1. 23 May, 2022 1 commit
  2. 21 May, 2022 1 commit
    • Jérome Perrin's avatar
      ERP5Type/patches: prepare for removal of Products.DCWorkflowGraph · 88321109
      Jérome Perrin authored
      Supports the case where Products.DCWorkflowGraph is not present.
      Even though we are removing Products.DCWorkflowGraph from the
      software release, we don't remove this monkey patch yet, because
      this monkey patch also fixed a severe security issue. We keep the
      patch for the cases where a recent ERP5 runs on an old SlapOS where
      the product is still there.
      
      This change just moves the existing code in a try/except ImportError
      block
      88321109
  3. 19 May, 2022 1 commit
  4. 18 May, 2022 4 commits
    • Jérome Perrin's avatar
      85317472
    • Levin Zimmermann's avatar
      restricted: Allow patched pandas.read_* functions · 4360dbc6
      Levin Zimmermann authored
      Rationale:
      
      Converting * to data frame / numpy array efficiently is required in all
      wendelin projects, without this functionality wendelin is useless.
      Currently all projects allow this functionality in an insecure way.
      This commit aims to improve the situation by supporting a secure way of
      this functionality.
      
      (See nexedi/wendelin!99 (comment 158474))
      
      Because pandas (in restricted Python) can also be useful in 'pure' ERP5
      (without Wendelin) the functionality is added to ERP5 source code.
      
      ---
      
      Security:
      
      Security is guaranteed by patching selected read_* functions and
      allowing the patched versions. The patch prohibits anything but
      string input which directly contains the data (e.g. no urls, file
      paths). New unit tests ensure the restrictions of the patches
      are actually effective.
      
      ---
      
      Notes on implementation decisions:
      
      Instead of offering new ERP5 extension methods (e.g. Base_readJson)
      this commit adds patched pandas read functions in restricted Python.
      In this way the change of the known API is as minimal as possible.
      
      Instead of globally monkey-patching pandas read_* functions, only the
      functions inside restricted python are patched.
      In this way the fully-functional, original functions are still available
      in Zope products or ERP5 extension code.
      
      Minor changes in the way how pandas is allowed in restricted python
      have been applied. Please consult the following discussions in the Merge
      request for details:
      
      nexedi/erp5!1615 (comment 159203)
      nexedi/erp5!1615 (comment 159341)
      4360dbc6
    • Levin Zimmermann's avatar
      70b92437
    • Levin Zimmermann's avatar
      ERP5Site: Remove compatibility with old data model · b1bdb286
      Levin Zimmermann authored
      ...for  getPortalDataConfigurationTypeList.
      
      See !1630 (comment 159889).
      b1bdb286
  5. 17 May, 2022 5 commits
  6. 16 May, 2022 4 commits
    • Julien Muchembled's avatar
      ERP5Type: fix regression in properties.dtml · eef80b9e
      Julien Muchembled authored
      In commit a17bb910 ("py2/py3:
      Make Products code compatible with both python2 and python3"),
      2to3 changed `_.has_key(...)` to `... in _` whereas _ is not a dict.
      
      Traceback (innermost last):
       ...
       Module OFS.PropertyManager, line 309, in manage_editProperties
         manage_tabs_message=message)
       Module Shared.DC.Scripts.Bindings, line 322, in __call__
         return self._bindAndExec(args, kw, None)
       Module Shared.DC.Scripts.Bindings, line 359, in _bindAndExec
         return self._exec(bound_data, args, kw)
       Module App.special_dtml, line 185, in _exec
         try: result = render_blocks(self._v_blocks, ns)
       Module DocumentTemplate.DT_In, line 707, in renderwob
         try: append(render(section, md))
       Module DocumentTemplate.DT_Let, line 76, in render
         else: d[name]=expr(md)
       Module DocumentTemplate.DT_Util, line 210, in eval
        - __traceback_info__: _
         return eval(code, d)
       Module <string>, line 1, in <module>
      
      TypeError: argument of type 'TemplateDict' is not iterable
      eef80b9e
    • Xiaowu Zhang's avatar
      erp5_trade: add product line selection in stock report · 6cbb159d
      Xiaowu Zhang authored
      See merge request nexedi/erp5!1628
      6cbb159d
    • Xiaowu Zhang's avatar
      e1360ac0
    • Romain Courteaud's avatar
      erp5_web: force redirection on website using a service worker · 7a7b4a45
      Romain Courteaud authored
      Delete the content of the cache storage (used by erp5js), unregister the service worker and force the browser to reload.
      7a7b4a45
  7. 13 May, 2022 5 commits
  8. 11 May, 2022 1 commit
  9. 10 May, 2022 2 commits
  10. 09 May, 2022 4 commits
  11. 06 May, 2022 8 commits
  12. 04 May, 2022 4 commits