- 22 Feb, 2022 1 commit
-
-
Jérome Perrin authored
For historical reasons, EncryptedPasswordMixin.setPassword was public and did its own security checks. This was the case since 7d0882ef (setPassword have to do explicit security checks…, 2007-11-12), because we wanted to support cases where user can edit the login ("Edit portal content" permission), but not change the password ("Set own password" permission).

Also, we wanted to support the case where login is edited through a view form: in that case we have a my_password field that is empty and we don't want to set the password to None.

For these two reasons the API to set password was very complex and behaving differently from other accessors: usually setSomething(None) just sets something to None, i.e. "unsets" something, but for passwords it was not the case.

Also we had to introduce the _forceSetPassword method, which sets the password without security checks, so that it can be called from unrestricted code for cases where user does not have the permission to reset password (like in the reset password scenario).

Since d1312cdb (make edit check the security remove all useless security declaration on private method, 2008-05-23), edit supports restricted properties, so we can simplify all this and make setPassword a more standard accessor, i.e.:

  - setPassword has a security declaration, so if it is called from restricted python the security will apply at `__getattr__` time. `edit` method will also check security.
  - setPassword(None) resets the password.
  - The logic to not change the password when editing in view mode is now `edit` responsibility, i.e. `login.setPassword(None)` resets, but `login.edit(password=None)` does not reset.

This also corrects some usage of the lower level API (`pw_encrypt` and `pw_validate`) which were never supposed to use `None`:

  - `pw_validate` was called with None when a user without password was trying to login, causing a TypeError that was cached by PAS and logged with level debug (and refusing login). Now the error is no longer raised.
  - `pw_encrypt` was called with None (but apparently only in the tests, when doing `user.newContent(portal_type='ERP5 Login', password=None)`) and this was creating a login with password `'None'` with AccessControl 2. With AccessControl 4 this was an Error.
-
- 21 Feb, 2022 13 commits
-
-
Jérome Perrin authored
reorder methods, make some docstrings a bit more informative and fix several typos
-
Jérome Perrin authored
These methods have always been using user_id, but were written at a time when there was no such distinction.
-
Jérome Perrin authored
-
Jérome Perrin authored
This test case tries to provide a message helpful for debugging in case of assertion failure for assertUserCanPassWorkflowTransition, but this was not correctly using the new workflow API and in case of failure there was an error like this:

      File ".../custom/test.py"
        self.assertUserCanPassWorkflowTransition(user, 'stop_action', packing_list)
      File "product/ERP5Type/tests/SecurityTestCase.py", line 237, in failUnlessUserCanPassWorkflowTransition
        if wf_transition.trigger_type == TRIGGER_USER_ACTION:
    AttributeError: 'NoneType' object has no attribute 'trigger_type'

The previous implementation was using getGuardSummary, which no longer exists in the new workflow, so we implement similar logic here.

The new message changes a bit, it now looks like this:

    AssertionError: User X can NOT pass stop_action transition on Internal Packing List at /erp5/internal_packing_list_module/20220218-22A38 (draft on delivery_causality_workflow, draft on internal_packing_list_notification_workflow, started on packing_list_workflow). Roles: [Owner, Member, Authenticated, Associate]
    Available transitions:
     deliver_action[packing_list_workflow]
      Expression:
      Permissions:
      Groups:
    * stop_action[packing_list_workflow]
      Expression: python: not(state_change['object'].getPortalType() == "Sale Packing List" and state_change['object'].getSimulationState() == "confirmed")
      Permissions:
      Groups:
-
Jérome Perrin authored
-
Jérome Perrin authored
1b1dbf60 (tests: also consider python unittest failures in functional tests, 2021-06-16) was not counting properly the cases where we have selenium failures. In that case we only want to count selenium failures; if we add with the python failures from status_dict, we report one extra failure.

The correct approach is to count selenium failures if any and otherwise count python failures.

Co-authored-by: Vincent Pelletier <vincent@nexedi.com>
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Avoids duplicating items from that list.
-
Vincent Pelletier authored
Both so that changes to the list of core business templates are applied on upgrade, and to avoid uninstalling core business templates, if no other maintained-up-to-date business templates depend on them. Also, improve the documentation of the erp5_upgrader version of this script.
-
Vincent Pelletier authored
But make it non-publishable.
-
Vincent Pelletier authored
The main reason is to use portal type setters, and not set the properties directly: setting the properties directly bypasses interactions which trigger type refresh, which hence prevents such changes from being applied to the types until something else would cause a reload.

While at it:

  - modify the property sheet list once only instead of once per added property sheet
  - only modify the property sheet list when fixit is true
  - improve constraint message to actually tell what is being detected
  - do not report a constraint error when no change is necessary
  - follow naming conventions: avoid abbreviations, variables holding documents must end in "_value"
  - avoid single-use local variables
-
Vincent Pelletier authored
This reverts commit 77b3f202. For some obscure reason, this affects unit tests related to inventory unit conversion. There seems to be too much code to clean up to keep this patch for now, so drop it.
-
- 17 Feb, 2022 7 commits
-
-
Romain Courteaud authored
Fallback to modification_date if a document does not have an effective_date.
-
Vincent Pelletier authored
Indexation activities may spawn further activities, and for_each_activity expects the number of activities after a test to be zero.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
System user should be more reliable than whatever user has ownership of catalog tool (which may have its account closed or its roles changed).
-
Vincent Pelletier authored
CMFActivity: Fix ActivityRuntimeEnvironment.getPriority when activity was not loaded from an SQL queue. This happens when activities are being flushed from the ActivityBuffer directly, without being inserted into and then loaded from the SQL queue. It is unclear whether there are uses of this pattern besides testCMFActivity, but it is easy enough to fix.
-
Vincent Pelletier authored
Checking activity presence/absence is not enough: it risks both false negatives and false positives. Instead, manually poison the catalog's content and check which value we retrieve after executing spawned activities (if any).
-
- 16 Feb, 2022 10 commits
-
-
Xiaowu Zhang authored
It's not finished, rework if needed.
-
Vincent Pelletier authored
-
Georgios Dagkakis authored
  - Remove trailing whitespaces
  - Follow guidelines
  - Fixup types
-
Vincent Pelletier authored
Also, use it in Products.ERP5Type.tests.ERP5TypeTestCase.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
The only use 'my_' has above 'your_' is to provide a default field value without needing a TALES expression. This only gets applied based on the field ID in the form being rendered. Field libraries are never meant to be rendered, so using 'my_' is always (if harmless) pointless.

What really matters for the field naming convention (which exists to avoid collisions with form properties) is that *some* prefix is used, be it 'my_' or 'your_'. So update this check rule to tolerate 'your_' prefixes in addition to 'my_'.

Also, use 'not any([...])' instead of 'not 1 in [...]'.
-
Vincent Pelletier authored
I guess this is the intention of the unnecessary pair of parentheses.
-
Vincent Pelletier authored
"Certificate Authority" is a bit long, especially as it is often followed by some other word ("Certificate", ...).
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Abbreviations must be upper-case.
-
- 15 Feb, 2022 3 commits
-
-
Xiaowu Zhang authored
-
Xiaowu Zhang authored
-
Xiaowu Zhang authored
-
- 14 Feb, 2022 1 commit
-
-
Vincent Pelletier authored
The precise number of entries in a bucket depends on an estimation of the size of a pickle. The pickled data contains DateTime objects, making an equality test brittle:

  - DateTime's timezones are stored as strings (ex: 'GMT') whose length depends on Zope's timezone, which is variable
  - DateTime's time is stored as a floating-point value represented as a string whose length depends on the number of units and decimals necessary to represent its value, both being variable (one based on when the test was run, the other based on clock precision and exact test execution timing)

Instead, restore the originally-considered-acceptable boundary (24) and verify that the generated value is greater or equal to it. If 24 is considered too small to be acceptable, then it is a decision independent from the present change.
-
- 13 Feb, 2022 1 commit
-
-
Julien Muchembled authored
-
- 10 Feb, 2022 4 commits
-
-
Roque authored
See merge request nexedi/erp5!1553
-
Roque authored
-
Roque authored
-
Jérome Perrin authored
Some combinations of periodicity, for example repeat every first week of the year and every month February, are impossible (because the first week of the year is always in January) and such configurations caused infinite loops or probably overflow if we wait long enough.

The algorithm being to try the next day until all constraints are met, it is not guaranteed to terminate. To make sure the algorithm terminates, we rely on the fact that calendars repeat after some time, so if after a few years we did not find a matching combination, we can stop retrying.

According to https://en.wikipedia.org/wiki/Determination_of_the_day_of_the_week

> Each leap year repeats once every 28 years, and every common year
> repeats once every 6 years and twice every 11 years.

so trying for 28 years should be enough to see all combinations.
-