This is very unlikely to be exploitable because the
alt-field usually comes from master data (e.g. product
names) that can't be injected.
Courtesy of Naglis Jonaitis
When creating an invoice from a contract with button "create invoices",
the description linked to the contract has to be written in the comment field
of the invoice.
opw:671660
When the POSBox boots without a network cable attached it will
automatically launch a wireless AP that people can connect to. This
allows them to configure what wireless network the POSBox should connect
to.
This wireless AP was configured to use the 10.10.0.0/24 subnet. The AP
itself was on 10.10.0.1. Although this is fine if used as intended it is
a quick way to take down an existing network if you were to plug in an
ethernet cable after the wireless AP has started. 10.10.0.1 is commonly
used by routers all over the world and plugging in a booted POSBox into
their networks will cause serious issues because the POSBox will share
the same IP as the router.
This moves the POSBox AP to the 10.11.12.0/24 subnet, with the AP on
10.11.12.1.
This also makes the DHCP server listen only on wlan0 because otherwise
you can end up with two DHCP servers on the same network which would
still break stuff.
Useful when updates to the initialization scripts don't go as
planned. This leaves something to inspect.
The initialization script already automatically stops (because of 'set
-o errexit') but it was a bit tricky to actually see what went wrong
because scrollback in QEMU isn't great.
The main reason for doing this is supporting the new Raspberry Pi 3. No
functional changes were made.
For Raspbian Wheezy we used to download the full image and strip it as
best we could to obtain a reasonable image size for people to
download. Since Raspbian Jessie the Raspberry Pi Foundation has started
releasing an official minimal image (Raspbian Jessie Lite) which we will
use from now on to build our image. One downside of this is that the
minimal image is a 1.3 GiB image which is too small for our
purposes so it has to be resized.
Because Raspbian Jessie migrated to systemd we cannot rely on
/etc/init.d/rcS to set up the ramdisks anymore. Jessie provides a
compatibility layer so old SysVinit scripts still work but rcS does not
block like it does in a SysVinit system, it is run in parallel with
other startup services. In our case this is a bad thing as setting up
the ramdisks has to be done before any other services are started. To
accomplish this the rcS hack has been migrated to a systemd service
running before basic.target and with DefaultDependencies=no. This has a
similar effect as the rcS hack because normal systemd services (with
DefaultDependencies=yes) all require basic.target by default.
When processing a payment transaction, double-check the
match between the amount of the transaction and the
amount of the SO, to be sure that we won't be validating
a SO that has been modified since the payment.
Such cases have to be double-checked manually.
Also add a bit of extra logging to make auditing ecommerce
transactions easier.
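The amount check described in the commit message above, shown as an added Python example. It is not code from the commit or from Odoo. The function names, the dict fields and the currency comparison are assumptions made for illustration, and the sample records are constructed.

```python
import logging
from decimal import Decimal, ROUND_HALF_UP

_logger = logging.getLogger("payment.audit")  # hypothetical logger name


def amounts_match(paid, expected, decimal_places=2):
    """Compare two amounts after rounding both to the currency precision."""
    quantum = Decimal(1).scaleb(-decimal_places)  # 2 places -> Decimal('0.01')
    paid_q = Decimal(str(paid)).quantize(quantum, ROUND_HALF_UP)
    expected_q = Decimal(str(expected)).quantize(quantum, ROUND_HALF_UP)
    return paid_q == expected_q


def process_paid_transaction(tx, order):
    """Confirm the order only if it still matches what was actually paid.

    Returns 'confirmed', 'manual_review' or 'ignored'.
    """
    if tx["state"] != "done":
        return "ignored"
    same_currency = tx["currency"] == order["currency"]  # assumption: also checked
    if not same_currency or not amounts_match(tx["amount"], order["amount_total"]):
        # The order was changed after the customer paid: do not confirm it
        # automatically, and leave a trace for whoever reviews it by hand.
        _logger.warning(
            "tx %s: paid %s %s but order %s now totals %s %s; manual review needed",
            tx["reference"], tx["amount"], tx["currency"],
            order["name"], order["amount_total"], order["currency"],
        )
        return "manual_review"
    order["state"] = "confirmed"
    _logger.info("tx %s: order %s confirmed for %s %s",
                 tx["reference"], order["name"], tx["amount"], tx["currency"])
    return "confirmed"


def sample_records(order_total):
    """Constructed sample data: a 100.00 EUR payment and an order total."""
    tx = {"reference": "TX-0001", "state": "done",
          "amount": 100.0, "currency": "EUR"}
    order = {"name": "SO-0001", "state": "draft",
             "amount_total": order_total, "currency": "EUR"}
    return tx, order
```

Rounding to the currency precision before comparing keeps float noise from flagging legitimate payments while still catching an order whose total changed after the payment.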
In addition to being mostly useless because Paypal's API
changes are supposed to be backwards-compatible, this
warning was using inconsistent version numbers.
Switched to a simple INFO line with IPN version.
Current behavior before PR: if you create a new record within a one2many
field and the model's form has a clickable status bar defined, clicking
this status bar will raise an exception because the virtual id
(one2many_v_XXXX) will be passed to the model's write method
Desired behavior after PR is merged: clicking just changes the cached
value
Users may sometimes need to edit their own partner records directly,
although indirect access by writing on `res.users` directly works
fine in most cases.
The SQL view `crm_partner_report_assign`
makes a join on `account_invoice_report`
A column is added to
`account_invoice_report` in the module
`sale` (`section_id` is added to the view),
making the SQL view `account_invoice_report`
replaced automatically at the install/update
of the `sale` module, which leads
to the automatic deletion of the SQL
view `crm_partner_report_assign`,
because the SQL view `account_invoice_report` is
altered.
Therefore, after the install/update of the `sale`
module, the view `crm_partner_report_assign` was
deleted, and the "partnership analysis" unusable.
This revision makes sure to init the
`crm.partner.report.assign` report after
every init of the `account.invoice.report`.
opw-674177
request.website.get_languages returns a list of tuples in the form:
(`language code`, `language name`)
With this commit the code first checks if there is a language exactly
matching, and only if that fails checks if there is a match on the short
form.
closes #11613
opw-672412
Could not edit t-field content if modified by inherit xpath,
and could not inherit qweb views with non "xpath" nodes with
`position="attributes"`.
Examples:
Can't edit: `<data><xpath expr="div[@t-field='object.test']"
position="replace"><div t-field="object.test"/></xpath></data>`
Inherit doesn't work: `<data><h1 position="replace"/><h1
class="test">tata</h1></data>`
Closes #11561
Closes #11547
If the costing method of the product is "average", the price unit
of the stock move is set in the currency of the field "price_currency_id"
with the function "do_partial" (addons/stock/stock.py).
opw:672552
When checking `Attach Google documents to any record`
in the general settings, if you are not redirected
to a module, but, instead, the current page is refreshed
(the wizard is reloaded instead of creating a new
configuration wizard),
the default value for `google_drive_uri` was not correctly
loaded, the `client_id` in the URL
remained `False` because the wizard was not being
re-created, but reloaded,
and therefore `default_get` hasn't been re-called,
and the `client_id` changed
(it was added to the system parameters after
the installation of the module)
Therefore, the link did not include the correct
`client_id`, and it led to the inability
to use the URL:
401. That’s an error.
The OAuth client was not found.
Replacing the simple char fields by a function
field, with the correct store trigger,
forces the URL value to be reloaded
when the system parameter is inserted.
opw-673274
This revision is related to 9752aedb4e
It looks like in some cases, the user cannot read the
partner associated to his own cart.
This is the case when shopping without being signed in.
opw-673187
Add `display_start` and `display_stop` to the fields
which are public even if the event is marked as private.
There is no reason it should be public,
especially if `start` and `stop` are. Besides,
this leads to issues in
`get_search_fields`, when doing:
```
sort_fields['sort_start'] = browse_event['display_start'].replace(' ', '').replace('-', '')
```
opw-672997
Commits 7b7f3fa and d6c88b8 filter out special periods from the account
balances. However, this filtering is not necessary anymore for a closed
fiscal year. The result is that the opening balance becomes wrong as
soon as the previous fiscal year is closed.
This commit fixes this by computing the balance over all fiscal years.
Closes #11515
When the user chooses as product image a file which is not an image, the
message "Could not display the selected image" is displayed. However, at
saving, a traceback is thrown since the file chosen is uploaded anyway.
If the image cannot be displayed, the image field is cleared.
opw-672206
This revision is related to 99d8cd6
Avoid to check the journal centralization
multiple times, for each move line.
Checking the journal centralization
for each journal for each period just
before the call to `super` is enough.
Before this revision,
if a large number of move lines
was passed in the `ids` parameter
of the `write` method, with all
the same journal / period, this
could lead to huge performance issues,
the `_check_moves` being called
a large number of times for the same
journal and period couple, uselessly.
opw-672797
When attempting to pay a cart in the ecommerce,
if the customer went on the payment acquirer site
(meaning, the `payment.transaction` is created
in the database), then came back to the checkout form
using the browser back button, and changed his customer
details (address, email, phone,...),
these changes in the details were not applied
in the `payment.transaction` record that was being
re-used.
e.g.
Checkout > Confirm > Choose Paypal, Pay Now
> History back to the checkout and apply changes
in the address > Confirm > Pay Now.
Commit 4a0b6f6 slightly improves the performance of `action_assign` by
skipping moves which already have pack operations. However, if the move
is not completely assigned, it prevents the possibility to search for
new quants to assign to the given move.
opw-672069
When adding new lines to an existing statement,
the order of the lines was not kept,
due to the re-sequencing operation done in the
override of `write` in `account.bank.statement`:
```
for statement in self.browse(cr, uid, ids, context):
    for idx, line in enumerate(statement.line_ids):
        account_bank_statement_line_obj.write(cr, uid, [line.id], {'sequence': idx + 1}, context=context)
```
as the lines order was based on `statement_id desc, sequence`,
which is the same for all lines added,
(except if the order is forced in the web client,
using the handle widget)
and, therefore, the order
of the lines returned by `statement.line_ids` was
not deterministic.
Adding the `id` to the lines order
(as it's done in `sale.order`, for instance),
solves the issue, as the lines will then be fetched
in the order they were created.
opw-667541
When validating a payment transaction,
if the cart (order) cannot be confirmed or
the email cannot be sent for any reason
(for instance, the email template is broken),
the transaction must continue, so the payment
transaction can be set to `done` or `pending`.
In other words, not sending the confirmation
email or not confirming the sale order must
not be blocking to mark the payment
transaction as done.
opw-672486
Commit 7b7f3fa filters out the special periods. However, the filtering
should be done only for the display in the form view, not for the
reporting which is actually correct.
opw-672531