1. 19 Sep, 2023 2 commits
  2. 14 Sep, 2023 2 commits
  3. 12 Sep, 2023 1 commit
    • Jérome Perrin's avatar
      Update officejs support request app for strict CSP · 2dc9f19a
      Jérome Perrin authored
      This is a first step to stop using "unsafe" web sections.
      
      This updates support request app to not require `script-src: unsafe-eval` and `style-src: unsafe-inline` in the CSP.
      Dropping `script-src: unsafe-eval` is made possible by using domsugar instead of handlebars for dynamic content. Dropping `style-src: unsafe-inline` by using CSS files instead of inline `style` attributes in the DOM. One minor regression is that the tooltips from the graph on the front page gadget will cause warning because of `unsafe-inline` and not render the series color.
      
      This application was also modernized a bit, it now uses the HTML viewer gadget to display post contents and supports translation.
      
      See merge request nexedi/erp5!1821
      2dc9f19a
  4. 11 Sep, 2023 3 commits
    • Julien Muchembled's avatar
      ListBox: fix possible unexpected acquisition · 8e3d2599
      Julien Muchembled authored
      The use case is a listbox method being called for a document A
      and returning objects that:
      - aren't children of A
      - but wrapped with `.__of__(A)`
      
      By using `aq_self` instead of `aq_base`, the listbox could still
      acquire from the real parent of the returned object and wrongly access
      an attribute directly (e.g. comment) instead of using an appropriate
      method (if there's no `comment` attribute, getComment returns '').
      
      See merge request nexedi/erp5!1820
      8e3d2599
    • Julien Muchembled's avatar
      ListBox: simplify code · 5803f7b6
      Julien Muchembled authored
      5803f7b6
    • Julien Muchembled's avatar
      Ignore read-only transaction cache when getting a category from a new or temp object · 9053cc93
      Julien Muchembled authored
      The purpose is to be able to use the amount generator during indexation.
      At some point, it executes:
      
              if amount.getQuantityUnit():
              ...
              for x in property_dict.iteritems():
                amount._setProperty(*x)
      
      where `amount.getQuantityUnit()` may getResource before it is set.
      Any further access to the resource category would be wrong.
      
      There may be a way to only change the amount generator but this kind
      of pitfall is likely to happen in many other places if we keep such
      a read-only transaction cache for new or temp objects.
      
      See merge request nexedi/erp5!1818
      9053cc93
  5. 08 Sep, 2023 8 commits
  6. 07 Sep, 2023 4 commits
  7. 06 Sep, 2023 4 commits
  8. 04 Sep, 2023 7 commits
    • Vincent Pelletier's avatar
      erp5_oauth2_authorisation: Store more HTTPResponse headers using setHeader · b680b016
      Vincent Pelletier authored
      During the response process (especially setBody), HTTPResponse accesses
      and updates some response headers in its "headers" property (a dictionary).
      addHeader puts the response headers in a list which will not be updated by
      HTTPResponse. This is "more correct" from an RFC perspective, as any header
      specified as being a sequence of values delimited by commas may be split
      among multiple headers.
      So, keep using addHeader by default, but special-case some headers which
      are accessed and must be successfully updated by HTTPResponse itself so
      that those headers are set using setHeader, which updates the "headers"
      property.
      b680b016
    • Vincent Pelletier's avatar
    • Vincent Pelletier's avatar
      erp5_oauth2_authorisation/logged_in_once: Tolerate multipart/form-data request encoding · c5410570
      Vincent Pelletier authored
      For better compatibility, as not all templates may be reconfigured to post
      in application/x-www-form-urlencoded.
      Also, tolerate a missing Content-Type request header, treating as an
      unhandler type instead of raising a KeyError exception.
      c5410570
    • Vincent Pelletier's avatar
      erp5_oauth2_authorisation: Drop login retry URL double base64-encoding · 915b20c4
      Vincent Pelletier authored
      Fernet tokens are urlsafe-base64-encoded, so re-encoding them is
      useless.
      
      This change breaks compabitility with what should be a transient login state
      (lasting as long as the login form is opened in any browser). So the
      consequence is that a user failing to authenticate will be redirected to a
      safe location (ex: the website's home page) instead of getting to the login
      form again.
      This should not be worth either a systematic double-decrypting (which could
      lead to harder to debug decryption errors) or some heuristic trying to
      guess if the value is in fact double-encoded.
      915b20c4
    • Vincent Pelletier's avatar
      Products.ERP5Security: Declare module security locally · 8041c090
      Vincent Pelletier authored
      For simplicity and readability.
      8041c090
    • Vincent Pelletier's avatar
      ERP5Site_checkOAuth2ResourceServerPostUpgradeConsistency: Do not lock ERP5 users out · e0b68bdb
      Vincent Pelletier authored
      When there is no enabled extractor plugin, PAS internally uses the DumbHTTPExtractor
      class. When installing the OAuth2 resource server plugin, it activates itself as an extractor,
      disabling this default mechanism. This is most likely unexpected to the admin, so in such
      situation create & enable the ERP5 plugin which inherits from DumbHTTPExtractor, to
      preserve basic authentiation.
      If such plugin exists but is disabled, assume the admin forgot to enable it, and do it for them.
      If any extraction plugin is already enabled, do nothing new.
      e0b68bdb
    • Jérome Perrin's avatar
      crm,credential: repair Ticket_getWorkflowStateTranslatedTitle for ERP5 workflow · c6b59bd6
      Jérome Perrin authored
      `state_var` is now a compatibility alias calling getStateVariable, which
      has a default value of `simulation_state`. As a result, this script was
      attempting to call getSimulationStateTranslatedTitle on credential
      requests, because they have an interaction workflow in their chain.
      
      This fixes by implementing the full logic using new ERP5 workflow API.
      c6b59bd6
  9. 28 Aug, 2023 2 commits
  10. 25 Aug, 2023 1 commit
  11. 24 Aug, 2023 4 commits
  12. 23 Aug, 2023 2 commits