PDF_viewPDFJSPreview/my_data
Anyway, we are in PDF context, it can work even if content_type is not set

it can happen that getEffectiveModel does not find a model, this
is currently causing activity failures in indexation of
transformations. Tolerate errors here because this is not an error
but just a sign of invalid user data.

Due to some debug code, it never checked anything.

Spin is too much and waste cpu resource.

This is a first step to stop using "unsafe" web sections.

This updates support request app to not require `script-src: unsafe-eval` and `style-src: unsafe-inline` in the CSP.
Dropping `script-src: unsafe-eval` is made possible by using domsugar instead of handlebars for dynamic content. Dropping `style-src: unsafe-inline` by using CSS files instead of inline `style` attributes in the DOM. One minor regression is that the tooltips from the graph on the front page gadget will cause warning because of `unsafe-inline` and not render the series color.

This application was also modernized a bit, it now uses the HTML viewer gadget to display post contents and supports translation.

See merge request !1821

The use case is a listbox method being called for a document A
and returning objects that:
- aren't children of A
- but wrapped with `.__of__(A)`

By using `aq_self` instead of `aq_base`, the listbox could still
acquire from the real parent of the returned object and wrongly access
an attribute directly (e.g. comment) instead of using an appropriate
method (if there's no `comment` attribute, getComment returns '').

See merge request !1820

The purpose is to be able to use the amount generator during indexation.
At some point, it executes:

        if amount.getQuantityUnit():
        ...
        for x in property_dict.iteritems():
          amount._setProperty(*x)

where `amount.getQuantityUnit()` may getResource before it is set.
Any further access to the resource category would be wrong.

There may be a way to only change the amount generator but this kind
of pitfall is likely to happen in many other places if we keep such
a read-only transaction cache for new or temp objects.

See merge request nexedi/erp5!1818

See merge request !1819

 - switch to programmatic creation of DOM element using domsugar
  instead of using handlebars which needs CSP
 - use gadget_html_viewer to display post contents
 - more translation support

To work 100% this needs "style-src: unsafe-inline" in the CSP, without
this the popup on hover does not show the series color - which in our
case is better than using the CSP.

also drop obsolete appcache, browsers no longer use this.

reference: https://github.com/apache/echarts/issues/16610

it was same as testSupportRequestPanelTranslation, but with less
assertion, probably I made a mistake in renaming

Using "Number" was not good for translations and maybe not so good in
english either.

Using verifyImageMatchSnapshot with 20 is sometimes not enough to detect
some significant differences

these are not used anymore

to new suite, renderjs_ui_autocomplete_attribute_suite

to test the autocomplete attr of fields

Base_callDialogMethod may not provide REQUEST nor RESPONSE, and may provide
other arguments. Make the former optional, ignore the latter, and fallback
on RequestContainer's magic when REQUEST is None.

<dtml-sqlvar "None" type=nb> should be 'null'.

For TextWidget, PasswordWidget and ListWidget only
To define the autocomplete HTML attribute of the field

Fixes `Uncaught Error: Language id "vs.editor.nullLanguage" is not
configured nor known` errors with html using script type handlebars

During the response process (especially setBody), HTTPResponse accesses
and updates some response headers in its "headers" property (a dictionary).
addHeader puts the response headers in a list which will not be updated by
HTTPResponse. This is "more correct" from an RFC perspective, as any header
specified as being a sequence of values delimited by commas may be split
among multiple headers.
So, keep using addHeader by default, but special-case some headers which
are accessed and must be successfully updated by HTTPResponse itself so
that those headers are set using setHeader, which updates the "headers"
property.

For better compatibility, as not all templates may be reconfigured to post
in application/x-www-form-urlencoded.
Also, tolerate a missing Content-Type request header, treating as an
unhandler type instead of raising a KeyError exception.

Fernet tokens are urlsafe-base64-encoded, so re-encoding them is
useless.

This change breaks compabitility with what should be a transient login state
(lasting as long as the login form is opened in any browser). So the
consequence is that a user failing to authenticate will be redirected to a
safe location (ex: the website's home page) instead of getting to the login
form again.
This should not be worth either a systematic double-decrypting (which could
lead to harder to debug decryption errors) or some heuristic trying to
guess if the value is in fact double-encoded.

For simplicity and readability.

When there is no enabled extractor plugin, PAS internally uses the DumbHTTPExtractor
class. When installing the OAuth2 resource server plugin, it activates itself as an extractor,
disabling this default mechanism. This is most likely unexpected to the admin, so in such
situation create & enable the ERP5 plugin which inherits from DumbHTTPExtractor, to
preserve basic authentiation.
If such plugin exists but is disabled, assume the admin forgot to enable it, and do it for them.
If any extraction plugin is already enabled, do nothing new.

`state_var` is now a compatibility alias calling getStateVariable, which
has a default value of `simulation_state`. As a result, this script was
attempting to call getSimulationStateTranslatedTitle on credential
requests, because they have an interaction workflow in their chain.

This fixes by implementing the full logic using new ERP5 workflow API.

See merge request nexedi/erp5!1814

See merge request !1817
Fix loitering trajectory when the drone is closer to the center than the required radius.

<dtml-sqlvar "None" type=string> should be 'null', not 'None'.

When using the public API of pandas (which is partially allowed in
restricted python), it can happen that this public API raises the error
'pytz.NonExistentTimeError' [1]. Users should be allowed to
import and therefore catch this exception.

Before this patch we could only do:

>>> try:
...   ts.tz_localize(tz)
... except Exception:
...   ...

After this patch we can do;

>>> try:
...   ts.tz_localize(tz)
... except pytz.NonExistentTimeError:
...   ...

pytz delivers more exceptions which are all equally harmless.
We can therefore in the same patch also allow them, as they may be
useful for similar cases.

This patch also comes with tests which ensure that the allowed
exceptions can be imported into restricted python and also a
test to ensure no other objects in the pytz namespace can be used.

---

[1] https://pandas.pydata.org/pandas-docs/version/2.0.3/reference/api/pandas.Series.tz_localize.html

/reviewed-by @jerome
/reviewed-on nexedi/erp5!1802

When an activity failure happens, the SQL row is updated:
- date is set to a future value, so the activity does not get retried
  immediately, in the expectation that what caused the failure may have
  cleared by that point.
- retry is incremented, to allow limiting the total number of retries
- priority is incremented

This last point seems harder to justify, and seems redundant with the date
increase. In the context of processing node families and with a steady
influx of similar activities at a base priority level, such priority
increment can postpone the victim activity execution to an arbitrarily
large amount of time, which is undesirable.
So, remove this increment.