[service] allow repo_stats for users It's used by the siteinfo view, which is available to managers and users. This change prevents a crash in that view.

[views] Escape class attribute value in CWGroup incontext view

[devtools] use a specific test_db_id when disabling anon The anonymous user is created (or not) in postcreate, which for tests means when creating the cached empty database. The anonymous_allowed=False test classes should thus not share their template db with other test classes, otherwise either they end up with an unexpected anonymous user, or the others miss theirs and things fall apart.

Restrict yams version CW 3.19 is not compatible with yams >= 0.40

[facets] Honor 'start_unfolded' facet attribute (closes #4502799)

[facets] Correctly look for inputs of type "hidden" (closes #4502768) jQuery ':hidden' selector looks at CSS visual properties (eg, 'display', 'visibility'). The intent here was probably to look for inputs of type "hidden", which many facets use to store user selection data (eg, FacetRangeWidget). The problem is that regular text inputs (eg the "has_text" facet which has a '<input type="text"/>') will be picked up by this selector if they are inside a folded facet. Chaos and destruction ensue.

[web] Cache results from 'i18n' ajax controller (closes #4487856) This is a simple transient cache which will be forgotten as soon as the user leaves the current page.

[web] There is no global noop(), use jQuery's instead (closes #4487832)

[server] Add missing import of logilab.database Closes #4469407.

[migration] hackish black magic to bootstrap addition of formula attr during migration Turns out we can't add an attribute to CWAttribute before the attribute exists. add_attribute generates rql with a 'formula' relation, which CW doesn't know about yet, so things get unhappy. Once that is fixed, we need to make the CWAttribute addition operation deal with CWAttribute entities that don't have a formula yet. Finally, move the migration to bootstrapmigration_repository so it happens early on, and use add_entity_type rather than add_relation_type for CWComputedRType.

[server] commit after serializing schema Use separate transactions for schema serialization and postcreate scripts execution, so that the latter can rely on the schema being persistently stored. This matters e.g. if something in a postcreate violates a unique_together constraint, we need the constraint persisted in order to raise a meaningful error. See #4525069.

[book] fix docstrings to please sphinx example rst roles in docstring must be protected (in a literal).

[book] several fixes in the rst files - prevent duplicate markup definitions, - use existing Workflow markup instead of redefining one (in baseschema.rst) - include dataimport - fix non-existant directive autodocfunction - remove the empty 'embedding.rst' file

[book] activate the viewcode extension Automagically make link to class/modules/etc. it finds in the documents.

[book] new theme based on pyramid theme (closes #4291287)

Remove unused lgc.interface imports and leftovers

[repository] provide a .new_session entry point The current .connect only returns a `sessionid` which must be given to repo._get_session(...) to get the real session object. Related to #4151635.

[devtools/testlib] Use actual 'admin' user configuration values Previously ``db-user`` and ``db-password`` configuration values were used to fill ``admlogin`` and `admpassword`` attributes of CubicWebTC. The correct data for these should read from `[admin]` section. Closes #4065070.

[forms] closes #2437859 - Detect and prevent concurrent edition of the same entity. Add the timestamp of form generation to each entity's meta-information fields. On form validation, check that no concurrent change is overwritten and raises a ValidationError in case of concurrent change. A nicer handling with a message and a link to the new version of the entity would be a good thing...

[migration] make sure the repo knows about all constraint types Adding new constraint types is cumbersome. It's easy to forget to do it in a migration script. So sync the constraint types at the beginning of each migration. Closes #3724892

[migration] stop caching the mapping from constraint type name to eid It's not so frequent that a cache seems necessary, and we were not invalidating that cache when adding a new constraint type. Related to #3724892.

[web/json] an empty rset is just fine for ejsonexport The ejsonexport view can just return an empty list for an empty rset. Closes #4005518

[RichString] Add markdown support Supporting markdown requires the 'Markdown' python packages, and since it widely available on the target platforms adding it as a strong requirements will not be a big constraint. Closes #3814302

[ldapfeed] Reduce default value for user-attrs-map option (closes #3824889) This is needed because lgc.configuration.Configuration does not allow removing key/value pairs from the default (due to its use of dict.update() internally). Since CWUser.login is required, users of the add-source command will always be able to override it.

[serverctl] Ask for URL when adding a new source (closes #3824868)

[serverctl] Ask for parser type when adding a new source (closes #3484231) Remove 'quick_start' option to load all AppObjects, including feed parsers.

[doc/3.20] more details on removed code related to #3799117

remove 3.11 bw compat Closes #3799117.

remove most 3.10 bw compat Related to #3799117. The boxes and entityvcomponent objects cannot really be removed as they are still used throughout the code base (and possible cubes). This may be caused by a non-working deprecation and needs some more work.

remove leftover pre 3.9 deprecation warnings

[utils] Remove function-in-the-middle call

[web] set Vary response header to "Accept-Language" when using content negotiation This is slightly annoying because the response actually only varies based on the language we decide to send, which has much fewer possible values than Accept-Language, but that's not in the request, so we can't easily use it. Deployments using varnish or similar and controlling the set of available languages will likely want to override this to allow reasonable amounts of caching. Closes #2105812

[web/cors] don't overwrite other Vary headers Vary is a list of request headers, we shouldn't override others.

[web] add support for HttpOnly cookie flag And use it for session cookies. Closes #4142521.

merge 3.19.5 into 3.20 branch

Added tag cubicweb-version-3.19.5, cubicweb-debian-version-3.19.5-1, cubicweb-centos-version-3.19.5-1 for changeset 3ac86df519af

i18n update 4 strings have disappeared.

[pkg] 3.19.5

[server] hold connection to the db in tx_actions We can be called without a cnxset (e.g. from repoapi).

[wsgi] If multipart cannot parse the POST content, let it pass. multipart can only parse html form data. It the content_type is, for example, "application/json", get_posted_data should not fail but just stop trying to read the content. Closes #4421845

[devtools] Fix JS tests' HTML code

[devtools] "Keep" some temporary files/dirs around to help with debugging The whole QUnitTestCase runs with an @with_tempdir so it's redundant anyway.

[devtools] Fix Firefox launcher in QUnitTestCase (closes #4294727) The main changes are: - stop creating the profile, firefox will create it - point firefox to a profile directory instead of giving it a profile name (this has the added bonus of not polluting the user's profile list) - start firefox once and kill it 5 seconds later to let it finish its profile creation (along with system-wide extensions setup)

[devtools] allow cross-origin requests for qunit We have a mix of file:// html and http:// ajax calls. Which we should at some point fix to all be http, but. Related to #4294727.

merge 3.19.4 in 3.20 branch

[cors] Fix CORS headers generators The Access-Control-Allow-* and Access-Control-Expose-Headers are response headers, not request headers. Hence, we need generators for them. Closes #4412575.

[wsgi] Fix posted files filename reading The filenames are parsed by multipart.parse_form_data, which does the unicode decoding. Trying to re-decode the filename was leading to an error.

[pkg] Depend on Pillow instead of PIL The Pillow library is becoming the de-facto replacement for PIL. It also is way simpler to install with pip than PIL. Closes #4411354.

Added tag cubicweb-version-3.19.4, cubicweb-debian-version-3.19.4-1, cubicweb-centos-version-3.19.4-1 for changeset c4e740e50fc7

[pkg] 3.19.4

merge 3.18.6 into 3.19

Added tag cubicweb-version-3.18.6, cubicweb-debian-version-3.18.6-1, cubicweb-centos-version-3.18.6-1 for changeset d91501356742

[pkg] 3.18.6

[hooks/security] allow edition of attributes with permissive permissions If an attribute has more permissive security rules than the entity type itself, we should be green and not deny action because of an early global entity permission check (with the more restrictive rules). Only if one attribute with the entity-level permission rules is edited will the global check be performed. Note: * the "if action == 'delete'" check at the entry of check_entity_attributes is a guard for a condition currently not happening in cubicweb itself (but application hooks could conceivably call this function with a 'delete' action) Closes #3489895.

Almost backout afcd46716d6a which breaks _select_best raising an ambiguity exception in debug mode. The problem is, before afcd4, *tests* ran in debug mode and we want this (e.g. we want to show, rather than swallow, select ambigüities). We juste replace the bogus __init__(vreg.config) by __init__(True), which is practically equivalent and also much more clear.

[server] fix anonymous_user predicate in tests devtools' TestServerConfiguration overrides the anonymous_user method, but not the anonymous-user config option, so testing for the latter would give the wrong result. Closes #3996664.

[entities] cw_rest_attr_info() should only consider required attributes (closes #3766717) This prevents CW from choosing unique but non-required attributes. None/NULL is a poor choice for RESTful URIs.

[views] csvexport accept an empty rset (closes #4236928) When you tried to apply the 'csvexport' view on an empty rset, the view couldn't be selected and you got a HTTP 500 error. Also add two new test cases.

[views] Display attributes in entity creation form based on "add" permission Previously, the "update" permission was used. Hence in case the latter is more restrictive that the "add" permission, an user may not be able to set such an attribute, despite she may have "add" permission on it. As a result of the change of permissions action in `editable_attributes` method (add/update depending on whether the entity is being created or modified), the "eid" attribute would have shown up in the edition form. To avoid this, it is moved in the "hidden" section (where it should arguably belong anyways). Closes #4342844.

[datafeed] Commit after all deletions in datafeed parser This avoids misleading validation error because schema constraints could be temporarily broken depending on the deletion order. Closes #4372127.