- 28 Sep, 2017 4 commits
-
-
Boxiang Sun authored
-
Boxiang Sun authored
-
Jérome Perrin authored
When a user triggers `NotificationTool.sendMessage(recipient=user_id)` to a recipient she does not have access permission on, it now causes this problem (the caller context is a custom script with manager proxy role): ``` Module Products.ERP5.Tool.NotificationTool, line 322, in sendMessage person_value = getUserValueByUserId(person) Module Products.ERP5.Tool.NotificationTool, line 291, in getUserValueByUserId return portal.restrictedTraverse(user['path']) Module OFS.Traversable, line 317, in restrictedTraverse return self.unrestrictedTraverse(path, default, restricted=True) Module OFS.Traversable, line 251, in unrestrictedTraverse - __traceback_info__: (['redacted_person_id'], 'person_module') next = guarded_getattr(obj, name) Unauthorized: You are not allowed to access 'person_module' in this context ``` This is a regression caused by 62d8d3ac . That particular case was working before, because the person was looked up using [catalog]( https://lab.nexedi.com/nexedi/erp5/blob/882f0022c7af4f36c2f31643498ac0b5d82c2217/product/ERP5/Tool/NotificationTool.py#L321-322) so the proxy role from the caller script was taken in to account. Now, we can say that the approach suggested here is not correct and document that the current logged in user must have permission to access the person documents involved as sender or recipient in the notification. Then, if we need to send message to persons the current user does not have access permission, instead of using: ```python portal.portal_notifications.sendMessage(recipient=person.getUserId()) ``` just do: ```python portal.portal_notifications.sendMessage(recipient=person) ``` but the later does not allow for using activities. /cc @vpelletier @gabriel /reviewed-on nexedi/erp5!395
-
Vincent Pelletier authored
-
- 27 Sep, 2017 13 commits
-
-
Cédric Le Ninivin authored
-
Kazuhiko Shiozaki authored
-
Boxiang Sun authored
-
Boxiang Sun authored
-
Boxiang Sun authored
This commit contains two main changes: - Add worklist gadget to the homepage. - Remove the child's `changeState` calls in homepage. This was done by using customized `form_list_sr`. Which can let the listbox has same appearance like `form_view` but use same argument passing mechanism as `form_list`.
-
preetwinder authored
/reviewed-on !415
-
preetwinder authored
-
preetwinder authored
-
preetwinder authored
[erp5_officejs] Add cachealldocs Storage to cache allDocs call results and then service get requests with them
-
preetwinder authored
-
preetwinder authored
-
Vincent Bechu authored
Test passed : https://nexedijs.erp5.net/#/test_result_module/20170926-4163AF53 /reviewed-on !414
-
Jérome Perrin authored
We don't want users to be able to use the tool and send arbitrary notifications to other users.
-
- 26 Sep, 2017 8 commits
-
-
Vincent Bechu authored
/reviewed-on nexedi/erp5!409
-
Gabriel Monnerat authored
/cc @aurel /reviewed-on nexedi/erp5!411
-
Vincent Pelletier authored
To generate (and execute) SQL, use catalog tool.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 25 Sep, 2017 4 commits
-
-
Vincent Bechu authored
/reviewed-on nexedi/erp5!408
-
Vincent Pelletier authored
This reverts commit 206fa603 (which was itself a revert commit), re-applying the change now that surrounding code is ready for it.
-
Vincent Pelletier authored
Ignored columns are produced when aliasing a column. For example, aliasing "catalog.reference" as "reference". Before this change, this would cause conditions on "reference" to be rendered non-mapped, which can cause SQL execution issues when there is more than one "reference" column available (catalog.reference and its alias counting as only one), which is the case when catalog-category-catalog joins happen. Instead, render all columns which could be mapped, independently from their "ignored" status. Also, use a different local variable for table aliases than for column aliases. Also, use more "return" statements, and simplify conditional structure.
-
Vincent Pelletier authored
As per Jérome, who implemented the test, it was written to test the current state rather than testing the desired outcome. And it makes little sense to have (and test for) 100 being present in both debit and credit columns ("normal" lines), and 0 to be present in the stat line. Update test to check for a more consistent outcome. Acked-by: Jérome Perrin <jerome@nexedi.com>
-
- 22 Sep, 2017 11 commits
-
-
Tomáš Peterka authored
-
Tomáš Peterka authored
-
Tomáš Peterka authored
Explicitely state which values represent empty values. Coercing to boolean is not sufficient.
-
Tomáš Peterka authored
- Remove field_json.value because that one is never send by ERP5 backend - Set comprehensive initial state and avoid sneaking state variables afterwards - Handle better NaNs which represent empty numerical value - Refactor for shorter and simpler code - Rename "percents" -> "percentage" according to coding style guidelines
-
Tomáš Peterka authored
-
Kazuhiko Shiozaki authored
-
Kazuhiko Shiozaki authored
-
Kazuhiko Shiozaki authored
otherwise TALES in input_style does not work and changes in the original proxy field will not be reflected.
-
Kazuhiko Shiozaki authored
-
Kazuhiko Shiozaki authored
-
Kazuhiko Shiozaki authored
-