Commits · 82c51e7ecac90e358f2392b2ecd90afd40743437 · nexedi / erp5

28 Sep, 2017 2 commits

notification_tool: fix Unauthorized when sending message to person user cannot access · 82c51e7e

Jérome Perrin authored Sep 15, 2017

When a user triggers `NotificationTool.sendMessage(recipient=user_id)` to a recipient she does not have access permission on, it now causes this problem (the caller context is a custom script with manager proxy role):

```
  Module Products.ERP5.Tool.NotificationTool, line 322, in sendMessage
    person_value = getUserValueByUserId(person)
  Module Products.ERP5.Tool.NotificationTool, line 291, in getUserValueByUserId
    return portal.restrictedTraverse(user['path'])
  Module OFS.Traversable, line 317, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  Module OFS.Traversable, line 251, in unrestrictedTraverse
   - __traceback_info__: (['redacted_person_id'], 'person_module')
    next = guarded_getattr(obj, name)
Unauthorized: You are not allowed to access 'person_module' in this context
```

This is a regression caused by 62d8d3ac .

That particular case was working before, because the person was looked up using [catalog]( https://lab.nexedi.com/nexedi/erp5/blob/882f0022c7af4f36c2f31643498ac0b5d82c2217/product/ERP5/Tool/NotificationTool.py#L321-322) so the proxy role from the caller script was taken in to account.

Now, we can say that the approach suggested here is not correct and document that the current logged in user must have permission to access the person documents involved as sender or recipient in the notification.

Then, if we need to send message to persons the current user does not have access permission, instead  of using:
```python
portal.portal_notifications.sendMessage(recipient=person.getUserId())
```

just do:
```python
portal.portal_notifications.sendMessage(recipient=person)
```

but the later does not allow for using activities.

/cc @vpelletier @gabriel 


/reviewed-on nexedi/erp5!395

82c51e7e

fixup! erp5_payline: use new API of HTTP Exchange · d5f616d9
Vincent Pelletier authored Sep 28, 2017

d5f616d9

27 Sep, 2017 13 commits
- erp5_officejs: Modify Dropbox synchronisation parameters for higher volume and efficiency · bc0fec9d
  Cédric Le Ninivin authored Sep 27, 2017
  
  bc0fec9d
- fixup! system_event: document how HTTP Exchange works · d5cb562a
  Kazuhiko Shiozaki authored Sep 27, 2017
  
  d5cb562a
- erp5_officejs_support_request_ui: Drop the SR which more than 30 days. · 848c28eb
  Boxiang Sun authored Sep 27, 2017
  
  848c28eb
- erp5_officejs_support_request_ui: Remove redundant query in these two python script. · 2d47c86f
  Boxiang Sun authored Sep 26, 2017
  
  2d47c86f
- erp5_officejs_support_request_ui: Add worklist to the homepage and remove child changeState calls · 83b27eb5
  Boxiang Sun authored Sep 27, 2017
```
This commit contains two main changes:
- Add worklist gadget to the homepage.
- Remove the child's `changeState` calls in homepage.
  This was done by using customized `form_list_sr`. Which can let the listbox
  has same appearance like `form_view` but use same argument passing mechanism
  as `form_list`.
```
  83b27eb5
- [erp5_officejs] Fix WallSearch cache name · ee85a1fb
  preetwinder authored Sep 27, 2017
```
/reviewed-on nexedi/erp5!415
```
  ee85a1fb
- [erp5_officejs] Add FB SDK instead of fetching it from Facebook servers · cb77685b
  preetwinder authored Sep 26, 2017
  
  cb77685b
- [erp5_officejs] Add WallSearch privacy policy(required by Facebook) · dadc0f79
  preetwinder authored Sep 26, 2017
  
  dadc0f79
- [erp5_officejs] Add cachealldocs Storage to cache allDocs call results and... · d3685edb
  preetwinder authored Sep 26, 2017
```
[erp5_officejs] Add cachealldocs Storage to cache allDocs call results and then service get requests with them
```
  d3685edb
- [erp5_officejs] Add WallSearch to Officejs appstore · af095eee
  preetwinder authored Sep 26, 2017
  
  af095eee
- [erp5_officejs] Add WallSearch · 43b77fd3
  preetwinder authored Sep 25, 2017
  
  43b77fd3
- [erp5_officejs] Bootloader create global only one time · 91a7a15a
  Vincent Bechu authored Sep 26, 2017
```
Test passed :  

https://nexedijs.erp5.net/#/test_result_module/20170926-4163AF53

/reviewed-on nexedi/erp5!414
```
  91a7a15a
- ERP5: prevent using NotificationTool directly · 9fdef63c
  Jérome Perrin authored Sep 27, 2017
```
We don't want users to be able to use the tool and send arbitrary
notifications to other users.
```
  9fdef63c
26 Sep, 2017 8 commits
- [erp5_core] Release Jio 3.22.1 · d00c7a79
  Vincent Bechu authored Sep 25, 2017
```
/reviewed-on nexedi/erp5!409
```
  d00c7a79
- erp5_oauth: clean up and add listbox to OAuth Tool · c176ff4a
  Gabriel Monnerat authored Sep 25, 2017
```
/cc @aurel 

/reviewed-on nexedi/erp5!411
```
  c176ff4a
- all: Drop {as,build}SQL*Expression methods · 42ca9cee
  Vincent Pelletier authored Jun 12, 2017
```
To generate (and execute) SQL, use catalog tool.
```
  42ca9cee
- erp5_web: Stop relying on portal_selections for SQL expression generation · a9803798
  Vincent Pelletier authored Aug 22, 2017
  
  a9803798
- SimulationTool: Stop relying on portal_selections for SQL expression generation · b7e644e4
  Vincent Pelletier authored Aug 22, 2017
  
  b7e644e4
- SQLCatalog: Stop relying on portal_selections for SQL expression generation · 958c3b87
  Vincent Pelletier authored Aug 22, 2017
  
  958c3b87
- SelectionTool: asDomainQuery: New method · 68de872c
  Vincent Pelletier authored Aug 22, 2017
  
  68de872c
- Predicate: New asQuery method. · a75dd0c9
  Vincent Pelletier authored Aug 22, 2017
  
  a75dd0c9
25 Sep, 2017 4 commits

[erp5_web_renderjs_ui] Release Jio Version 3.22.1 · c2daeddf
Vincent Bechu authored Sep 25, 2017
```
/reviewed-on nexedi/erp5!408
```
c2daeddf

erp5_accounting: Remove table name from selected column aliases. · 3be8d312

Vincent Pelletier authored Sep 21, 2017

This reverts commit 206fa603 (which was
itself a revert commit), re-applying the change now that surrounding
code is ready for it.

3be8d312

ZSQLCatalog: Also render ignored columns · e4aa5476

Vincent Pelletier authored Sep 21, 2017

Ignored columns are produced when aliasing a column. For example,
aliasing "catalog.reference" as "reference".
Before this change, this would cause conditions on "reference" to be
rendered non-mapped, which can cause SQL execution issues when there is
more than one "reference" column available (catalog.reference and its
alias counting as only one), which is the case when
catalog-category-catalog joins happen.

Instead, render all columns which could be mapped, independently from
their "ignored" status.

Also, use a different local variable for table aliases than for column
aliases.
Also, use more "return" statements, and simplify conditional structure.

e4aa5476

SimulationTool: Remove input/output perimeter definition. · 8b6865ae

Vincent Pelletier authored Sep 25, 2017

As per Jérome, who implemented the test, it was written to test the
current state rather than testing the desired outcome. And it makes
little sense to have (and test for) 100 being present in both debit and
credit columns ("normal" lines), and 0 to be present in the stat line.

Update test to check for a more consistent outcome.
Acked-by: Jérome Perrin <jerome@nexedi.com>

8b6865ae

22 Sep, 2017 12 commits
- [renderjs_ui] FloatField and Input uses render() to complete state change · 016684f2
  Tomáš Peterka authored Sep 20, 2017
  
  016684f2
- [renderjs_ui] MatrixBox uses "default" instead of "value" for sub-gadgets · 721fcfee
  Tomáš Peterka authored Sep 20, 2017
  
  721fcfee
- [renderjs_ui] Generic html5 input is not naive about missing values · 10f9b012
  Tomáš Peterka authored Sep 19, 2017
```
Explicitely state which values represent empty values. Coercing to boolean is not sufficient.
```
  10f9b012
- [renderjs_ui] Refactor FloatField · 819f77ec
  Tomáš Peterka authored Sep 19, 2017
```
-  Remove field_json.value because that one is never send by ERP5 backend
-  Set comprehensive initial state and avoid sneaking state variables afterwards
-  Handle better NaNs which represent empty numerical value
-  Refactor for shorter and simpler code
-  Rename "percents" -> "percentage" according to coding style guidelines
```
  819f77ec
- [renderjs_ui] Return default mini-step to floatfield because it is necessary for field valication · fdc408cb
  Tomáš Peterka authored Sep 19, 2017
  
  fdc408cb
- fixup! A new Z SQL method has been introduced in 'Fix an inventory bug' (a0f7e169 ). · 298979f4
  Kazuhiko Shiozaki authored Sep 22, 2017
  
  298979f4
- fixup! erp5_property_sheets: add preferred_ooodoc_server_url property · 13a58605
  Kazuhiko Shiozaki authored Sep 22, 2017
  
  13a58605
- Formulator: prepare DateTimeField's sub_form dynamically. · e2535554
  Kazuhiko Shiozaki authored Sep 18, 2017
```
otherwise TALES in input_style does not work and changes in the original proxy field will not be reflected.
```
  e2535554
- Formulator: add a new input style "number" in DateTimeField. · 0db642f9
  Kazuhiko Shiozaki authored Jun 09, 2017
  
  0db642f9
- Formultor: support input_type parameter in IntegerWidget. · 366a6364
  Kazuhiko Shiozaki authored Jun 09, 2017
  
  366a6364
- Zelenium: cleanup www/suiteView.zpt based on selenium/core/TestRunner.html. · 23f9c193
  Kazuhiko Shiozaki authored Sep 12, 2017
  
  23f9c193
- Zelenium: remove not-required directories. · 58c54c1c
  Kazuhiko Shiozaki authored Sep 12, 2017
  
  58c54c1c
21 Sep, 2017 1 commit

testSQLCatalog: Revert "Remove table name from selected column aliases." · 6bd1ebbe

Vincent Pelletier authored Sep 22, 2017

This change is not the correct one, and not at the correct time. Will be
re-applied when select_dict later looses the ability to strip table in
favour of stricter argument schema.

6bd1ebbe