diff --git a/swh/web/add_forge_now/models.py b/swh/web/add_forge_now/models.py
index 8683c440..c5dbab5d 100644
--- a/swh/web/add_forge_now/models.py
+++ b/swh/web/add_forge_now/models.py
@@ -1,71 +1,98 @@
 # Copyright (C) 2022  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
+from __future__ import annotations
+
 import enum
+from typing import List
 
 from django.db import models
 
 
 class RequestStatus(enum.Enum):
     """Request statuses.
 
     Values are used in the ui.
 
     """
 
     PENDING = "Pending"
     WAITING_FOR_FEEDBACK = "Waiting for feedback"
     FEEDBACK_TO_HANDLE = "Feedback to handle"
     ACCEPTED = "Accepted"
     SCHEDULED = "Scheduled"
     FIRST_LISTING_DONE = "First listing done"
     FIRST_ORIGIN_LOADED = "First origin loaded"
     REJECTED = "Rejected"
     SUSPENDED = "Suspended"
     DENIED = "Denied"
 
     @classmethod
     def choices(cls):
         return tuple((variant.name, variant.value) for variant in cls)
 
+    def allowed_next_statuses(self) -> List[RequestStatus]:
+        next_statuses = {
+            self.PENDING: [self.WAITING_FOR_FEEDBACK, self.REJECTED, self.SUSPENDED],
+            self.WAITING_FOR_FEEDBACK: [self.FEEDBACK_TO_HANDLE],
+            self.FEEDBACK_TO_HANDLE: [
+                self.WAITING_FOR_FEEDBACK,
+                self.ACCEPTED,
+                self.REJECTED,
+                self.SUSPENDED,
+            ],
+            self.ACCEPTED: [self.SCHEDULED],
+            self.SCHEDULED: [
+                self.FIRST_LISTING_DONE,
+                # in case of race condition between lister and loader:
+                self.FIRST_ORIGIN_LOADED,
+            ],
+            self.FIRST_LISTING_DONE: [self.FIRST_ORIGIN_LOADED],
+            self.FIRST_ORIGIN_LOADED: [],
+            self.REJECTED: [],
+            self.SUSPENDED: [self.PENDING],
+            self.DENIED: [],
+        }
+        return next_statuses[self]  # type: ignore
+
 
 class RequestActorRole(enum.Enum):
     MODERATOR = "moderator"
     SUBMITTER = "submitter"
 
     @classmethod
     def choices(cls):
         return tuple((variant.name, variant.value) for variant in cls)
 
 
 class RequestHistory(models.Model):
     """Comment or status change. This is commented or changed by either submitter or
     moderator.
 
     """
 
     request = models.ForeignKey("Request", models.DO_NOTHING)
     text = models.TextField()
     actor = models.TextField()
     actor_role = models.TextField(choices=RequestActorRole.choices())
     date = models.DateTimeField(auto_now_add=True)
     new_status = models.TextField(choices=RequestStatus.choices(), null=True)
 
 
 class Request(models.Model):
     status = models.TextField(
         choices=RequestStatus.choices(), default=RequestStatus.PENDING.name,
     )
     submission_date = models.DateTimeField(auto_now_add=True)
     submitter_name = models.TextField()
     submitter_email = models.TextField()
     # FIXME: shall we do create a user model inside the webapp instead?
     forge_type = models.TextField()
     forge_url = models.TextField()
     forge_contact_email = models.EmailField()
     forge_contact_name = models.TextField()
     forge_contact_comment = models.TextField(
         help_text="Where did you find this contact information (url, ...)",
     )
diff --git a/swh/web/api/views/add_forge_now.py b/swh/web/api/views/add_forge_now.py
index 1a87302f..ebe08927 100644
--- a/swh/web/api/views/add_forge_now.py
+++ b/swh/web/api/views/add_forge_now.py
@@ -1,108 +1,226 @@
 # Copyright (C) 2022  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 import json
 from typing import Union
 
 from django.core.exceptions import ObjectDoesNotExist
-from django.forms import ModelForm
+from django.db import transaction
+from django.forms import CharField, ModelForm
+from django.http import HttpResponseBadRequest
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse, HttpResponseForbidden
 from rest_framework import serializers
 from rest_framework.request import Request
 from rest_framework.response import Response
 
 from swh.web.add_forge_now.models import Request as AddForgeRequest
+from swh.web.add_forge_now.models import RequestActorRole as AddForgeNowRequestActorRole
+from swh.web.add_forge_now.models import RequestHistory as AddForgeNowRequestHistory
+from swh.web.add_forge_now.models import RequestStatus as AddForgeNowRequestStatus
 from swh.web.api.apidoc import api_doc, format_docstring
 from swh.web.api.apiurls import api_route
 from swh.web.common.exc import BadInputExc
 
+MODERATOR_ROLE = "swh.web.add_forge_now.moderator"
+
+
+def _block_while_testing():
+    """Replaced by tests to check concurrency behavior
+    """
+    pass
+
 
 class AddForgeNowRequestForm(ModelForm):
     class Meta:
         model = AddForgeRequest
         fields = (
             "forge_type",
             "forge_url",
             "forge_contact_email",
             "forge_contact_name",
             "forge_contact_comment",
         )
 
 
+class AddForgeNowRequestHistoryForm(ModelForm):
+    new_status = CharField(max_length=200, required=False,)
+
+    class Meta:
+        model = AddForgeNowRequestHistory
+        fields = ("text", "new_status")
+
+
 class AddForgeNowRequestSerializer(serializers.ModelSerializer):
     class Meta:
         model = AddForgeRequest
         fields = "__all__"
 
 
+class AddForgeNowRequestPublicSerializer(serializers.ModelSerializer):
+    """Serializes AddForgeRequest without private fields.
+    """
+
+    class Meta:
+        model = AddForgeRequest
+        fields = ("forge_url", "forge_type", "status", "submission_date")
+
+
 @api_route(
     r"/add-forge/request/create", "api-1-add-forge-request-create", methods=["POST"],
 )
 @api_doc("/add-forge/request/create")
 @format_docstring()
 def api_add_forge_request_create(request: Union[HttpRequest, Request]) -> HttpResponse:
     """
     .. http:post:: /api/1/add-forge/request/create/
 
         Create a new request to add a forge to the list of those crawled regularly
         by Software Heritage.
 
         .. warning::
             That endpoint is not publicly available and requires authentication
             in order to be able to request it.
 
         {common_headers}
 
         :<json string forge_type: the type of forge
         :<json string forge_url: the base URL of the forge
         :<json string forge_contact_email: email of an administator of the forge to
             contact
         :<json string forge_contact_name: the name of the administrator
         :<json string forge_contact_comment: to explain how Software Heritage can
             verify forge administrator info are valid
 
         :statuscode 201: request successfully created
         :statuscode 400: missing or invalid field values
         :statuscode 403: user not authenticated
     """
     if not request.user.is_authenticated:
         return HttpResponseForbidden(
             "You must be authenticated to create a new add-forge request"
         )
 
     add_forge_request = AddForgeRequest()
 
     if isinstance(request, Request):
         # request submitted with request body in JSON (goes through DRF)
         form = AddForgeNowRequestForm(request.data, instance=add_forge_request)
     else:
         # request submitted with request body in form encoded format
         # (directly handled by Django)
         form = AddForgeNowRequestForm(request.POST, instance=add_forge_request)
 
     if form.errors:
         raise BadInputExc(json.dumps(form.errors))
 
     try:
         existing_request = AddForgeRequest.objects.get(
             forge_url=add_forge_request.forge_url
         )
     except ObjectDoesNotExist:
         pass
     else:
         return Response(
             f"Request for forge already exists (id {existing_request.id})",
             status=409,  # Conflict
         )
 
     add_forge_request.submitter_name = request.user.username
     add_forge_request.submitter_email = request.user.email
 
     form.save()
 
     data = AddForgeNowRequestSerializer(add_forge_request).data
 
     return Response(data=data, status=201)
+
+
+@api_route(
+    r"/add-forge/request/(?P<id>[0-9]+)/update/",
+    "api-1-add-forge-request-update",
+    methods=["POST"],
+)
+@api_doc("/add-forge/request/update", tags=["hidden"])
+@format_docstring()
+@transaction.atomic
+def api_add_forge_request_update(
+    request: Union[HttpRequest, Request], id: int
+) -> HttpResponse:
+    """
+    .. http:post:: /api/1/add-forge/request/update/
+
+        Update a request to add a forge to the list of those crawled regularly
+        by Software Heritage.
+
+        .. warning::
+            That endpoint is not publicly available and requires authentication
+            in order to be able to request it.
+
+        {common_headers}
+
+        :<json string text: comment about new request status
+        :<json string new_status: the new request status
+
+        :statuscode 200: request successfully updated
+        :statuscode 400: missing or invalid field values
+        :statuscode 403: user is not a moderator
+    """
+    if not request.user.is_authenticated:
+        return HttpResponseForbidden(
+            "You must be authenticated to update a new add-forge request"
+        )
+
+    if not request.user.has_perm(MODERATOR_ROLE):
+        return HttpResponseForbidden("You are not a moderator")
+
+    add_forge_request = (
+        AddForgeRequest.objects.filter(id=id).select_for_update().first()
+    )
+
+    if add_forge_request is None:
+        return HttpResponseBadRequest("Invalid request id")
+
+    request_history = AddForgeNowRequestHistory()
+    request_history.request = add_forge_request
+
+    if isinstance(request, Request):
+        # request submitted with request body in JSON (goes through DRF)
+        form = AddForgeNowRequestHistoryForm(request.data, instance=request_history)
+    else:
+        # request submitted with request body in form encoded format
+        # (directly handled by Django)
+        form = AddForgeNowRequestHistoryForm(request.POST, instance=request_history)
+
+    if form.errors:
+        raise BadInputExc(json.dumps(form.errors))
+
+    new_status_str = form["new_status"].value()
+    if new_status_str is not None:
+        new_status = AddForgeNowRequestStatus[new_status_str]
+        current_status = AddForgeNowRequestStatus[add_forge_request.status]
+        if new_status not in current_status.allowed_next_statuses():
+            raise BadInputExc(
+                f"New request status {new_status} cannot be reached "
+                f"from current status {add_forge_request.status}"
+            )
+
+    _block_while_testing()
+
+    request_history.actor = request.user.username
+    request_history.actor_role = AddForgeNowRequestActorRole.MODERATOR.name
+    form.save(commit=False)
+
+    if request_history.new_status == "":
+        request_history.new_status = None
+
+    request_history.save()
+
+    if request_history.new_status is not None:
+        add_forge_request.status = request_history.new_status
+        add_forge_request.save()
+
+    data = AddForgeNowRequestSerializer(add_forge_request).data
+    return Response(data=data, status=200)
diff --git a/swh/web/tests/add_forge_now/test_models.py b/swh/web/tests/add_forge_now/test_models.py
new file mode 100644
index 00000000..86e896f1
--- /dev/null
+++ b/swh/web/tests/add_forge_now/test_models.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2022  The Software Heritage developers
+# See the AUTHORS file at the top-level directory of this distribution
+# License: GNU Affero General Public License version 3, or any later version
+# See top-level LICENSE file for more information
+
+import pytest
+
+from swh.web.add_forge_now.models import RequestStatus
+
+
+@pytest.mark.parametrize(
+    "current_status, allowed_next_statuses",
+    [
+        (
+            RequestStatus.PENDING,
+            [
+                RequestStatus.WAITING_FOR_FEEDBACK,
+                RequestStatus.REJECTED,
+                RequestStatus.SUSPENDED,
+            ],
+        ),
+        (RequestStatus.WAITING_FOR_FEEDBACK, [RequestStatus.FEEDBACK_TO_HANDLE]),
+    ],
+)
+def test_allowed_next_statuses(current_status, allowed_next_statuses):
+    assert current_status.allowed_next_statuses() == allowed_next_statuses
diff --git a/swh/web/tests/api/views/test_add_forge_now.py b/swh/web/tests/api/views/test_add_forge_now.py
index 6d9713e0..4f170b34 100644
--- a/swh/web/tests/api/views/test_add_forge_now.py
+++ b/swh/web/tests/api/views/test_add_forge_now.py
@@ -1,117 +1,267 @@
 # Copyright (C) 2022  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 import datetime
+import threading
+import time
 from urllib.parse import urlencode
 
 import iso8601
 import pytest
 
 from swh.web.add_forge_now.models import Request
+from swh.web.api.views.add_forge_now import MODERATOR_ROLE
 from swh.web.common.utils import reverse
-from swh.web.tests.utils import check_api_post_response, check_http_post_response
+from swh.web.tests.utils import (
+    check_api_post_response,
+    check_http_post_response,
+    create_django_permission,
+)
 
 
 def test_add_forge_request_create_anonymous_user(api_client):
     url = reverse("api-1-add-forge-request-create")
     check_api_post_response(api_client, url, status_code=403)
 
 
 @pytest.mark.django_db
 def test_add_forge_request_create_empty(api_client, regular_user):
     api_client.force_login(regular_user)
     url = reverse("api-1-add-forge-request-create")
     resp = check_api_post_response(api_client, url, status_code=400)
     assert '"forge_type"' in resp.data["reason"]
 
 
 ADD_FORGE_DATA = {
     "forge_type": "gitlab",
     "forge_url": "https://gitlab.example.org",
     "forge_contact_email": "admin@gitlab.example.org",
     "forge_contact_name": "gitlab.example.org admin",
     "forge_contact_comment": "user marked as owner in forge members",
 }
 
+ADD_OTHER_FORGE_DATA = {
+    "forge_type": "gitea",
+    "forge_url": "https://gitea.example.org",
+    "forge_contact_email": "admin@gitea.example.org",
+    "forge_contact_name": "gitea.example.org admin",
+    "forge_contact_comment": "user marked as owner in forge members",
+}
+
 
 @pytest.mark.django_db(transaction=True, reset_sequences=True)
 def test_add_forge_request_create_success(api_client, regular_user):
     api_client.force_login(regular_user)
     url = reverse("api-1-add-forge-request-create")
 
     date_before = datetime.datetime.now(tz=datetime.timezone.utc)
 
     resp = check_api_post_response(
         api_client, url, data=ADD_FORGE_DATA, status_code=201,
     )
 
     date_after = datetime.datetime.now(tz=datetime.timezone.utc)
 
     assert resp.data == {
         **ADD_FORGE_DATA,
         "id": 1,
         "status": "PENDING",
         "submission_date": resp.data["submission_date"],
         "submitter_name": regular_user.username,
         "submitter_email": regular_user.email,
     }
 
     assert date_before < iso8601.parse_date(resp.data["submission_date"]) < date_after
 
     request = Request.objects.all()[0]
 
     assert request.forge_url == ADD_FORGE_DATA["forge_url"]
     assert request.submitter_name == regular_user.username
 
 
 @pytest.mark.django_db(transaction=True, reset_sequences=True)
 def test_add_forge_request_create_success_form_encoded(client, regular_user):
     client.force_login(regular_user)
     url = reverse("api-1-add-forge-request-create")
 
     date_before = datetime.datetime.now(tz=datetime.timezone.utc)
 
     resp = check_http_post_response(
         client,
         url,
         request_content_type="application/x-www-form-urlencoded",
         data=urlencode(ADD_FORGE_DATA),
         status_code=201,
     )
 
     date_after = datetime.datetime.now(tz=datetime.timezone.utc)
 
     assert resp.data == {
         **ADD_FORGE_DATA,
         "id": 1,
         "status": "PENDING",
         "submission_date": resp.data["submission_date"],
         "submitter_name": regular_user.username,
         "submitter_email": regular_user.email,
     }
 
     assert date_before < iso8601.parse_date(resp.data["submission_date"]) < date_after
 
     request = Request.objects.all()[0]
 
     assert request.forge_url == ADD_FORGE_DATA["forge_url"]
     assert request.submitter_name == regular_user.username
 
 
 @pytest.mark.django_db(transaction=True, reset_sequences=True)
 def test_add_forge_request_create_duplicate(api_client, regular_user):
     api_client.force_login(regular_user)
     url = reverse("api-1-add-forge-request-create")
-
     check_api_post_response(
         api_client, url, data=ADD_FORGE_DATA, status_code=201,
     )
-
     check_api_post_response(
         api_client, url, data=ADD_FORGE_DATA, status_code=409,
     )
 
     requests = Request.objects.all()
     assert len(requests) == 1
+
+
+@pytest.fixture
+def moderator_user(regular_user2):
+    regular_user2.user_permissions.add(create_django_permission(MODERATOR_ROLE))
+    return regular_user2
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_anonymous_user(api_client):
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=403)
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_regular_user(api_client, regular_user):
+    api_client.force_login(regular_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=403)
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_non_existent(api_client, moderator_user):
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=400)
+
+
+def _create_add_forge_request(api_client, regular_user, data=ADD_FORGE_DATA):
+    api_client.force_login(regular_user)
+    url = reverse("api-1-add-forge-request-create")
+    check_api_post_response(
+        api_client, url, data=data, status_code=201,
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_empty(api_client, regular_user, moderator_user):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=400)
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_missing_field(
+    api_client, regular_user, moderator_user
+):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, data={}, status_code=400)
+    check_api_post_response(
+        api_client, url, data={"new_status": "REJECTED"}, status_code=400
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update(api_client, regular_user, moderator_user):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+
+    check_api_post_response(
+        api_client, url, data={"text": "updating request"}, status_code=200
+    )
+
+    check_api_post_response(
+        api_client,
+        url,
+        data={"new_status": "REJECTED", "text": "request rejected"},
+        status_code=200,
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_invalid_new_status(
+    api_client, regular_user, moderator_user
+):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(
+        api_client,
+        url,
+        data={"new_status": "ACCEPTED", "text": "request accepted"},
+        status_code=400,
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_status_concurrent(
+    api_client, regular_user, moderator_user, mocker
+):
+
+    _block_while_testing = mocker.patch(
+        "swh.web.api.views.add_forge_now._block_while_testing"
+    )
+    _block_while_testing.side_effect = lambda: time.sleep(1)
+
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+
+    worker_ended = False
+
+    def worker():
+        nonlocal worker_ended
+        check_api_post_response(
+            api_client,
+            url,
+            data={"new_status": "WAITING_FOR_FEEDBACK", "text": "waiting for message"},
+            status_code=200,
+        )
+        worker_ended = True
+
+    # this thread will first modify the request status to WAITING_FOR_FEEDBACK
+    thread = threading.Thread(target=worker)
+    thread.start()
+
+    # the other thread (slower) will attempt to modify the request status to REJECTED
+    # but it will not be allowed as the first faster thread already modified it
+    # and REJECTED state can not be reached from WAITING_FOR_FEEDBACK one
+    time.sleep(0.5)
+    check_api_post_response(
+        api_client,
+        url,
+        data={"new_status": "REJECTED", "text": "request accepted"},
+        status_code=400,
+    )
+    thread.join()
+    assert worker_ended
diff --git a/swh/web/tests/utils.py b/swh/web/tests/utils.py
index 92413568..216b2f1a 100644
--- a/swh/web/tests/utils.py
+++ b/swh/web/tests/utils.py
@@ -1,233 +1,235 @@
 # Copyright (C) 2020-2021  The Software Heritage developers
 # See the AUTHORS file at the top-level directory of this distribution
 # License: GNU Affero General Public License version 3, or any later version
 # See top-level LICENSE file for more information
 
 from typing import Any, Dict, Optional, cast
 
 from django.contrib.auth.models import Permission
 from django.contrib.contenttypes.models import ContentType
 from django.http import HttpResponse, StreamingHttpResponse
 from django.test.client import Client
 from rest_framework.response import Response
 from rest_framework.test import APIClient
 
 from swh.web.tests.django_asserts import assert_template_used
 
 
 def _assert_http_response(
     response: HttpResponse, status_code: int, content_type: str
 ) -> HttpResponse:
 
     if isinstance(response, Response):
         drf_response = cast(Response, response)
         error_context = (
             drf_response.data.pop("traceback")
             if isinstance(drf_response.data, dict) and "traceback" in drf_response.data
             else drf_response.data
         )
     elif isinstance(response, StreamingHttpResponse):
         error_context = getattr(response, "traceback", response.streaming_content)
     else:
         error_context = getattr(response, "traceback", response.content)
 
     assert response.status_code == status_code, error_context
     if content_type != "*/*":
         assert response["Content-Type"].startswith(content_type)
     return response
 
 
 def check_http_get_response(
     client: Client,
     url: str,
     status_code: int,
     content_type: str = "*/*",
     http_origin: Optional[str] = None,
     server_name: Optional[str] = None,
 ) -> HttpResponse:
     """Helper function to check HTTP response for a GET request.
 
     Args:
         client: Django test client
         url: URL to check response
         status_code: expected HTTP status code
         content_type: expected response content type
         http_origin: optional HTTP_ORIGIN header value
 
     Returns:
         The HTTP response
     """
     return _assert_http_response(
         response=client.get(
             url,
             HTTP_ACCEPT=content_type,
             HTTP_ORIGIN=http_origin,
             SERVER_NAME=server_name if server_name else "testserver",
         ),
         status_code=status_code,
         content_type=content_type,
     )
 
 
 def check_http_post_response(
     client: Client,
     url: str,
     status_code: int,
     content_type: str = "*/*",
     request_content_type="application/json",
     data: Optional[Dict[str, Any]] = None,
     http_origin: Optional[str] = None,
 ) -> HttpResponse:
     """Helper function to check HTTP response for a POST request.
 
     Args:
         client: Django test client
         url: URL to check response
         status_code: expected HTTP status code
         content_type: expected response content type
         request_content_type: content type of request body
         data: optional POST data
 
     Returns:
         The HTTP response
     """
     return _assert_http_response(
         response=client.post(
             url,
             data=data,
             content_type=request_content_type,
             HTTP_ACCEPT=content_type,
             HTTP_ORIGIN=http_origin,
         ),
         status_code=status_code,
         content_type=content_type,
     )
 
 
 def check_api_get_responses(
     api_client: APIClient, url: str, status_code: int
 ) -> Response:
     """Helper function to check Web API responses for GET requests
     for all accepted content types (JSON, YAML, HTML).
 
     Args:
         api_client: DRF test client
         url: Web API URL to check responses
         status_code: expected HTTP status code
 
     Returns:
         The Web API JSON response
     """
     # check JSON response
     response_json = check_http_get_response(
         api_client, url, status_code, content_type="application/json"
     )
 
     # check HTML response (API Web UI)
     check_http_get_response(api_client, url, status_code, content_type="text/html")
 
     # check YAML response
     check_http_get_response(
         api_client, url, status_code, content_type="application/yaml"
     )
 
     return cast(Response, response_json)
 
 
 def check_api_post_response(
     api_client: APIClient,
     url: str,
     status_code: int,
     content_type: str = "*/*",
     data: Optional[Dict[str, Any]] = None,
 ) -> HttpResponse:
     """Helper function to check Web API response for a POST request
     for all accepted content types.
 
     Args:
         api_client: DRF test client
         url: Web API URL to check response
         status_code: expected HTTP status code
 
     Returns:
         The HTTP response
     """
     return _assert_http_response(
         response=api_client.post(
             url, data=data, format="json", HTTP_ACCEPT=content_type,
         ),
         status_code=status_code,
         content_type=content_type,
     )
 
 
 def check_api_post_responses(
     api_client: APIClient,
     url: str,
     status_code: int,
     data: Optional[Dict[str, Any]] = None,
 ) -> Response:
     """Helper function to check Web API responses for POST requests
     for all accepted content types (JSON, YAML).
 
     Args:
         api_client: DRF test client
         url: Web API URL to check responses
         status_code: expected HTTP status code
 
     Returns:
         The Web API JSON response
     """
     # check JSON response
     response_json = check_api_post_response(
         api_client, url, status_code, content_type="application/json", data=data
     )
 
     # check YAML response
     check_api_post_response(
         api_client, url, status_code, content_type="application/yaml", data=data
     )
 
     return cast(Response, response_json)
 
 
 def check_html_get_response(
     client: Client, url: str, status_code: int, template_used: Optional[str] = None
 ) -> HttpResponse:
     """Helper function to check HTML responses for a GET request.
 
     Args:
         client: Django test client
         url: URL to check responses
         status_code: expected HTTP status code
         template_used: optional used Django template to check
 
     Returns:
         The HTML response
     """
     response = check_http_get_response(
         client, url, status_code, content_type="text/html"
     )
     if template_used is not None:
         assert_template_used(response, template_used)
     return response
 
 
 def create_django_permission(perm_name: str) -> Permission:
     """Create permission out of a permission name string
 
     Args:
         perm_name: Permission name (e.g. swh.web.api.throttling_exempted,
           swh.ambassador, ...)
 
     Returns:
         The persisted permission
 
     """
     perm_splitted = perm_name.split(".")
     app_label = ".".join(perm_splitted[:-1])
     perm_name = perm_splitted[-1]
-    content_type = ContentType.objects.create(app_label=app_label, model="dummy")
+    content_type = ContentType.objects.create(
+        id=1000, app_label=app_label, model="dummy"
+    )
     return Permission.objects.create(
-        codename=perm_name, name=perm_name, content_type=content_type,
+        codename=perm_name, name=perm_name, content_type=content_type, id=1000
     )