diff --git a/addons/account/account_invoice.py b/addons/account/account_invoice.py
index 6fc4fd9089e..932ad8bc064 100644
--- a/addons/account/account_invoice.py
+++ b/addons/account/account_invoice.py
@@ -1735,7 +1735,9 @@ class account_invoice_tax(osv.osv):
             company_currency = company_obj.read(cr, uid, [company_id], ['currency_id'])[0]['currency_id'][0]
         if currency_id and company_currency:
             amount = cur_obj.compute(cr, uid, currency_id, company_currency, amount, context={'date': date_invoice or fields.date.context_today(self, cr, uid)}, round=False)
-        return {'value': {'tax_amount': amount}}
+        tax_rec = self.browse(cr, uid, ids)
+        tax_sign = (tax_rec[0].tax_amount / tax_rec[0].amount) if tax_rec and tax_rec[0].amount else 1
+        return {'value': {'tax_amount': amount * tax_sign}}
 
     _order = 'sequence'
     _defaults = {
diff --git a/addons/account/account_invoice_view.xml b/addons/account/account_invoice_view.xml
index ba4cc199fbf..b5bb1a542f3 100644
--- a/addons/account/account_invoice_view.xml
+++ b/addons/account/account_invoice_view.xml
@@ -255,7 +255,7 @@
                                     <field domain="[('partner_id', '=', partner_id)]" name="partner_bank_id" on_change="onchange_partner_bank(partner_bank_id)"/>
                                     <field name="user_id" context="{'default_groups_ref': ['base.group_user', 'base.group_partner_manager', 'account.group_account_invoice']}"/>
                                     <field name="name" attrs="{'invisible': [('type', '=', 'in_invoice')]}"/>
-                                    <field name="payment_term" options="{'no_create': True}"/>
+                                    <field name="payment_term" options="{'no_create': True}" on_change="onchange_payment_term_date_invoice(payment_term, date_invoice)"/>
                                 </group>
                                 <group>
                                     <field name="move_id" groups="account.group_account_user"/>
@@ -387,7 +387,7 @@
                                 <field name="reconciled" invisible="1"/>
                             </group>
                             <group>
-                                    <field name="payment_term" class="oe_inline"/>
+                                    <field name="payment_term" class="oe_inline" on_change="onchange_payment_term_date_invoice(payment_term, date_invoice)"/>
                             </group>
                             <div class="oe_clear">
                                 <label for="comment"/>
diff --git a/addons/auth_openid/res_users.py b/addons/auth_openid/res_users.py
index 897dea07982..0aee0723f66 100644
--- a/addons/auth_openid/res_users.py
+++ b/addons/auth_openid/res_users.py
@@ -73,22 +73,18 @@ class res_users(osv.osv):
                 cr.commit()
                 return res[0] if res else False
 
-    def check(self, db, uid, passwd):
+    def check_credentials(self, cr, uid, password):
         try:
-            return super(res_users, self).check(db, uid, passwd)
+            return super(res_users, self).check_credentials(cr, uid, password)
         except openerp.exceptions.AccessDenied:
-            if not passwd:
+            cr.execute('''SELECT COUNT(1)
+                            FROM res_users
+                           WHERE id=%s
+                             AND openid_key=%s
+                             AND active=%s''',
+                        (int(uid), password, True))
+            if not cr.fetchone()[0]:
                 raise
-            with RegistryManager.get(db).cursor() as cr:
-                cr.execute('''SELECT COUNT(1)
-                                FROM res_users
-                               WHERE id=%s
-                                 AND openid_key=%s
-                                 AND active=%s''',
-                            (int(uid), passwd, True))
-                if not cr.fetchone()[0]:
-                    raise
-                self._uid_cache.setdefault(db, {})[uid] = passwd
 
 
 
diff --git a/addons/sale/wizard/sale_make_invoice_advance.py b/addons/sale/wizard/sale_make_invoice_advance.py
index a2398b8330f..c71fc4c29af 100644
--- a/addons/sale/wizard/sale_make_invoice_advance.py
+++ b/addons/sale/wizard/sale_make_invoice_advance.py
@@ -147,7 +147,7 @@ class sale_advance_payment_inv(osv.osv_memory):
                 'partner_id': sale.partner_invoice_id.id,
                 'invoice_line': [(0, 0, inv_line_values)],
                 'currency_id': sale.pricelist_id.currency_id.id,
-                'comment': '',
+                'comment': sale.note,
                 'payment_term': sale.payment_term.id,
                 'fiscal_position': sale.fiscal_position.id or sale.partner_id.property_account_position.id
             }
diff --git a/openerp/addons/base/res/res_users.py b/openerp/addons/base/res/res_users.py
index 088a8c6e821..3d09268208e 100644
--- a/openerp/addons/base/res/res_users.py
+++ b/openerp/addons/base/res/res_users.py
@@ -138,7 +138,7 @@ class res_users(osv.osv):
         avatar, ... The user model is now dedicated to technical data.
     """
     __admin_ids = {}
-    _uid_cache = {}
+    __uid_cache = {}
     _inherits = {
         'res.partner': 'partner_id',
     }
@@ -305,6 +305,24 @@ class res_users(osv.osv):
 
         return result
 
+    def read_group(self, cr, uid, domain, fields, groupby, offset=0, limit=None, context=None, orderby=False):
+        if uid != SUPERUSER_ID:
+            groupby_fields = set([groupby] if isinstance(groupby, basestring) else groupby)
+            if groupby_fields.intersection(USER_PRIVATE_FIELDS):
+                raise openerp.exceptions.AccessError('Invalid groupby')
+        return super(res_users, self).read_group(
+            cr, uid, domain, fields, groupby, offset=offset, limit=limit, context=context, orderby=orderby)
+
+    def _search(self, cr, user, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
+        if user != SUPERUSER_ID and args:
+            domain_terms = [term for term in args if isinstance(term, (tuple, list))]
+            domain_fields = set(left for (left, op, right) in domain_terms)
+            if domain_fields.intersection(USER_PRIVATE_FIELDS):
+                raise openerp.exceptions.AccessError('Invalid search criterion')
+        return super(res_users, self)._search(
+            cr, user, args, offset=offset, limit=limit, order=order, context=context, count=count,
+            access_rights_uid=access_rights_uid)
+
     def create(self, cr, uid, vals, context=None):
         user_id = super(res_users, self).create(cr, uid, vals, context=context)
         user = self.browse(cr, uid, user_id, context=context)
@@ -336,10 +354,10 @@ class res_users(osv.osv):
         clear = partial(self.pool['ir.rule'].clear_cache, cr)
         map(clear, ids)
         db = cr.dbname
-        if db in self._uid_cache:
+        if db in self.__uid_cache:
             for id in ids:
-                if id in self._uid_cache[db]:
-                    del self._uid_cache[db][id]
+                if id in self.__uid_cache[db]:
+                    del self.__uid_cache[db][id]
         self.context_get.clear_cache(self)
         return res
 
@@ -347,10 +365,10 @@ class res_users(osv.osv):
         if 1 in ids:
             raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by OpenERP (updates, module installation, ...)'))
         db = cr.dbname
-        if db in self._uid_cache:
+        if db in self.__uid_cache:
             for id in ids:
-                if id in self._uid_cache[db]:
-                    del self._uid_cache[db][id]
+                if id in self.__uid_cache[db]:
+                    del self.__uid_cache[db][id]
         return super(res_users, self).unlink(cr, uid, ids, context=context)
 
     def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=100):
@@ -491,15 +509,12 @@ class res_users(osv.osv):
         if not passwd:
             # empty passwords disallowed for obvious security reasons
             raise openerp.exceptions.AccessDenied()
-        if self._uid_cache.get(db, {}).get(uid) == passwd:
+        if self.__uid_cache.setdefault(db, {}).get(uid) == passwd:
             return
         cr = self.pool.db.cursor()
         try:
             self.check_credentials(cr, uid, passwd)
-            if self._uid_cache.has_key(db):
-                self._uid_cache[db][uid] = passwd
-            else:
-                self._uid_cache[db] = {uid:passwd}
+            self.__uid_cache[db][uid] = passwd
         finally:
             cr.close()