1. 28 Sep, 2017 2 commits
    • Jérome Perrin's avatar
      notification_tool: fix Unauthorized when sending message to person user cannot access · 82c51e7e
      Jérome Perrin authored
      When a user triggers `NotificationTool.sendMessage(recipient=user_id)` to a recipient she does not have access permission on, it now causes this problem (the caller context is a custom script with manager proxy role):
      
      ```
        Module Products.ERP5.Tool.NotificationTool, line 322, in sendMessage
          person_value = getUserValueByUserId(person)
        Module Products.ERP5.Tool.NotificationTool, line 291, in getUserValueByUserId
          return portal.restrictedTraverse(user['path'])
        Module OFS.Traversable, line 317, in restrictedTraverse
          return self.unrestrictedTraverse(path, default, restricted=True)
        Module OFS.Traversable, line 251, in unrestrictedTraverse
         - __traceback_info__: (['redacted_person_id'], 'person_module')
          next = guarded_getattr(obj, name)
      Unauthorized: You are not allowed to access 'person_module' in this context
      ```
      
      This is a regression caused by 62d8d3ac .
      
      That particular case was working before, because the person was looked up using [catalog]( https://lab.nexedi.com/nexedi/erp5/blob/882f0022c7af4f36c2f31643498ac0b5d82c2217/product/ERP5/Tool/NotificationTool.py#L321-322) so the proxy role from the caller script was taken in to account.
      
      Now, we can say that the approach suggested here is not correct and document that the current logged in user must have permission to access the person documents involved as sender or recipient in the notification.
      
      Then, if we need to send message to persons the current user does not have access permission, instead  of using:
      ```python
      portal.portal_notifications.sendMessage(recipient=person.getUserId())
      ```
      
      just do:
      ```python
      portal.portal_notifications.sendMessage(recipient=person)
      ```
      
      but the later does not allow for using activities.
      
      /cc @vpelletier @gabriel 
      
      
      /reviewed-on nexedi/erp5!395
      82c51e7e
    • Vincent Pelletier's avatar
      d5f616d9
  2. 27 Sep, 2017 13 commits
  3. 26 Sep, 2017 8 commits
  4. 25 Sep, 2017 4 commits
    • Vincent Bechu's avatar
      [erp5_web_renderjs_ui] Release Jio Version 3.22.1 · c2daeddf
      Vincent Bechu authored
      /reviewed-on !408
      c2daeddf
    • Vincent Pelletier's avatar
      erp5_accounting: Remove table name from selected column aliases. · 3be8d312
      Vincent Pelletier authored
      This reverts commit 206fa603 (which was
      itself a revert commit), re-applying the change now that surrounding
      code is ready for it.
      3be8d312
    • Vincent Pelletier's avatar
      ZSQLCatalog: Also render ignored columns · e4aa5476
      Vincent Pelletier authored
      Ignored columns are produced when aliasing a column. For example,
      aliasing "catalog.reference" as "reference".
      Before this change, this would cause conditions on "reference" to be
      rendered non-mapped, which can cause SQL execution issues when there is
      more than one "reference" column available (catalog.reference and its
      alias counting as only one), which is the case when
      catalog-category-catalog joins happen.
      
      Instead, render all columns which could be mapped, independently from
      their "ignored" status.
      
      Also, use a different local variable for table aliases than for column
      aliases.
      Also, use more "return" statements, and simplify conditional structure.
      e4aa5476
    • Vincent Pelletier's avatar
      SimulationTool: Remove input/output perimeter definition. · 8b6865ae
      Vincent Pelletier authored
      As per Jérome, who implemented the test, it was written to test the
      current state rather than testing the desired outcome. And it makes
      little sense to have (and test for) 100 being present in both debit and
      credit columns ("normal" lines), and 0 to be present in the stat line.
      
      Update test to check for a more consistent outcome.
      Acked-by: Jérome Perrin's avatarJérome Perrin <jerome@nexedi.com>
      8b6865ae
  5. 22 Sep, 2017 12 commits
  6. 21 Sep, 2017 1 commit