udata 14.0.3.dev1__py3-none-any.whl → 14.7.3.dev4__py3-none-any.whl

udata/migrations/2025-12-16-create-transfer-request-notifications.py

@@ -0,0 +1,69 @@
+"""
+Create TransferRequestNotification for all pending transfer requests
+"""
+
+import logging
+
+import click
+
+from udata.features.notifications.models import Notification
+from udata.features.transfer.models import Transfer
+from udata.features.transfer.notifications import TransferRequestNotificationDetails
+
+log = logging.getLogger(__name__)
+
+
+def migrate(db):
+    log.info("Processing pending transfer requests...")
+
+    created_count = 0
+
+    # Get all pending transfers
+    transfers = Transfer.objects(status="pending")
+
+    with click.progressbar(transfers, length=transfers.count()) as transfer_list:
+        for transfer in transfer_list:
+            try:
+                # Get the recipient (could be a user or an organization)
+                recipient = transfer.recipient
+
+                # For organizations, we need to find admins who should receive notifications
+                if recipient._cls == "Organization":
+                    # Get all admin users for this organization
+                    recipient_users = [
+                        member.user for member in recipient.members if member.role == "admin"
+                    ]
+                else:
+                    # For users, just use the recipient directly
+                    recipient_users = [recipient]
+
+                # Create a notification for each recipient user
+                for recipient_user in recipient_users:
+                    try:
+                        # Check if notification already exists
+                        existing = Notification.objects(
+                            user=recipient_user,
+                            details__transfer_recipient=recipient,
+                            details__transfer_owner=transfer.owner,
+                            details__transfer_subject=transfer.subject,
+                        ).first()
+                        if not existing:
+                            notification = Notification(user=recipient_user)
+                            notification.details = TransferRequestNotificationDetails(
+                                transfer_owner=transfer.owner,
+                                transfer_recipient=recipient,
+                                transfer_subject=transfer.subject,
+                            )
+                            # Set the created_at to match the transfer creation date
+                            notification.created_at = transfer.created
+                            notification.save()
+                            created_count += 1
+                    except Exception as e:
+                        log.error(
+                            f"Error creating notification for user {recipient_user.id} "
+                            f"and transfer {transfer.id}: {e}"
+                        )
+            except Exception as e:
+                log.error(f"Error creating notification for transfer {transfer.id}: {e}")
+
+    log.info(f"Created {created_count} TransferRequestNotifications")

udata/migrations/2026-01-14-add-default-kind-to-posts.py

@@ -0,0 +1,17 @@
+"""
+This migration sets Post.kind to "news" for posts that don't have a kind.
+This is necessary because the default value is only applied to new documents,
+not existing ones.
+"""
+
+import logging
+
+from udata.models import Post
+
+log = logging.getLogger(__name__)
+
+
+def migrate(db):
+    log.info("Processing posts without kind...")
+    count = Post.objects(kind__exists=False).update(kind="news")
+    log.info(f"\tSet kind='news' for {count} posts")

udata/mongo/slug_fields.py

@@ -180,7 +180,7 @@ def populate_slug(instance, field):
             return qs(**{field.db_field: slug}).clear_cls_query().limit(1).count(True) > 0
 
         def get_existing_slug_suffixes(slug):
-            qs_suffix = qs(slug__regex=f"^{slug}-\d*$").clear_cls_query().only(field.db_field)
+            qs_suffix = qs(slug__regex=rf"^{slug}-\d*$").clear_cls_query().only(field.db_field)
             return [getattr(obj, field.db_field) for obj in qs_suffix]
 
         def trim_base_slug(base_slug, index):

udata/rdf.py

@@ -5,6 +5,7 @@ This module centralize udata-wide RDF helpers and configuration
 import logging
 import re
 from html.parser import HTMLParser
+from urllib.parse import quote
 
 import mongoengine
 from flask import abort, current_app, request, url_for
@@ -12,6 +13,7 @@ from rdflib import BNode, Graph, Literal, URIRef
 from rdflib.namespace import (
     DCTERMS,
     FOAF,
+    ORG,
     RDF,
     RDFS,
     SKOS,
@@ -20,6 +22,7 @@ from rdflib.namespace import (
     NamespaceManager,
 )
 from rdflib.resource import Resource as RdfResource
+from rdflib.term import _is_valid_uri
 from rdflib.util import SUFFIX_FORMAT_MAP
 from rdflib.util import guess_format as raw_guess_format
 
@@ -353,12 +356,24 @@ def theme_labels_from_rdf(rdf):
 
 
 def themes_from_rdf(rdf):
-    tags = [tag.toPython() for tag in rdf.objects(DCAT.keyword)]
+    tags = []
+    for tag in rdf.objects(DCAT.keyword):
+        if isinstance(tag, RdfResource):
+            # dcat:keyword should be Literal, not a Resource/URIRef
+            log.warning(f"Ignoring dcat:keyword with URI value: {tag.identifier}")
+            continue
+        tags.append(tag.toPython())
     tags += theme_labels_from_rdf(rdf)
     return list(set(tags))
 
 
-def contact_points_from_rdf(rdf, prop, role, dataset):
+def contact_point_name(agent_name: str | None, org_name: str | None) -> str:
+    if agent_name and org_name:
+        return f"{agent_name} ({org_name})"
+    return agent_name or org_name or ""
+
+
+def contact_points_from_rdf(rdf, prop, role, dataset, dryrun=False):
     if not dataset.organization and not dataset.owner:
         return
     for contact_point in rdf.objects(prop):
@@ -369,7 +384,10 @@ def contact_points_from_rdf(rdf, prop, role, dataset):
             email = None
             contact_form = None
         elif prop == DCAT.contactPoint:  # Could be split on the type of contact_point instead
-            name = rdf_value(contact_point, VCARD.fn) or ""
+            name = contact_point_name(
+                rdf_value(contact_point, VCARD.fn),
+                rdf_value(contact_point, VCARD["organization-name"]),
+            )
             email = (
                 rdf_value(contact_point, VCARD.hasEmail)
                 or rdf_value(contact_point, VCARD.email)
@@ -378,12 +396,16 @@ def contact_points_from_rdf(rdf, prop, role, dataset):
             email = email.replace("mailto:", "").strip() if email else None
             contact_form = rdf_value(contact_point, VCARD.hasUrl)
         else:
-            name = (
-                rdf_value(contact_point, FOAF.name)
-                or rdf_value(contact_point, SKOS.prefLabel)
-                or ""
+            contact_point_org = contact_point.value(ORG.memberOf)
+            name = contact_point_name(
+                rdf_value(contact_point, FOAF.name) or rdf_value(contact_point, SKOS.prefLabel),
+                rdf_value(contact_point_org, FOAF.name) if contact_point_org else None,
+            )
+            email = (
+                rdf_value(contact_point, FOAF.mbox)
+                or (contact_point_org and rdf_value(contact_point_org, FOAF.mbox))
+                or None
             )
-            email = rdf_value(contact_point, FOAF.mbox)
             email = email.replace("mailto:", "").strip() if email else None
             contact_form = None
 
@@ -398,9 +420,18 @@ def contact_points_from_rdf(rdf, prop, role, dataset):
         else:
             org_or_owner = {"owner": dataset.owner}
         try:
-            contact, _ = ContactPoint.objects.get_or_create(
-                name=name, email=email, contact_form=contact_form, role=role, **org_or_owner
-            )
+            if dryrun:
+                # In dryrun mode, only reuse existing contact points, don't create new ones.
+                # Mongoengine doesn't allow referencing unsaved documents.
+                contact = ContactPoint.objects.filter(
+                    name=name, email=email, contact_form=contact_form, role=role, **org_or_owner
+                ).first()
+                if not contact:
+                    continue
+            else:
+                contact, _ = ContactPoint.objects.get_or_create(
+                    name=name, email=email, contact_form=contact_form, role=role, **org_or_owner
+                )
         except mongoengine.errors.ValidationError as validation_error:
             log.warning(f"Unable to validate contact point: {validation_error}", exc_info=True)
             continue
@@ -568,6 +599,27 @@ def paginate_catalog(catalog, graph, datasets, _format, rdf_catalog_endpoint, **
     return catalog
 
 
+def escape_uri_in_graph(graph: Graph) -> Graph:
+    """
+    Some invalid uri could exist in the graph and they can't be serialized in N3/Turtle.
+    We use a urllib.parse.quote to escape these at best for invalid URIRef.
+    """
+    escaped_graph = Graph()
+    for s, p, o in graph:
+        try:
+            if isinstance(s, URIRef) and not _is_valid_uri(str(s)):
+                encoded_uri = quote(str(s), safe=":/?#[]@!$&'()*+,;=")
+                s = URIRef(encoded_uri)
+            if isinstance(o, URIRef) and not _is_valid_uri(str(o)):
+                encoded_uri = quote(str(o), safe=":/?#[]@!$&'()*+,;=")
+                o = URIRef(encoded_uri)
+            escaped_graph.add((s, p, o))
+        except Exception as e:
+            log.exception(f"Failing to escape uri on triplet {s} {p} {o} : {e}")
+            continue
+    return escaped_graph
+
+
 def graph_response(graph, format):
     """
     Return a proper flask response for a RDF resource given an expected format.
@@ -581,6 +633,8 @@ def graph_response(graph, format):
         kwargs["context"] = CONTEXT
     if isinstance(graph, RdfResource):
         graph = graph.graph
+    if fmt in ["n3", "nt", "turtle", "trig"]:
+        graph = escape_uri_in_graph(graph)
     return escape_xml_illegal_chars(graph.serialize(format=fmt, **kwargs)), 200, headers
 
 

udata/routing.py

@@ -1,3 +1,4 @@
+from urllib.parse import quote
 from uuid import UUID
 
 from bson import ObjectId
@@ -5,7 +6,6 @@ from flask import redirect, request, url_for
 from mongoengine.errors import InvalidQueryError, ValidationError
 from werkzeug.exceptions import NotFound
 from werkzeug.routing import BaseConverter, PathConverter
-from werkzeug.urls import url_quote
 
 from udata import models
 from udata.core.dataservices.models import Dataservice
@@ -79,7 +79,7 @@ class ModelConverter(BaseConverter):
         if self.has_slug:
             return self.model.slug.slugify(value)
         else:
-            return url_quote(value)
+            return quote(value)
 
     def to_python(self, value):
         try:

udata/settings.py

@@ -69,11 +69,13 @@ class Defaults(object):
     # Flask mail settings
 
     MAIL_DEFAULT_SENDER = "webmaster@udata"
+    MAIL_LOGO_URL = "https://www.data.gouv.fr/nuxt_images/udata_mails_external_logo.png"
 
     # Flask security settings
 
     SESSION_COOKIE_SECURE = True
     SESSION_COOKIE_SAMESITE = None  # Can be set to 'Lax' or 'Strict'. See https://flask.palletsprojects.com/en/2.3.x/security/#security-cookie
+    SECURITY_USE_REGISTER_V2 = True
 
     # Flask-Security-Too settings
 
@@ -172,6 +174,10 @@ class Defaults(object):
     SITE_AUTHOR = "Udata"
     SITE_GITHUB_URL = "https://github.com/etalab/udata"
 
+    TERMS_OF_USE_URL = None
+    TERMS_OF_USE_DELETION_ARTICLE = None
+    TELERECOURS_URL = None
+
     UDATA_INSTANCE_NAME = "udata"
 
     HARVESTER_BACKENDS = []
@@ -478,6 +484,11 @@ class Defaults(object):
     # Padding (in percent) used by the internal provider
     AVATAR_INTERNAL_PADDING = 10
 
+    # Notification settings
+    ###########################################################################
+    # Notifications are deleted after being handled for 90 days
+    DAYS_AFTER_NOTIFICATION_EXPIRED = 90
+
     # Post settings
     ###########################################################################
     # Discussions on posts are disabled by default

udata/tasks.py

@@ -161,6 +161,7 @@ def init_app(app):
     import udata.core.metrics.tasks  # noqa
     import udata.core.tags.tasks  # noqa
     import udata.core.activity.tasks  # noqa
+    import udata.core.dataservices.tasks  # noqa
     import udata.core.dataset.tasks  # noqa
     import udata.core.dataset.transport  # noqa
     import udata.core.dataset.recommendations  # noqa
@@ -172,6 +173,7 @@ def init_app(app):
     import udata.core.discussions.tasks  # noqa
     import udata.core.badges.tasks  # noqa
     import udata.core.storages.tasks  # noqa
+    import udata.features.notifications.tasks  # noqa
     import udata.harvest.tasks  # noqa
     import udata.db.tasks  # noqa
 

udata/templates/mail/message.html

@@ -6,9 +6,11 @@
     <title>{{ message.subject }}</title>
 </head>
 <body style="font-family: Marianne, Helvetica, Arial, sans-serif; line-height: 1.6; color: #333; background-color: #ffffff; max-width: 600px; margin: 0 auto; padding: 20px;">
+    {% if config.MAIL_LOGO_URL %}
     <div style="margin-bottom: 30px;">
-        <img width="186" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAVkAAABsCAYAAADAMsFxAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAABhjSURBVHgB7Z1Rcts6soZbkmvqvo3uCsKsIM4KoqwgzgqsPN66dexoBVFWIMuZqXm0sgI7KwizgmhWEJwVHJ23qRlLGnQDlCkQFAESpES6vyqdE9MSRRPAz0aj0d0DhmGYZ80sAhh8AtieA2zeA0wEBKQHDMMwz5LZEODsWgrrR/nD8Ol4bwGw/hxKbFlkGYZ5hny5kOI6k/+Ict6wAujfAPz2GSrCIsswzDPiy0i6BdA1MHL8gJAyKYX2agElYZFlGOYZgK4B8rt+hFL0HqQLYVLGhdAHhmGYztOflhdYZCvdC4M7Jdae3wwMwzCd5nYsLdGl9MG+BZr+eyP9s5uJchv0vYX6DBiGYToF+l030ursLwAe53KaL4/18WehhVb+vi9dB7mLXgkorvLz8KBcDbhQtvmccj1c6JCv5aGTsCXLMExHmJ1Lq/W7FD75QgHdTKXE/ZSCKH/cfFDv6f+SP7/RP8/zz9WLlSCfbeVn8HzD1M+/tOshUue/vVOxtjlnAoZhmFbjtKgltBU7lsJ4CSSaGKL1+FX5a+FSv2+pXAODSEUhIGi9ngllHR+yfvE82ZAvFlmGYVrMl2tlsYLjghRtNEBhHYMSVqF8rehSwHOcLXWI13nKVTCrEvLF7gKGYVoI+l3nctq+kdaoq8Ai27GUvXs15d+8BPK7btFfG0kxXWlXw0pZvYO/KneAs8AikTrf/GfiQmCRZRimZaDvtWjqfpCh3ko7Arh+Dcr6fCHFMVK+2Kv3ytKtEvIF50nIF4sswzAtY3CtLM1NyS2vu0WtF0qwkfWf8thK/XsX8oWWrgB/9kK+WGQZhmkZNOX/pVb6SQi/On4wiZX9qlwGiS+XBDdWi1u4qwv9s+RC+K5CtCgSQbh9BfpxN9I6HrxSrofeGxZZhmFaCoVofdeWqZ72W9GWZX+ioxCkgPaEFtc3yu+6uVcv/DdauHS+HzoE7I0W2wOWc3INZ39oP+44+Q2LLMMwbSbSVueddiEYVufOsnyhLEv0u+L7aCp/Z49MIPG+18L5QS18kfjaLGeROt+97XwcwsUwTMuYb/N/l4Ro4cITxFIY3+lFLtAhWbG2ZkfghjB2iYEO+RLqGCzUAlfe+XoxW7IMw3QI8tdi5EGcslTTIVnf/UOy9naJgbacP6qYWtr9NTp0As5dwDBM14hATdn1tB0FFqfy23MoDYn3SAkt+YGlYG+d4nPZkmUYpsOgX/UMxbWCwO6IpEV7rs7pDosswzBdRkjrcwTheCUt2H/6fIBFlmGYruOdaLuAlc+bWWQZhmkbAloEiyzDMC0j2bV10qzU5oWrtyyyDMO0DCxmeHajNgZggcNTI9kAgTG0bMkyDNM6MKnL472uWPDNL7dAnewSz/xSO8Tw+mYRx8kyDNMyMAvX+oNOR4gbA5ZG1YMImkU8VU+gDRDDp4Tf/TFbsgzDtIxkV1eSjrC30ruyXmirNvHX/pBiPIfgbBZAwrrWfldMHjO41Fm3lvsJvzkLF8Mw7SSSYjvTLoOvqUQuuurBJFbVatHq7S0hGNs/pcUqBXWNGbliXVjxp/odJYqJ9dbdXcJvThDDMEzLsCWIocQwKHxjKXLX+uBQH58o4a0cL7tSC1q7wos6XpZcBUltsJFxXTGLLMMwLcMlC1f/Qoqf9ImeobC+kgtl35SVW9pfu1LW8hnu+PpdF16MQBVaRHG9yLkezsLFMEyXSPy1WGCRytTcP1mXKJJlStbsQrJi5QNOCi9iNQVyDVwc+jSLLMMwXSNSL8q69Q03BKiy3mjJ+pSs2YVk6WoHA/n567H8xRwXtFQC8GIXBIdwMQzTYXpSIG8/qpAv9NeSz3asE29jiJUU34wLQWjXAGRDsvBcW85dwDAM8wRatHshXj/UlH9X9faD2jmGr3QtsE2qftguiuAVeMIiyzDMM8GMr8Wk2yS+lyp9Ib4G75QfF6GQrKUutDiFkhzJXTCfFr8HHdcTL7OcYZhngYDyUQKRjq+91i4D0LW7RurXW6FdBUK5EjaVk30fyyf7yeE9C/DM28gwzHOAyslMQcWqliXSLoOFFFq9JZd4UItklRN9r7Qf94bdBQzDtAzMwoWr/LSlNoZKkAsBXQZSFAeiRKFFCxiri9c2meJsnKMLGIZpKSi2IK3Q2VhP+SMoD24ywM1ZFXaFoeDjrjPc0vsEW7IMw7ScyUJati/1RoNjuBj1bjCMx90XWIRFlmGYjoDTc9qZVXcWrhj2s3C9VEJvh90FDMN0CHIhjPUPsfpfaJ1Fa3W21NFPhZUZ2JJlGIbxxj28lEWWYZiOQ5EIVUvUaNcApk30g90FtfFlpLblHQJXI9FZzjBMvaDPdBaXi69NctKW2xzFlizDMM8E3/jaJAvX1Ycqu09ZZBmGeWag2F69PeBCEIdCsnxhkWUY5pmSjq/F2l2bJCTr9aGQLF/YJ8swzDMH42vrgy1ZhmGYGmGRZRiGqZGS7oLZUH70XGUcx8S3vRfqOFZx7K1UotvH5Wnkg/1HBPCfEVDih921rpQP5tSutS6wvf4SAazPVV2i3l9BJcJI7oNQr6bvQ7of7WWcx2v4XbXNbzEcDew7j/qePde+w1TFoyQ4DojBWP7jnXsqMAqT+CpX6Rb7xw+V9E2g/cACSoExqttLXUXSNasOZkB/kIPmq9/34kC0gYMzybB+6Dv/8h6c+NfKbzDvtReKmON9SNpsHZe//0VQ+3xyvK6VKgsymMv2KSFm/yfAC7q2d7rvRG6fqeOeYfv9T+re+La/D2Yftt0z83ry3heaY31vOBxElqwNrIXzEcqnARMqC3kitnWJ7JdrXSai7HVqKPj4s9v3z39BtRRrjuA1YbxeEUHaCxFS1BbSkixRQjmPWSTF8q56vk5nhFo9dmEn/COohE/fOQRVD/m0f16X9vcF2wTzqe4Q9nuG/ar/x/6xTZAQp8PcGvld27eBp8An++VCNUBl4YpUFvLbO9VYoZlJi2j+U5WsgQDnp0S+snFnF9AqgrUXEqnz4EMEB2JVsI0OJkRGK01Ata2PJcD+eHuvdueFEP+k72BV0y6BVrQZwD9wqXBSAex3ZpusHUp5nxYHRPbLJz3dDSiK1AF/QlDQeqVznkNYIlWn/UvNHSkUdbQXEan7O6twfxOBNS1+2lEzUbOW6/9VFhS9eipWsfJ+c5fr+qldAzYSYZnr6/ygrwmtexzsy5zPRaqOFIp3HUbFsVgbsxoUwDr/voyIi5Dxq02Rs/BFA3YK9RBBMGq9Tg1Zc0IO/BN+guIMYTOG+hhqy/61/zSYpqOm+Oskx5OH/M9NUMDwtZDn+KiK2mWYw8Ekzb0Dv/ub9Nmvc2Y+lOEe2/uh2A9Kf99U/uMNZPo2indfCvnsbX3+7SZB18Ac70fqnvXRYp9CLZhWbNVSM8fBIrJNCFcIdv7XJpCDcfbjNAcKtdcY6icttCv3j2FROlyd3yG0L0+AM5MbndzjO+wNcFztvyoxLUe3ynph+YXQ4h+D+7XJz2D+0p3YmslHonL37WTBB1vawpTjsA6RvR0b/QaylnQ7MNwF2PnaILDIpkmf11At2JwaON1t9D5E2nJxhBaTjKn45n25hxVathsjzRyeezYCL1AMN5a2xAgG2k4ZQyl2yUcwWsQU00j2n6JIk5ZA6x5phko3gmM+rL61dTaQElnqfDMoj9Cvhp7WaA05TR9WKd/fe/U5+v/Eb/pB/qfQft+KkPBguQ3h8OaVrqL5Yf8+kGXi8vmEa3c/3NbwqeH3T5ZQGvTHmW3W9xzgpjWMbDDM8H0YS3OixdocB9h/urAYZlsA215DUGwLXpsFtJSUu+BMPjk2EbiDnUh2zg361Zb7HZQGIS4qjMHqqwrBrlLlVFeqtEB1z6cHBs+NiiAgf18EhdCANkQCg/i3tjcPwSkG1PWhtP7TfhzvA05F+2hhXNq/Q9V/z7kP2H4fdcXPmcM1Y4jYCArLbmAfyKwMB5ju4Tn6o9QB/JsdxYtcK9H+MbRgJ2MICrXJ26yg40Nn9tB+/6zZBokBUuUBmgYXvPbGlDjsvz9ttMiSFTt1/hQ9+bFj54kXHY/Vi8J/xvlCWBVM7kD+OpwCRvrgSk9LY4fPP6h6PbbV7ww4oKf7h/Ji9pySdi/DxPzR/R7rvyM9GxHu/k9Karx0i/7AYP0ikcWdXJv0gWUgccGBnF58GboNcGsfF1Iwaog9RfB6Zp+N9kjcTgHa/JhYF8AuID/awgN6OJsuphqKITaHdhcMRu4fwVRg+OR3nVrhwNpVkRRQC9joKCZJI/sGSeM1blwGW3TaITm4QIThUInrxnuBCe+fg7XpEk+6NV0rv0MQqN+J/WOD8+LP2WI6N6Wz3buB7ZGZWo/8/cgniSl812HGxgAF1jxPa61YRIvs1tHKxCdK2bRg5D9EIRRQC7Tw8FovXpR4opIouwy4CE4aemC89RfYhMzCho2o+C1bc6AICIYZmmWuQtuwhQM1MQW1uUh8/cinCPWTdDsMtUBWxPTvkh9fQIvp68WcyOG9AiqHapAAOO7VL/0dFaYsTgthJ2zJJtDsQUApbJaijRC7wJqCVr+j/WNNhQPhwzvTry6h9dgWwKr+XaRFxqykfTu8TPrurgJyEwSYWoVyjtfB9k9gAmFam5T5KxCmlbwp6FPkQ04joPY993t8M34edsNlsDZcBlVdIQMzSkE03E61gAtfbxzf22q/iJ10CkBMtbd1vRcdYy/l4AvLVL8EZtRFqKQwSeTKHgUPf9M/3PTOIdz4YO5YIz9yDK2GFsDwAZe6v+QKicEb64JXQ7ONekGRdRhQ5L8KYMUeC1NMaW+5dpM8wvNhdx9GQGIK50/pBjcQlsfY2OsSKSunqmWCfr+98J6VwznNKeg3aBQcO7g1e89l8Qo6Qe+r8RC7VGGVvnpB7WpqUQwd4Mxx0eCf0Cr+fq6F5M3zFNMEDCNL7kHT9wEH2W28b8EO0GcXQyUyGxwKZljWDSQCGgfD9dJjbXsOnYCsdGyTVEjdYAwUl+1D9xa8EtCSjYrfhlO/U2eXR/VCJcx+rqTzyW4CTPurkAlaH8vr+1remqV8FVH2Ow5xZrPSBTROxt9/5LYJBVnpuDiVFkn0gXuIbDcXvBJca3yduKuA0h3+0sHmz1RgUVxxR1OwfLIBsK2sY0auMpEJmDXLDC8ra+0cxfUloLNsjNmE7wJYNxe8ElpeSHGXcBkHX0csgzJQBqjvpyOuadZmTtih2lXmuo8/eXhksmaJ8mFYR9lQEkFnsT5ML8AJylMw3j/WjQWvBBRZUfw2F79t01A5jO8HEi77ILRvT0DrSAQ2iAUv9H0IaOntYqONwHVMao1VF1Bs/25cOwnryLDMjet03WzxaHvPEUTWDGFrgwvOC3Mx8dLtYWYNIY2hQ6BP1mVAneAUfPCpxOKB0AsQv+vYyqU6lkwf5wtoncXhlHPBRBTcBylsIYWI9vG/tlxrpMQWF+Mo5DLpi4eiHYTnbjZb/z6Hxh+opqHStZjssgtg1kxtAjoEiixGDhSJ1YnFj1LyFcfpJhW206VCula62ZbY2Ar+3TkZ05ri7J3DQlzB7wuzqlmwhU/1R9Bo3Lc1tncJJ8FZFCZ8r8wCGI3jaP/YutXJYGycaYumaDvcMEyMYyic8leK8vv324JLzgmc/qNf9JgPmNuZ8VDEa8HpJQ7CIuFNHhA3FdryB+yJbK/hGNVMbK9kEx/+DO6Y2/tMBM1QoZ/gQ7yfGpvJAliebmR0Z3naO0LLIUV2vXRb/6IsRjFUJsSedxc/bBsEtsrOKpsVkEGoZNTHhHK4pgV2uV8dgVahpZXXH6pyMgi5MQQEG3S4KJMe0EWDPzjvsoeKvjuzYy6CWsjshqsgsvg3mbHReTvArAtenbNikTN7bkgbSWb3qxsoTbJYVQUSl6I3lSxVgYsTWwjD48rh4RWpe1LGynQadGVjDSuIf5pMDlcBmfIzJDYx1Mr6IZuQPMTGCBdITAyjAF1YRTwuLTvmSvaVgxhWfdWNR+ia649SB3J2gOGCVyYx9wI6SNKKjk8QWhEuci3ksFsFj6B2en+AN5ipKUikQoLLYBiWTw/nIrJlVrC/pBcvKmLmcKUkQwIaZ6JdDmloY0QEtWPLY+sSaE/3yRSmMQQnU+Ylhmqgr9uIJLHVhcsseMXQUbTIetXPWeiB6AEKWLAwIxci8IIKEt5BUGyDxAY+uOoa7L7RF6ErFZvff0xLxZYnt+7imLQwOTYOCnc3RUZ43kFQbCkgqy7I0QPNNNqM66bt3tH+sXZWonVBiywJgsfUEgcixTiO82PhaKOAfILdYpA8VuqMIAjWuEcDnx0ntFvMUlwvBK75aTEW9PZOdb5/RE8vjB/FgYDiZwbvO1mpl24CTm01g/CVipt6qDpAfdySms/XYHCF3AS2agwePnLT4g1dVWFjsSZDzDTMHWDYD9LXbS54hfre0yTl9KEB5uPvieTNksLQl1Pz+U8lpigU+H8UYDyOVlqoFHcJrhYibt/Eh4CNvQcAWjg1CCzxw/2taPFgTbB//3p6Pf5UDyhqG8N3tnaxOLQPPO8+oJAnAf/bjxAeo52OnUPV1sfxWGihzXONeVfrjSFzvehbDrFjDY2LuvIF4N9oGhjJ1lnbgld38hTY6O3/OPuYzXt5LLBWVd7TDcXRWbxXKkwtgXyZEZTGp37YTFupIUQcB+jVh/1j8z88zh36Prwstj4y7STf35PTwoG8jv+vOC0tCwq9bfG1PwX4LcCUNXftQejSSD6GjGQ+lf8xLU5pGFxNoDToHsvM3gTA9UsIRuY+r1SfoXC2u/q+9/ToZQ/RrqeSi1shOTSI8wZKE/gWabQNkjJYRXYa5txlcBHZWtppqWNI5SyhH0thjMGbvDLyaH1RTLGAUlCWsClkH3yiWkgh7cCL9o+h0K5LVCuh6Jz77DViIdHQPvOMEYAPMdSW6OmQrV93C0uMEcU0HsnKcMVaN+lEIXeEgFqo89whoIdR6KngubaOPyn3SrI24HVdU3sSEjxv4h/3WYxE4cp1PYls2JovmdwPoNw7lGhnDE7s/O6W9QcqkLqA8JgLYPhgi/YPdXfBK6FnP4wNgiuvQUOaEgQ4TVOLLKXgIWFLHQBe8Df7WrJIiGvNe+Jbp34VwAHXx9XgqOB9L92Fw8u9UxahxczDQMizaHdo32IPfetS5M6EOoz5isnd8kr3l+GBa3oLQRZ1ZmN5rXf530PX+e3pOnELM25Woet8l3//N5jfdwy1QO6yA+GUeM1Xb6Hj9A7/urAT+iJUpyM/ZQFO09EojNBiRwO0DNASKXCVlBFZpOq1HppW0bTcMgX0heJYp/bpaea9jiJLU+gb4+Cy3M4iJz/yWPr4PKznuuK3y+RZKILaGYU2giDUKbAJhx6wdbgoTo9e8VuwE5JVO4JKpDvdfOvwfsdBTINkCuX8yEI3dKx+dPFHlxXZBHpwGX4pF4p8V9ROs3KzD/JFfk7dh0Aim4m7Xen7/QCVILEZg0pcFBm/XOkFJgFelG0XE/NehqZSf09Y6QfqDdROrl9edH3BK8FBZBN2HdslqUeC3mmDcXPpTodTn0Ie/KyAXeezDTzjmihpytfsQKAQo0OfReJA078Lva9bF3bM3NOVetGgxa2OC7f74dxOOW2TXFthGxe0T0ZgBQTPJ0FtLmcgYCQMKjsNpdCoC7Xl1suoONCn6mLXzj5iK/Ss7QYaTRhkHe+iuXt1XDxENk2S1GOQCEQaoUVhCUdLq0eLFskrTRx2kIcmWWwJdY1UOymCfcHE9ljWex9I/AyXkI8P15c5WmSG0FaecUSgEtec66xd5j1cPfXzY4oFPRhGDtcZQwczXLWBkiLLMIcw3Q2Jr7curPHI8juvp8AwR6blNb6Y0yOzL13UK7CILQHMcy2oyZwaLLJMYDbGwltT8cw9cyrccGJuhrHDIssEJlN14Ac0QucKEzIdgUWWCYyZ53Yt4DgcYcGVYbKwyDI1M4igEUKWUWGYcLDIMoExfaPbhhagzOKa3U6fx7QHFlkmMJkaUZdh8p8egpKkRMbBGBjmBGCRZQKTyYqPyYbuoTYoCbSRA5mSYwtgmBOARZYJDO0qspRNub0Pb9FiTC6m+zOTT3c/fR7THnjHF1MDtAMLxS8yfiFUZYSrBVQCa5+try1FCksmh2GY+mCRZWriYApBoRKqYP5T18oGWI/sP7jRIS83qvDPJ8sw9cMiy9QICS36Y4siDJL8ssI4PkzlkD3gaqhaNoZh6oNFlmkAyupvKT1SGaGTzyyAYU4UFlmmQVBsvXO1mqxULG6dibEZJhwssswRoCgDzNU6esqBai0tI+BJVI+co5hhyvFf5L5Kd3A79p8AAAAASUVORK5CYII=" alt="Logo">
+        <img width="186" src="{{ config.MAIL_LOGO_URL }}" alt="Logo">
     </div>
+    {% endif %}
 
     <p style="margin-bottom: 20px;">{{ _('Hi %(user)s', user=recipient.first_name) }},</p>
 

udata/tests/api/__init__.py

@@ -3,6 +3,7 @@ from urllib.parse import urlparse
 
 import pytest
 from flask import json
+from flask_security.utils import login_user, logout_user, set_request_attr
 
 from udata.core.user.factories import UserFactory
 from udata.mongo import db
@@ -55,27 +56,16 @@ class APITestCaseMixin:
 
     def login(self, user=None):
         """Login a user via session authentication."""
-        from flask import current_app
-        from flask_principal import Identity, identity_changed
-
-        user = user or UserFactory()
-        with self.client.session_transaction() as session:
-            # Since flask-security-too 4.0.0, the user.fs_uniquifier is used instead of user.id for auth
-            user_id = getattr(user, current_app.login_manager.id_attribute)()
-            session["user_id"] = user_id
-            session["_fresh"] = True
-            session["_id"] = current_app.login_manager._session_identifier_generator()
-            current_app.login_manager._update_request_context_with_user(user)
-            identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
-        self.user = user
+        self.user = user or UserFactory()
+
+        login_user(self.user)
+        set_request_attr("fs_authn_via", "session")
+
         return self.user
 
     def logout(self):
         """Logout the current user."""
-        with self.client.session_transaction() as session:
-            del session["user_id"]
-            del session["_fresh"]
-            del session["_id"]
+        logout_user()
         self.user = None
 
     def perform(self, verb, url, **kwargs):

udata/tests/api/test_activities_api.py

@@ -4,6 +4,7 @@ from werkzeug.test import TestResponse
 from udata.core.activity.models import Activity
 from udata.core.dataset.factories import DatasetFactory
 from udata.core.dataset.models import Dataset
+from udata.core.organization.factories import OrganizationFactory
 from udata.core.reuse.factories import ReuseFactory
 from udata.core.reuse.models import Reuse
 from udata.core.topic.factories import TopicFactory
@@ -111,3 +112,38 @@ class ActivityAPITest(APITestCase):
         assert activity_data["related_to_id"] == str(topic.id)
         assert activity_data["related_to_kind"] == "Topic"
         assert activity_data["related_to_url"] == topic.self_api_url()
+
+    def test_activity_api_list_with_private_visible_to_owner(self) -> None:
+        """Owner should see activities about their own private objects."""
+        owner = UserFactory()
+        dataset = DatasetFactory(private=True, owner=owner)
+        FakeDatasetActivity.objects.create(actor=UserFactory(), related_to=dataset)
+
+        # Anonymous user won't see it
+        response = self.get(url_for("api.activity"))
+        assert200(response)
+        assert len(response.json["data"]) == 0
+
+        # Owner should see their own private dataset activity
+        self.login(owner)
+        response = self.get(url_for("api.activity"))
+        assert200(response)
+        assert len(response.json["data"]) == 1
+
+    def test_activity_api_list_with_private_visible_to_org_member(self) -> None:
+        """Organization members should see activities about their org's private objects."""
+        member = UserFactory()
+        org = OrganizationFactory(admins=[member])
+        dataset = DatasetFactory(private=True, organization=org)
+        FakeDatasetActivity.objects.create(actor=UserFactory(), related_to=dataset)
+
+        # Anonymous user won't see it
+        response = self.get(url_for("api.activity"))
+        assert200(response)
+        assert len(response.json["data"]) == 0
+
+        # Org member should see the private dataset activity
+        self.login(member)
+        response = self.get(url_for("api.activity"))
+        assert200(response)
+        assert len(response.json["data"]) == 1

udata/tests/api/test_datasets_api.py

@@ -724,6 +724,19 @@ class DatasetAPITest(APITestCase):
         dataset = Dataset.objects.first()
         self.assertEqual(dataset.spatial.geom, SAMPLE_GEOM)
 
+    def test_dataset_api_create_with_invalid_geom_coordinates(self):
+        """It should return 400 with invalid GeoJSON coordinates, not 500"""
+        self.login()
+        data = DatasetFactory.as_dict()
+        # Invalid GeoJSON: {} in coordinates instead of numbers (Sentry issue)
+        data["spatial"] = {"geom": {"type": "Point", "coordinates": {}}}
+        response = self.post(url_for("api.datasets"), data)
+        self.assert400(response)
+        self.assertEqual(Dataset.objects.count(), 0)
+        # Verify error is properly captured in form validation errors
+        self.assertIn("errors", response.json)
+        self.assertIn("spatial", response.json["errors"])
+
     def test_dataset_api_create_with_legacy_frequency(self):
         """It should create a dataset from the API with a legacy frequency"""
         self.login()
@@ -1542,6 +1555,44 @@ class DatasetsFeedAPItest(APITestCase):
         entry = feed.entries[0]
         assert uris.validate(entry["id"])
 
+    @pytest.mark.options(DELAY_BEFORE_APPEARING_IN_RSS_FEED=0)
+    def test_recent_feed_with_organization_filter(self):
+        org1 = OrganizationFactory()
+        org2 = OrganizationFactory()
+        DatasetFactory(title="Dataset Org1", organization=org1, resources=[ResourceFactory()])
+        DatasetFactory(title="Dataset Org2", organization=org2, resources=[ResourceFactory()])
+
+        response = self.get(url_for("api.recent_datasets_atom_feed", organization=str(org1.id)))
+        self.assert200(response)
+
+        feed = feedparser.parse(response.data)
+        self.assertEqual(len(feed.entries), 1)
+        self.assertEqual(feed.entries[0].title, "Dataset Org1")
+
+    @pytest.mark.options(DELAY_BEFORE_APPEARING_IN_RSS_FEED=0)
+    def test_recent_feed_with_tag_filter(self):
+        DatasetFactory(title="Tagged", tags=["transport"], resources=[ResourceFactory()])
+        DatasetFactory(title="Not Tagged", tags=["other"], resources=[ResourceFactory()])
+
+        response = self.get(url_for("api.recent_datasets_atom_feed", tag="transport"))
+        self.assert200(response)
+
+        feed = feedparser.parse(response.data)
+        self.assertEqual(len(feed.entries), 1)
+        self.assertEqual(feed.entries[0].title, "Tagged")
+
+    @pytest.mark.options(DELAY_BEFORE_APPEARING_IN_RSS_FEED=0)
+    def test_recent_feed_with_search_query(self):
+        DatasetFactory(title="Transport public", resources=[ResourceFactory()])
+        DatasetFactory(title="Environnement", resources=[ResourceFactory()])
+
+        response = self.get(url_for("api.recent_datasets_atom_feed", q="transport"))
+        self.assert200(response)
+
+        feed = feedparser.parse(response.data)
+        self.assertEqual(len(feed.entries), 1)
+        self.assertEqual(feed.entries[0].title, "Transport public")
+
 
 class DatasetBadgeAPITest(APITestCase):
     @classmethod
@@ -1693,6 +1744,12 @@ class DatasetResourceAPITest(APITestCase):
         self.dataset.reload()
         self.assertEqual(len(self.dataset.resources), 2)
 
+    def test_create_with_list_returns_400(self):
+        """It should return 400 when sending a list instead of a dict"""
+        data = [ResourceFactory.as_dict()]
+        response = self.post(url_for("api.resources", dataset=self.dataset), data)
+        self.assert400(response)
+
     def test_create_with_file(self):
         """It should create a resource from the API with a file"""
         user = self.login()
@@ -1834,6 +1891,18 @@ class DatasetResourceAPITest(APITestCase):
             f"Resource ids must match existing ones in dataset, ie: {set(str(r.id) for r in self.dataset.resources)}",
         )
 
+    def test_invalid_reorder_dict_without_id(self):
+        """It should return 400 when dict in resources list has no 'id' key"""
+        self.dataset.resources = ResourceFactory.build_batch(3)
+        self.dataset.save()
+
+        # Dict without 'id' key should fail gracefully, not raise KeyError
+        wrong_order_dict_without_id = [{"title": "foo"}, {"title": "bar"}, {"title": "baz"}]
+        response = self.put(
+            url_for("api.resources", dataset=self.dataset), wrong_order_dict_without_id
+        )
+        self.assertStatus(response, 400)
+
     def test_update_local(self):
         resource = ResourceFactory()
         self.dataset.resources.append(resource)

udata/tests/api/test_organizations_api.py

@@ -1017,7 +1017,6 @@ class OrganizationCsvExportsTest(PytestOnlyAPITestCase):
 
         assert200(response)
         assert response.mimetype == "text/csv"
-        assert response.charset == "utf-8"
 
         csvfile = StringIO(response.data.decode("utf-8"))
         reader = csv.get_reader(csvfile)
@@ -1045,7 +1044,6 @@ class OrganizationCsvExportsTest(PytestOnlyAPITestCase):
 
         assert200(response)
         assert response.mimetype == "text/csv"
-        assert response.charset == "utf-8"
 
         csvfile = StringIO(response.data.decode("utf-8"))
         reader = csv.get_reader(csvfile)
@@ -1083,7 +1081,6 @@ class OrganizationCsvExportsTest(PytestOnlyAPITestCase):
 
         assert200(response)
         assert response.mimetype == "text/csv"
-        assert response.charset == "utf-8"
 
         csvfile = StringIO(response.data.decode("utf-8"))
         reader = csv.get_reader(csvfile)