1. 17 Nov, 2022 3 commits
  2. 16 Nov, 2022 2 commits
    • Jérome Perrin's avatar
      *: add some missing security declaration on component code · 8be39d34
      Jérome Perrin authored
      This does not seem to be an actual problem because the object is
      declared protected, but these missing security declarations make
      testSecurity fail.
      8be39d34
    • Jérome Perrin's avatar
      testSecurity: don't skip portal_components in test_method_protection · e300e3f6
      Jérome Perrin authored
      We have been using `filter(lambda x:'/erp5/' in x[0], error_list)` as a
      way to see only missing declarations from ERP5 code, but only ERP5
      filesystem code contains /erp5/ in the filenames, in-ZODB components
      filename is set to something like <portal_components/document.erp5.FTPConnector>
      
      Change to also check methods for which filename contains <portal_components
      and also to print the ignored methods
      e300e3f6
  3. 10 Nov, 2022 4 commits
  4. 08 Nov, 2022 12 commits
  5. 07 Nov, 2022 6 commits
    • Jérome Perrin's avatar
      hal_json_style: adjust transaction interactions in the test · 52b25e02
      Jérome Perrin authored
       - the transaction is aborted in tearDown, no need to abort
        explicitly, for same reason if we want to delete documents, we
        need to explicitly commit (see TestERP5Person_getHateoas_mode_search)
       - simulate decorator should not commit the transaction to keep this
        semantic of abort by default, which keeps test isolated.
      52b25e02
    • Jérome Perrin's avatar
      hal_json_style: fix double translation of worklist message · d7f6bf12
      Jérome Perrin authored
      There was a regression with 45c03413 (hal_json_style: prevent a
      translation of worklist with document count, 2021-05-10), the title
      of the worklist was translated twice. This was supposed to be
      catched by the test, by checking that the mocked gettext had only
      one call for "Draft to Validate", assuming that the translation of
      "Draft to Validate" was "Draft to Validate" and that a double
      translation would cause this to be translated twice, but because of
      a side effect of another test inserting a translation for
      "Draft to Validate", this problem was not noticed.
      
      This fixes the double translation and adjust the test to not depend
      on the actual content of message catalog.
      d7f6bf12
    • Gabriel Monnerat's avatar
      erp5_stripe: introduce new module and features to handle Stripe checkout and payments in ERP5 · d0b448a2
      Gabriel Monnerat authored
      This business template contains a framework to integrate stripe checkout payments in ERP5.
      
      To configure the connector:
      
       - Create an account on stripe.com
       - In stripe.com's dashboard: Developers / API keys use "Create restricted key" to create a key with write access to "All Checkout resources".
       - Create a stripe connector in portal_web_services. Set URL to `https://api.stripe.com/v1/` and the restricted key created in the previous step
       - In stripe.com's dashboard: Developers / Webhooks use "Add endpoint", with "Endpoint URL" set to https://your.erp5.public.hostname/ERP5Site_receiveStripeWebHook and "Events to send" including all events from "checkout.session" category.
      
      To integrate in an ERP5 project:
      
       - Implement a custom script to start a checkout session. The script should call `StripePaymentSessionModule_createStripeSession` to initiate the session and redirect the end user to stripe checkout page.
       - Implement an interaction workfow on `Stripe Payment Session.complete` which inspects the value of `state_change['kwargs']['payment_status']` and implement the logic (such as create a payment transaction) depending on the status `"paid"` or `"unpaid"`.
      
      Example script to create session
      
      ```py
      web_site = context.getWebSiteValue()
      data = {
        # custom web sections for success and cancel URLs
        "success_url": web_site.stripe_payment_session_success.absolute_url(),
        "cancel_url": web_site.stripe_payment_session_cancel.absolute_url(),
        "line_items": {
            "price_data": {
              "currency": "EUR",
              "unit_amount": 2000, # for 20.00 EUR
              "product_data": {
                "name": "Product Name",
              }
            },
            "quantity": 1
          }
      }
      
       # this will redirect the user to stripe checkout page
      return module.StripePaymentSessionModule_createStripeSession(
        connector,
        data,
        context.getRelativeUrl(),
        resource="service_module/...",
      )
      ```
      
      Example interaction workflow script
      
      ```py
      if state_change['kwargs']['payment_status'] == 'paid':
        portal.accounting_module.newContent(
          portal_type='Payment Transaction',
          causality_value=state_change['object'],
          description="Stripe checkout ...",
          ...
        )
      
      ```
      
      Implementation notes:
      
      * Add new stripe connector in ERP5 to access retrieve Stripe session
      * New ERP5 functional module to handle Stripe Payment Sessions
      * Stripe Payment Session reflects a payment transaction/session initiated using the Stripe Checkout solution.
      * Workflow associated with Stripe Payment Sessions provides for the "draft", "open", "completed" and "expired" states in order to reflect the existing states on Stripe.
      * Each Stripe Payment Session offers a history and complete traceability of the HTTP exchanges carried out between ERP5 and Stripe from the start and the end of the payment transaction. All Stripe API calls (createSession, retrieveSession) and Stripe webhook POSTs are logged as system events (HTTP Exchange ERP5) related to a Stripe Payment Session.
      * Add alarm to handle Stripe Payment Sessions open whose date are expired
      * Set web service as source in Stripe Payment Session
      Reviewed-by: Jérome Perrin's avatarJérome Perrin <jerome@nexedi.com>
      Reviewed-on: nexedi/erp5!1656
      d0b448a2
    • Gabriel Monnerat's avatar
    • Jérome Perrin's avatar
      accounting: allow Associate role to pass transitions on accounting transactions · b5463f27
      Jérome Perrin authored
      f0808ac6 (workflow: add workflow transition guard for non-user
      actions as well., 2015-11-18) broke some custom security
      configurations where doing an action on a document would modify an
      accounting transaction - but the user doing this action does not have
      access to accounting.
      
      This repairs the situation for accounting, by using the Associate
      role. The idea is that for such patterns where users "do something
      which will interact with accounting", the users also need an
      Associate role on accounting transaction portal types, which is in
      line with the meaning of Associate.
      b5463f27
    • Jérome Perrin's avatar
      officejs_support_request_ui: Support events with non accessible sender in RSS · 43e0d1d6
      Jérome Perrin authored
      To be consistent with slapos.core RSS and default values of fields
      in ERP5, where we only check the permission on the "context" document
      and tolerate displaying properties of context document even if
      accessing some properties of related documents caused an error.
      
      See also nexedi/slapos.core!433
      43e0d1d6
  6. 04 Nov, 2022 2 commits
  7. 02 Nov, 2022 1 commit
  8. 31 Oct, 2022 3 commits
    • Jérome Perrin's avatar
      patches/pylint: teach astroid about xmlsec modules · b1d6fae6
      Jérome Perrin authored
      python xmlsec's xmlsec.so contains multiple level module in the same
      .so (xmlsec, xmlsec.template etc) and this seem to cause problems to
      astroid, trying to lint a module containing:
      
        import xmlsec
        xmlsec.template.encrypted_data_create('...')
      
      cause an error:
      
         File "develop-eggs/astroid-1.3.8+slapospatched001-py2.7.egg/astroid/raw_building.py", line 360, in _set_proxied
            return _CONST_PROXY[const.value.__class__]
        KeyError: <type 'module'>
      
      and unlike similar error happening with ffi's module from cryptography,
      retrying does not help.
      b1d6fae6
    • Jérome Perrin's avatar
      patches/pylint: teach astroid about cryptography.hazmat.bindings._openssl · eff0c49e
      Jérome Perrin authored
      This version of pylint tries to import the C modules for analysis and
      get confused by support ffi's CompiledFFI type.
      
      Use our utility  _register_module_extender_from_live_module to register
      a stub module instead.
      
      This also reverts b21f83fc,
      "BusinessTemplate_getPythonSourceCodeMessageList: Retry in case of
      pylint internal failure." which is no longer necessary with these
      changes.
      eff0c49e
    • Jérome Perrin's avatar
      5c213180
  9. 24 Oct, 2022 2 commits
    • Thomas Gambier's avatar
    • Jérome Perrin's avatar
      accounting: round in grouping when no section currency is set · 3e5ca320
      Jérome Perrin authored
      Grouping feature checks that the sum of all selected lines == 0, which
      is often not the case as the values are float. For that, our approach
      is to round the values with the precision of the accounting currency,
      since these precisions are usually small (typically 0, 2 or 3), we
      don't have problems with rounding. Using the section currency is not
      just a workaround for rounding, it's also correct because we don't
      consider more precise amounts in accounting transaction lines.
      
      The problem with this approach was for the case where no accounting
      currency is set on the section organisation, in that case we did not
      round and this sometimes led to "grouping is impossible" errors that
      are hard to find for users. At this level it's better to use a default
      rounding precision that would make it possible to use the grouping
      feature even when section currency is not set.
      3e5ca320
  10. 21 Oct, 2022 3 commits
    • Jérome Perrin's avatar
      core: Fix unicode bug on ZODB History view. · 0162ede8
      Jérome Perrin authored
      Some objects, in our case BTrees.Length.Length in a ZODB connection
      have a __str__ method that returns unicode on python2:
      
      u'<BTrees.Length.Length object at 0x7f850932e0d0 oid 0x1e334 in <Connection at 7f854bc0f190>>'
      
      They cause an unicode error in the history view when they are
      concatenated together with other str (encoded as UTF-8) properties,
      this can be observed when using history view with a "folderish"
      document (but not with a File as in test_ZODBHistoryBinaryData).
      
      To prevent this issue, we use the fact that ''.format unlike '' %
      seem to apply a str() on arguments and use it instead.
      Co-authored-by: Yusei Tahara's avatarYusei Tahara <yusei@nexedi.com>
      0162ede8
    • Yusei Tahara's avatar
      erp5_core: Fix unicode bug on ZODB History view. · 7d32a4f9
      Yusei Tahara authored
      Some objects become unicode when %s is applied and may cause
      UnicodeDecodeError, thus use %r insead.
      7d32a4f9
    • Yusei Tahara's avatar
      Revert "erp5_core: Fix unicode bug on ZODB History view." · d12f3483
      Yusei Tahara authored
      This reverts commit 40fded3e.
      
      It is not good to mix unicode and str for UI. Use utf8 str only.
      d12f3483
  11. 19 Oct, 2022 2 commits