1. 28 Sep, 2017 6 commits
    • Gabriel Monnerat's avatar
    • Gabriel Monnerat's avatar
      erp5_oauth_google_login: Implementation of login in ERP5 with Google Account · 160891ef
      Gabriel Monnerat authored
      Google Login follow the same implementation of ERP5 Login(subobject of Person) and with an action in preferences, the user can add Google Login to his person.
      
      - A link was add to login page in ERP5 with Google Account and zocial.min.css is used to display it nicely
      
      - logout was extended to remove cookie __ac_google_hash if authentication with Google account is enabled
      
      - login_form is using ERP5Site_getAvailableOAuthLoginList to know if google login is supported or not. With this, we can extend to other oauth easily.
      
      - ERP5ExternalOauth2ExtractionPlugin don't have the responsability of create user in extraction plugin. A more apporpriate place would be a dedicated "signup using oauth" page, relying on erp5_credential for the actual user creation.
      
      - portal_oauth is used to store secret_key and client_id from Google
      
      - enable PAS plugin through upgrader
      160891ef
    • Boxiang Sun's avatar
      5ef71164
    • Boxiang Sun's avatar
    • Jérome Perrin's avatar
      notification_tool: fix Unauthorized when sending message to person user cannot access · 82c51e7e
      Jérome Perrin authored
      When a user triggers `NotificationTool.sendMessage(recipient=user_id)` to a recipient she does not have access permission on, it now causes this problem (the caller context is a custom script with manager proxy role):
      
      ```
        Module Products.ERP5.Tool.NotificationTool, line 322, in sendMessage
          person_value = getUserValueByUserId(person)
        Module Products.ERP5.Tool.NotificationTool, line 291, in getUserValueByUserId
          return portal.restrictedTraverse(user['path'])
        Module OFS.Traversable, line 317, in restrictedTraverse
          return self.unrestrictedTraverse(path, default, restricted=True)
        Module OFS.Traversable, line 251, in unrestrictedTraverse
         - __traceback_info__: (['redacted_person_id'], 'person_module')
          next = guarded_getattr(obj, name)
      Unauthorized: You are not allowed to access 'person_module' in this context
      ```
      
      This is a regression caused by 62d8d3ac .
      
      That particular case was working before, because the person was looked up using [catalog]( https://lab.nexedi.com/nexedi/erp5/blob/882f0022c7af4f36c2f31643498ac0b5d82c2217/product/ERP5/Tool/NotificationTool.py#L321-322) so the proxy role from the caller script was taken in to account.
      
      Now, we can say that the approach suggested here is not correct and document that the current logged in user must have permission to access the person documents involved as sender or recipient in the notification.
      
      Then, if we need to send message to persons the current user does not have access permission, instead  of using:
      ```python
      portal.portal_notifications.sendMessage(recipient=person.getUserId())
      ```
      
      just do:
      ```python
      portal.portal_notifications.sendMessage(recipient=person)
      ```
      
      but the later does not allow for using activities.
      
      /cc @vpelletier @gabriel 
      
      
      /reviewed-on nexedi/erp5!395
      82c51e7e
    • Vincent Pelletier's avatar
      d5f616d9
  2. 27 Sep, 2017 13 commits
  3. 26 Sep, 2017 8 commits
  4. 25 Sep, 2017 4 commits
    • Vincent Bechu's avatar
      c2daeddf
    • Vincent Pelletier's avatar
      erp5_accounting: Remove table name from selected column aliases. · 3be8d312
      Vincent Pelletier authored
      This reverts commit 206fa603 (which was
      itself a revert commit), re-applying the change now that surrounding
      code is ready for it.
      3be8d312
    • Vincent Pelletier's avatar
      ZSQLCatalog: Also render ignored columns · e4aa5476
      Vincent Pelletier authored
      Ignored columns are produced when aliasing a column. For example,
      aliasing "catalog.reference" as "reference".
      Before this change, this would cause conditions on "reference" to be
      rendered non-mapped, which can cause SQL execution issues when there is
      more than one "reference" column available (catalog.reference and its
      alias counting as only one), which is the case when
      catalog-category-catalog joins happen.
      
      Instead, render all columns which could be mapped, independently from
      their "ignored" status.
      
      Also, use a different local variable for table aliases than for column
      aliases.
      Also, use more "return" statements, and simplify conditional structure.
      e4aa5476
    • Vincent Pelletier's avatar
      SimulationTool: Remove input/output perimeter definition. · 8b6865ae
      Vincent Pelletier authored
      As per Jérome, who implemented the test, it was written to test the
      current state rather than testing the desired outcome. And it makes
      little sense to have (and test for) 100 being present in both debit and
      credit columns ("normal" lines), and 0 to be present in the stat line.
      
      Update test to check for a more consistent outcome.
      Acked-by: Jérome Perrin's avatarJérome Perrin <jerome@nexedi.com>
      8b6865ae
  5. 22 Sep, 2017 9 commits