1. 21 May, 2022 1 commit
    •
      ERP5Type/patches: prepare for removal of Products.DCWorkflowGraph · 88321109
      Jérome Perrin authored
      Supports the case where Products.DCWorkflowGraph is not present.
      Even though we are removing Products.DCWorkflowGraph from the
      software release, we don't remove this monkey patch yet, because
      this monkey patch also fixed a severe security issue. We keep the
      patch for the cases where a recent ERP5 runs on an old SlapOS where
      the product is still there.
      
      This change just moves the existing code into a try/except ImportError
      block.
  2. 18 May, 2022 2 commits
    •
      restricted: Allow patched pandas.read_* functions · 4360dbc6
      Levin Zimmermann authored
      Rationale:
      
      Converting * to data frame / numpy array efficiently is required in all
      wendelin projects, without this functionality wendelin is useless.
      Currently all projects allow this functionality in an insecure way.
      This commit aims to improve the situation by supporting a secure way of
      this functionality.
      
      (See wendelin!99 (comment 158474))
      
      Because pandas (in restricted Python) can also be useful in 'pure' ERP5
      (without Wendelin) the functionality is added to ERP5 source code.
      
      ---
      
      Security:
      
      Security is guaranteed by patching selected read_* functions and
      allowing the patched versions. The patch prohibits anything but
      string input which directly contains the data (e.g. no urls, file
      paths). New unit tests ensure the restrictions of the patches
      are actually effective.
      
      ---
      
      Notes on implementation decisions:
      
      Instead of offering new ERP5 extension methods (e.g. Base_readJson)
      this commit adds patched pandas read functions in restricted Python.
      In this way the change of the known API is as minimal as possible.
      
      Instead of globally monkey-patching pandas read_* functions, only the
      functions inside restricted python are patched.
      In this way the fully-functional, original functions are still available
      in Zope products or ERP5 extension code.
      
      Minor changes in the way how pandas is allowed in restricted python
      have been applied. Please consult the following discussions in the Merge
      request for details:
      
      !1615 (comment 159203)
      !1615 (comment 159341)
    •
      ERP5Site: Remove compatibility with old data model · b1bdb286
      Levin Zimmermann authored
      ...for getPortalDataConfigurationTypeList.
      
      See !1630 (comment 159889).
  3. 17 May, 2022 3 commits
  4. 16 May, 2022 1 commit
    •
      ERP5Type: fix regression in properties.dtml · eef80b9e
      Julien Muchembled authored
      In commit a17bb910 ("py2/py3:
      Make Products code compatible with both python2 and python3"),
      2to3 changed `_.has_key(...)` to `... in _` whereas _ is not a dict.
      
      Traceback (innermost last):
       ...
       Module OFS.PropertyManager, line 309, in manage_editProperties
         manage_tabs_message=message)
       Module Shared.DC.Scripts.Bindings, line 322, in __call__
         return self._bindAndExec(args, kw, None)
       Module Shared.DC.Scripts.Bindings, line 359, in _bindAndExec
         return self._exec(bound_data, args, kw)
       Module App.special_dtml, line 185, in _exec
         try: result = render_blocks(self._v_blocks, ns)
       Module DocumentTemplate.DT_In, line 707, in renderwob
         try: append(render(section, md))
       Module DocumentTemplate.DT_Let, line 76, in render
         else: d[name]=expr(md)
       Module DocumentTemplate.DT_Util, line 210, in eval
        - __traceback_info__: _
         return eval(code, d)
       Module <string>, line 1, in <module>
      
      TypeError: argument of type 'TemplateDict' is not iterable
  5. 11 May, 2022 1 commit
  6. 10 May, 2022 2 commits
  7. 09 May, 2022 2 commits
  8. 06 May, 2022 2 commits
    •
      TimerService: make TimerResponse support redirect() · b404b724
      Jérome Perrin authored
      This allows executing a script doing REQUEST.RESPONSE.redirect() without
      error.
      
      Before this patch it's an AttributeError similar to:
      
          ------
          2022-04-12 03:52:49,083 WARNING ActivityTool Could not call method ...
          Traceback (most recent call last):
            ...
            File "Script (Python)", line 34, in Base_redirect
              return request.RESPONSE.redirect(redirect_url, status=status_code)
          AttributeError: TimerResponse instance has no attribute 'redirect'
    •
      ERP5ExternalOauth2ExtractionPlugin: use facebook.GraphAPI timeout argument · bcce6fb1
      Jérome Perrin authored
      Instead of temporarily changing the global timeout, which can impact
      other parts of the system and which is not free from race conditions
      (another thread might have changed the timeout when
      socket.getdefaulttimeout() is called and then we restore a wrong
      default timeout).
  9. 04 May, 2022 22 commits
  10. 03 May, 2022 4 commits