1. 11 Nov, 2024 2 commits
  2. 08 Nov, 2024 8 commits
  3. 06 Nov, 2024 1 commit
    • Vincent Pelletier's avatar
      erp5_oauth2_authorisation: Do not edit OAuth2 Session on every refresh token issuance · 36768696
      Vincent Pelletier authored
      Malevolent users may decide to only - and repeatedly - present an otherwise
      valid refresh token, causing the issuance of a new access tokens everytime,
      likely along with new refresh tokens, causing many ZODB writes.
      Avoid this by pushing the token expiration date by one lifespan accuracy,
      so there can only be one write per session per lifespan accuracy period.
      36768696
  4. 05 Nov, 2024 6 commits
    • Jérome Perrin's avatar
      accounting: only allow Assignor to restart accounting periods · d7c0baf1
      Jérome Perrin authored
      This partially reverts 8a336dc5 (erp5_accounting: Allow
      Assignor manage Accounting Periods, 2024-09-16) for the restart
      transition, it is intentional that only Assignor can restart
      an accounting period that have been closed.
      The idea was to support a scenario where re-opening a period
      that was closed can not be done directly by the Assignee but
      needs validation from the assignor.
      d7c0baf1
    • Jérome Perrin's avatar
      web_renderjs_ui: fix detection of Base_redirect redirections · ad699c72
      Jérome Perrin authored
      The check was made on the blob response type, which is set from the
      Content-Type header returned by the server, but Safari has a different
      interpretation of the charset parameter from the mime type, with a
      content type set to application/json;charset=utf-8 like Base_redirect
      does today, safari creates a blob with type application/json;charset=utf-8
      and this was not detected as redirection and the json returned by
      Base_redirect was downloaded. Fix this by checking only the essence
      of the type.
      
      This also revealed a potential problem when actually downloading json
      files, in that case we also check that we have the X-Location header,
      that is supposed to be set by Base_redirect before interpreting the json
      and when it's not present we force download.
      ad699c72
    • Jérome Perrin's avatar
      ERP5Workflow: fix adding permissions · 9f3d6a99
      Jérome Perrin authored
      Follow up of ff624fd2 (ERP5Workflow: newly added permission should be
      acquired for all existing states., 2024-11-04) and cbef6282 (ERP5Workflow:
      make sure not create duplicate permissions, 2024-11-05)
      9f3d6a99
    • Jérome Perrin's avatar
      ERP5Workflow: make sure not create duplicate permissions · cbef6282
      Jérome Perrin authored
      Fix a problem introduced in ff624fd2 (ERP5Workflow: newly added
      permission should be acquired for all existing states., 2024-11-04),
      visible in a test failure
      cbef6282
    • Jérome Perrin's avatar
      3a9b16d4
    • Jérome Perrin's avatar
  5. 04 Nov, 2024 4 commits
  6. 01 Nov, 2024 2 commits
  7. 30 Oct, 2024 1 commit
  8. 29 Oct, 2024 1 commit
  9. 28 Oct, 2024 1 commit
    • Jérome Perrin's avatar
      Revert "simulation: introduce Rule.getSimulationMovementSimulationState" · ccadeaa4
      Jérome Perrin authored
      This reverts commit 5e21f77f.
      
      This was done too quickly based on a wrong assumption that simulation
      movements to build would always be in planned state and that we could
      have an efficient way of selecting them by catalog with index on
      portal_type and simulation state, but it does not work this way.
      
      Maybe the change is useful for something else, but since we don't have
      any use case for now, let's just revert.
      ccadeaa4
  10. 25 Oct, 2024 1 commit
  11. 24 Oct, 2024 7 commits
  12. 23 Oct, 2024 4 commits
  13. 16 Oct, 2024 2 commits
    • Jérome Perrin's avatar
      testCRM: use valid email address in the test · 007de00c
      Jérome Perrin authored
      `sender@customer.com <sender@customer.com>` used in the test is not a
      valid email address. We have updated to python3.9.20 which comes with a
      fix for CVE-2023-27043 and no longer allow this kind of broken addresses.
      
      Replace the address with a similar valid address,
      `"sender@customer.com" <sender@customer.com>`, that was probably the
      original intention of this test.
      007de00c
    • Jérome Perrin's avatar
      dms: explicitly cast `path` selected columns to char · ee19f449
      Jérome Perrin authored
      On python3, the type of selected columns depend on the data type from
      mariadb side, VARCHAR will be str, BINARY/BLOB will be bytes, etc
      
      These SQL method select path that is first evaluated from a variable
      that is NULL and in that case, mariadb seems to select LONGBLOB as data
      type:
      
          MariaDB [test]> set @defined_as_null=null; drop table if exists tmp; create table tmp as (select @defined_as_null); show create table tmp;
          +-------+------------------------------------------------------------------------------------------------------------------------------------+
          | Table | Create Table                                                                                                                       |
          +-------+------------------------------------------------------------------------------------------------------------------------------------+
          | tmp   | CREATE TABLE `tmp` (
            `@defined_as_null` longblob DEFAULT NULL
          ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci |
          +-------+------------------------------------------------------------------------------------------------------------------------------------+
      
      By casting to CHAR in SQL, on the python side we always have the str
      that we expect here, because this is used as path attribute of a SQL
      brain.
      ee19f449