jQuery has a special behaviour when using .contents() over an iframe
object. This caused an error for escaping when saving the page with an
iframe content of an external domain.
introduced by 8c77c711
opw-649570
Add multilang=False to website_image controller to prevent redirects
Because website_image is decorated with website=True
Requests made for the product image at
`/website/image/product.template/xx_xx/..`
triggered redirections to add the language code to the
requests URLs. This redirection was useless, as setting
the language code for images is non-sense.
Adding `websitelang=False` prevents this redirection.
In addition, the redirection could lead to
SSL security concerns, as the redirection
could use the http:// scheme.
Closes#8515
In 7d40a7d, f820c07, 3ed0628 the way the mobile preview iframe is set
was altered several times. This left an inconsistent needless page load.
This page load was cancelled, but as a side effect in a given set of
conditions:
- an ajax request is done early in current (and so iframe) page,
- phantomjs is used for the test,
- server response time
this could lead to a false positive caused by a cancelled xhr request
throwing the error: "Can't load template, http status 0".
Escape text nodes changed via the web editor before sending the content
it to the server controller.
It is done since the content is unescaped one time when being displayed,
and it is not done for inline style and script tags (which may be
injected by dropping a snippet) since that would break them.
replacing the solution in cdb900044.
1. A menu with `/page/website.***` should be flagged as `active`
if the current url is `/page/***`. This is a retro-compatibility
patch for c9d41679fb, so the
menu is marked as active without having to rename it, by
removing this `website.` thing.
2. If you defined two menus with as url `/page/test` and `/page/test2`
Both menus were flagged as `active` when you browsed the url
`/page/test2`, because it started by both menus urls.
Fixes#3059Closes#3070
In the top menu bar, the `active` class is set when the
menu url matches the page url (the url in the browser url bar)
A while ago, we made so all urls
`/page/website.***'
were automatically redirected to
`/page/****`
Therefore, if the menu url still contains this `website.` prefix,
the active class wasn't set on it, while it should.
Fixes#3059Closes#3070
When saving a template in version 8.0, html would be saved as it should
be displayed once on the site. In particular, if some text should be
escaped once send to the browser, it will be saved as such.
But when rendering, a text node content is unescaped two times:
* for translation which seems wrong since we already use .text of a node
which already escaped it, doing it one more time is bad,
* when rendering the template, since the html template is stored in xml,
This commit remove superfluous unescaping for translation, and add an
escaping when saving the changed template content.
closes#7967
opw-646889
Pasting from the website to the website could for example copy
t-field="..." which then would easily add an error if e.g a field
is copied to an area where it is not available.
This fix strip the data-oe-... attributes of nodes added to the DOM
when pasting.
closes#7653
opw-644968
Commit 4ff1af4 moves the groups attributes on the ir ui view/template.
So the option is no more available in customize menu if user is logged.
No luck, because when your are not logged you don't have the menu.
Groups on template are the best practice to hide the content of a view
to a group of poeple, except in this case where a customize_show is set
to True.
Maybe that customize_show should ignore groups on ir ui view in a future
version ?
Javascript regex \b is not unicode aware,
and words beginning or ending by accents won't match \b
We therefore use a custom regex to replace \b.
Basically, it's a regex matching all words separators
such as dot, comma, spaces, etc. and other unicode
separators as well.
opw-641005
A user (other than the admin) part of the group 'Manage QWeb views'
and the group 'Administration Settings' couldn't edit
any other view than QWeb views.
opw-640376
In website template,
it was not possible to use the variable "lang",
containing the current language,
as the variable was overwrote in website.layout,
in a loop context.
Changing the variable name used by the loop
solves the issue.
opw-639488
closes#6320
* Complements commits a696913364 and
21d4b3fda9 by adding the missing `data-lang`
attribute also in the report layout (in saas-6 a single QWeb
template is used for language links in both reports and website
layouts).
* Fix the "Edit Master" link to work also for outdated templates
where the data-lang attribute is dynamically set to 'default',
and thus cannot be used as URL prefix -> use /website/lang
controller to switch lang instead.
Depending on the area (in this case a html field), the editor can escape
the url which wasn't taken into account by this widget.
closes#6726
opw-639852
Improves aea358ca67 and avoid spurious
redirects for URLs that do not match a controller but do not
have a valid language.
When the URL does not match any controller, the language
matcher tried to strip the leading path component, treating
it as a language code. For example:
/fr_BE/page/homepage
would not match any route, so it would be rerouted internally
as /page/homepage, after setting `request.lang` to fr_BE.
This breaks the magical 404 handler that allows ir.attachment
entries to be mapped to static URLs. Due to the internal rerouting,
the mapping of e.g. /website_mycompany/static/src/image/logo.png
would be rerouted to /static/src/image/logo.png and not match
the mapped URL anymore.
Now the stripping of the path component will only occur if
that path component matches an installed language code.
The consequence is that URLs containing uninstalled language codes
will now lead to 404 errors - an acceptable trade-off (e.g.
when an older version of the website is still indexed by a search
engine)
when closing a modal, the class 'modal-open' was removed from the
'body' tag and all the existing modals became not scrollable.
The class 'modal-open' must be kept in the 'body' tag if there is
still a visible modal in the dom.
Inspired from commit: dee000be14
opw:633801
The company logo can't be customized because it's a t-field from the db.
This fix don't have to be forward ported because the problem is
already fixed in saas-6.
opw:632702
Prior to this fix, when you clicked on Publish or Not Published, the
effect was immediate, but the button disappeared instead of just
updating itself to the new value.
Fixes opw 614561.
Detect most of bots/crawlers to avoid auto redirect. Most bots fetch
with lang en_US, so even if default website lang was not in en_US,
googlebot was redirected to en_US page.
Now we keep also the language selected by user into a cookie.
If cookie exists but lang not in url, we redirect the user into
his preferred language.
Manage special case to allow to change the lang in url to set the
default lang at fly in url and set the cookie...
Many routes are not specified as multilang=False but should be.
With the auto redirection, we need to update these routes to avoid
useless redirects !
Check that url is setted before to use it (avoid traceback with startwith).
Field is not required because website.menu are using to create tree/sub menu
Change the behavior of new_window.
Use _blank and not blank... for links.
Blank has no sense in this context.
The page has a note saying this page can be disabled but has no option to do so.
Adding one in the customize menu.
Hide the technical informations to the non-technical users, keeping only
the list of applications (not modules) for public users.
Fixes#3546
Commit 540b753bf8 introduced
support for resources stored as ir.attachment records in
asset bundles too.
This is specifically useful for customizations.
However the HTTP route for reaching those resources
when they are *not* in a bundle was originally created
in the `website` module (as a special handling for
404 requests)
This means that these dynamic resources would only
be partially supported when `website` is not installed,
causing various problems:
- missing resources in debug mode where bundles are skipped
- errors when trying to define new client-side Qweb templates
via XML resources - which are loaded with a direct request
- ...
This commit moves back the supporting code to the web module.
The `mimetype` column is not present in ir.attachment without
the `website` module, but sniffing it based on the attachment
name works fine at serving time too.
Closes#6002
The implementation of `ormcache` does not work on methods that take a `context`
parameter. Because of the decorator `decorator`, the arguments of the call are
passed positionally to the method `ormcache.lookup`, and positional arguments
are used in the cache key.
The fix consists in removing the `context` parameter from the faulty methods,
either directly, or by caching a private method called by the public method.
-Website.tours must be loaded after the translation data:
"website.ready" before the tour ensure that the translations are loaded.
-Translations for qweb templates not applied:
Translate all text nodes in qweb templates when translation data
are loaded.
-Add some translations in website tours.
opw:619786
- Translations lookup normally uses the namespace of the current
QWeb template, after merging all inherited views.
But when a QWeb template is "cloned" by a child view using
inheritance with `primary` mode, the translations are more
likely to exist for the original (parent) template, and would not
be found when using only the "child" namespace.
This patch adds support for looking up each translation
also in the parent namespace in this case, if none was found
for the child template in the first place.
- ir.translation's _get_source() now supports a list of res_id
to search for, in addition to a single res_id
- Also moved the logic of routes /website/customize_template_get
and /website/get_view_translations to the ir.ui.view model where
it belongs.
opw: 615241
Closes#5325
If they are this routes:
/partner/p-1
/partner/p-2
...
/partner/grade-1/p-1
/partner/grade-1/p-2
...
/partner/grade-2/p-1
/partner/grade-2/p-2
...
We want test only one time the routes:
/partner/p-1
/partner/grade-1/p-1
Debian does not allow fetching data from external website at runtime.
This fixes the privacy-breach-generic lintian warnings for Debian packaging.
The removed youtube url was a dead link...
When url_for was looking for a route which match, it was only looking for GET route.
So routes which were restricted to be used only with a POST method, were never found.
The result was that urls in website for route post (form in most cases) was never prefixed with the lang.
So the request.lang was always the default lang from website...
If you was creating a sale order (in ecommerce), the lang used in sale order was wrong and the description not in the current lang.
It looks there is a bug in Firefox concerning responsive images in table. See bugzilla https://bugzilla.mozilla.org/show_bug.cgi?id=975632
Bootstrap advises to use width: 100% for .img-responsive as workaround were needed.
The @moz-document is to apply this for Mozilla only.
opw-617582
opw-618659
The website name is by default "localhost" (used in the page title in the format
"Current Page | Website Name") but there were no way to change it.
Fixes#3493
website introduces two new stored function fields, which depend on the attachment data
The thing is, these two fields are pertinent for website attachments only
Therefore, we avoid to read the datas field when the attachment is not a website attachment(when not needed), as this is the most costly field to read
The old-api model._all_columns contains information about model._columns and
inherited columns. This dictionary is missing new-api computed non-stored
fields, and the new field objects provide a more readable api...
This commit contains the following changes:
- adapt several methods of BaseModel to use fields instead of columns and
_all_columns
- copy all semantic-free attributes of related fields from their source
- add attribute 'group_operator' on integer and float fields
- base, base_action_rule, crm, edi, hr, mail, mass_mailing, pad,
payment_acquirer, share, website, website_crm, website_mail: simply use
_fields instead of _all_columns
- base, decimal_precision, website: adapt qweb rendering methods to use fields
instead of columns
Commit 57ad514b makes the function preserve the aspect ration of the
original picture. Error of mine because the expected behavior was to
lose it for kanban view purpose.
For backward compatibility sake, this commit will keep the old behavior
by default.
For some reasons, the browser will prevent to open the system file browser when clicking the input file with javascript using the jquery class element, but it works when using the standard js dom element.
* __content__ can't be used in Python implementation because safe_eval, so use
``0`` from Python implementation instead
* remove postfix from t-call tests because due to implementation details all
whitespace crap following a t-name is added to rendered template in Python
impl, and don't want to normalize whitespace.
Changed render_att_att to return an iterable of pairs instead of a pair, and
dispatched t-att on whether its result is a Mapping.
Also changed qweb test runner so it uses ordereddict for JSON mapping in
params, otherwise iteration order (and thus order of attributes in output) is
unpredictable and results don't/can't match expectations (as both are
strings).
Note that this relies on JS implementation details wrt iteration order of
mappings. Tests would probably be somewhat less brittle if rendering output
was parsed to XML... if that's possible (?)
The previous version of the lib seemed to be in an inconsistent state.
This fix the select2-offscreen class when the page is larger than
10 000px (this situation happens when importing a file with lots
of column).
Changes to contentEditable or attributeEditable attributes
should not cause the corresponding section to be marked
as dirty (oe_dirty). This would otherwise cause an extra
editor save() for those, wrongly marking untouched
templates as `noupdate`, and possibly triggering access
right errors.
The Edit button never appeared anymore for these users.
The idea was that they should see an edit button with
limited editing capabilities depending on their other
access rights.
For example, someone with only Sales Manager access and
'Display Editor Bar on Website'
would be able to edit online quotes from the website_quote
module, but not change the actual website pages or menus,
for instance.
This quick fix avoids a buggy behaviour in version 8.0 that could
confuse users.
A future version should implement properly selection fields in t-field.
(closes#2490)
(cherry picked from commit fe3cac30e4c5c132da1de02576d4aa325979ccd9)
Refactored and fixed tools.image_resize_image() that converted to RGBA
after making thumbnails, resulting in bad looking picture in case the
source is in 'P' mode (indexed palette)
Automatic Cookie Domain Configuration simplifies cross domain tracking implementations by automatically writing cookies to the highest level domain possible when the auto parameter is used. When used on the domain www.example.co.uk, it will try to write cookies in the following order:
co.uk
example.co.uk
www.example.co.uk
Analytics.js will fail to write a cookie on co.uk but will succeed on example.co.uk. Since a cookie was succesfully written on a higher level domain, www.example.co.uk will be skipped.