- 12 Sep, 2023 1 commit
-
-
Jérome Perrin authored
This is a first step to stop using "unsafe" web sections. This updates support request app to not require `script-src: unsafe-eval` and `style-src: unsafe-inline` in the CSP. Dropping `script-src: unsafe-eval` is made possible by using domsugar instead of handlebars for dynamic content. Dropping `style-src: unsafe-inline` is made possible by using CSS files instead of inline `style` attributes in the DOM. One minor regression is that the tooltips from the graph on the front page gadget will cause a warning because of `unsafe-inline` and not render the series color. This application was also modernized a bit: it now uses the HTML viewer gadget to display post contents and supports translation.
See merge request nexedi/erp5!1821
-
- 11 Sep, 2023 3 commits
-
-
Julien Muchembled authored
The use case is a listbox method being called for a document A and returning objects that:
  - aren't children of A
  - but wrapped with `.__of__(A)`
By using `aq_self` instead of `aq_base`, the listbox could still acquire from the real parent of the returned object and wrongly access an attribute directly (e.g. comment) instead of using an appropriate method (if there's no `comment` attribute, getComment returns '').
See merge request nexedi/erp5!1820
-
Julien Muchembled authored
-
Julien Muchembled authored
The purpose is to be able to use the amount generator during indexation. At some point, it executes:

    if amount.getQuantityUnit():
      ...
    for x in property_dict.iteritems():
      amount._setProperty(*x)

where `amount.getQuantityUnit()` may getResource before it is set. Any further access to the resource category would be wrong. There may be a way to only change the amount generator but this kind of pitfall is likely to happen in many other places if we keep such a read-only transaction cache for new or temp objects.
See merge request nexedi/erp5!1818
-
- 08 Sep, 2023 8 commits
-
-
Georgios Dagkakis authored
See merge request nexedi/erp5!1819
-
Jérome Perrin authored
  - switch to programmatic creation of DOM element using domsugar instead of using handlebars which needs CSP
  - use gadget_html_viewer to display post contents
  - more translation support
-
Jérome Perrin authored
To work 100% this needs "style-src: unsafe-inline" in the CSP, without this the popup on hover does not show the series color - which in our case is better than using the CSP. also drop obsolete appcache, browsers no longer use this. reference: https://github.com/apache/echarts/issues/16610
-
Gabriel Monnerat authored
-
Jérome Perrin authored
it was the same as testSupportRequestPanelTranslation, but with fewer assertions, probably I made a mistake in renaming
-
Jérome Perrin authored
Using "Number" was not good for translations and maybe not so good in English either.
-
Jérome Perrin authored
Using verifyImageMatchSnapshot with 20 is sometimes not enough to detect some significant differences
-
Jérome Perrin authored
these are not used anymore
-
- 07 Sep, 2023 4 commits
-
-
Georgios Dagkakis authored
to new suite, renderjs_ui_autocomplete_attribute_suite
-
Georgios Dagkakis authored
to test the autocomplete attr of fields
-
Vincent Pelletier authored
Base_callDialogMethod may not provide REQUEST nor RESPONSE, and may provide other arguments. Make the former optional, ignore the latter, and fall back on RequestContainer's magic when REQUEST is None.
-
Yusei Tahara authored
`<dtml-sqlvar "None" type=nb>` should be 'null'.
-
- 06 Sep, 2023 4 commits
-
-
Georgios Dagkakis authored
-
Georgios Dagkakis authored
-
Georgios Dagkakis authored
For TextWidget, PasswordWidget and ListWidget only.
To define the autocomplete HTML attribute of the field.
-
Jérome Perrin authored
Fixes `Uncaught Error: Language id "vs.editor.nullLanguage" is not configured nor known` errors with html using script type handlebars
-
- 04 Sep, 2023 7 commits
-
-
Vincent Pelletier authored
During the response process (especially setBody), HTTPResponse accesses and updates some response headers in its "headers" property (a dictionary). addHeader puts the response headers in a list which will not be updated by HTTPResponse. This is "more correct" from an RFC perspective, as any header specified as being a sequence of values delimited by commas may be split among multiple headers. So, keep using addHeader by default, but special-case some headers which are accessed and must be successfully updated by HTTPResponse itself so that those headers are set using setHeader, which updates the "headers" property.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
For better compatibility, as not all templates may be reconfigured to post in application/x-www-form-urlencoded. Also, tolerate a missing Content-Type request header, treating it as an unhandled type instead of raising a KeyError exception.
-
Vincent Pelletier authored
Fernet tokens are urlsafe-base64-encoded, so re-encoding them is useless. This change breaks compatibility with what should be a transient login state (lasting as long as the login form is opened in any browser). So the consequence is that a user failing to authenticate will be redirected to a safe location (ex: the website's home page) instead of getting to the login form again. This should not be worth either a systematic double-decrypting (which could lead to harder-to-debug decryption errors) or some heuristic trying to guess if the value is in fact double-encoded.
-
Vincent Pelletier authored
For simplicity and readability.
-
Vincent Pelletier authored
When there is no enabled extractor plugin, PAS internally uses the DumbHTTPExtractor class. When installing the OAuth2 resource server plugin, it activates itself as an extractor, disabling this default mechanism. This is most likely unexpected to the admin, so in such a situation create & enable the ERP5 plugin which inherits from DumbHTTPExtractor, to preserve basic authentication. If such a plugin exists but is disabled, assume the admin forgot to enable it, and do it for them. If any extraction plugin is already enabled, do nothing new.
-
Jérome Perrin authored
`state_var` is now a compatibility alias calling getStateVariable, which has a default value of `simulation_state`. As a result, this script was attempting to call getSimulationStateTranslatedTitle on credential requests, because they have an interaction workflow in their chain. This fixes it by implementing the full logic using the new ERP5 workflow API.
-
- 28 Aug, 2023 2 commits
-
-
Rafael Monnerat authored
See merge request !1814
-
Léo-Paul Géneau authored
See merge request !1817 Fix loitering trajectory when the drone is closer to the center than the required radius.
-
- 25 Aug, 2023 1 commit
-
-
Yusei Tahara authored
`<dtml-sqlvar "None" type=string>` should be 'null', not 'None'.
-
- 24 Aug, 2023 4 commits
-
-
Levin Zimmermann authored
When using the public API of pandas (which is partially allowed in restricted python), it can happen that this public API raises the error 'pytz.NonExistentTimeError' [1]. Users should be allowed to import and therefore catch this exception. Before this patch we could only do:

    >>> try:
    ...   ts.tz_localize(tz)
    ... except Exception:
    ...   ...

After this patch we can do:

    >>> try:
    ...   ts.tz_localize(tz)
    ... except pytz.NonExistentTimeError:
    ...   ...

pytz delivers more exceptions which are all equally harmless. We can therefore in the same patch also allow them, as they may be useful for similar cases. This patch also comes with tests which ensure that the allowed exceptions can be imported into restricted python and also a test to ensure no other objects in the pytz namespace can be used.
---
[1] https://pandas.pydata.org/pandas-docs/version/2.0.3/reference/api/pandas.Series.tz_localize.html
/reviewed-by @jerome
/reviewed-on nexedi/erp5!1802
-
Jérome Perrin authored
-
Jérome Perrin authored
-
Vincent Pelletier authored
When an activity failure happens, the SQL row is updated:
  - date is set to a future value, so the activity does not get retried immediately, in the expectation that what caused the failure may have cleared by that point.
  - retry is incremented, to allow limiting the total number of retries
  - priority is incremented
This last point seems harder to justify, and seems redundant with the date increase. In the context of processing node families and with a steady influx of similar activities at a base priority level, such priority increment can postpone the victim activity execution to an arbitrarily large amount of time, which is undesirable. So, remove this increment.
-
- 23 Aug, 2023 2 commits
-
-
Roque authored
See merge request nexedi/erp5!1809
-
Léo-Paul Géneau authored
-
- 22 Aug, 2023 1 commit
-
-
Rafael Monnerat authored
The implementation only works with ERP5 Login, since it is the only portal type that holds password in ERP5. Other implementations are password-less: Certificate Login, Google Login and Facebook Login, so they cannot have their password reset anyway. It is overkill to split the login on multiple categorization, to use some portal group (ie: getPortalLoginPortalTypeThatCanResetPassord...) until we have a clear use case.
-
- 21 Aug, 2023 1 commit
-
-
Jérome Perrin authored
See merge request nexedi/erp5!1796
-
- 18 Aug, 2023 2 commits
-
-
Roque authored
See merge request nexedi/erp5!1810
-
Roque authored
  - drop console logs
  - update api doc
  - refine init map coordinates
  - crash drone if logic is empty
  - jslint
-