See merge request !2012

See merge request !2016

The test from 6316d9bb (Formulator: test form serialization with non
ascii elements, 2024-10-24) revealed that form with an encoding other
than UTF-8 are not supported.

DB.query accepts either bytes or str on python3. We need to decode the
query here to display it in traceback and we must not fail when we
have bytes with non UTF-8 characters, which can happen with binary
columns

It currently not used and it's better not to have such public method

ref: 906761ed (erp5_web: change one-day-max policy max-age to 14400s, 2021-09-01)

Using the display router command allows to drop the user search term
when moving from one access page to another.

Set the max-age value to 4h instead of 10min for the one-day-max policy
(ie, 24h/6, like one-hour-max uses 10min max age).

The idea is to reduce backend access of nearly static web sites,
while still allowing changes without waiting for too long before it is propagated.

`createSession` method from the OAuth2 Authorisation Server Connector needs
to access client value. Fetching this value from the session is not needed
since it is already stored in a local variable.

erp5_invoicing: don't index reference in fulltext which is usually generated by system and meaningless

it's like 5.1, 2.4

it's like 5.1, 2.4

Malevolent users may decide to only - and repeatedly - present an otherwise
valid refresh token, causing the issuance of a new access tokens everytime,
likely along with new refresh tokens, causing many ZODB writes.
Avoid this by pushing the token expiration date by one lifespan accuracy,
so there can only be one write per session per lifespan accuracy period.

This partially reverts 8a336dc5 (erp5_accounting: Allow
Assignor manage Accounting Periods, 2024-09-16) for the restart
transition, it is intentional that only Assignor can restart
an accounting period that have been closed.
The idea was to support a scenario where re-opening a period
that was closed can not be done directly by the Assignee but
needs validation from the assignor.

The check was made on the blob response type, which is set from the
Content-Type header returned by the server, but Safari has a different
interpretation of the charset parameter from the mime type, with a
content type set to application/json;charset=utf-8 like Base_redirect
does today, safari creates a blob with type application/json;charset=utf-8
and this was not detected as redirection and the json returned by
Base_redirect was downloaded. Fix this by checking only the essence
of the type.

This also revealed a potential problem when actually downloading json
files, in that case we also check that we have the X-Location header,
that is supposed to be set by Base_redirect before interpreting the json
and when it's not present we force download.

Follow up of ff624fd2 (ERP5Workflow: newly added permission should be
acquired for all existing states., 2024-11-04) and cbef6282 (ERP5Workflow:
make sure not create duplicate permissions, 2024-11-05)

Fix a problem introduced in ff624fd2 (ERP5Workflow: newly added
permission should be acquired for all existing states., 2024-11-04),
visible in a test failure

before, all permissions became acquired in all states once we update permission list.

See merge request !1998

 Don't add to total_contribution_relief if employer price is not set (None).

It was not running because we had two methods with same name

This reverts commit 5e21f77f.

This was done too quickly based on a wrong assumption that simulation
movements to build would always be in planned state and that we could
have an efficient way of selecting them by catalog with index on
portal_type and simulation state, but it does not work this way.

Maybe the change is useful for something else, but since we don't have
any use case for now, let's just revert.

See merge request nexedi/erp5!2001

See merge request !2003