As discussed on issue #15225, it should be possible for system administrators
to disable the 1-click installation system.
The plan is to disable the feature by default, but make it relatively easy
to turn on when it is explicitly desired.
1. At the moment we cannot guarantee that all Apps published on the Odoo Apps
   Store are safe. And it is a security risk to let end-users deploy Python
   code on their Odoo servers without requiring any review/deployment by a
   competent system administrator.
   We will work on improving the validation process of the Store, but this
   will require time, and probably won't be a 100% safe process in any case.
2. The one-click install feature is however really useful to help
   non-technical users install Apps, as long as the feature has been
   explicitly allowed by the system administrator. This is a common feature
   in other software suites as well. So we'd like to keep it as an opt-in
   feature.
3. Administrators of multi-tenant servers, cloud hosting services, etc.
   understandably expect to be able to turn off the feature for
   security/control reasons.
4. By turning off the feature by default, but still exposing it in the UI,
   we keep it *discoverable* for users. The error message should be
   helpful to direct users to their sysadmins.
5. By using the permissions of the download folder as a flag for turning
   off the feature, we avoid introducing an extra server parameter.
   The folder is still created (read-only) by default, for the sole purpose
   of making it easier to locate.
Fixes #15225
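
An added illustration of point 5 (not code from the Odoo commit): a small audit of a download folder's permissions, assuming the feature counts as enabled exactly when the server process can write to the folder. The folder, the uid/gid values and the function names are constructed for the example, and ACLs and capabilities are ignored.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Model the POSIX mode-bit write check (ACLs and capabilities ignored)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_download_folder(path, server_uid, server_gids):
    """Say whether the folder's permissions leave one-click install on or off."""
    st = os.stat(path)
    findings = []
    if server_uid == 0:
        findings.append("server runs as root: a read-only folder cannot switch the feature off")
    if st.st_mode & stat.S_IWOTH:
        findings.append("folder is world-writable: not only the server can place code in it")
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "enabled": can_write(st, server_uid, server_gids),
        "findings": findings,
    }

def demo():
    """Audit a constructed folder as read-only, as writable, and as root."""
    folder = tempfile.mkdtemp(prefix="downloads-")  # constructed stand-in folder
    try:
        owner = os.stat(folder).st_uid
        os.chmod(folder, 0o555)  # read-only default described in the commit
        read_only = audit_download_folder(folder, 12345, [12345])  # constructed ids
        as_root = audit_download_folder(folder, 0, [0])
        os.chmod(folder, 0o755)  # administrator opts in for the owning account
        writable = audit_download_folder(folder, owner, [])
    finally:
        os.chmod(folder, 0o700)
        os.rmdir(folder)
    return read_only, writable, as_root

if __name__ == "__main__":
    for result in demo():
        print(result)
```
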
The reverse field of a one2many could be originating from an
inherits'd field, this was solved in some instances with f5e5bbda.
The issue could still happen in some instances when doing a comparison
of:
- the one2many field to a False value,
- the one2many with a negative operator and an empty set to negate,
With this change, the ORM is used in such a situation.
closes #15234
opw-704962

Introduced by python-pillow/Pillow@c3fe5d43 and integrated into pillow 4.0
The size of the image is ignored and must be set using an image or a mask.
This patch is retrocompatible with the previous versions as the changed code was
in the box size computation. With this patch a 4 points box size is given so the
modified code is not executed.
Fixes #14927

The double inversion introduced by 6e063188 is done to catch default 0
values.
For example '>= -3' is transformed into "NOT what is found by < -3".
There was an issue with '> 0' and '< 0' since in these instances 0 doesn't
match and the inversion must not be done.
opw-703929

As of f814dd9908355465dd03735f4589dd1697b3658a, debug
mode causes an extra X-Debug-Mode header to be sent
by the rpc() JS method.
This custom header was not whitelisted in the accepted
CORS headers, therefore any cross-origin call to a route with
`cors=True` would fail in debug mode, with a console error
along those lines:
"Request header field X-Debug-Mode is not allowed by
Access-Control-Allow-Headers in preflight response"
This would prevent loading the POS GUI in debug mode,
for example.
This commit is necessary in the 8.0 branch because
the POSBox is currently based on a 8.0 server and may
be accessed by a 9.0 POS or later, thus with the extra header.

The effect of this change is to trigger the recomputation of fields on larger
recordsets. This takes advantage of batch computations within compute methods.

* Failing test for one2many [(5,)] action, when domain is callable.
The problem is that `self` inside a callable domain becomes the comodel when at [(5,)].
* [FIX][fields] Make [(5,)] with computed domain work.
To reproduce this failure, declare a field like:
```
child_ids = fields.One2many(
    comodel_name="other.model",
    domain=lambda self: [("id", "in", self._ids_to_find())],
)
```
Now set some value to it.
Now unset them. Impossible because ``self`` becomes ``other.model`` in domain evaluation.

The web client uses fields_get (which calls get_description) to know if
a group operator exists. But until now, group_operator is never returned.
Without it, the web client cannot display the sub-total except for sum
(the fallback in the web client).
This commit closes #13713
Todo: do the same on Class Monetary in next branch

Also restrict XML data attribute evaluation context
even for real module data files. This will prevent
accidentally depending on context parameters that
would not be available inside base_import_module.

extract terms in correct folder

If two addons paths have a common part in the folder name (e.g. `/home/alice/dev`
and `/home/alice/devodoo`), the `get_module_from_path` method may match the
wrong folder.
A file `/home/alice/devodoo/bob/models.py` would wrongly match `/home/alice/dev`
path (due to the lack of separator) and the returned module would be `odoo`
(`"odoo/bob/models.py".split('/')[0]`).
In such a scenario, the translations of files (code, static folder, report) would
not be included in the exported translation file.
Force the module path to end with a folder separator to avoid wrong matching.
Closes #13363
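
The prefix mismatch described above, as an added example (not the Odoo implementation): a simplified lookup that matches on a raw string prefix, next to one that forces a trailing separator on each addons path. The function names are hypothetical; the paths are the ones from the commit message plus two constructed files.

```python
import posixpath

# Addons paths from the commit message's example.
ADDONS_PATHS = ["/home/alice/dev", "/home/alice/devodoo"]

# Constructed sample files.
SAMPLE_FILES = [
    "/home/alice/dev/sale/models.py",
    "/home/alice/devodoo/bob/models.py",
    "/home/alice/devodoo/bob/static/src/js/widget.js",
]

def module_from_path_prefix(path, addons_paths=ADDONS_PATHS):
    """Simplified stand-in for the pre-fix lookup: raw string prefix match."""
    for root in addons_paths:
        if path.startswith(root):
            # "/home/alice/devodoo/bob/..." also starts with "/home/alice/dev"
            return path[len(root):].lstrip("/").split("/")[0]
    return None

def module_from_path_fixed(path, addons_paths=ADDONS_PATHS):
    """Same lookup, with each root forced to end with a separator first."""
    for root in addons_paths:
        root = posixpath.join(root, "")  # "/home/alice/dev" -> "/home/alice/dev/"
        if path.startswith(root):
            return path[len(root):].split("/")[0]
    return None

def misattributed(files, addons_paths=ADDONS_PATHS):
    """Map each file whose module differs between the two lookups to (before, after)."""
    result = {}
    for f in files:
        before = module_from_path_prefix(f, addons_paths)
        after = module_from_path_fixed(f, addons_paths)
        if before != after:
            result[f] = (before, after)
    return result

if __name__ == "__main__":
    for f, (before, after) in misattributed(SAMPLE_FILES).items():
        print(f, "->", before, "(prefix match) vs", after, "(with separator)")
```

The raw-prefix version only goes wrong when the shorter path is listed before the longer one, so the same tree can export correctly on one setup and lose terms on another.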