[web] use `inline` `Content-Disposition` by default (closes #2535734) since known time we have been serving static file with a `filename` parameter on the `Content-Disposition` header. But since d74addac92bb we explicitly serve file as attachment if a filename is provided. However this is valid to have `inline` disposition and `filename` parameter. This changeset revert this part of d74addac92bb, going back to `inlined` by default. `IDownloadable` code explicitly request `attachment` content to preserve expected behavior.

[web] allow configuration of the Content-disposition value The `set_content_type` function now takes and optional `disposition` parameter to control the value of this HTTP header. Use of `Content-disposition: inline` with a filename parameter are valid, so the presence of filename does not allows to choose between `attachment` and `inline`

[downloadable] fix filename HTTP header for simple name with space (closes #2535715) Since d74addac92bb, we export simple ascii filename without any encoding in the `filename` parameter of the `Content-Disposition` header. If this name contains space this will fails, the parameter value will be truncated at the space position. (eg. `filename=jungle babar.txt` read as `jungle`) We need to quote the filename to prevent this (eg. `filename="jungle babar.txt"`). Then literal quote and backslash needs to be escaped too. The new escaping is correct according this extensive test case data base: http://greenbytes.de/tech/tc2231/

merge fixes from stable

Added tag cubicweb-debian-version-3.15.6-1 for changeset b05e156b8fe7

Added tag cubicweb-version-3.15.6 for changeset 0163bd9f4880

prepare 3.15.6

[web] add a digital signature to error form (closes #2522526) Simple (and quite weak) implementation of a digital signature of the content to be submited by email in the error report view generated by ErrorView. The signature is a simple hmac hash computed using a secret key (generated at repository startup) and the "secret" form content to be included in the notification email. The controller can then check this content has not been modified or forged by a malicious user.

[web/views] bugfix: the mime type is text/plain, not text/txt (closes #2526345)

[doc] fix of personnal etc directory in book

[web] add a Forbidden exception This is similar to the Unauthorized exception, but generates a 403 error instead of a 401 (Unauthorized)

[web] add a ``anonymize-jsonp-queries`` option in file configuration (closes #2465388) This option controls connection anonymizing before executing any query for CSRF / safety reason.

[downloadable] fix filename in HTTP header (closes #2522325, #2522324) Before this changeset we use the `filename` header with utf8 encoded filename all the time. However RFC6266 says: The parameters "filename" and "filename*" differ only in that "filename*" uses the encoding defined in [RFC5987], allowing the use of characters not present in the ISO-8859-1 character set ([ISO-8859-1]). Therefore, we alter the code to: 1. Use `filename` and `ascii` encoding whenever possible, 2. use `filename*` with `utf8` encoding otherwise (with a filename fallback for old browser) We also switch the `content-disposition` value to attachement if filename is specified, this will result as a mandatory download according to RFC6266. This mandatory download is the expected behavior. We changes the filename encoding to RFC5987 which is simpler, supported by all and modern browser (including IE from version 6) and does not suffer from the continuation issue. (see ticket #2522324 for details)

docstring typo

[facet] make BitFieldFacet allow special 0 value. Closes #2522697

[doc] ubuntu LTS is now Precise Pangolin

backport stable

[server] implement base_url with secure=True (closes #2508638)

[validation api] properly use yams 0.36 validation error api and update message catalog. Follows bbe0d6985e59 the creation of the `translate` method in the 23a10f049447 yams commit.

[wsgi] saner use of `self.config` instead of `config`

[server] fix repository initialisation Changeset d753d6a6798f was breaking database creation. Dropping the `config.creating` clause lead to trying to load the schema from database even in creation mode. Conditional are a bit altered and reordered to prevent this to happen.

[web test] make unittest_viewselectors work if rdflib isn't available

[js/ajax] documentation of 'reload' is missing an argument

[ldapfeed] move docstring to the class instead of the module

[hook] fix hook base class so access to __registries__ doesn't call check_event, only call it in registered callback. Closes #2517748

[startup hook/looping tasks] separated hook for each looping task to ease modification from cubes. Closes #2517096

[ldaputils] should use entity.eid instead of entity on raising ValidationError. closes #2517095

[dbapi] provide get_option_value over DBAPIRequest (closes #2515522)

Added tag cubicweb-debian-version-3.15.5-1 for changeset 19e115ae5442

Added tag cubicweb-version-3.15.5 for changeset b0e086f451b7

prepare 3.15.5

[entity attr cache] mark attribute as uncacheable in the underlying function else we may miss some changes. Also rewrite a storage test currently failing because cache of the entity created by the test transaction, distinct from the entity created internally and given to hooks and all, has its attributes cache not updated. As this doesn't seems a proper usage, rewrite it as expected. Much probably closes #2423719 definitly.

[repository] move modification of appobject_path to repository initialization code so we can restore it later to avoid side effect on the config. Fix regression introduced in d32ab8570e5d

[req / session] drop is_internal_session (buggy) compat on base request by implementing necessary methods on internal manager

[check integrity] use session consistently

[test] use session commit/rollback to be consistent with the test

[merge] reintegrate that black sheep

[ldapparser] utf-8 uri + unicode emailaddr will crash if the later is not properly encoded (closes #2508515)

backporting

backport stable

fix no more running zmq repository test (closes #2500153)

[dbapi] load_appobjects must attempt to load available cubicweb configurations to avoid error when some object use a persistent propery (CWProperty) defined there. Closes #2497697

dummy merge

[ajax] reload function should set 'processing' cursor. Closes #2503899

[misc/scripts] a slightly experimental script to help repair LDAPUser cwusers suffering from split-brainite (closes #2497108)

[views/boxes] re-establish the proper selector (closes #2496294)

[ldapparser] raise specific error if the configuration is wrong (closes #2498164)

[skeleton] add pypi classifiers in __pkginfo__ and setup.py (closes #2502156)

[c-c shell -H] add verbosity=0 so we are not asked to confirm everything, as when not using -H

mock ``CWUser.prefered_language()`` on InternalManager objects. The recent split of patches for session refactoring broke this.

[session] fix arguments default value and promote usage of security_enabled as session method. Closes #2481820 One should use session method rather than direct usage of the context manager of the same name. Fix default argument values for consistency with the context manager: when one omit an argument, meaning is "keep the current value", not "disable security".

[session] promote usage of [deny|all]_all_hooks_but session methods rather than hooks_control context manager directly

[web app] move set of status_out into validation_error_handler to ease readability

[workflow test] don't use session.user, subject to internal changes

[db creation test] more testing of db initialization: call build_db_cache and ensure admin user exists

[source synchronization hooks] Fix/enhance system source hooks They are broken if launched during repository initialization (this was not the case yet, but will be soon...). Add additional checks to ensure one doesn't try to store system source config in the database, as it will be ignored in favor of the "sources" file.

[validation error] refactor validation error handling so translation is done on the web side Users should now use cubicweb.validation_error helper function that will activate the feature with other handy behaviours. Also test testing for message in errors should call exception.tr(unicode) before comparing. Using bare ValidationError keep backward compat.

[repo cleanup] drop code moved to querier by 7e264ce34cd4

[repo cleanup] drop code moved to querier by 7e264ce34cd4

Added tag cubicweb-debian-version-3.15.4-1 for changeset 70cb36c826df