matches once
+    response = client.get("/api/v1.0/users/?q=ole")
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+
+    # "Nicole Foole" matches twice on "ole" in her name and twice on "ole" in her email
+    # "Oleg poole" matches twice on "ole" in her email
+    # "David role" matches once on "ole" in his name
+    assert user_ids == [str(nicole.user.id), str(frank.user.id), str(david.user.id)]
+
+
+def test_api_users_authenticated_list_exclude_users_already_in_team(
+    django_assert_num_queries,
+):
+    """
+    Authenticated users should be able to search users
+    but the result should exclude all users already in the given team.
+    """
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.email, name="john doe")
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.IdentityFactory(name="dave bowman", email=None, is_main=True)
+    nicole = factories.IdentityFactory(name="nicole foole", email=None, is_main=True)
+    frank = factories.IdentityFactory(name="frank poole", email=None, is_main=True)
+    mary = factories.IdentityFactory(name="mary poole", email=None, is_main=True)
+    factories.IdentityFactory(name="heywood floyd", email=None, is_main=True)
+    factories.IdentityFactory(name="Andrei Smyslov", email=None, is_main=True)
+    factories.TeamFactory.create_batch(10)
+
+    # Add Dave and Frank in the same team
+    team = factories.TeamFactory(
+        users=[
+            (dave.user, models.RoleChoices.MEMBER),
+            (frank.user, models.RoleChoices.MEMBER),
+        ]
+    )
+    factories.TeamFactory(users=[(nicole.user, models.RoleChoices.MEMBER)])
+
+    # Search user to add him/her to a team, we give a team id to the request
+    # to exclude all users already in the team
+
+    # We can't find David Bowman because he is already a member of the given team
+    # 2 queries are needed here:
+    # - user authenticated
+    # - search user query
+    with django_assert_num_queries(2):
+        response = client.get(
+            f"/api/v1.0/users/?q=bowman&team_id={team.id}",
+        )
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["results"] == []
+
+    # We can only find Nicole and Mary because Frank is already a member of the given team
+    # 4 queries are needed here:
+    # - user authenticated
+    # - search user query
+    # - User
+    # - Identity
+    with django_assert_num_queries(4):
+        response = client.get(
+            f"/api/v1.0/users/?q=ool&team_id={team.id}",
+        )
+    assert response.status_code == HTTP_200_OK
+    user_ids = sorted([user["id"] for user in response.json()["results"]])
+    assert user_ids == sorted([str(mary.user.id), str(nicole.user.id)])
+
+
+def test_api_users_authenticated_list_multiple_identities_single_user():
+    """
+    User with multiple identities should appear only once in results.
+    """
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="eva karl")
+
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.UserFactory()
+    factories.IdentityFactory(
+        user=dave, email="dave.bowman@work.com", name="dave bowman"
+    )
+    factories.IdentityFactory(user=dave, email="dave.bowman@fun.fr", name="dave bowman")
+
+    # Full query should work
+    response = client.get(
+        "/api/v1.0/users/?q=david.bowman@work.com",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    # A single user is returned, despite similarity matching both emails
+    assert response.json()["count"] == 1
+    assert response.json()["results"][0]["id"] == str(dave.id)
+
+
+def test_api_users_authenticated_list_multiple_identities_multiple_users():
+    """
+    User with multiple identities should be ranked
+    on their best matching identity.
+    """
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="john doe")
+
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.UserFactory()
+    dave_identity = factories.IdentityFactory(
+        user=dave, email="dave.bowman@work.com", is_main=True, name="dave bowman"
+    )
+    factories.IdentityFactory(user=dave, email="babibou@ehehe.com", name="babihou")
+    davina_identity = factories.IdentityFactory(
+        user=factories.UserFactory(), email="davina.bowan@work.com", name="davina"
+    )
+    prue_identity = factories.IdentityFactory(
+        user=factories.UserFactory(),
+        email="prudence.crandall@work.com",
+        name="prudence",
+    )
+
+    # Full query should work
+    response = client.get(
+        "/api/v1.0/users/?q=david.bowman@work.com",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    assert response.json()["count"] == 3
+    assert response.json()["results"] == [
+        {
+            "id": str(dave.id),
+            "email": dave_identity.email,
+            "name": dave_identity.name,
+            "is_device": dave_identity.user.is_device,
+            "is_staff": dave_identity.user.is_staff,
+            "language": dave_identity.user.language,
+            "timezone": str(dave_identity.user.timezone),
+        },
+        {
+            "id": str(davina_identity.user.id),
+            "email": davina_identity.email,
+            "name": davina_identity.name,
+            "is_device": davina_identity.user.is_device,
+            "is_staff": davina_identity.user.is_staff,
+            "language": davina_identity.user.language,
+            "timezone": str(davina_identity.user.timezone),
+        },
+        {
+            "id": str(prue_identity.user.id),
+            "email": prue_identity.email,
+            "name": prue_identity.name,
+            "is_device": prue_identity.user.is_device,
+            "is_staff": prue_identity.user.is_staff,
+            "language": prue_identity.user.language,
+            "timezone": str(prue_identity.user.timezone),
+        },
+    ]
+
+
+def test_api_users_authenticated_list_uppercase_content():
+    """Upper case content should be found by lower case query."""
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="eva karl")
+
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.IdentityFactory(
+        email="DAVID.BOWMAN@INTENSEWORK.COM", name="DAVID BOWMAN"
+    )
+
+    # Unaccented full address
+    response = client.get(
+        "/api/v1.0/users/?q=david.bowman@intensework.com",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids == [str(dave.user.id)]
+
+    # Partial query
+    response = client.get(
+        "/api/v1.0/users/?q=david",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids == [str(dave.user.id)]
+
+
+def test_api_users_list_authenticated_capital_query():
+    """Upper case query should find lower case content."""
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="eva karl")
+
+    client = APIClient()
+    client.force_login(user)
+
+    dave = factories.IdentityFactory(email="david.bowman@work.com", name="david bowman")
+
+    # Full uppercase query
+    response = client.get(
+        "/api/v1.0/users/?q=DAVID.BOWMAN@WORK.COM",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids == [str(dave.user.id)]
+
+    # Partial uppercase email
+    response = client.get(
+        "/api/v1.0/users/?q=DAVID",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids == [str(dave.user.id)]
+
+
+def test_api_contacts_list_authenticated_accented_query():
+    """Accented content should be found by unaccented query."""
+    user = factories.UserFactory(admin_email="tester@ministry.fr")
+    factories.IdentityFactory(user=user, email=user.admin_email, name="john doe")
+
+    client = APIClient()
+    client.force_login(user)
+
+    helene = factories.IdentityFactory(
+        email="helene.bowman@work.com", name="helene bowman"
+    )
+
+    # Accented full query
+    response = client.get(
+        "/api/v1.0/users/?q=hélène.bowman@work.com",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids == [str(helene.user.id)]
+
+    # Unaccented partial email
+    response = client.get(
+        "/api/v1.0/users/?q=hélène",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user_ids = [user["id"] for user in response.json()["results"]]
+    assert user_ids == [str(helene.user.id)]
+
+
+@mock.patch.object(Pagination, "get_page_size", return_value=3)
+def test_api_users_list_pagination(
+    _mock_page_size,
+):
+    """Pagination should work as expected."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    factories.UserFactory.create_batch(4)
+
+    # Get page 1
+    response = client.get(
+        "/api/v1.0/users/",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == 5
+    assert len(content["results"]) == 3
+    assert content["next"] == "http://testserver/api/v1.0/users/?page=2"
+    assert content["previous"] is None
+
+    # Get page 2
+    response = client.get(
+        "/api/v1.0/users/?page=2",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == 5
+    assert content["next"] is None
+    assert content["previous"] == "http://testserver/api/v1.0/users/"
+
+    assert len(content["results"]) == 2
+
+
+@pytest.mark.parametrize("page_size", [1, 10, 99, 100])
+def test_api_users_list_pagination_page_size(
+    page_size,
+):
+    """Page's size on pagination should work as expected."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    for i in range(page_size):
+        factories.UserFactory.create(admin_email=f"user-{i}@people.com")
+
+    response = client.get(
+        f"/api/v1.0/users/?page_size={page_size}",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == page_size + 1
+    assert len(content["results"]) == page_size
+
+
+@pytest.mark.parametrize("page_size", [101, 200])
+def test_api_users_list_pagination_wrong_page_size(
+    page_size,
+):
+    """Page's size on pagination should be limited to "max_page_size"."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    for i in range(page_size):
+        factories.UserFactory.create(admin_email=f"user-{i}@people.com")
+
+    response = client.get(
+        f"/api/v1.0/users/?page_size={page_size}",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == page_size + 1
+
+    # Length should not exceed "max_page_size" default value
+    assert len(content["results"]) == 100
+
+
+def test_api_users_retrieve_me_anonymous():
+    """Anonymous users should not be allowed to list users."""
+    factories.UserFactory.create_batch(2)
+    client = APIClient()
+    response = client.get("/api/v1.0/users/me/")
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_users_retrieve_me_authenticated():
+    """Authenticated users should be able to retrieve their own user via the "/users/me" path."""
+    identity = factories.IdentityFactory(is_main=True)
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    # Define profile contact
+    contact = factories.ContactFactory(owner=user)
+    user.profile_contact = contact
+    user.save()
+
+    factories.UserFactory.create_batch(2)
+    response = client.get(
+        "/api/v1.0/users/me/",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    assert response.json() == {
+        "id": str(user.id),
+        "name": str(identity.name),
+        "email": str(identity.email),
+        "language": user.language,
+        "timezone": str(user.timezone),
+        "is_device": False,
+        "is_staff": False,
+    }
+
+
+def test_api_users_retrieve_anonymous():
+    """Anonymous users should not be allowed to retrieve a user."""
+    client = APIClient()
+    user = factories.UserFactory()
+    response = client.get(f"/api/v1.0/users/{user.id!s}/")
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_users_retrieve_authenticated_self():
+    """
+    Authenticated users should be allowed to retrieve their own user.
+    The returned object should not contain the password.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get(
+        f"/api/v1.0/users/{user.id!s}/",
+    )
+    assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
+    assert response.json() == {"detail": 'Method "GET" not allowed.'}
+
+
+def test_api_users_retrieve_authenticated_other():
+    """
+    Authenticated users should be able to retrieve another user's detail view with
+    limited information.
+    """
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    other_user = factories.UserFactory()
+
+    response = client.get(
+        f"/api/v1.0/users/{other_user.id!s}/",
+    )
+    assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
+    assert response.json() == {"detail": 'Method "GET" not allowed.'}
+
+
+def test_api_users_create_anonymous():
+    """Anonymous users should not be able to create users via the API."""
+    response = APIClient().post(
+        "/api/v1.0/users/",
+        {
+            "language": "fr-fr",
+            "password": "mypassword",
+        },
+    )
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert "Authentication credentials were not provided." in response.content.decode(
+        "utf-8"
+    )
+    assert models.User.objects.exists() is False
+
+
+def test_api_users_create_authenticated():
+    """Authenticated users should not be able to create users via the API."""
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.post(
+        "/api/v1.0/users/",
+        {
+            "language": "fr-fr",
+            "password": "mypassword",
+        },
+        format="json",
+    )
+    assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
+    assert response.json() == {"detail": 'Method "POST" not allowed.'}
+    assert models.User.objects.exclude(id=user.id).exists() is False
+
+
+def test_api_users_update_anonymous():
+    """Anonymous users should not be able to update users via the API."""
+    user = factories.UserFactory()
+
+    old_user_values = dict(serializers.UserSerializer(instance=user).data)
+    new_user_values = serializers.UserSerializer(instance=factories.UserFactory()).data
+
+    response = APIClient().put(
+        f"/api/v1.0/users/{user.id!s}/",
+        new_user_values,
+        format="json",
+    )
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+    user.refresh_from_db()
+    user_values = dict(serializers.UserSerializer(instance=user).data)
+    for key, value in user_values.items():
+        assert value == old_user_values[key]
+
+
+def test_api_users_update_authenticated_self():
+    """
+    Authenticated users should be able to update their own user but only "language"
+    and "timezone" fields.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    old_user_values = dict(serializers.UserSerializer(instance=user).data)
+    new_user_values = dict(
+        serializers.UserSerializer(instance=factories.UserFactory()).data
+    )
+
+    response = client.put(
+        f"/api/v1.0/users/{user.id!s}/",
+        new_user_values,
+        format="json",
+    )
+
+    assert response.status_code == HTTP_200_OK
+    user.refresh_from_db()
+    user_values = dict(serializers.UserSerializer(instance=user).data)
+    for key, value in user_values.items():
+        if key in ["language", "timezone"]:
+            assert value == new_user_values[key]
+        else:
+            assert value == old_user_values[key]
+
+
+def test_api_users_update_authenticated_other():
+    """Authenticated users should not be allowed to update other users."""
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    user = factories.UserFactory()
+    old_user_values = dict(serializers.UserSerializer(instance=user).data)
+    new_user_values = serializers.UserSerializer(instance=factories.UserFactory()).data
+
+    response = client.put(
+        f"/api/v1.0/users/{user.id!s}/",
+        new_user_values,
+        format="json",
+    )
+
+    assert response.status_code == HTTP_403_FORBIDDEN
+    user.refresh_from_db()
+    user_values = dict(serializers.UserSerializer(instance=user).data)
+    for key, value in user_values.items():
+        assert value == old_user_values[key]
+
+
+def test_api_users_patch_anonymous():
+    """Anonymous users should not be able to patch users via the API."""
+    user = factories.UserFactory()
+
+    old_user_values = dict(serializers.UserSerializer(instance=user).data)
+    new_user_values = dict(
+        serializers.UserSerializer(instance=factories.UserFactory()).data
+    )
+
+    for key, new_value in new_user_values.items():
+        response = APIClient().patch(
+            f"/api/v1.0/users/{user.id!s}/",
+            {key: new_value},
+            format="json",
+        )
+        assert response.status_code == HTTP_401_UNAUTHORIZED
+        assert response.json() == {
+            "detail": "Authentication credentials were not provided."
+        }
+
+    user.refresh_from_db()
+    user_values = dict(serializers.UserSerializer(instance=user).data)
+    for key, value in user_values.items():
+        assert value == old_user_values[key]
+
+
+def test_api_users_patch_authenticated_self():
+    """
+    Authenticated users should be able to patch their own user but only "language"
+    and "timezone" fields.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+
+    old_user_values = dict(serializers.UserSerializer(instance=user).data)
+    new_user_values = dict(
+        serializers.UserSerializer(instance=factories.UserFactory()).data
+    )
+
+    for key, new_value in new_user_values.items():
+        response = client.patch(
+            f"/api/v1.0/users/{user.id!s}/",
+            {key: new_value},
+            format="json",
+        )
+        assert response.status_code == HTTP_200_OK
+
+    user.refresh_from_db()
+    user_values = dict(serializers.UserSerializer(instance=user).data)
+    for key, value in user_values.items():
+        if key in ["language", "timezone"]:
+            assert value == new_user_values[key]
+        else:
+            assert value == old_user_values[key]
+
+
+def test_api_users_patch_authenticated_other():
+    """Authenticated users should not be allowed to patch other users."""
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    user = factories.UserFactory()
+    old_user_values = dict(serializers.UserSerializer(instance=user).data)
+    new_user_values = dict(
+        serializers.UserSerializer(instance=factories.UserFactory()).data
+    )
+
+    for key, new_value in new_user_values.items():
+        response = client.put(
+            f"/api/v1.0/users/{user.id!s}/",
+            {key: new_value},
+            format="json",
+        )
+        assert response.status_code == HTTP_403_FORBIDDEN
+
+    user.refresh_from_db()
+    user_values = dict(serializers.UserSerializer(instance=user).data)
+    for key, value in user_values.items():
+        assert value == old_user_values[key]
+
+
+def test_api_users_delete_list_anonymous():
+    """Anonymous users should not be allowed to delete a list of users."""
+    factories.UserFactory.create_batch(2)
+
+    client = APIClient()
+    response = client.delete("/api/v1.0/users/")
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert models.User.objects.count() == 2
+
+
+def test_api_users_delete_list_authenticated():
+    """Authenticated users should not be allowed to delete a list of users."""
+    factories.UserFactory.create_batch(2)
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.delete(
+        "/api/v1.0/users/",
+    )
+
+    assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
+    assert models.User.objects.count() == 3
+
+
+def test_api_users_delete_anonymous():
+    """Anonymous users should not be allowed to delete a user."""
+    user = factories.UserFactory()
+
+    response = APIClient().delete(f"/api/v1.0/users/{user.id!s}/")
+
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert models.User.objects.count() == 1
+
+
+def test_api_users_delete_authenticated():
+    """
+    Authenticated users should not be allowed to delete a user other than themselves.
+    """
+    identity = factories.IdentityFactory()
+    other_user = factories.UserFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.delete(f"/api/v1.0/users/{other_user.id!s}/")
+
+    assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
+    assert models.User.objects.count() == 2
+
+
+def test_api_users_delete_self():
+    """Authenticated users should not be able to delete their own user."""
+    identity = factories.IdentityFactory()
+
+    client = APIClient()
+    client.force_login(identity.user)
+
+    response = client.delete(
+        f"/api/v1.0/users/{identity.user.id!s}/",
+    )
+
+    assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
+    assert models.User.objects.count() == 1

src/backend/core/tests/test_models_contacts.py

@@ -0,0 +1,164 @@
+"""
+Unit tests for the Contact model
+"""
+
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_contacts_str_full_name():
+    """The str representation should be the contact's full name."""
+    contact = factories.ContactFactory(full_name="David Bowman")
+    assert str(contact) == "David Bowman"
+
+
+def test_models_contacts_str_short_name():
+    """The str representation should be the contact's short name if full name is not set."""
+    contact = factories.ContactFactory(full_name=None, short_name="Dave")
+    assert str(contact) == "Dave"
+
+
+def test_models_contacts_base_self():
+    """A contact should not point to itself as a base contact."""
+    contact = factories.ContactFactory()
+    contact.base = contact
+
+    with pytest.raises(ValidationError) as excinfo:
+        contact.save()
+
+    error_message = (
+        "{'__all__': ['A contact cannot point to a base contact that itself points to a "
+        "base contact.', 'A contact cannot be based on itself.']}"
+    )
+    assert str(excinfo.value) == error_message
+
+
+def test_models_contacts_base_to_base():
+    """A contact should not point to a base contact that is itself derived from a base contact."""
+    contact = factories.ContactFactory()
+
+    with pytest.raises(ValidationError) as excinfo:
+        factories.ContactFactory(base=contact)
+
+    error_message = (
+        "{'__all__': ['A contact cannot point to a base contact that itself points to a "
+        "base contact.']}"
+    )
+    assert str(excinfo.value) == error_message
+
+
+def test_models_contacts_owner_base_unique():
+    """There should be only one contact deriving from a given base contact for a given owner."""
+    contact = factories.ContactFactory()
+
+    with pytest.raises(ValidationError) as excinfo:
+        factories.ContactFactory(base=contact.base, owner=contact.owner)
+
+    assert (
+        str(excinfo.value)
+        == "{'__all__': ['Contact with this Owner and Base already exists.']}"
+    )
+
+
+def test_models_contacts_base_not_owned():
+    """A contact cannot have a base and not be owned."""
+    with pytest.raises(ValidationError) as excinfo:
+        factories.ContactFactory(owner=None)
+
+    assert (
+        str(excinfo.value)
+        == "{'__all__': ['A contact overriding a base contact must be owned.']}"
+    )
+
+
+def test_models_contacts_profile_not_owned():
+    """A contact cannot be defined as profile for a user if is not owned."""
+    base_contact = factories.ContactFactory(owner=None, base=None)
+
+    with pytest.raises(ValidationError) as excinfo:
+        factories.UserFactory(profile_contact=base_contact)
+
+    assert (
+        str(excinfo.value)
+        == "{'__all__': ['Users can only declare as profile a contact they own.']}"
+    )
+
+
+def test_models_contacts_profile_owned_by_other():
+    """A contact cannot be defined as profile for a user if is owned by another user."""
+    contact = factories.ContactFactory()
+
+    with pytest.raises(ValidationError) as excinfo:
+        factories.UserFactory(profile_contact=contact)
+
+    assert (
+        str(excinfo.value)
+        == "{'__all__': ['Users can only declare as profile a contact they own.']}"
+    )
+
+
+def test_models_contacts_data_valid():
+    """Contact information matching the jsonschema definition should be valid"""
+    factories.ContactFactory(
+        data={
+            "emails": [
+                {"type": "Work", "value": "john.doe@work.com"},
+                {"type": "Home", "value": "john.doe@home.com"},
+            ],
+            "phones": [
+                {"type": "Work", "value": "(123) 456-7890"},
+                {"type": "Other", "value": "(987) 654-3210"},
+            ],
+            "addresses": [
+                {
+                    "type": "Home",
+                    "street": "123 Main St",
+                    "city": "Cityville",
+                    "state": "CA",
+                    "zip": "12345",
+                    "country": "USA",
+                }
+            ],
+            "links": [
+                {"type": "Blog", "value": "http://personalwebsite.com"},
+                {"type": "Website", "value": "http://workwebsite.com"},
+                {"type": "LinkedIn", "value": "https://www.linkedin.com/in/johndoe"},
+                {"type": "Facebook", "value": "https://www.facebook.com/in/johndoe"},
+            ],
+            "customFields": {"custom_field_1": "value1", "custom_field_2": "value2"},
+            "organizations": [
+                {
+                    "name": "ACME Corporation",
+                    "department": "IT",
+                    "jobTitle": "Software Engineer",
+                },
+                {
+                    "name": "XYZ Ltd",
+                    "department": "Marketing",
+                    "jobTitle": "Marketing Specialist",
+                },
+            ],
+        }
+    )
+
+
+def test_models_contacts_data_invalid():
+    """Invalid contact information should be rejected with a clear error message."""
+    with pytest.raises(ValidationError) as excinfo:
+        factories.ContactFactory(
+            data={
+                "emails": [
+                    {"type": "invalid type", "value": "john.doe@work.com"},
+                ],
+            }
+        )
+
+    assert str(excinfo.value) == (
+        "{'data': [\"Validation error in 'emails.0.type': 'invalid type' is not one of ['Work', "
+        "'Home', 'Other']\"]}"
+    )

src/backend/core/tests/test_models_identities.py

@@ -0,0 +1,183 @@
+"""
+Unit tests for the Identity model
+"""
+
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_identities_str_main():
+    """The str representation should be the email address with indication that it is main."""
+    identity = factories.IdentityFactory(email="david@example.com")
+    assert str(identity) == "david@example.com[main]"
+
+
+def test_models_identities_str_secondary():
+    """The str representation of a secondary email should be the email address."""
+    main_identity = factories.IdentityFactory()
+    secondary_identity = factories.IdentityFactory(
+        user=main_identity.user, email="david@example.com"
+    )
+    assert str(secondary_identity) == "david@example.com"
+
+
+def test_models_identities_is_main_automatic():
+    """The first identity created for a user should automatically be set as main."""
+    user = factories.UserFactory()
+    identity = models.Identity.objects.create(
+        user=user, sub="123", email="david@example.com"
+    )
+    assert identity.is_main is True
+
+
+def test_models_identities_is_main_exists():
+    """A user should always keep one and only one of its identities as main."""
+    user = factories.UserFactory()
+    main_identity, _secondary_identity = factories.IdentityFactory.create_batch(
+        2, user=user
+    )
+
+    assert main_identity.is_main is True
+
+    main_identity.is_main = False
+    with pytest.raises(
+        ValidationError, match="A user should have one and only one main identity."
+    ):
+        main_identity.save()
+
+
+def test_models_identities_is_main_switch():
+    """Setting a secondary identity as main should reset the existing main identity."""
+    user = factories.UserFactory()
+    first_identity, second_identity = factories.IdentityFactory.create_batch(
+        2, user=user
+    )
+
+    assert first_identity.is_main is True
+
+    second_identity.is_main = True
+    second_identity.save()
+
+    second_identity.refresh_from_db()
+    assert second_identity.is_main is True
+
+    first_identity.refresh_from_db()
+    assert first_identity.is_main is False
+
+
+def test_models_identities_email_not_required():
+    """The 'email' field can be blank."""
+    user = factories.UserFactory()
+    models.Identity.objects.create(user=user, sub="123", email=None)
+
+
+def test_models_identities_user_required():
+    """The 'user' field is required."""
+    with pytest.raises(models.User.DoesNotExist, match="Identity has no user."):
+        models.Identity.objects.create(user=None, email="david@example.com")
+
+
+def test_models_identities_email_unique_same_user():
+    """The 'email' field should be unique for a given user."""
+    email = factories.IdentityFactory()
+
+    with pytest.raises(
+        ValidationError,
+        match="Identity with this User and Email address already exists.",
+    ):
+        factories.IdentityFactory(user=email.user, email=email.email)
+
+
+def test_models_identities_email_unique_different_users():
+    """The 'email' field should not be unique among users."""
+    email = factories.IdentityFactory()
+    factories.IdentityFactory(email=email.email)
+
+
+def test_models_identities_email_normalization():
+    """The 'email' field should be automatically normalized upon saving."""
+    email = factories.IdentityFactory()
+    email.email = "Thomas.Jefferson@Example.com"
+    email.save()
+    assert email.email == "Thomas.Jefferson@example.com"
+
+
+def test_models_identities_ordering():
+    """Identities should be returned ordered by main status then by their email address."""
+    user = factories.UserFactory()
+    factories.IdentityFactory.create_batch(5, user=user)
+
+    emails = models.Identity.objects.all()
+
+    assert emails[0].is_main is True
+    for i in range(3):
+        assert emails[i + 1].is_main is False
+        assert emails[i + 2].email >= emails[i + 1].email
+
+
+def test_models_identities_sub_null():
+    """The 'sub' field should not be null."""
+    user = factories.UserFactory()
+    with pytest.raises(ValidationError, match="This field cannot be null."):
+        models.Identity.objects.create(user=user, sub=None)
+
+
+def test_models_identities_sub_blank():
+    """The 'sub' field should not be blank."""
+    user = factories.UserFactory()
+    with pytest.raises(ValidationError, match="This field cannot be blank."):
+        models.Identity.objects.create(user=user, email="david@example.com", sub="")
+
+
+def test_models_identities_sub_unique():
+    """The 'sub' field should be unique."""
+    user = factories.UserFactory()
+    identity = factories.IdentityFactory()
+    with pytest.raises(ValidationError, match="Identity with this Sub already exists."):
+        models.Identity.objects.create(user=user, sub=identity.sub)
+
+
+def test_models_identities_sub_max_length():
+    """The 'sub' field should be 255 characters maximum."""
+    factories.IdentityFactory(sub="a" * 255)
+    with pytest.raises(ValidationError) as excinfo:
+        factories.IdentityFactory(sub="a" * 256)
+
+    assert (
+        str(excinfo.value)
+        == "{'sub': ['Ensure this value has at most 255 characters (it has 256).']}"
+    )
+
+
+def test_models_identities_sub_special_characters():
+    """The 'sub' field should accept periods, dashes, +, @ and underscores."""
+    identity = factories.IdentityFactory(sub="dave.bowman-1+2@hal_9000")
+    assert identity.sub == "dave.bowman-1+2@hal_9000"
+
+
+def test_models_identities_sub_spaces():
+    """The 'sub' field should not accept spaces."""
+    with pytest.raises(ValidationError) as excinfo:
+        factories.IdentityFactory(sub="a b")
+
+    assert str(excinfo.value) == (
+        "{'sub': ['Enter a valid sub. This value may contain only letters, numbers, "
+        "and @/./+/-/_ characters.']}"
+    )
+
+
+def test_models_identities_sub_upper_case():
+    """The 'sub' field should accept upper case characters."""
+    identity = factories.IdentityFactory(sub="John")
+    assert identity.sub == "John"
+
+
+def test_models_identities_sub_ascii():
+    """The 'sub' field should accept non ASCII letters."""
+    identity = factories.IdentityFactory(sub="rené")
+    assert identity.sub == "rené"

src/backend/core/tests/test_models_invitations.py

@@ -0,0 +1,303 @@
+"""
+Unit tests for the Invitation model
+"""
+
+import smtplib
+import time
+import uuid
+from logging import Logger
+from unittest import mock
+
+from django.contrib.auth.models import AnonymousUser
+from django.core import exceptions, mail
+
+import pytest
+from faker import Faker
+from freezegun import freeze_time
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+fake = Faker()
+
+
+def test_models_invitations_readonly_after_create():
+    """Existing invitations should be readonly."""
+    invitation = factories.InvitationFactory()
+    with pytest.raises(exceptions.PermissionDenied):
+        invitation.save()
+
+
+def test_models_invitations_email_no_empty_mail():
+    """The "email" field should not be empty."""
+    with pytest.raises(exceptions.ValidationError, match="This field cannot be blank"):
+        factories.InvitationFactory(email="")
+
+
+def test_models_invitations_email_no_null_mail():
+    """The "email" field is required."""
+    with pytest.raises(exceptions.ValidationError, match="This field cannot be null"):
+        factories.InvitationFactory(email=None)
+
+
+def test_models_invitations_team_required():
+    """The "team" field is required."""
+    with pytest.raises(exceptions.ValidationError, match="This field cannot be null"):
+        factories.InvitationFactory(team=None)
+
+
+def test_models_invitations_team_should_be_team_instance():
+    """The "team" field should be a team instance."""
+    with pytest.raises(ValueError, match='Invitation.team" must be a "Team" instance'):
+        factories.InvitationFactory(team="ee")
+
+
+def test_models_invitations_role_required():
+    """The "role" field is required."""
+    with pytest.raises(exceptions.ValidationError, match="This field cannot be blank"):
+        factories.InvitationFactory(role="")
+
+
+def test_models_invitations_role_among_choices():
+    """The "role" field should be a valid choice."""
+    with pytest.raises(
+        exceptions.ValidationError, match="Value 'boss' is not a valid choice"
+    ):
+        factories.InvitationFactory(role="boss")
+
+
+def test_models_invitations__is_expired(settings):
+    """
+    The 'is_expired' property should return False until validity duration
+    is exceeded and True afterwards.
+    """
+    expired_invitation = factories.InvitationFactory()
+    assert expired_invitation.is_expired is False
+
+    settings.INVITATION_VALIDITY_DURATION = 1
+    time.sleep(1)
+
+    assert expired_invitation.is_expired is True
+
+
+def test_models_invitation__new_user__convert_invitations_to_accesses():
+    """
+    Upon creating a new identity, invitations linked to that email
+    should be converted to accesses and then deleted.
+    """
+    # Two invitations to the same mail but to different teams
+    invitation_to_team1 = factories.InvitationFactory()
+    invitation_to_team2 = factories.InvitationFactory(email=invitation_to_team1.email)
+
+    other_invitation = factories.InvitationFactory(
+        team=invitation_to_team2.team
+    )  # another person invited to team2
+
+    new_identity = factories.IdentityFactory(
+        is_main=True, email=invitation_to_team1.email
+    )
+
+    # The invitation regarding
+    assert models.TeamAccess.objects.filter(
+        team=invitation_to_team1.team, user=new_identity.user
+    ).exists()
+    assert models.TeamAccess.objects.filter(
+        team=invitation_to_team2.team, user=new_identity.user
+    ).exists()
+    assert not models.Invitation.objects.filter(
+        team=invitation_to_team1.team, email=invitation_to_team1.email
+    ).exists()  # invitation "consumed"
+    assert not models.Invitation.objects.filter(
+        team=invitation_to_team2.team, email=invitation_to_team2.email
+    ).exists()  # invitation "consumed"
+    assert models.Invitation.objects.filter(
+        team=invitation_to_team2.team, email=other_invitation.email
+    ).exists()  # the other invitation remains
+
+
+def test_models_invitation__new_user__filter_expired_invitations():
+    """
+    Upon creating a new identity, valid invitations should be converted into accesses
+    and expired invitations should remain unchanged.
+    """
+    with freeze_time("2020-01-01"):
+        expired_invitation = factories.InvitationFactory()
+    user_email = expired_invitation.email
+    valid_invitation = factories.InvitationFactory(email=user_email)
+
+    new_identity = factories.IdentityFactory(is_main=True, email=user_email)
+
+    # valid invitation should have granted access to the related team
+    assert models.TeamAccess.objects.filter(
+        team=valid_invitation.team, user=new_identity.user
+    ).exists()
+    assert not models.Invitation.objects.filter(
+        team=valid_invitation.team, email=user_email
+    ).exists()
+
+    # expired invitation should not have been consumed
+    assert not models.TeamAccess.objects.filter(
+        team=expired_invitation.team, user=new_identity.user
+    ).exists()
+    assert models.Invitation.objects.filter(
+        team=expired_invitation.team, email=user_email
+    ).exists()
+
+
+@pytest.mark.parametrize("num_invitations, num_queries", [(0, 8), (1, 11), (20, 11)])
+def test_models_invitation__new_user__user_creation_constant_num_queries(
+    django_assert_num_queries, num_invitations, num_queries
+):
+    """
+    The number of queries executed during user creation should not be proportional
+    to the number of invitations being processed.
+    """
+    user_email = fake.email()
+
+    if num_invitations != 0:
+        for _ in range(0, num_invitations):
+            factories.InvitationFactory(email=user_email, team=factories.TeamFactory())
+
+    user = factories.UserFactory()
+
+    # with no invitation, we skip an "if", resulting in 8 requests
+    # otherwise, we should have 11 queries with any number of invitations
+    with django_assert_num_queries(num_queries):
+        models.Identity.objects.create(
+            is_main=True,
+            email=user_email,
+            user=user,
+            name="Prudence C.",
+            sub=uuid.uuid4(),
+        )
+
+
+# get_abilities
+
+
+def test_models_team_invitations_get_abilities_anonymous():
+    """Check abilities returned for an anonymous user."""
+    access = factories.InvitationFactory()
+    abilities = access.get_abilities(AnonymousUser())
+    assert abilities == {
+        "delete": False,
+        "get": False,
+        "patch": False,
+        "put": False,
+    }
+
+
+def test_models_team_invitations_get_abilities_authenticated():
+    """Check abilities returned for an authenticated user."""
+    access = factories.InvitationFactory()
+    user = factories.UserFactory()
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": False,
+        "get": False,
+        "patch": False,
+        "put": False,
+    }
+
+
+@pytest.mark.parametrize("role", ["administrator", "owner"])
+def test_models_team_invitations_get_abilities_privileged_member(role):
+    """Check abilities for a team member with a privileged role."""
+
+    pivileged_access = factories.TeamAccessFactory(role=role)
+    team = pivileged_access.team
+
+    factories.TeamAccessFactory(team=team)  # another one
+
+    invitation = factories.InvitationFactory(team=team)
+    abilities = invitation.get_abilities(pivileged_access.user)
+
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": False,
+        "put": False,
+    }
+
+
+def test_models_team_invitations_get_abilities_member():
+    """Check abilities for a team member with 'member' role."""
+
+    member_access = factories.TeamAccessFactory(role="member")
+    team = member_access.team
+
+    factories.TeamAccessFactory(team=team)  # another one
+
+    invitation = factories.InvitationFactory(team=team)
+    abilities = invitation.get_abilities(member_access.user)
+
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+    }
+
+
+def test_models_team_invitations_email():
+    """Check email invitation during invitation creation."""
+
+    member_access = factories.TeamAccessFactory(role="member")
+    team = member_access.team
+
+    # pylint: disable-next=no-member
+    assert len(mail.outbox) == 0
+
+    factories.TeamAccessFactory(team=team)
+    invitation = factories.InvitationFactory(team=team, email="john@people.com")
+
+    # pylint: disable-next=no-member
+    assert len(mail.outbox) == 1
+
+    # pylint: disable-next=no-member
+    email = mail.outbox[0]
+
+    assert email.to == [invitation.email]
+    assert email.subject == "Invitation to join Desk!"
+
+    email_content = " ".join(email.body.split())
+    assert "Invitation to join Desk!" in email_content
+    assert "[//example.com]" in email_content
+
+
+@mock.patch(
+    "django.core.mail.send_mail",
+    side_effect=smtplib.SMTPException("Error SMTPException"),
+)
+@mock.patch.object(Logger, "error")
+def test_models_team_invitations_email_failed(mock_logger, _mock_send_mail):
+    """Check invitation behavior when an SMTP error occurs during invitation creation."""
+
+    member_access = factories.TeamAccessFactory(role="member")
+    team = member_access.team
+
+    # pylint: disable-next=no-member
+    assert len(mail.outbox) == 0
+
+    factories.TeamAccessFactory(team=team)
+
+    # No error should be raised
+    invitation = factories.InvitationFactory(team=team, email="john@people.com")
+
+    # No email has been sent
+    # pylint: disable-next=no-member
+    assert len(mail.outbox) == 0
+
+    # Logger should be called
+    mock_logger.assert_called_once()
+
+    (
+        _,
+        email,
+        exception,
+    ) = mock_logger.call_args.args
+
+    assert email == invitation.email
+    assert isinstance(exception, smtplib.SMTPException)

src/backend/core/tests/test_models_team_accesses.py

@@ -0,0 +1,357 @@
+"""
+Unit tests for the TeamAccess model
+"""
+
+import json
+import re
+
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ValidationError
+
+import pytest
+import responses
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_team_accesses_str():
+    """
+    The str representation should include user name, team full name and role.
+    """
+    contact = factories.ContactFactory(full_name="David Bowman")
+    user = contact.owner
+    user.profile_contact = contact
+    user.save()
+    access = factories.TeamAccessFactory(
+        role="member",
+        user=user,
+        team__name="admins",
+    )
+    assert str(access) == "David Bowman is member in team admins"
+
+
+def test_models_team_accesses_unique():
+    """Team accesses should be unique for a given couple of user and team."""
+    access = factories.TeamAccessFactory()
+
+    with pytest.raises(
+        ValidationError,
+        match="Team/user relation with this User and Team already exists.",
+    ):
+        factories.TeamAccessFactory(user=access.user, team=access.team)
+
+
+def test_models_team_accesses_create_webhook():
+    """
+    When the team has a webhook, creating a team access should fire a call.
+    """
+    user = factories.UserFactory()
+    team = factories.TeamFactory()
+    webhook = factories.TeamWebhookFactory(team=team)
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsp = rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        models.TeamAccess.objects.create(user=user, team=team)
+
+        assert rsp.call_count == 1
+        assert rsps.calls[0].request.url == webhook.url
+
+        # Payload sent to scim provider
+        payload = json.loads(rsps.calls[0].request.body)
+        assert payload == {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [
+                {
+                    "op": "add",
+                    "path": "members",
+                    "value": [
+                        {
+                            "value": str(user.id),
+                            "email": None,
+                            "type": "User",
+                        }
+                    ],
+                }
+            ],
+        }
+
+
+def test_models_team_accesses_delete_webhook():
+    """
+    When the team has a webhook, deleting a team access should fire a call.
+    """
+    team = factories.TeamFactory()
+    webhook = factories.TeamWebhookFactory(team=team)
+    access = factories.TeamAccessFactory(team=team)
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsp = rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        access.delete()
+
+        assert rsp.call_count == 1
+        assert rsps.calls[0].request.url == webhook.url
+
+        # Payload sent to scim provider
+        payload = json.loads(rsps.calls[0].request.body)
+        assert payload == {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [
+                {
+                    "op": "remove",
+                    "path": "members",
+                    "value": [
+                        {
+                            "value": str(access.user.id),
+                            "email": None,
+                            "type": "User",
+                        }
+                    ],
+                }
+            ],
+        }
+
+    assert models.TeamAccess.objects.exists() is False
+
+
+# get_abilities
+
+
+def test_models_team_access_get_abilities_anonymous():
+    """Check abilities returned for an anonymous user."""
+    access = factories.TeamAccessFactory()
+    abilities = access.get_abilities(AnonymousUser())
+    assert abilities == {
+        "delete": False,
+        "get": False,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_authenticated():
+    """Check abilities returned for an authenticated user."""
+    access = factories.TeamAccessFactory()
+    user = factories.UserFactory()
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": False,
+        "get": False,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+# - for owner
+
+
+def test_models_team_access_get_abilities_for_owner_of_self_allowed():
+    """
+    Check abilities of self access for the owner of a team when there is more than one user left.
+    """
+    access = factories.TeamAccessFactory(role="owner")
+    factories.TeamAccessFactory(team=access.team, role="owner")
+    abilities = access.get_abilities(access.user)
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "set_role_to": ["administrator", "member"],
+    }
+
+
+def test_models_team_access_get_abilities_for_owner_of_self_last():
+    """Check abilities of self access for the owner of a team when there is only one owner left."""
+    access = factories.TeamAccessFactory(role="owner")
+    abilities = access.get_abilities(access.user)
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_for_owner_of_owner():
+    """Check abilities of owner access for the owner of a team."""
+    access = factories.TeamAccessFactory(role="owner")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="owner").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_for_owner_of_administrator():
+    """Check abilities of administrator access for the owner of a team."""
+    access = factories.TeamAccessFactory(role="administrator")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="owner").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "set_role_to": ["owner", "member"],
+    }
+
+
+def test_models_team_access_get_abilities_for_owner_of_member():
+    """Check abilities of member access for the owner of a team."""
+    access = factories.TeamAccessFactory(role="member")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="owner").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "set_role_to": ["owner", "administrator"],
+    }
+
+
+# - for administrator
+
+
+def test_models_team_access_get_abilities_for_administrator_of_owner():
+    """Check abilities of owner access for the administrator of a team."""
+    access = factories.TeamAccessFactory(role="owner")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="administrator").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_for_administrator_of_administrator():
+    """Check abilities of administrator access for the administrator of a team."""
+    access = factories.TeamAccessFactory(role="administrator")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="administrator").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "set_role_to": ["member"],
+    }
+
+
+def test_models_team_access_get_abilities_for_administrator_of_member():
+    """Check abilities of member access for the administrator of a team."""
+    access = factories.TeamAccessFactory(role="member")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="administrator").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "set_role_to": ["administrator"],
+    }
+
+
+# - for member
+
+
+def test_models_team_access_get_abilities_for_member_of_owner():
+    """Check abilities of owner access for the member of a team."""
+    access = factories.TeamAccessFactory(role="owner")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="member").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_for_member_of_administrator():
+    """Check abilities of administrator access for the member of a team."""
+    access = factories.TeamAccessFactory(role="administrator")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="member").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_for_member_of_member_user(
+    django_assert_num_queries,
+):
+    """Check abilities of member access for the member of a team."""
+    access = factories.TeamAccessFactory(role="member")
+    factories.TeamAccessFactory(team=access.team)  # another one
+    user = factories.TeamAccessFactory(team=access.team, role="member").user
+
+    with django_assert_num_queries(1):
+        abilities = access.get_abilities(user)
+
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_team_access_get_abilities_preset_role(django_assert_num_queries):
+    """No query is done if the role is preset, e.g., with a query annotation."""
+    access = factories.TeamAccessFactory(role="member")
+    user = factories.TeamAccessFactory(team=access.team, role="member").user
+    access.user_role = "member"
+
+    with django_assert_num_queries(0):
+        abilities = access.get_abilities(user)
+
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "set_role_to": [],
+    }

src/backend/core/tests/test_models_teams.py

@@ -0,0 +1,142 @@
+"""
+Unit tests for the Team model
+"""
+
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_teams_str():
+    """The str representation should be the name of the team."""
+    team = factories.TeamFactory(name="admins")
+    assert str(team) == "admins"
+
+
+def test_models_teams_id_unique():
+    """The "id" field should be unique."""
+    team = factories.TeamFactory()
+    with pytest.raises(ValidationError, match="Team with this Id already exists."):
+        factories.TeamFactory(id=team.id)
+
+
+def test_models_teams_name_null():
+    """The "name" field should not be null."""
+    with pytest.raises(ValidationError, match="This field cannot be null."):
+        models.Team.objects.create(name=None)
+
+
+def test_models_teams_name_empty():
+    """The "name" field should not be empty."""
+    with pytest.raises(ValidationError, match="This field cannot be blank."):
+        models.Team.objects.create(name="")
+
+
+def test_models_teams_name_max_length():
+    """The "name" field should be 100 characters maximum."""
+    factories.TeamFactory(name="a " * 50)
+    with pytest.raises(
+        ValidationError,
+        match=r"Ensure this value has at most 100 characters \(it has 102\)\.",
+    ):
+        factories.TeamFactory(name="a " * 51)
+
+
+def test_models_teams_slug_empty():
+    """Slug field should not be empty."""
+    with pytest.raises(ValidationError, match="This field cannot be blank."):
+        models.Team.objects.create(slug="")
+
+
+# get_abilities
+
+
+def test_models_teams_get_abilities_anonymous():
+    """Check abilities returned for an anonymous user."""
+    team = factories.TeamFactory()
+    abilities = team.get_abilities(AnonymousUser())
+    assert abilities == {
+        "delete": False,
+        "get": False,
+        "patch": False,
+        "put": False,
+        "manage_accesses": False,
+    }
+
+
+def test_models_teams_get_abilities_authenticated():
+    """Check abilities returned for an authenticated user."""
+    team = factories.TeamFactory()
+    abilities = team.get_abilities(factories.UserFactory())
+    assert abilities == {
+        "delete": False,
+        "get": False,
+        "patch": False,
+        "put": False,
+        "manage_accesses": False,
+    }
+
+
+def test_models_teams_get_abilities_owner():
+    """Check abilities returned for the owner of a team."""
+    user = factories.UserFactory()
+    access = factories.TeamAccessFactory(role="owner", user=user)
+    abilities = access.team.get_abilities(access.user)
+    assert abilities == {
+        "delete": True,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "manage_accesses": True,
+    }
+
+
+def test_models_teams_get_abilities_administrator():
+    """Check abilities returned for the administrator of a team."""
+    access = factories.TeamAccessFactory(role="administrator")
+    abilities = access.team.get_abilities(access.user)
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": True,
+        "put": True,
+        "manage_accesses": True,
+    }
+
+
+def test_models_teams_get_abilities_member_user(django_assert_num_queries):
+    """Check abilities returned for the member of a team."""
+    access = factories.TeamAccessFactory(role="member")
+
+    with django_assert_num_queries(1):
+        abilities = access.team.get_abilities(access.user)
+
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "manage_accesses": False,
+    }
+
+
+def test_models_teams_get_abilities_preset_role(django_assert_num_queries):
+    """No query is done if the role is preset e.g. with query annotation."""
+    access = factories.TeamAccessFactory(role="member")
+    access.team.user_role = "member"
+
+    with django_assert_num_queries(0):
+        abilities = access.team.get_abilities(access.user)
+
+    assert abilities == {
+        "delete": False,
+        "get": True,
+        "patch": False,
+        "put": False,
+        "manage_accesses": False,
+    }

src/backend/core/tests/test_models_users.py

@@ -0,0 +1,116 @@
+"""
+Unit tests for the User model
+"""
+
+from unittest import mock
+
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_users_str():
+    """The str representation should be the full name."""
+    user = factories.UserFactory()
+    contact = factories.ContactFactory(full_name="david bowman", owner=user)
+    user.profile_contact = contact
+    user.save()
+
+    assert str(user) == "david bowman"
+
+
+def test_models_users_id_unique():
+    """The "id" field should be unique."""
+    user = factories.UserFactory()
+    with pytest.raises(ValidationError, match="User with this Id already exists."):
+        factories.UserFactory(id=user.id)
+
+
+def test_models_users_email_unique():
+    """The "admin_email" field should be unique except for the null value."""
+    user = factories.UserFactory()
+    with pytest.raises(
+        ValidationError, match="User with this Admin email address already exists."
+    ):
+        models.User.objects.create(admin_email=user.admin_email, password="password")
+
+
+def test_models_users_email_several_null():
+    """Several users with a null value for the "email" field can co-exist."""
+    factories.UserFactory(admin_email=None)
+    models.User.objects.create(admin_email=None, password="foo.")
+
+    assert models.User.objects.filter(admin_email__isnull=True).count() == 2
+
+
+def test_models_users_profile_not_owned():
+    """A user cannot declare as profile a contact that not is owned."""
+    user = factories.UserFactory()
+    contact = factories.ContactFactory(base=None, owner=None)
+
+    user.profile_contact = contact
+    with pytest.raises(ValidationError) as excinfo:
+        user.save()
+
+    assert (
+        str(excinfo.value)
+        == "{'__all__': ['Users can only declare as profile a contact they own.']}"
+    )
+
+
+def test_models_users_profile_owned_by_other():
+    """A user cannot declare as profile a contact that is owned by another user."""
+    user = factories.UserFactory()
+    contact = factories.ContactFactory()
+
+    user.profile_contact = contact
+    with pytest.raises(ValidationError) as excinfo:
+        user.save()
+
+    assert (
+        str(excinfo.value)
+        == "{'__all__': ['Users can only declare as profile a contact they own.']}"
+    )
+
+
+def test_models_users_send_mail_main_existing():
+    """The 'email_user' method should send mail to the user's main email address."""
+    main_email = factories.IdentityFactory(email="dave@example.com")
+    user = main_email.user
+    factories.IdentityFactory.create_batch(2, user=user)
+
+    with mock.patch("django.core.mail.send_mail") as mock_send:
+        user.email_user("my subject", "my message")
+
+    mock_send.assert_called_once_with(
+        "my subject", "my message", None, ["dave@example.com"]
+    )
+
+
+def test_models_users_send_mail_main_admin():
+    """
+    The 'email_user' method should send mail to the user's admin email address if the
+    user has no related identities.
+    """
+    user = factories.UserFactory()
+
+    with mock.patch("django.core.mail.send_mail") as mock_send:
+        user.email_user("my subject", "my message")
+
+    mock_send.assert_called_once_with(
+        "my subject", "my message", None, [user.admin_email]
+    )
+
+
+def test_models_users_send_mail_main_missing():
+    """The 'email_user' method should fail if the user has no email address."""
+    user = factories.UserFactory(admin_email=None)
+
+    with pytest.raises(ValueError) as excinfo:
+        user.email_user("my subject", "my message")
+
+    assert str(excinfo.value) == "You must first set an email for the user."

src/backend/core/tests/test_throttle.py

@@ -0,0 +1,35 @@
+"""
+Test Throttle in People's app.
+"""
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+
+from people.settings import REST_FRAMEWORK  # pylint: disable=E0611
+
+pytestmark = pytest.mark.django_db
+
+
+def test_throttle():
+    """
+    Throttle protection should block requests if too many.
+    """
+    identity = factories.IdentityFactory()
+    user = identity.user
+
+    client = APIClient()
+    client.force_login(user)
+    endpoint = "/api/v1.0/users/"
+
+    # loop to activate throttle protection
+    throttle_limit = int(
+        REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["burst"].replace("/minute", "")
+    )
+    for _ in range(0, throttle_limit):
+        client.get(endpoint)
+
+    # this call should err
+    response = client.get(endpoint)
+    assert response.status_code == 429  # too many requests

src/backend/core/tests/test_utils_webhooks_scim_client.py

@@ -0,0 +1,341 @@
+"""Test Team synchronization webhooks."""
+
+import json
+import random
+import re
+from logging import Logger
+from unittest import mock
+
+import pytest
+import responses
+
+from core import factories
+from core.utils.webhooks import scim_synchronizer
+
+pytestmark = pytest.mark.django_db
+
+
+def test_utils_webhooks_add_user_to_group_no_webhooks():
+    """If no webhook is declared on the team, the function should not make any request."""
+    access = factories.TeamAccessFactory()
+
+    with responses.RequestsMock():
+        scim_synchronizer.add_user_to_group(access.team, access.user)
+
+    assert len(responses.calls) == 0
+
+
+@mock.patch.object(Logger, "info")
+def test_utils_webhooks_add_user_to_group_success(mock_info):
+    """The user passed to the function should get added."""
+    identity = factories.IdentityFactory()
+    access = factories.TeamAccessFactory(user=identity.user)
+    webhooks = factories.TeamWebhookFactory.create_batch(2, team=access.team)
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        scim_synchronizer.add_user_to_group(access.team, access.user)
+
+        for i, webhook in enumerate(webhooks):
+            assert rsps.calls[i].request.url == webhook.url
+
+            # Check headers
+            headers = rsps.calls[i].request.headers
+            assert "Authorization" not in headers
+            assert headers["Content-Type"] == "application/json"
+
+        # Payload sent to scim provider
+        for call in rsps.calls:
+            payload = json.loads(call.request.body)
+            assert payload == {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+                "Operations": [
+                    {
+                        "op": "add",
+                        "path": "members",
+                        "value": [
+                            {
+                                "value": str(access.user.id),
+                                "email": identity.email,
+                                "type": "User",
+                            }
+                        ],
+                    }
+                ],
+            }
+
+    # Logger
+    assert mock_info.call_count == 2
+    for i, webhook in enumerate(webhooks):
+        assert mock_info.call_args_list[i][0] == (
+            "%s synchronization succeeded with %s",
+            "add_user_to_group",
+            webhook.url,
+        )
+
+    # Status
+    for webhook in webhooks:
+        webhook.refresh_from_db()
+        assert webhook.status == "success"
+
+
+@mock.patch.object(Logger, "info")
+def test_utils_webhooks_remove_user_from_group_success(mock_info):
+    """The user passed to the function should get removed."""
+    identity = factories.IdentityFactory()
+    access = factories.TeamAccessFactory(user=identity.user)
+    webhooks = factories.TeamWebhookFactory.create_batch(2, team=access.team)
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        scim_synchronizer.remove_user_from_group(access.team, access.user)
+
+        for i, webhook in enumerate(webhooks):
+            assert rsps.calls[i].request.url == webhook.url
+
+        # Payload sent to scim provider
+        for call in rsps.calls:
+            payload = json.loads(call.request.body)
+            assert payload == {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+                "Operations": [
+                    {
+                        "op": "remove",
+                        "path": "members",
+                        "value": [
+                            {
+                                "value": str(access.user.id),
+                                "email": identity.email,
+                                "type": "User",
+                            }
+                        ],
+                    }
+                ],
+            }
+
+    # Logger
+    assert mock_info.call_count == 2
+    for i, webhook in enumerate(webhooks):
+        assert mock_info.call_args_list[i][0] == (
+            "%s synchronization succeeded with %s",
+            "remove_user_from_group",
+            webhook.url,
+        )
+
+    # Status
+    for webhook in webhooks:
+        webhook.refresh_from_db()
+        assert webhook.status == "success"
+
+
+@mock.patch.object(Logger, "error")
+@mock.patch.object(Logger, "info")
+def test_utils_webhooks_add_user_to_group_failure(mock_info, mock_error):
+    """The logger should be called on webhook call failure."""
+    identity = factories.IdentityFactory()
+    access = factories.TeamAccessFactory(user=identity.user)
+    webhooks = factories.TeamWebhookFactory.create_batch(2, team=access.team)
+
+    with responses.RequestsMock() as rsps:
+        # Simulate webhook failure using "responses":
+        rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=random.choice([404, 301, 302]),
+            content_type="application/json",
+        )
+
+        scim_synchronizer.add_user_to_group(access.team, access.user)
+
+        for i, webhook in enumerate(webhooks):
+            assert rsps.calls[i].request.url == webhook.url
+
+        # Payload sent to scim provider
+        for call in rsps.calls:
+            payload = json.loads(call.request.body)
+            assert payload == {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+                "Operations": [
+                    {
+                        "op": "add",
+                        "path": "members",
+                        "value": [
+                            {
+                                "value": str(access.user.id),
+                                "email": identity.email,
+                                "type": "User",
+                            }
+                        ],
+                    }
+                ],
+            }
+
+    # Logger
+    assert not mock_info.called
+    assert mock_error.call_count == 2
+    for i, webhook in enumerate(webhooks):
+        assert mock_error.call_args_list[i][0] == (
+            "%s synchronization failed with %s",
+            "add_user_to_group",
+            webhook.url,
+        )
+
+    # Status
+    for webhook in webhooks:
+        webhook.refresh_from_db()
+        assert webhook.status == "failure"
+
+
+@mock.patch.object(Logger, "error")
+@mock.patch.object(Logger, "info")
+def test_utils_webhooks_add_user_to_group_retries(mock_info, mock_error):
+    """webhooks synchronization supports retries."""
+    identity = factories.IdentityFactory()
+    access = factories.TeamAccessFactory(user=identity.user)
+    webhook = factories.TeamWebhookFactory(team=access.team)
+
+    url = re.compile(r".*/Groups/.*")
+    with responses.RequestsMock() as rsps:
+        # Make webhook fail 3 times before succeeding using "responses"
+        all_rsps = [
+            rsps.add(rsps.PATCH, url, status=500, content_type="application/json"),
+            rsps.add(rsps.PATCH, url, status=500, content_type="application/json"),
+            rsps.add(rsps.PATCH, url, status=500, content_type="application/json"),
+            rsps.add(rsps.PATCH, url, status=200, content_type="application/json"),
+        ]
+
+        scim_synchronizer.add_user_to_group(access.team, access.user)
+
+        for i in range(4):
+            assert all_rsps[i].call_count == 1
+            assert rsps.calls[i].request.url == webhook.url
+            payload = json.loads(rsps.calls[i].request.body)
+            assert payload == {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+                "Operations": [
+                    {
+                        "op": "add",
+                        "path": "members",
+                        "value": [
+                            {
+                                "value": str(access.user.id),
+                                "email": identity.email,
+                                "type": "User",
+                            }
+                        ],
+                    }
+                ],
+            }
+
+    # Logger
+    assert not mock_error.called
+    assert mock_info.call_count == 1
+    assert mock_info.call_args_list[0][0] == (
+        "%s synchronization succeeded with %s",
+        "add_user_to_group",
+        webhook.url,
+    )
+
+    # Status
+    webhook.refresh_from_db()
+    assert webhook.status == "success"
+
+
+@mock.patch.object(Logger, "error")
+@mock.patch.object(Logger, "info")
+def test_utils_synchronize_course_runs_max_retries_exceeded(mock_info, mock_error):
+    """Webhooks synchronization has exceeded max retries and should get logged."""
+    identity = factories.IdentityFactory()
+    access = factories.TeamAccessFactory(user=identity.user)
+    webhook = factories.TeamWebhookFactory(team=access.team)
+
+    with responses.RequestsMock() as rsps:
+        # Simulate webhook temporary failure using "responses":
+        rsp = rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=random.choice([500, 502]),
+            content_type="application/json",
+        )
+
+        scim_synchronizer.add_user_to_group(access.team, access.user)
+
+        assert rsp.call_count == 5
+        assert rsps.calls[0].request.url == webhook.url
+        payload = json.loads(rsps.calls[0].request.body)
+        assert payload == {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "Operations": [
+                {
+                    "op": "add",
+                    "path": "members",
+                    "value": [
+                        {
+                            "value": str(access.user.id),
+                            "email": identity.email,
+                            "type": "User",
+                        }
+                    ],
+                }
+            ],
+        }
+
+    # Logger
+    assert not mock_info.called
+    assert mock_error.call_count == 1
+    assert mock_error.call_args_list[0][0] == (
+        "%s synchronization failed due to max retries exceeded with url %s",
+        "add_user_to_group",
+        webhook.url,
+    )
+
+    # Status
+    webhook.refresh_from_db()
+    assert webhook.status == "failure"
+
+
+def test_utils_webhooks_add_user_to_group_authorization():
+    """Secret token should be passed in authorization header when set."""
+    identity = factories.IdentityFactory()
+    access = factories.TeamAccessFactory(user=identity.user)
+    webhook = factories.TeamWebhookFactory(team=access.team, secret="123")
+
+    with responses.RequestsMock() as rsps:
+        # Ensure successful response by scim provider using "responses":
+        rsps.add(
+            rsps.PATCH,
+            re.compile(r".*/Groups/.*"),
+            body="{}",
+            status=200,
+            content_type="application/json",
+        )
+
+        scim_synchronizer.add_user_to_group(access.team, access.user)
+        assert rsps.calls[0].request.url == webhook.url
+
+        # Check headers
+        headers = rsps.calls[0].request.headers
+        assert headers["Authorization"] == "Bearer 123"
+        assert headers["Content-Type"] == "application/json"
+
+    # Status
+    webhook.refresh_from_db()
+    assert webhook.status == "success"