- 13 Dec, 2024 2 commits
-
-
Vincent Pelletier authored
Fix bugs: - Fix an acquisition context bug: the user found here would be wrapped in the acquisition context of self, and as a result SecurityManager.validate may consider the user to be outside of the acquisition path of the document being checked (ex: when accessing a module while publishing a web section). - While unusual, there may be multiple users matching a given request, which is handled by ZPublisher but was skipped here. Also: Document: - Why this method is needed. - assumptions made to get simpler code. Improve performance: - portal_membership._huntUser looks the user up twice, which is expensive. Stop using this method. - When the request is a fake request (from restrictedTraverse) nothing can nor should be done, so bypass the entire logic that case. - Assorted tiny improvements: do not retrieve security manager twice, avoid extraneous local assignments, ... Improve coding style: - Stop accessing portal_membership's underware. - Stop accessing PluggableAuthenticationService's underware. - Simplify disabled cache support: this is exceedingly rare, optimise for when it is enabled. - Do not hardcode log level, also increase the severity: this really is a warning. - Do not try to decode Basic-auth, this is the job of the user folder. This removes duplicated code.
-
Yusei Tahara authored
Set table:number-columns-spanned to each cell outside listbox/matrixbox.
-
- 06 Dec, 2024 1 commit
-
-
Rafael Monnerat authored
Like it is done for option, remove default from schema after append the value into decription.
-
- 21 Nov, 2024 1 commit
-
-
Léo-Paul Géneau authored
See merge request nexedi/erp5!2004
-
- 20 Nov, 2024 2 commits
-
-
Léo-Paul Géneau authored
-
Léo-Paul Géneau authored
-
- 18 Nov, 2024 2 commits
-
-
Léo-Paul Géneau authored
-
Léo-Paul Géneau authored
Limit printed decimals in flight log file for readability.
-
- 15 Nov, 2024 1 commit
-
-
Nicolas Wavrant authored
See merge request nexedi/erp5!2017
-
- 14 Nov, 2024 1 commit
-
-
Nicolas Wavrant authored
By pre-fetching some catalog entries to retrieve objects UIDs that can directly be used in the inventory query, to avoid needless (costly) joins and hinting the catalog to use the resource_section_node_uid index of the stock table.
-
- 12 Nov, 2024 9 commits
-
-
Xiaowu Zhang authored
See merge request nexedi/erp5!2012
-
Roque authored
See merge request nexedi/erp5!2016
-
Roque authored
-
Jérome Perrin authored
The test from 6316d9bb (Formulator: test form serialization with non ascii elements, 2024-10-24) revealed that form with an encoding other than UTF-8 are not supported.
-
Jérome Perrin authored
-
Jérome Perrin authored
-
Jérome Perrin authored
DB.query accepts either bytes or str on python3. We need to decode the query here to display it in traceback and we must not fail when we have bytes with non UTF-8 characters, which can happen with binary columns
-
Jérome Perrin authored
-
Jérome Perrin authored
It currently not used and it's better not to have such public method
-
- 11 Nov, 2024 1 commit
-
-
Jérome Perrin authored
ref: 906761ed (erp5_web: change one-day-max policy max-age to 14400s, 2021-09-01)
-
- 08 Nov, 2024 8 commits
-
-
Romain Courteaud authored
-
Romain Courteaud authored
-
Romain Courteaud authored
-
Romain Courteaud authored
Using the display router command allows to drop the user search term when moving from one access page to another.
-
Romain Courteaud authored
Set the max-age value to 4h instead of 10min for the one-day-max policy (ie, 24h/6, like one-hour-max uses 10min max age). The idea is to reduce backend access of nearly static web sites, while still allowing changes without waiting for too long before it is propagated.
-
Titouan Soulard authored
-
Titouan Soulard authored
-
Titouan Soulard authored
`createSession` method from the OAuth2 Authorisation Server Connector needs to access client value. Fetching this value from the session is not needed since it is already stored in a local variable.
-
- 07 Nov, 2024 3 commits
-
-
Xiaowu Zhang authored
erp5_invoicing: don't index reference in fulltext which is usually generated by system and meaningless it's like 5.1, 2.4
-
Xiaowu Zhang authored
-
Xiaowu Zhang authored
it's like 5.1, 2.4
-
- 06 Nov, 2024 1 commit
-
-
Vincent Pelletier authored
Malevolent users may decide to only - and repeatedly - present an otherwise valid refresh token, causing the issuance of a new access tokens everytime, likely along with new refresh tokens, causing many ZODB writes. Avoid this by pushing the token expiration date by one lifespan accuracy, so there can only be one write per session per lifespan accuracy period.
-
- 05 Nov, 2024 6 commits
-
-
Jérome Perrin authored
This partially reverts 8a336dc5 (erp5_accounting: Allow Assignor manage Accounting Periods, 2024-09-16) for the restart transition, it is intentional that only Assignor can restart an accounting period that have been closed. The idea was to support a scenario where re-opening a period that was closed can not be done directly by the Assignee but needs validation from the assignor.
-
Jérome Perrin authored
The check was made on the blob response type, which is set from the Content-Type header returned by the server, but Safari has a different interpretation of the charset parameter from the mime type, with a content type set to application/json;charset=utf-8 like Base_redirect does today, safari creates a blob with type application/json;charset=utf-8 and this was not detected as redirection and the json returned by Base_redirect was downloaded. Fix this by checking only the essence of the type. This also revealed a potential problem when actually downloading json files, in that case we also check that we have the X-Location header, that is supposed to be set by Base_redirect before interpreting the json and when it's not present we force download.
-
Jérome Perrin authored
Follow up of ff624fd2 (ERP5Workflow: newly added permission should be acquired for all existing states., 2024-11-04) and cbef6282 (ERP5Workflow: make sure not create duplicate permissions, 2024-11-05)
-
Jérome Perrin authored
Fix a problem introduced in ff624fd2 (ERP5Workflow: newly added permission should be acquired for all existing states., 2024-11-04), visible in a test failure
-
Jérome Perrin authored
-
Jérome Perrin authored
-
- 04 Nov, 2024 2 commits
-
-
Roque authored
-
Kazuhiko Shiozaki authored
before, all permissions became acquired in all states once we update permission list.
-