[hooks/security] Defer entity permission checks to an Operation. Some of these checks may currently happen twice within the same transaction and be costly. This should be semantically safe. If people rely on some internal transaction ordering to be allowed early (thus pass) while the condition wouldn't be met at precommit time, their application is broken. It however seems unlikely to happen in the real life (tm). Closes #2932033

[schema] drop very old bw compat (pre 3.5.10) Closes #2925085.

[devtools,etwist] rename TwistedConfiguration to WebConfigurationBase (follows #2919310)

remove "twisted" configuration (closes #2919310) This was also known as "web only" instances. Not used in production anywhere today.

merge 3.17.8 into default

Added tag cubicweb-centos-version-3.17.8-1, cubicweb-version-3.17.8, cubicweb-debian-version-3.17.8-1 for changeset 909eb8b584c4

[pkg] prepare 3.17.8

[date picker] revert #ec65ca70aac9 which breaks the date picker (closes #3182844)

[merge] backport 3.17 fixes into the future 3.18

Added tag cubicweb-centos-version-3.17.7-1, cubicweb-version-3.17.7, cubicweb-debian-version-3.17.7-1 for changeset 483181543899

[pkg] prepare 3.17.7

i18n update

fix typos in workflow constraint error messages

[migractions] rschema.final.inlined -> rschema.inlined Closes #3153086.

[server] Make internal sessions not reset 'safe'-ness on first commit Increment the ctx_count when disabling integrity hooks so the next commit/rollback doesn't reset our transaction and magically turn us into a safe session. Closes #3168027

[facets] Correctly replace old 'edit box' HTML on facet-induced page refresh (closes #3161100)

[debian] replace find | xargs rm with find -delete in cube skeleton. Closes #3161797

[debian] don't require (fake)root to run the clean target. Closes #3161797 It works just fine as a normal user.

[debian] Add ${misc:Depends} to cube packaging skeleton. Closes #3161797 Best current practice is to have that in Depends in all packages using debhelper.

[devtools] fix race when creating backupdir If somebody else creates backupdir between our stat() and mkdir() (like, say, another test running in parallel), we shouldn't crash.

[staticcontrollers] Raise Forbidden, not Unauthorized Unauthorized means "log in to get access", as it results in a HTTP 401. Here, the error is pretty much permanent, and returning 401 instead of 403 confuses things terribly. (This seems to be a pretty widespread confusion :/)

[web] allow /data/ url again (closes #2464798) This feature was broken by 65fecbeb9c3a (which fixed another one itself).

[utils] fix typos in make_uid docstring

[c-c i18ncubicweb] fix crash, closes #3096647

[rql2sql] fix bad sql generated when outer joining 'identity' relation and lhs var comes from a subquery. Closes #3099418 The generated SQL was attempting to access table.cw_eid which doesn't exist.

[web] stop using deprecated StatusResponse. Closes #3098215

[deprecation] add (approximate) version number to deprecation message and set proper stacklevel

[schema] fix spurious warning when rqlexpr/constraint mainvars specify a non predefined variable. Closes #3098165

[repository] properly use IUserFriendlyError when UniqueTogetherError is raised during entity update. Closes #3096638

[deprecation] add cw version number to the deprecation message and help user to understand the change