1. 03 Jun, 2020 14 commits
    • 7862f921
    • base: remove security guards on processing_status_workflow transitions · e9e590b5
      Jérome Perrin authored
      This workflow is not really related to security
    • b860323a
    • core: remove guard on edit workflow transition · d42bd46f
      Jérome Perrin authored
      edit method has security definition on the class, guard is not needed
      here.
      This causes compatibility issues, in the past it was not necessary to
      have any permission to call edit from restricted code.
    • core: don't set guard on edit_action · fd58bf02
      Jérome Perrin authored
      This action is typically used to add notes in history in scripts,
      including in cases where user does not have modify portal content
      permission on the document.
    • dms: remove guard on workflow transitions · 5a47bd01
      Jérome Perrin authored
    • ERP5Type: don't publish workflow methods · 36359c07
      Jérome Perrin authored
      Wrapping a method in a workflow method should not change the
      publishable state of the method.
      If the original method is not publishable, wrapping it in a workflow
      method should not make it publishable.  If the original method is
      publishable, then the wrapped method should still be publishable.
      
      This was always intended to work like this, as we can see in the code
      comment in `WorkflowMethod.__init__` but was not properly tested and got
      broken at some point.
      
      It's important to restore the behavior, because workflow methods such as
      `validate` should not be published, users must only be able to use the
      user interface transitions freely, workflow methods transitions are
      only available if a developer exposes them in a script - and performs the
      necessary consistency and security checks in that script.
    • core: remove guards on workflow methods · 999e3a01
      Jérome Perrin authored
    • testSecurity: adjust test_workflow_transition_protection · 2e9e9bb6
      Jérome Perrin authored
      Only "user action" methods need a security declaration.
    • XXX tests: disable enable_full_indexing · b6629ef5
      Jérome Perrin authored
      This can hide bugs, especially when updating business templates.
      
      TODO: if we drop this we can also drop the command line flag
    • TrashTool: fail if backup object container already exists · bd156f4a
      Jérome Perrin authored
      This is not supposed to happen and can hide errors.
    • BusinessTemplate: fix simultaneous update of categories and paths · 0cacb444
      Jérome Perrin authored
      This addresses the problem of
      https://nexedijs.erp5.net/#/bug_module/20180719-135FAA8 a KeyError
      raised when some categories in a subtree are modified and some are
      removed and the corresponding base category is also installed as a base
      category.
      
      The problem was that both CategoryTemplateItem, which is in charge of
      updating the base category and PathTemplateItem, which is in charge of
      updating the categories listed as path both use the same
      ObjectTemplateItem.install method, with the same object_to_update dict.
      ObjectTemplateItem.install uninstalls all objects that are listed in
      object_to_update and not in self._objects so something like this
      happened when business template from
      test_update_business_template_with_category_having_subcategory_tree_modified
      is updated:
      
        1. PathTemplateItem.install is called for the base category,
      portal_categories/test_category/modified/removed looks removed, so it is
      backed up. Because the parent paths are not part of self._objects,
      trash tool will create simple trash folder for
      portal_categories/test_category/modified
      
        2. PathTemplateItem.install is called for the paths,
      portal_categories/test_category/modified is modified, so the previous
      version will be backed up. At this point trash tool looks in the trash
      bin and the path for portal_categories/test_category is already present,
      so trash tool sees that path exists and does not return subobjects, so
      after portal_categories/test_category/modified is modified, the subjects
      such as
      portal_categories/test_category/modified/container_in_which_child_is_added
      are not restored and creating 'added' caused a
      KeyError('container_in_which_child_is_added')
      
      The approach is to make CategoryTemplateItem.install only consider base
      categories - ie. objects where path is portal_categories/* and not the
      subobjects, because they don't belong to CategoryTemplateItem but to
      PathTemplateItem.
      Co-authored-by: Georgios Dagkakis <georgios.dagkakis@nexedi.com>
    • BusinessTemplate: tolerate broken objects when updating their containers · 30ef111a
      Jérome Perrin authored
      Business templates have some logic to keep uids when updating objects:
      during installation, when an object is modified, business template first
      remembers the uids for this object and all its sub-objects,
      replaces this object with the new version then recursively set the uid
      on updated objects, so that updating an ERP5 document by business
      template does not change its uid because this would break catalog.
      
      When an object containing sub-objects is updated, it becomes a new
      object in ZODB and sub-objects of the previous object are set as child
      of the new object. This works even in the case of sub-objects being
      instances of ZODB Broken class, except that the step where we restore
      the uid fails as it's not allowed to modify a broken object.
      
      Instead of unconditionally setting the sub-objects uids, check that we
      actually need to set it, because if it's already the expected value then
      we don't need to touch the object.
    • erp5_core_test: style fixes · 94eedd77
      Jérome Perrin authored
  2. 02 Jun, 2020 3 commits
    • versions up: Monaco editor 0.20.0 / prettier 2.0.5 · 3b45cd05
      Jérome Perrin authored
      These new versions contain several small improvements.
      
      It seems this version of prettier formats javascript in a way that jslint does not complain about.
      
      Also contains some small fixes for our renderjs and rsvp type definitions, so that monaco-editor-gadget.js can typecheck.
      
      See merge request nexedi/erp5!1139
    • Fix bugs in erp5_forge scripts · 9e5ee389
      Jérome Perrin authored
      * "Create Skin Folder" action had a typo, so it was not setting the `business_template_skin_layer_priorty` property that business template is using when installing.
      * "Create Report" was not updated for the new "action title" feature of forms.
      
      This time, add the missing tests that should have prevented these problems.
      
      See merge request nexedi/erp5!1133
    • erp5_forge coding style · e17f69f3
      Jérome Perrin authored
      Enable coding style on erp5_forge, after removing several problematic scripts that did not seem used.
      
      See merge request nexedi/erp5!1134
  3. 01 Jun, 2020 8 commits
  4. 29 May, 2020 15 commits