1. 08 Nov, 2024 1 commit
  2. 06 Nov, 2024 1 commit
    • erp5_oauth2_authorisation: Do not edit OAuth2 Session on every refresh token issuance · 36768696
      Vincent Pelletier authored
      Malevolent users may decide to only - and repeatedly - present an otherwise
      valid refresh token, causing the issuance of new access tokens every time,
      likely along with new refresh tokens, causing many ZODB writes.
      Avoid this by pushing the token expiration date by one lifespan accuracy,
      so there can only be one write per session per lifespan accuracy period.
  3. 05 Nov, 2024 6 commits
    • accounting: only allow Assignor to restart accounting periods · d7c0baf1
      Jérome Perrin authored
      This partially reverts 8a336dc5 (erp5_accounting: Allow
      Assignor manage Accounting Periods, 2024-09-16) for the restart
      transition; it is intentional that only Assignor can restart
      an accounting period that has been closed.
      The idea was to support a scenario where re-opening a period
      that was closed can not be done directly by the Assignee but
      needs validation from the assignor.
    • web_renderjs_ui: fix detection of Base_redirect redirections · ad699c72
      Jérome Perrin authored
      The check was made on the blob response type, which is set from the
      Content-Type header returned by the server, but Safari has a different
      interpretation of the charset parameter from the mime type. With a
      content type set to application/json;charset=utf-8 like Base_redirect
      does today, Safari creates a blob with type application/json;charset=utf-8
      and this was not detected as redirection and the json returned by
      Base_redirect was downloaded. Fix this by checking only the essence
      of the type.
      
      This also revealed a potential problem when actually downloading json
      files, in that case we also check that we have the X-Location header,
      that is supposed to be set by Base_redirect before interpreting the json
      and when it's not present we force download.
    • ERP5Workflow: fix adding permissions · 9f3d6a99
      Jérome Perrin authored
      Follow up of ff624fd2 (ERP5Workflow: newly added permission should be
      acquired for all existing states., 2024-11-04) and cbef6282 (ERP5Workflow:
      make sure not create duplicate permissions, 2024-11-05)
    • ERP5Workflow: make sure not create duplicate permissions · cbef6282
      Jérome Perrin authored
      Fix a problem introduced in ff624fd2 (ERP5Workflow: newly added
      permission should be acquired for all existing states., 2024-11-04),
      visible in a test failure
    • 3a9b16d4
  4. 04 Nov, 2024 4 commits
  5. 01 Nov, 2024 2 commits
  6. 30 Oct, 2024 1 commit
  7. 29 Oct, 2024 1 commit
  8. 28 Oct, 2024 1 commit
    • Revert "simulation: introduce Rule.getSimulationMovementSimulationState" · ccadeaa4
      Jérome Perrin authored
      This reverts commit 5e21f77f.
      
      This was done too quickly based on a wrong assumption that simulation
      movements to build would always be in planned state and that we could
      have an efficient way of selecting them by catalog with index on
      portal_type and simulation state, but it does not work this way.
      
      Maybe the change is useful for something else, but since we don't have
      any use case for now, let's just revert.
  9. 25 Oct, 2024 1 commit
  10. 24 Oct, 2024 7 commits
  11. 23 Oct, 2024 4 commits
  12. 16 Oct, 2024 5 commits
    • testCRM: use valid email address in the test · 007de00c
      Jérome Perrin authored
      `sender@customer.com <sender@customer.com>` used in the test is not a
      valid email address. We have updated to python3.9.20 which comes with a
      fix for CVE-2023-27043 and no longer allows this kind of broken address.
      
      Replace the address with a similar valid address,
      `"sender@customer.com" <sender@customer.com>`, that was probably the
      original intention of this test.
    • dms: explicitly cast `path` selected columns to char · ee19f449
      Jérome Perrin authored
      On python3, the type of selected columns depends on the data type from
      mariadb side, VARCHAR will be str, BINARY/BLOB will be bytes, etc.
      
      These SQL methods select path that is first evaluated from a variable
      that is NULL and in that case, mariadb seems to select LONGBLOB as data
      type:
      
          MariaDB [test]> set @defined_as_null=null; drop table if exists tmp; create table tmp as (select @defined_as_null); show create table tmp;
          +-------+------------------------------------------------------------------------------------------------------------------------------------+
          | Table | Create Table                                                                                                                       |
          +-------+------------------------------------------------------------------------------------------------------------------------------------+
          | tmp   | CREATE TABLE `tmp` (
            `@defined_as_null` longblob DEFAULT NULL
          ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci |
          +-------+------------------------------------------------------------------------------------------------------------------------------------+
      
      By casting to CHAR in SQL, on the python side we always have the str
      that we expect here, because this is used as path attribute of a SQL
      brain.
    • custom_zodb: fix a ResourceWarning · 5349d8c4
      Jérome Perrin authored
    • ProcessingNodeTestCase: also setRequest in timerserver loop · 6102ed47
      Jérome Perrin authored
      This is similar to 18deb716 (ProcessingNodeTestCase: also setRequest
      in processing_node, 2023-05-02), as said in that commit message,
      timerserver loop calls setRequest, but before entering the loop, we
      wait for the portal to be created with:
      
          try:
            self.portal = self.app[self.app.test_portal_name]
          except (AttributeError, KeyError):
            continue
      
      While accessing like this, this will load classes and initialize dynamic
      modules, on python2 this was OK, but on python3 this was raising an
      error because `getRequest` returned None:
      
        File "./parts/erp5/product/ERP5Type/dynamic/component_package.py", line 449, in load_module
          return self.__load_module(fullname)
        File "./parts/erp5/product/ERP5Type/dynamic/component_package.py", line 416, in __load_module
          erp5.component.ref_manager.add_module(module)
        File "./parts/erp5/product/ERP5Type/dynamic/dynamic_module.py", line 86, in add_module
          self.add_request(get_request())
        File "./parts/erp5/product/ERP5Type/dynamic/dynamic_module.py", line 64, in add_request
          self.setdefault(last_sync, (WeakSet(), set()))[0].add(request_obj)
        File "./lib/python3.9/_weakrefset.py", line 89, in add
          self.data.add(ref(item, self._remove))
      TypeError: cannot create weak reference to 'NoneType' object
      
      On python2, this was actually raising as well, but this error is hidden
      by a `hasattr`, because on python2 `hasattr` ignores all exceptions and
      on python3 it only ignores `AttributeError`.
      
        File "./parts/erp5/product/ERP5Type/Core/PropertySheet.py", line 61, in createAccessorHolder
          self.applyOnAccessorHolder(accessor_holder, expression_context, portal)
        File "./parts/erp5/product/ERP5Type/Core/PropertySheet.py", line 175, in applyOnAccessorHolder
          for property_definition in self.contentValues():
        File "./parts/erp5/product/ERP5Type/Core/Folder.py", line 1570, in contentValues
          portal_type_id_list = self._getTypesTool().listContentTypes()
        File "./parts/erp5/product/ERP5Type/Tool/TypesTool.py", line 173, in listContentTypes
          provider_value = _getOb(provider, None)
        File "./eggs/Zope-4.8.7-py2.7.egg/OFS/ObjectManager.py", line 323, in _getOb
          if id[:1] != '_' and hasattr(aq_base(self), id):
        File "./parts/erp5/product/ERP5Type/dynamic/lazy_class.py", line 120, in __getattribute__
          self.__class__.loadClass()
  13. 15 Oct, 2024 6 commits
    • erp5_web_renderjs_ui: update the interface for gadget_button_maximize · 0fcb4727
      Nicolas Wavrant authored
      And simplify just a bit the code
    • BusinessTemplate: Fix some lxml warnings for `findall` (!1751). · 6e4d8625
      Jérome Perrin authored
      FutureWarning: This search incorrectly ignores the root element, and will be
      fixed in a future version.  If you rely on the current behaviour, change it to
      './/role'.
    • py3: TestTradeModelLineMixin inherited from UserDict() to store values on the class directly (!1751). · 57c609da
      Arnaud Fontaine authored
      
      This does not work with py3:
          File "parts/erp5/Products/ERP5Type/tests/runUnitTest.py", line 941, in main
            result = runUnitTestList(test_list=args,
          File "parts/erp5/Products/ERP5Type/tests/runUnitTest.py", line 703, in runUnitTestList
            result = TestRunner(verbosity=verbosity).run(suite)
          [...]
          File "parts/python3/lib/python3.9/unittest/runner.py", line 184, in run
            test(result)
          [...]
          File "parts/python3/lib/python3.9/unittest/suite.py", line 84, in __call__
            return self.run(*args, **kwds)
          File "parts/python3/lib/python3.9/unittest/suite.py", line 111, in run
            if _isnotsuite(test):
          File "parts/python3/lib/python3.9/unittest/suite.py", line 369, in _isnotsuite
            iter(test)
          File "parts/python3/lib/python3.9/collections/__init__.py", line 1067, in __iter__
            return iter(self.data)
        AttributeError: 'TestComplexTradeModelLineUseCaseSale' object has no attribute 'data'
      
      Use a dedicated dict() to store these values as there was no strong reasons to
      inherit from UserDict() here and this makes test implementation easier too...
    • IdTool: Handle group_id on python3 (!1980). · 1f369453
      Jérome Perrin authored
      group_id is used as key of OOBTree and as documented, it's not possible to mix
      keys that can not be compared, so we can not have a mix of string and bytes, for
      consistency with other BTrees, such as the ones used for OFS.
      
      group_id is also used in a SQL column which is BINARY, this is problematic on
      py3 because the selected values will be returned as bytes, but we expect str
      here. Because we don't want to run a data migration, we adjust the select
      methods to convert to str while selecting.
      
      For years there has been a warning that id_group must be a string; now we make it a
      bit stricter: we also enforce that the id_group is valid UTF-8.
      
      A few more tests and assertions were also added.
    • interfaces: register a `IXmlrpcChecker` for Zope 5.8.2 compatibility (!1751). · 874e3f4b
      Jérome Perrin authored
      Since Zope commit 020685087 (`Allow ZPublisher to handle a query string together
      with a request body (#1124)`, 2023-05-15) Zope tries to process all XML HTTP
      requests as XML-RPC and we need to tell that these SOAP requests are not XML-RPC.
    • py2/py3: Base64 encode inventory cache, as Shared.DC.ZRDB.DA.SQL tries to decode bytes to str (nexedi/erp5!1751). · edfbdf6b
      Kazuhiko Shiozaki authored