See merge request !1824

- grid of blocks
- set of block templates
- randomization conditions
- new terrarin texture
- refine enemy drone collision
- more aggressive enemies

- drop import/export json
- API for operator script
- map utils class update
- doc api update
- all visible map parameters are geo
- allow to run twice
- fix default ai drone script distance fn
- fix flag elements position (altitude)
- better error handling

- add a new operator script editor
- update finish rules and scoring system
- refactor map parameters
- map randomization is done now by new class map utils
- update init flag info msg
- import/export script feature
- update web site CSP
- ui: activate js syntax in user script editor
- ui: styles, section titles, etc - doc api update
- fixes/refactoring
-- fix default target coordinates bug
-- control empty/invalid user scripts
-- raise an error on user script syntax error
-- fix onUpdate timestamp parameter (to integer milliseconds)
-- fix drone loiter (based on !1817/)

PDF_viewPDFJSPreview/my_data
Anyway, we are in PDF context, it can work even if content_type is not set

it can happen that getEffectiveModel does not find a model, this
is currently causing activity failures in indexation of
transformations. Tolerate errors here because this is not an error
but just a sign of invalid user data.

Due to some debug code, it never checked anything.

Spin is too much and waste cpu resource.

This is a first step to stop using "unsafe" web sections.

This updates support request app to not require `script-src: unsafe-eval` and `style-src: unsafe-inline` in the CSP.
Dropping `script-src: unsafe-eval` is made possible by using domsugar instead of handlebars for dynamic content. Dropping `style-src: unsafe-inline` by using CSS files instead of inline `style` attributes in the DOM. One minor regression is that the tooltips from the graph on the front page gadget will cause warning because of `unsafe-inline` and not render the series color.

This application was also modernized a bit, it now uses the HTML viewer gadget to display post contents and supports translation.

See merge request nexedi/erp5!1821

The use case is a listbox method being called for a document A
and returning objects that:
- aren't children of A
- but wrapped with `.__of__(A)`

By using `aq_self` instead of `aq_base`, the listbox could still
acquire from the real parent of the returned object and wrongly access
an attribute directly (e.g. comment) instead of using an appropriate
method (if there's no `comment` attribute, getComment returns '').

See merge request nexedi/erp5!1820

The purpose is to be able to use the amount generator during indexation.
At some point, it executes:

        if amount.getQuantityUnit():
        ...
        for x in property_dict.iteritems():
          amount._setProperty(*x)

where `amount.getQuantityUnit()` may getResource before it is set.
Any further access to the resource category would be wrong.

There may be a way to only change the amount generator but this kind
of pitfall is likely to happen in many other places if we keep such
a read-only transaction cache for new or temp objects.

See merge request nexedi/erp5!1818

See merge request nexedi/erp5!1819

 - switch to programmatic creation of DOM element using domsugar
  instead of using handlebars which needs CSP
 - use gadget_html_viewer to display post contents
 - more translation support

To work 100% this needs "style-src: unsafe-inline" in the CSP, without
this the popup on hover does not show the series color - which in our
case is better than using the CSP.

also drop obsolete appcache, browsers no longer use this.

reference: https://github.com/apache/echarts/issues/16610

it was same as testSupportRequestPanelTranslation, but with less
assertion, probably I made a mistake in renaming

Using "Number" was not good for translations and maybe not so good in
english either.

Using verifyImageMatchSnapshot with 20 is sometimes not enough to detect
some significant differences

these are not used anymore

to new suite, renderjs_ui_autocomplete_attribute_suite

to test the autocomplete attr of fields

Base_callDialogMethod may not provide REQUEST nor RESPONSE, and may provide
other arguments. Make the former optional, ignore the latter, and fallback
on RequestContainer's magic when REQUEST is None.

<dtml-sqlvar "None" type=nb> should be 'null'.

For TextWidget, PasswordWidget and ListWidget only
To define the autocomplete HTML attribute of the field

Fixes `Uncaught Error: Language id "vs.editor.nullLanguage" is not
configured nor known` errors with html using script type handlebars

During the response process (especially setBody), HTTPResponse accesses
and updates some response headers in its "headers" property (a dictionary).
addHeader puts the response headers in a list which will not be updated by
HTTPResponse. This is "more correct" from an RFC perspective, as any header
specified as being a sequence of values delimited by commas may be split
among multiple headers.
So, keep using addHeader by default, but special-case some headers which
are accessed and must be successfully updated by HTTPResponse itself so
that those headers are set using setHeader, which updates the "headers"
property.

For better compatibility, as not all templates may be reconfigured to post
in application/x-www-form-urlencoded.
Also, tolerate a missing Content-Type request header, treating as an
unhandler type instead of raising a KeyError exception.

Fernet tokens are urlsafe-base64-encoded, so re-encoding them is
useless.

This change breaks compabitility with what should be a transient login state
(lasting as long as the login form is opened in any browser). So the
consequence is that a user failing to authenticate will be redirected to a
safe location (ex: the website's home page) instead of getting to the login
form again.
This should not be worth either a systematic double-decrypting (which could
lead to harder to debug decryption errors) or some heuristic trying to
guess if the value is in fact double-encoded.

For simplicity and readability.

When there is no enabled extractor plugin, PAS internally uses the DumbHTTPExtractor
class. When installing the OAuth2 resource server plugin, it activates itself as an extractor,
disabling this default mechanism. This is most likely unexpected to the admin, so in such
situation create & enable the ERP5 plugin which inherits from DumbHTTPExtractor, to
preserve basic authentiation.
If such plugin exists but is disabled, assume the admin forgot to enable it, and do it for them.
If any extraction plugin is already enabled, do nothing new.

`state_var` is now a compatibility alias calling getStateVariable, which
has a default value of `simulation_state`. As a result, this script was
attempting to call getSimulationStateTranslatedTitle on credential
requests, because they have an interaction workflow in their chain.

This fixes by implementing the full logic using new ERP5 workflow API.

See merge request nexedi/erp5!1814