1. 08 Nov, 2024 37 commits
  2. 06 Nov, 2024 1 commit
    • Vincent Pelletier's avatar
      erp5_oauth2_authorisation: Do not edit OAuth2 Session on every refresh token issuance · 36768696
      Vincent Pelletier authored
      Malevolent users may decide to only - and repeatedly - present an otherwise
      valid refresh token, causing the issuance of a new access tokens everytime,
      likely along with new refresh tokens, causing many ZODB writes.
      Avoid this by pushing the token expiration date by one lifespan accuracy,
      so there can only be one write per session per lifespan accuracy period.
      36768696
  3. 05 Nov, 2024 2 commits
    • Jérome Perrin's avatar
      accounting: only allow Assignor to restart accounting periods · d7c0baf1
      Jérome Perrin authored
      This partially reverts 8a336dc5 (erp5_accounting: Allow
      Assignor manage Accounting Periods, 2024-09-16) for the restart
      transition, it is intentional that only Assignor can restart
      an accounting period that have been closed.
      The idea was to support a scenario where re-opening a period
      that was closed can not be done directly by the Assignee but
      needs validation from the assignor.
      d7c0baf1
    • Jérome Perrin's avatar
      web_renderjs_ui: fix detection of Base_redirect redirections · ad699c72
      Jérome Perrin authored
      The check was made on the blob response type, which is set from the
      Content-Type header returned by the server, but Safari has a different
      interpretation of the charset parameter from the mime type, with a
      content type set to application/json;charset=utf-8 like Base_redirect
      does today, safari creates a blob with type application/json;charset=utf-8
      and this was not detected as redirection and the json returned by
      Base_redirect was downloaded. Fix this by checking only the essence
      of the type.
      
      This also revealed a potential problem when actually downloading json
      files, in that case we also check that we have the X-Location header,
      that is supposed to be set by Base_redirect before interpreting the json
      and when it's not present we force download.
      ad699c72