When refresh_token is still valid google's endpoint does not include the
current refresh token in the response when refreshing the token, we need
to keep the current one.
This fixes user logout every one hour.

So that version view works as expected, see b415abbb (dms: add version
view on notification messages, 2024-06-19)

See merge request !2011

Fix bugs:
- Fix an acquisition context bug: the user found here would be wrapped in
  the acquisition context of self, and as a result SecurityManager.validate
  may consider the user to be outside of the acquisition path of the
  document being checked (ex: when accessing a module while publishing a
  web section).
- While unusual, there may be multiple users matching a given request,
  which is handled by ZPublisher but was skipped here.

Also:
Document:
- Why this method is needed.
- assumptions made to get simpler code.
Improve performance:
- portal_membership._huntUser looks the user up twice, which is expensive.
  Stop using this method.
- When the request is a fake request (from restrictedTraverse) nothing can
  nor should be done, so bypass the entire logic that case.
- Assorted tiny improvements: do not retrieve security manager twice, avoid
  extraneous local assignments, ...
Improve coding style:
- Stop accessing portal_membership's underware.
- Stop accessing PluggableAuthenticationService's underware.
- Simplify disabled cache support: this is exceedingly rare, optimise for
  when it is enabled.
- Do not hardcode log level, also increase the severity: this really is a
  warning.
- Do not try to decode Basic-auth, this is the job of the user folder.
  This removes duplicated code.

Set table:number-columns-spanned to each cell outside listbox/matrixbox.

  Like it is done for option, remove default from schema after append the value into decription.

See merge request !2004

Limit printed decimals in flight log file for readability.

See merge request !2017

By pre-fetching some catalog entries to retrieve objects UIDs that can directly
be used in the inventory query, to avoid needless (costly) joins and hinting
the catalog to use the resource_section_node_uid index of the stock table.

See merge request !2012

See merge request !2016

The test from 6316d9bb (Formulator: test form serialization with non
ascii elements, 2024-10-24) revealed that form with an encoding other
than UTF-8 are not supported.

DB.query accepts either bytes or str on python3. We need to decode the
query here to display it in traceback and we must not fail when we
have bytes with non UTF-8 characters, which can happen with binary
columns

It currently not used and it's better not to have such public method

ref: 906761ed (erp5_web: change one-day-max policy max-age to 14400s, 2021-09-01)

Using the display router command allows to drop the user search term
when moving from one access page to another.

Set the max-age value to 4h instead of 10min for the one-day-max policy
(ie, 24h/6, like one-hour-max uses 10min max age).

The idea is to reduce backend access of nearly static web sites,
while still allowing changes without waiting for too long before it is propagated.

`createSession` method from the OAuth2 Authorisation Server Connector needs
to access client value. Fetching this value from the session is not needed
since it is already stored in a local variable.

erp5_invoicing: don't index reference in fulltext which is usually generated by system and meaningless

it's like 5.1, 2.4

it's like 5.1, 2.4

Malevolent users may decide to only - and repeatedly - present an otherwise
valid refresh token, causing the issuance of a new access tokens everytime,
likely along with new refresh tokens, causing many ZODB writes.
Avoid this by pushing the token expiration date by one lifespan accuracy,
so there can only be one write per session per lifespan accuracy period.

For the same purpose as "trade_condition_type" on trade conditions,
to organise the transformation in a way that makes sense to users.

for consistency with Trade Condition views