  2. 04 Sep, 2023 7 commits
      erp5_oauth2_authorisation: Store more HTTPResponse headers using setHeader · b680b016
      Vincent Pelletier authored
      During the response process (especially setBody), HTTPResponse accesses
      and updates some response headers in its "headers" property (a dictionary).
      addHeader puts the response headers in a list which will not be updated by
      HTTPResponse. This is "more correct" from an RFC perspective, as any header
      specified as being a sequence of values delimited by commas may be split
      among multiple headers.
      So, keep using addHeader by default, but special-case some headers which
      are accessed and must be successfully updated by HTTPResponse itself so
      that those headers are set using setHeader, which updates the "headers"
      property.
      erp5_oauth2_authorisation/logged_in_once: Tolerate multipart/form-data request encoding · c5410570
      Vincent Pelletier authored
      For better compatibility, as not all templates may be reconfigured to post
      in application/x-www-form-urlencoded.
      Also, tolerate a missing Content-Type request header, treating it as an
      unhandled type instead of raising a KeyError exception.
      erp5_oauth2_authorisation: Drop login retry URL double base64-encoding · 915b20c4
      Vincent Pelletier authored
      Fernet tokens are urlsafe-base64-encoded, so re-encoding them is
      useless.
      
      This change breaks compatibility with what should be a transient login state
      (lasting as long as the login form is opened in any browser). So the
      consequence is that a user failing to authenticate will be redirected to a
      safe location (ex: the website's home page) instead of getting to the login
      form again.
      This should not be worth either a systematic double-decrypting (which could
      lead to harder to debug decryption errors) or some heuristic trying to
      guess if the value is in fact double-encoded.
      Products.ERP5Security: Declare module security locally · 8041c090
      Vincent Pelletier authored
      For simplicity and readability.
      ERP5Site_checkOAuth2ResourceServerPostUpgradeConsistency: Do not lock ERP5 users out · e0b68bdb
      Vincent Pelletier authored
      When there is no enabled extractor plugin, PAS internally uses the DumbHTTPExtractor
      class. When installing the OAuth2 resource server plugin, it activates itself as an extractor,
      disabling this default mechanism. This is most likely unexpected to the admin, so in such
      a situation create & enable the ERP5 plugin which inherits from DumbHTTPExtractor, to
      preserve basic authentication.
      If such a plugin exists but is disabled, assume the admin forgot to enable it, and do it for them.
      If any extraction plugin is already enabled, do nothing new.
      crm,credential: repair Ticket_getWorkflowStateTranslatedTitle for ERP5 workflow · c6b59bd6
      Jérome Perrin authored
      `state_var` is now a compatibility alias calling getStateVariable, which
      has a default value of `simulation_state`. As a result, this script was
      attempting to call getSimulationStateTranslatedTitle on credential
      requests, because they have an interaction workflow in their chain.
      
      This fixes it by implementing the full logic using the new ERP5 workflow API.
  7. 22 Aug, 2023 1 commit
      erp5_core: Only search for ERP5 Login · 8c025549
      Rafael Monnerat authored
      The implementation only works with ERP5 Login, since it is the only portal type that
      holds a password in ERP5. Other implementations are password-less: Certificate Login,
      Google Login and Facebook Login, so they cannot have their password reset anyway.
      
      It is overkill to split the login on multiple categorizations, to use some portal group (ie:
      getPortalLoginPortalTypeThatCanResetPassord...) until we have a clear use case.