diff --git a/cypress/integration/deposit-admin.spec.js b/cypress/integration/deposit-admin.spec.js
index 4b308e4a..c8949e39 100644
--- a/cypress/integration/deposit-admin.spec.js
+++ b/cypress/integration/deposit-admin.spec.js
@@ -1,164 +1,208 @@
 /**
  * Copyright (C) 2020-2022  The Software Heritage developers
  * See the AUTHORS file at the top-level directory of this distribution
  * License: GNU Affero General Public License version 3, or any later version
  * See top-level LICENSE file for more information
  */
 
 // data to use as request query response
 let responseDeposits;
 let expectedOrigins;
+let depositModerationUrl;
+let depositListUrl;
+
+describe('Test moderation deposit Login/logout', function() {
+  before(function() {
+    depositModerationUrl = this.Urls.admin_deposit();
+  });
+
+  it('should not display deposit moderation link in sidebar when anonymous', function() {
+    cy.visit(depositModerationUrl);
+    cy.get(`.sidebar a[href="${depositModerationUrl}"]`)
+      .should('not.exist');
+  });
+
+  it('should not display deposit moderation link when connected as unprivileged user', function() {
+    cy.userLogin();
+    cy.visit(depositModerationUrl);
+
+    cy.get(`.sidebar a[href="${depositModerationUrl}"]`)
+      .should('not.exist');
+
+  });
+
+  it('should display deposit moderation link in sidebar when connected as privileged user', function() {
+    cy.depositLogin();
+    cy.visit(depositModerationUrl);
+
+    cy.get(`.sidebar a[href="${depositModerationUrl}"]`)
+      .should('exist');
+  });
+
+  it('should display deposit moderation link in sidebar when connected as staff member', function() {
+    cy.adminLogin();
+    cy.visit(depositModerationUrl);
+
+    cy.get(`.sidebar a[href="${depositModerationUrl}"]`)
+      .should('exist');
+  });
+
+});
 
 describe('Test admin deposit page', function() {
+  before(function() {
+    depositModerationUrl = this.Urls.admin_deposit();
+    depositListUrl = this.Urls.admin_deposit_list();
+  });
+
   beforeEach(() => {
     responseDeposits = [
       {
         'id': 614,
         'type': 'code',
         'external_id': 'ch-de-1',
         'reception_date': '2020-05-18T13:48:27Z',
         'status': 'done',
         'status_detail': null,
         'swhid': 'swh:1:dir:ef04a768',
         'swhid_context': 'swh:1:dir:ef04a768;origin=https://w.s.o/c-d-1;visit=swh:1:snp:b234be1e;anchor=swh:1:rev:d24a75c9;path=/',
         'uri': 'https://w.s.o/c-d-1'
       },
       {
         'id': 613,
         'type': 'code',
         'external_id': 'ch-de-2',
         'reception_date': '2020-05-18T11:20:16Z',
         'status': 'done',
         'status_detail': null,
         'swhid': 'swh:1:dir:181417fb',
         'swhid_context': 'swh:1:dir:181417fb;origin=https://w.s.o/c-d-2;visit=swh:1:snp:8c32a2ef;anchor=swh:1:rev:3d1eba04;path=/',
         'uri': 'https://w.s.o/c-d-2'
       },
       {
         'id': 612,
         'type': 'code',
         'external_id': 'ch-de-3',
         'reception_date': '2020-05-18T11:20:16Z',
         'status': 'rejected',
         'status_detail': 'incomplete deposit!',
         'swhid': null,
         'swhid_context': null,
         'uri': null
       }
     ];
     // those are computed from the
     expectedOrigins = {
       614: 'https://w.s.o/c-d-1',
       613: 'https://w.s.o/c-d-2',
       612: ''
     };
 
   });
 
   it('Should display properly entries', function() {
     cy.adminLogin();
 
     const testDeposits = responseDeposits;
-    cy.intercept(`${this.Urls.admin_deposit_list()}**`, {
+    cy.intercept(`${depositListUrl}**`, {
       body: {
         'draw': 10,
         'recordsTotal': testDeposits.length,
         'recordsFiltered': testDeposits.length,
         'data': testDeposits
       }
     }).as('listDeposits');
 
-    cy.visit(this.Urls.admin_deposit());
+    cy.visit(depositModerationUrl);
 
     cy.location('pathname')
-      .should('be.equal', this.Urls.admin_deposit());
-    cy.url().should('include', '/admin/deposit');
+      .should('be.equal', depositModerationUrl);
 
     cy.get('#swh-admin-deposit-list')
       .should('exist');
 
     cy.wait('@listDeposits').then((xhr) => {
       cy.log('response:', xhr.response);
       cy.log(xhr.response.body);
       const deposits = xhr.response.body.data;
       cy.log('Deposits: ', deposits);
       expect(deposits.length).to.equal(testDeposits.length);
 
       cy.get('#swh-admin-deposit-list').find('tbody > tr').as('rows');
 
       // only 2 entries
       cy.get('@rows').each((row, idx, collection) => {
         const deposit = deposits[idx];
         const responseDeposit = testDeposits[idx];
         assert.isNotNull(deposit);
         assert.isNotNull(responseDeposit);
         expect(deposit.id).to.be.equal(responseDeposit['id']);
         expect(deposit.uri).to.be.equal(responseDeposit['uri']);
         expect(deposit.type).to.be.equal(responseDeposit['type']);
         expect(deposit.external_id).to.be.equal(responseDeposit['external_id']);
         expect(deposit.status).to.be.equal(responseDeposit['status']);
         expect(deposit.status_detail).to.be.equal(responseDeposit['status_detail']);
         expect(deposit.swhid).to.be.equal(responseDeposit['swhid']);
         expect(deposit.swhid_context).to.be.equal(responseDeposit['swhid_context']);
 
         const expectedOrigin = expectedOrigins[deposit.id];
         // ensure it's in the dom
         cy.contains(deposit.id).should('be.visible');
         if (deposit.status !== 'rejected') {
           expect(row).to.not.contain(deposit.external_id);
           cy.contains(expectedOrigin).should('be.visible');
         }
 
         cy.contains(deposit.status).should('be.visible');
         // those are hidden by default, so now visible
         if (deposit.status_detail !== null) {
           cy.contains(deposit.status_detail).should('not.exist');
         }
 
         // those are hidden by default
         if (deposit.swhid !== null) {
           cy.contains(deposit.swhid).should('not.exist');
           cy.contains(deposit.swhid_context).should('not.exist');
         }
       });
 
       // toggling all links and ensure, the previous checks are inverted
       cy.get('a.toggle-col').click({'multiple': true}).then(() => {
         cy.get('#swh-admin-deposit-list').find('tbody > tr').as('rows');
 
         cy.get('@rows').each((row, idx, collection) => {
           const deposit = deposits[idx];
           const expectedOrigin = expectedOrigins[deposit.id];
 
           // ensure it's in the dom
           cy.contains(deposit.id).should('not.exist');
           if (deposit.status !== 'rejected') {
             expect(row).to.not.contain(deposit.external_id);
             expect(row).to.contain(expectedOrigin);
           }
 
           expect(row).to.not.contain(deposit.status);
           // those are hidden by default, so now visible
           if (deposit.status_detail !== null) {
             cy.contains(deposit.status_detail).should('be.visible');
           }
 
           // those are hidden by default, so now they should be visible
           if (deposit.swhid !== null) {
             cy.contains(deposit.swhid).should('be.visible');
             cy.contains(deposit.swhid_context).should('be.visible');
             // check SWHID link text formatting
             cy.contains(deposit.swhid_context).then(elt => {
               expect(elt[0].innerHTML).to.equal(deposit.swhid_context.replace(/;/g, ';<br>'));
             });
           }
         });
       });
 
       cy.get('#swh-admin-deposit-list-error')
         .should('not.contain',
                 'An error occurred while retrieving the list of deposits');
     });
 
   });
 });
diff --git a/cypress/support/index.js b/cypress/support/index.js
index e85132b0..486209c6 100644
--- a/cypress/support/index.js
+++ b/cypress/support/index.js
@@ -1,95 +1,99 @@
 /**
  * Copyright (C) 2019-2022  The Software Heritage developers
  * See the AUTHORS file at the top-level directory of this distribution
  * License: GNU Affero General Public License version 3, or any later version
  * See top-level LICENSE file for more information
  */
 
 import 'cypress-hmr-restarter';
 import '@cypress/code-coverage/support';
 
 Cypress.Screenshot.defaults({
   screenshotOnRunFailure: false
 });
 
 Cypress.Commands.add('xhrShouldBeCalled', (alias, timesCalled) => {
   const testRoutes = cy.state('routes');
   const aliasRoute = Cypress._.find(testRoutes, {alias});
   expect(Object.keys(aliasRoute.requests || {})).to.have.length(timesCalled);
 });
 
 function loginUser(username, password) {
   const url = '/admin/login/';
   return cy.request({
     url: url,
     method: 'GET'
   }).then(() => {
     cy.getCookie('sessionid').should('not.exist');
     cy.getCookie('csrftoken').its('value').then((token) => {
       cy.request({
         url: url,
         method: 'POST',
         form: true,
         followRedirect: false,
         body: {
           username: username,
           password: password,
           csrfmiddlewaretoken: token
         }
       }).then(() => {
         cy.getCookie('sessionid').should('exist');
         return cy.getCookie('csrftoken').its('value');
       });
     });
   });
 }
 
 Cypress.Commands.add('adminLogin', () => {
   return loginUser('admin', 'admin');
 });
 
 Cypress.Commands.add('userLogin', () => {
   return loginUser('user', 'user');
 });
 
 Cypress.Commands.add('ambassadorLogin', () => {
   return loginUser('ambassador', 'ambassador');
 });
 
+Cypress.Commands.add('depositLogin', () => {
+  return loginUser('deposit', 'deposit');
+});
+
 function mockCostlyRequests() {
   cy.intercept('https://status.softwareheritage.org/**', {
     body: {
       'result': {
         'status': [
           {
             'id': '5f7c4c567f50b304c1e7bd5f',
             'name': 'Save Code Now',
             'updated': '2020-11-30T13:51:21.151Z',
             'status': 'Operational',
             'status_code': 100
           }
         ]
       }
     }}).as('swhPlatformStatus');
 
   cy.intercept('/coverage', {
     body: ''
   }).as('swhCoverageWidget');
 }
 
 before(function() {
 
   mockCostlyRequests();
 
   cy.task('getSwhTestsData').then(testsData => {
     Object.assign(this, testsData);
   });
 
   cy.visit('/').window().then(async win => {
     this.Urls = win.Urls;
   });
 });
 
 beforeEach(function() {
   mockCostlyRequests();
 });
diff --git a/swh/web/templates/layout.html b/swh/web/templates/layout.html
index 1a682e2a..1ac28157 100644
--- a/swh/web/templates/layout.html
+++ b/swh/web/templates/layout.html
@@ -1,293 +1,295 @@
 {% comment %}
 Copyright (C) 2015-2021  The Software Heritage developers
 See the AUTHORS file at the top-level directory of this distribution
 License: GNU Affero General Public License version 3, or any later version
 See top-level LICENSE file for more information
 {% endcomment %}
 
 <!DOCTYPE html>
 
 {% load js_reverse %}
 {% load static %}
 {% load render_bundle from webpack_loader %}
 {% load swh_templatetags %}
 
 <html lang="en">
   <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <title>{% block title %}{% endblock %}</title>
 
     {% render_bundle 'vendors' %}
     {% render_bundle 'webapp' %}
     {% render_bundle 'guided_tour' %}
 
     <script>
 /*
 @licstart  The following is the entire license notice for the JavaScript code in this page.
 
 Copyright (C) 2015-2021  The Software Heritage developers
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
 
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Affero General Public License for more details.
 
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 @licend  The above is the entire license notice for the JavaScript code in this page.
 */
     </script>
 
     <script>
       SWH_CONFIG = {{swh_client_config|jsonify}};
       swh.webapp.sentryInit(SWH_CONFIG.sentry_dsn);
     </script>
 
     <script src="{% url 'js_reverse' %}" type="text/javascript"></script>
 
     <script>
       swh.webapp.setSwhObjectIcons({{ swh_object_icons|jsonify }});
     </script>
 
     {{ request.user.is_authenticated|json_script:"swh_user_logged_in" }}
 
     {% block header %}{% endblock %}
 
     <link rel="icon" href="{% static 'img/icons/swh-logo-32x32.png' %}" sizes="32x32" />
     <link rel="icon" href="{% static 'img/icons/swh-logo-archive-192x192.png' %}" sizes="192x192" />
     <link rel="apple-touch-icon-precomposed" href="{% static 'img/icons/swh-logo-archive-180x180.png' %}" />
     <link rel="search" type="application/opensearchdescription+xml" title="Software Heritage archive of public source code" href="{% static 'xml/swh-opensearch.xml' %}">
     <meta name="msapplication-TileImage" content="{% static 'img/icons/swh-logo-archive-270x270.png' %}" />
 
     {% if not swh_web_dev and not swh_web_staging %}
 
       <!-- Matomo -->
       <script type="text/javascript">
         var _paq = window._paq = window._paq || [];
         _paq.push(['trackPageView']);
         (function() {
           var u="https://piwik.inria.fr/";
           _paq.push(['setTrackerUrl', u+'matomo.php']);
           _paq.push(['setSiteId', '59']);
           var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
           g.type='text/javascript'; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
         })();
       </script>
       <!-- End Matomo Code -->
 
     {% endif %}
 
   </head>
 
   <body class="hold-transition layout-fixed sidebar-mini">
     <a id="top"></a>
     <div class="wrapper">
       <div class="swh-top-bar">
         <ul>
           <li class="swh-position-left">
             <div id="swh-full-width-switch-container" class="custom-control custom-switch d-none d-lg-block d-xl-block">
               <input type="checkbox" class="custom-control-input" id="swh-full-width-switch" onclick="swh.webapp.fullWidthToggled(event)">
               <label class="custom-control-label font-weight-normal" for="swh-full-width-switch">Full width</label>
             </div>
           </li>
           <li>
             <a href="https://www.softwareheritage.org">Home</a>
           </li>
           <li>
             <a href="https://forge.softwareheritage.org/">Development</a>
           </li>
           <li>
             <a href="https://docs.softwareheritage.org/devel/">Documentation</a>
           </li>
           <li>
             <a class="swh-donate-link" href="https://www.softwareheritage.org/donate">Donate</a>
           </li>
           <li class="swh-position-right">
             <a href="{{ status.server_url }}" target="_blank"
               class="swh-current-status mr-3 d-none d-lg-inline-block d-xl-inline-block">
               <span id="swh-current-status-description">Operational</span>
               <i class="swh-current-status-indicator green"></i>
             </a>
             {% url 'logout' as logout_url %}
             {% if user.is_authenticated %}
               Logged in as
               {% if 'OIDC' in user.backend %}
                 <a id="swh-login" href="{% url 'oidc-profile' %}"><strong>{{ user.username }}</strong></a>,
                 <a href=  "{% url 'oidc-logout' %}?next_path={% url 'logout' %}?remote_user=1">logout</a>
               {% else %}
                 <strong id="swh-login">{{ user.username }}</strong>,
                 <a href="{{ logout_url }}">logout</a>
               {% endif %}
             {% elif oidc_enabled %}
               {% if request.path != logout_url %}
                 <a id="swh-login" href="{% url 'oidc-login' %}?next_path={{ request.build_absolute_uri }}">login</a>
               {% else %}
                 <a id="swh-login" href="{% url 'oidc-login' %}">login</a>
               {% endif %}
             {% else %}
               {% if request.path != logout_url %}
                 <a id="swh-login" href="{% url 'login' %}?next={{ request.build_absolute_uri }}">login</a>
               {% else %}
                 <a id="swh-login" href="{% url 'login' %}">login</a>
               {% endif %}
             {% endif %}
           </li>
         </ul>
       </div>
       {% comment %} <iframe class="swh-fundraising-banner-iframe" src="{% url 'swh-fundraising-banner' %}"></iframe> {% endcomment %}
       <nav class="main-header navbar navbar-expand-lg navbar-light navbar-static-top" id="swh-navbar">
         <div class="navbar-header">
           <a class="nav-link swh-push-menu" data-widget="pushmenu" data-enable-remember="true" href="#">
             <i class="mdi mdi-24px mdi-menu mdi-fw" aria-hidden="true"></i>
           </a>
         </div>
         <div class="navbar" style="width: 94%;">
           <div class="swh-navbar-content">
             {% block navbar-content %}{% endblock %}
             {% if request.resolver_match.url_name != 'swh-web-homepage' and request.resolver_match.url_name != 'browse-search' %}
               <form class="form-horizontal d-none d-md-flex input-group swh-search-navbar needs-validation"
                   id="swh-origins-search-top">
                 <input class="form-control"
                   placeholder="Enter a SWHID to resolve or keyword(s) to search for in origin URLs"
                   type="text" id="swh-origins-search-top-input"
                   oninput="swh.webapp.validateSWHIDInput(this)" required/>
                 <div class="input-group-append">
                   <button class="btn btn-primary" type="submit">
                   <i class="swh-search-icon mdi mdi-24px mdi-magnify" aria-hidden="true"></i>
                   </button>
                 </div>
               </form>
             {% endif %}
           </div>
         </div>
       </nav>
     </div>
 
     <aside class="swh-sidebar main-sidebar sidebar-no-expand sidebar-light-primary elevation-4">
       <a href="{% url 'swh-web-homepage' %}" class="brand-link">
         <img class="brand-image" src="{% static 'img/swh-logo.png' %}">
         <div class="brand-text sitename" href="{% url 'swh-web-homepage' %}">
           <span class="first-word">Software</span> <span class="second-word">Heritage</span>
         </div>
       </a>
 
       <a href="/" class="swh-words-logo">
         <div class="swh-words-logo-swh">
           <span class="first-word">Software</span>
           <span class="second-word">Heritage</span>
         </div>
         <span>Archive</span>
       </a>
 
       <div class="sidebar">
         <nav class="mt-2">
           <ul class="nav nav-pills nav-sidebar flex-column" data-widget="treeview" role="menu" data-accordion="false">
             <li class="nav-header">Features</li>
             <li class="nav-item swh-search-item" title="Search archived software">
               <a href="{% url 'browse-search' %}" class="nav-link swh-search-link">
                 <i style="color: #e20026;" class="nav-icon mdi mdi-24px mdi-magnify"></i>
                 <p>Search</p>
               </a>
             </li>
             <li class="nav-item swh-vault-item" title="Download archived software from the Vault">
               <a href="{% url 'browse-vault' %}" class="nav-link swh-vault-link">
                 <i style="color: #e20026;" class="nav-icon mdi mdi-24px mdi-download"></i>
                 <p>Downloads</p>
               </a>
             </li>
             <li class="nav-item swh-origin-save-item" title="Request the saving of a software origin into the archive">
               <a href="{% url 'origin-save' %}" class="nav-link swh-origin-save-link">
                 <i style="color: #e20026;" class="nav-icon mdi mdi-24px mdi-camera"></i>
                 <p>Save code now</p>
               </a>
             </li>
             <li class="nav-item swh-origin-save-item" title="Request adding a new forge listing">
               <a href="{% url 'forge-add' %}" class="nav-link swh-forge-add-link">
                 <i style="color: #e20026;" class="nav-icon mdi mdi-24px mdi-anvil"></i>
                 <p>Add forge now</p>
               </a>
             </li>
             <li class="nav-item swh-help-item" title="How to browse the archive ?">
               <a href="#" class="nav-link swh-help-link" onclick="swh.guided_tour.guidedTourButtonClick(event)">
                 <i style="color: #e20026;" class="nav-icon mdi mdi-24px mdi-help-circle"></i>
                 <p>Help</p>
               </a>
             </li>
-            {% if user.is_authenticated  and user.is_staff or ADMIN_LIST_DEPOSIT_PERMISSION in user.get_all_permissions %}
+            {% if user.is_authenticated %}
               <li class="nav-header">Administration</li>
               {% if user.is_staff %}
                 <li class="nav-item swh-origin-save-admin-item" title="Save code now administration">
                   <a href="{% url 'admin-origin-save' %}" class="nav-link swh-origin-save-admin-link">
                     <i style="color: #fecd1b;" class="nav-icon mdi mdi-24px mdi-camera"></i>
                     <p>Save code now</p>
                   </a>
                 </li>
               {% endif %}
+              {% if user.is_staff or ADMIN_LIST_DEPOSIT_PERMISSION in user.get_all_permissions %}
               <li class="nav-item swh-deposit-admin-item" title="Deposit administration">
                 <a href="{% url 'admin-deposit' %}" class="nav-link swh-deposit-admin-link">
                   <i style="color: #fecd1b;" class="nav-icon mdi mdi-24px mdi-folder-upload"></i>
                   <p>Deposit</p>
                 </a>
               </li>
+              {% endif %}
             {% endif %}
           </ul>
         </nav>
       </div>
     </aside>
 
     <div class="content-wrapper">
       <section class="content">
         <div class="container" id="swh-web-content">
           {% if swh_web_staging %}
             <div class="swh-corner-ribbon">Staging<br/>v{{ swh_web_version }}</div>
           {% elif swh_web_dev %}
             <div class="swh-corner-ribbon">Development<br/>v{{ swh_web_version|split:"+"|first }}</div>
           {% endif %}
           {% block content %}{% endblock %}
         </div>
       </section>
     </div>
 
     {% include "includes/global-modals.html" %}
 
     <footer class="footer">
       <div class="container text-center">
         <a href="https://www.softwareheritage.org">Software Heritage</a> &mdash;
         Copyright (C) 2015&ndash;{% now "Y" %}, The Software Heritage developers.
         License: <a href="https://www.gnu.org/licenses/agpl.html">GNU
         AGPLv3+</a>. <br/> The source code of Software Heritage <em>itself</em>
         is available on
         our <a href="https://forge.softwareheritage.org/">development
         forge</a>. <br/> The source code files <em>archived</em> by Software
         Heritage are available under their own copyright and licenses. <br/>
         <span class="link-color">Terms of use: </span>
         <a href="https://www.softwareheritage.org/legal/bulk-access-terms-of-use/">Archive access</a>,
         <a href="https://www.softwareheritage.org/legal/api-terms-of-use/">API</a>-
         <a href="https://www.softwareheritage.org/contact/">Contact</a>-
         <a href="{% url 'jslicenses' %}" rel="jslicense">JavaScript license information</a>-
         <a href="{% url 'api-1-homepage' %}">Web API</a><br/>
         {% if "production" not in DJANGO_SETTINGS_MODULE  %}
           swh-web v{{ swh_web_version }}
         {% endif %}
       </div>
     </footer>
     <div id="back-to-top">
       <a href="#top"><img alt="back to top" src="{% static 'img/arrow-up-small.png' %}" /></a>
     </div>
     <script>
       swh.webapp.setContainerFullWidth();
       var statusServerURL = {{ status.server_url|jsonify }};
       var statusJsonPath = {{ status.json_path|jsonify }};
       swh.webapp.initStatusWidget(statusServerURL + statusJsonPath);
     </script>
   </body>
 
 </html>
diff --git a/swh/web/tests/create_test_admin.py b/swh/web/tests/create_test_admin.py
index ca123dbf..b7af12e9 100644
--- a/swh/web/tests/create_test_admin.py
+++ b/swh/web/tests/create_test_admin.py
@@ -1,16 +1,20 @@
-# Copyright (C) 2019  The Software Heritage developers
+# Copyright (C) 2019-2022  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 
 from django.contrib.auth import get_user_model
 
 username = "admin"
 password = "admin"
 email = "admin@swh-web.org"
 
 User = get_user_model()
 
-if not User.objects.filter(username=username).exists():
-    User.objects.create_superuser(username, email, password)
+try:
+    user = User.objects.filter(username=username).get()
+except User.DoesNotExist:
+    user = User.objects.create_superuser(username, email, password)
+
+assert user.is_staff is True
diff --git a/swh/web/tests/create_test_users.py b/swh/web/tests/create_test_users.py
index f92d3604..b6668a72 100644
--- a/swh/web/tests/create_test_users.py
+++ b/swh/web/tests/create_test_users.py
@@ -1,29 +1,35 @@
-# Copyright (C) 2021  The Software Heritage developers
+# Copyright (C) 2021-2022  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 from typing import Dict, List, Tuple
 
 from django.contrib.auth import get_user_model
 
-from swh.web.auth.utils import SWH_AMBASSADOR_PERMISSION
+from swh.web.auth.utils import ADMIN_LIST_DEPOSIT_PERMISSION, SWH_AMBASSADOR_PERMISSION
 from swh.web.tests.utils import create_django_permission
 
 User = get_user_model()
 
 
 users: Dict[str, Tuple[str, str, List[str]]] = {
-    "user": ("user", "user@swh-web.org", []),
-    "ambassador": ("ambassador", "ambassador@swh-web.org", [SWH_AMBASSADOR_PERMISSION]),
+    "user": ("user", "user@example.org", []),
+    "ambassador": (
+        "ambassador",
+        "ambassador@example.org",
+        [SWH_AMBASSADOR_PERMISSION],
+    ),
+    "deposit": ("deposit", "deposit@example.org", [ADMIN_LIST_DEPOSIT_PERMISSION],),
 }
 
+
 for username, (password, email, permissions) in users.items():
     if not User.objects.filter(username=username).exists():
         user = User.objects.create_user(username, email, password)
         if permissions:
             for perm_name in permissions:
                 permission = create_django_permission(perm_name)
                 user.user_permissions.add(permission)
 
             user.save()
diff --git a/swh/web/tests/utils.py b/swh/web/tests/utils.py
index 216b2f1a..8d00afed 100644
--- a/swh/web/tests/utils.py
+++ b/swh/web/tests/utils.py
@@ -1,235 +1,239 @@
 # Copyright (C) 2020-2021  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 from typing import Any, Dict, Optional, cast
 
 from django.contrib.auth.models import Permission
 from django.contrib.contenttypes.models import ContentType
 from django.http import HttpResponse, StreamingHttpResponse
 from django.test.client import Client
 from rest_framework.response import Response
 from rest_framework.test import APIClient
 
 from swh.web.tests.django_asserts import assert_template_used
 
 
 def _assert_http_response(
     response: HttpResponse, status_code: int, content_type: str
 ) -> HttpResponse:
 
     if isinstance(response, Response):
         drf_response = cast(Response, response)
         error_context = (
             drf_response.data.pop("traceback")
             if isinstance(drf_response.data, dict) and "traceback" in drf_response.data
             else drf_response.data
         )
     elif isinstance(response, StreamingHttpResponse):
         error_context = getattr(response, "traceback", response.streaming_content)
     else:
         error_context = getattr(response, "traceback", response.content)
 
     assert response.status_code == status_code, error_context
     if content_type != "*/*":
         assert response["Content-Type"].startswith(content_type)
     return response
 
 
 def check_http_get_response(
     client: Client,
     url: str,
     status_code: int,
     content_type: str = "*/*",
     http_origin: Optional[str] = None,
     server_name: Optional[str] = None,
 ) -> HttpResponse:
     """Helper function to check HTTP response for a GET request.
 
     Args:
         client: Django test client
         url: URL to check response
         status_code: expected HTTP status code
         content_type: expected response content type
         http_origin: optional HTTP_ORIGIN header value
 
     Returns:
         The HTTP response
     """
     return _assert_http_response(
         response=client.get(
             url,
             HTTP_ACCEPT=content_type,
             HTTP_ORIGIN=http_origin,
             SERVER_NAME=server_name if server_name else "testserver",
         ),
         status_code=status_code,
         content_type=content_type,
     )
 
 
 def check_http_post_response(
     client: Client,
     url: str,
     status_code: int,
     content_type: str = "*/*",
     request_content_type="application/json",
     data: Optional[Dict[str, Any]] = None,
     http_origin: Optional[str] = None,
 ) -> HttpResponse:
     """Helper function to check HTTP response for a POST request.
 
     Args:
         client: Django test client
         url: URL to check response
         status_code: expected HTTP status code
         content_type: expected response content type
         request_content_type: content type of request body
         data: optional POST data
 
     Returns:
         The HTTP response
     """
     return _assert_http_response(
         response=client.post(
             url,
             data=data,
             content_type=request_content_type,
             HTTP_ACCEPT=content_type,
             HTTP_ORIGIN=http_origin,
         ),
         status_code=status_code,
         content_type=content_type,
     )
 
 
 def check_api_get_responses(
     api_client: APIClient, url: str, status_code: int
 ) -> Response:
     """Helper function to check Web API responses for GET requests
     for all accepted content types (JSON, YAML, HTML).
 
     Args:
         api_client: DRF test client
         url: Web API URL to check responses
         status_code: expected HTTP status code
 
     Returns:
         The Web API JSON response
     """
     # check JSON response
     response_json = check_http_get_response(
         api_client, url, status_code, content_type="application/json"
     )
 
     # check HTML response (API Web UI)
     check_http_get_response(api_client, url, status_code, content_type="text/html")
 
     # check YAML response
     check_http_get_response(
         api_client, url, status_code, content_type="application/yaml"
     )
 
     return cast(Response, response_json)
 
 
 def check_api_post_response(
     api_client: APIClient,
     url: str,
     status_code: int,
     content_type: str = "*/*",
     data: Optional[Dict[str, Any]] = None,
 ) -> HttpResponse:
     """Helper function to check Web API response for a POST request
     for all accepted content types.
 
     Args:
         api_client: DRF test client
         url: Web API URL to check response
         status_code: expected HTTP status code
 
     Returns:
         The HTTP response
     """
     return _assert_http_response(
         response=api_client.post(
             url, data=data, format="json", HTTP_ACCEPT=content_type,
         ),
         status_code=status_code,
         content_type=content_type,
     )
 
 
 def check_api_post_responses(
     api_client: APIClient,
     url: str,
     status_code: int,
     data: Optional[Dict[str, Any]] = None,
 ) -> Response:
     """Helper function to check Web API responses for POST requests
     for all accepted content types (JSON, YAML).
 
     Args:
         api_client: DRF test client
         url: Web API URL to check responses
         status_code: expected HTTP status code
 
     Returns:
         The Web API JSON response
     """
     # check JSON response
     response_json = check_api_post_response(
         api_client, url, status_code, content_type="application/json", data=data
     )
 
     # check YAML response
     check_api_post_response(
         api_client, url, status_code, content_type="application/yaml", data=data
     )
 
     return cast(Response, response_json)
 
 
 def check_html_get_response(
     client: Client, url: str, status_code: int, template_used: Optional[str] = None
 ) -> HttpResponse:
     """Helper function to check HTML responses for a GET request.
 
     Args:
         client: Django test client
         url: URL to check responses
         status_code: expected HTTP status code
         template_used: optional used Django template to check
 
     Returns:
         The HTML response
     """
     response = check_http_get_response(
         client, url, status_code, content_type="text/html"
     )
     if template_used is not None:
         assert_template_used(response, template_used)
     return response
 
 
 def create_django_permission(perm_name: str) -> Permission:
     """Create permission out of a permission name string
 
     Args:
         perm_name: Permission name (e.g. swh.web.api.throttling_exempted,
           swh.ambassador, ...)
 
     Returns:
         The persisted permission
 
     """
     perm_splitted = perm_name.split(".")
     app_label = ".".join(perm_splitted[:-1])
     perm_name = perm_splitted[-1]
     content_type = ContentType.objects.create(
-        id=1000, app_label=app_label, model="dummy"
+        id=1000 + ContentType.objects.count(), app_label=app_label, model="dummy"
     )
+
     return Permission.objects.create(
-        codename=perm_name, name=perm_name, content_type=content_type, id=1000
+        codename=perm_name,
+        name=perm_name,
+        content_type=content_type,
+        id=1000 + Permission.objects.count(),
     )