[hooks/integrity] use a cnx not a session

[hooks/security] let's use a connection, not a session

[server/sources/native] deal with connections, not sessions

[server] eschema_eid needs a connection, not a session

[repository] operations get a connection instead of a session Left extid2eid unchanged because that function scares the shit out of me.

[server/hook] operations get a connection instead of a session

[repository] Use an internal connection in register_user

avoid to internally raise 3.19 warnings

[sources] ensure we have a cnxset in undoable_transactions

[server] move security/integrity hook management away from InternalSession.__init__ and to Repository.internal_{session,cnx} instead. Lets internal_cnx avoid deprecation warnings.

[migration] make 'session' object be a server-side Connection, not ClientConnection I think this better corresponds to the previous behaviour. However, that Connection does not have a cnxset, which should probably be changed (for both interactive_shell and cmd_process_script).

[sources] Skip problematic sources when starting shell instead of crashing. Closes #3670208 At least this gives an opportunity to fix the problem in using c-c shell, which is currently not possible because it crashes during initialization. Notice that since sources are copy based, it should not be a problem at all to have some disabled, beside for services such as authentication sources as ldapfeed.

[web] fix language negotiation Regression caused by commit 6fd0ac6506cb "[web-request] handle default language earlier". We would handle language negotiation at request init time, but overwrite the selected language with the site default when calling set_cnx.

[merge] bring the 3.17.14 fixes to 3.18

[test/utils] repair concat-resources test That was forgotten in 240a620b9cd3. Related to #3670503.

[pkg] bump cubicweb.spec

[dataimport] Correctly call rschema(rtype) in SqlGenObjectStore, closes #3694139

[pkg] prepare 3.18.4

[web] Disable 'concat-resources' by default (closes #3670503) It makes debugging harder and it can actually *break* working JS or CSS files. This is the first step towards complete removal.

[testlib] Drop override of assertItemsEqual method The override is not compatible with underlying (standard) method because it builds sets and rely on eid. Closes #3641111.

[rewrite] Fix crash when the main variable doesn't appear in the snippet's vargraph Also, the added test discover another bug once the first has been fixed (erroneous argument given to .rewrite recursive call). Closes #3661918

[ext/rest] Catch SystemExit raised by docutils docutils publisher may raise SystemExit which is not caught by Exception. Closes #3648763.

[entity] User-defined relation to skip for copy has precedence Otherwise permission problems can occur on rtypes not yet skipped Closes #3653459

Make EditController edit_entity method always return an eid In cases the entity was to be created or copied, eid was None hence the method returned None despite the dosctring says the method should always return an eid. Now if the eid variable is None, it is assigned to the newly created entity eid. Closes #3593029.

[migration] Improve update of in-memory schema during 3.18 CWAttribute.defaultval change We weren't updating the schema properly so a bunch of structures still had the old rdef with 'String' as object. That caused failures to add new attributes later in the migration as their default value would be a Binary object but the schema would expect a String. Closes #3683640

[migration] always rebuild infered relation This was skipped for some bad reason (see 12ad88615a12 which introduced the change). Fix for #231956 in Yams is necessary to allow this cset: during a migration, we want to always reinfer relations while allowing explicit redefinition of an infered relation later. Else, we may run the migration with missing parts of the schema (the one that should have been infered). Closes #3685463.

Backout "[web/navigation] use add_onload instead of inline javascript href" This reverts changeset 170e1437948d, for at least two reasons: the PageNavigationSelect component was not updated for the new type of navigation links, and external cubes defining View.page_navigation_url exist in the wild and also got broken navigation links. This reopens #3501626 and closes #3677945.

[test] those are rql tests, not cubicweb (and they break with rql 0.31.5). Remove them.

[source/native] allow many eid creation per .create_eid call (closes #3526594) [jcr: move migration code to bootstrapmigration_repository.py to make sure we stop using the old sequence ASAP]

[pkg] bump the dependency on logilab.database This will allow use of an extended API. Related to #3526594.

[source/native] refactor eid generation code This set of related methods clutters the native source API. It will be better served with a dedicated eid genrator object. Related to #3526594. [jcr: allocate the eid generator in __init__]

Move entity cache from web.request.ConnectionCubicWebRequestBase to repoapi.ClientConnection ResultSet._build_entity relies on an entity cache to avoid going round in circles (stack overflow due to infinite recursion) e.g. in a postcreate script. Clear the cache at commit/rollback time to avoid unexpected side effects; and explicitly clear the cache in a few tests where we mix ORM and RQL using the same connection.

[server] Fix AttributeError in extid2eid Session._tx was renamed in cb87e831c183, use _cnx instead.

[book] Update documentation for new repoapi Quite a few things change in 3.19: - repoapi instead of dbapi - ClientConnection / Connection / Session rework - web authentication process - test APIs Closes #3638793

[utils] the json module is always available It's included since python 2.6, and we don't support earlier versions.

[fti] properly close the ProgressBar Ensures cubicweb-ctl db-rebuild-fti ends its output with a newline.

[serverctl] use repoapi for db-check, add-source, rebuild-fti commands One more step towards getting rid of dbapi.

[devtools] make get_repo_and_cnx return a repoapi ClientConnection And adjust callers accordingly (they need to use it as a context manager to open/close it properly).

[repoapi] Avoid deprecation warnings from session.id Apparently it's called session.sessionid now.

[server] some s/session/cnx/ For merely accessing the database we need a connection, not a session.

Move setting session.mtime from dbapi to web session manager clean_session was broken since the switch away from dbapi on the web side, since session.mtime wasn't being set anywhere.

[web] whitespace cleanup in http_headers.py

[web] implement cross origin resource sharing (CORS) (closes #2491768) Partial implementation that is enough to get started but leaves out some of the advanced features like caching and non-simple methods and headers.

[devtools] add a 'method' argument to RepoAccess.web_request so that one can easily forge a request with any HTTP method. Also a bunch of clone cleanups.

[web] Fix handling of some http headers The generator takes as argument a list of raw string values, and is supposed to return the parsed version. Calling str on that list makes no sense.

[web/request] deprecate user_callback Storing closures in session data considered harmful. Closes #3567793

[doc] undocument user_callback Related to #3567793

Added tag cubicweb-centos-version-3.17.14-1, cubicweb-version-3.17.14, cubicweb-debian-version-3.17.14-1 for changeset fa00fc251d57

[migractions] Better handle removal of RQLConstraint in sync_schema In rdef synchronisation, filter unmodified constraints before processing the sets of old and new constraints. Add a new `constraint_by_eid` method on RelationDefinitionSchema, which eliminates the ambiguity of `constraint_by_type` usage when several constraints of the same type are involved in the same migration. Closes #3633644.

[test] when the config change, we should cleanup sys.path and sys.modules. Closes #3634164 Without this, modules imported within instance home will be messed up.

[wsgi] make sure request.content is available for consumption The wsgi.input stream is not seekable, so make a copy either to memory or disk so it's still available to the user even after we've parsed it (for POST form processing). Closes #3554996

[facet] create a RangeRQLPathFacet (closes #2852512) This facet is a mix between a RQLPathFacet and a RangeFacet, allowing to use the FacetRangeWidget on the RQLPathFacet target attribute

[request] Make sure set_message() actually displays its given message (closes #3003425) The default automatic form sets a standard submit message as session data. However in some cases, such as the cancellation of a form edition, another message is intended to be printed on-screen. This patch makes sure that set_message() really scrubs all previous messages (and ids) from the request object and from the session data.

[pkg] prepare 3.17.14

[hooks/syncschema] do not crash on double removal of a constraint Some complicated migrations may entail a double constraint removal. It is not yet known whether this is a genuine cw bug or the result of a complicated migration story, but we should nevertheless not crash. Rather, emit a CRITICAL warning and proceed. Closes #3595309.

[doc/book] Fix typo in import

[server/session] fix a couple typos in doc strings

[server/migractions] finish migration to repoapi objects Changeset 241b1232ed7f (Use repoapi instead of dbapi for cwctl shell, upgrade and db-init) only did half of the job. It left the migration handler with both a session (cubicweb.server.session.Session) and a cnx (cubicweb.repoapi.ClientConnection) attribute with different ideas of what Connection they were talking to. With this change, we: - make the caller responsible of disabling security on the Connection if it wants to - turn mih.session into an actual attribute, set on __init__ - same for cnx (the client connection) - drop the "lazy connection" logic, and establish the connection up-front - always go through the connection instead of the session when we need to talk to the db

[server] use the ClientConnection directly now that it has more methods available Gets rid of ugly self.cnx._cnx.

[repoapi] add security/hook control and system_sql Just redirect these methods to the repo-side Connection.