[wsgi] add the simplest possible wsgi (debug) server This server is able to: * serve on a given port using the stdlib SimpleHTTPServer * run looping tasks Closes #3005509.

[querier/security] instrument a bit the querier read security checks Related to #2920304

[book] Improve PostgreSQL configuration section * Do not advice for specific PostgreSQL version (point to meta-packages if available in Linux distros); * First mention packages from Linux distros, put the link to official postgres documentation at the end; Closes #2725302.

[js] add a selector string escaping function will help use id strings in jquery selector expressions, e.g: "foo.[subject]:42" -> "foo\.\[subject\]\:42" Related to #3154531.

[merge] backport stable fixes

[test/ldapsource] backout 192a748550c7 which broke RQL2LDAPFilterTC

[rset] make sure rset.description is always a list It's more consistent, and avoids pylint warning "Instance of 'tuple' has no 'append' member"

[schema] edit syntax tree instead of playing with strings for RQLExpressions Lets us support more complex expressions involving e.g. "HAVING" clauses. Closes #3202855

[py3k] note about future warning on __eq__ vs __hash__ Closes #3179561.

[formfields] py3k kill future compat warning Related to #3179561.

[entity] do not raise an AssertionError if the kwargs given to set_relations/attributes is empty Regression was introduced in 3.16 with the new cw_set API. Old set_relations and set_attributes methods did not crash on empty kwargs. Closes #3104019.

[packaging] setup.py: don't exclude skeleton/debian/* from being installed Closes #3192725.

[tests/hooks/integrity] kill old and empty skipped test

[server/session] demote log to debug It can pollute the log very fast. Closes #3203391.

[test] use assertCountEqual instead of assertItemsEqual

[server] fix a number of typos, mostly in docstrings

[skeleton] Install cubes README in Debian packages (Closes #3171971)

[debian] Build-Depends on python-unittest2 | python (>= 2.7) Closes #3175895.

[doc] typos and reformulation

[doc] additional documentation about pip install under both Windows and Debian

spelling: rollbacked -> rolled back

Added tag cubicweb-version-3.17.9, cubicweb-debian-version-3.17.9-1 for changeset 5668d210e49c

merge two default heads

[pkg] prepare 3.17.9

Use the list of sources instead of an iterator in update-feeds looping task This prevents RuntimeError due to dictionary size change that may occur (as a result of a new source being added) during iteration. Closes #3155843.

[security] fix dumb attribute error when inserting read security. Closes #3196891 This has gone undetected because of erroneous tests...

[entity] give a default reasonnable __eq__ and __hash__ to Entity Using the eid. Closes #3179560.

[debian] add some Breaks for backwards compatibility removal The person and comment cubes used to import the cubicweb.mixins module. The inlinedit cube relied on String.startsWith in javascript.

[js] remove 3.9 bw compat (where apparently unused) - cubicweb.ajax.js - loadxhtml: form.callback support removal - removal of top-level functions: preprocessAjaxLoad, reloadBox, replacePageChunk, loadxhtml - cubicweb.compat.js: - map is undeprecated (jquery.map being not an acceptable replacement) - removal of noop, contains, findValue, filter, addElementClass, removeElementClass, hasElementClass, KEYS mapping - htmlhelpers.js: use non-deprecated functions cw.urlEncode - cubicweb.js: - removal of startsWith and endsWith monkeypatches - note deprecated but still used stuff (for action) - test_utils.js: use cw.utils.sliceList instead of global function Closes #2782004.

Rename cleanup_interface_sobjects into cleanup_unused_appobjects Interfaces are gone in 3.18 Related to #2782004.

remove cw 3.9 bw compat (bw compat other than the interface -> adapter changes) - cwconfig, doc/admin/setup: docstring adjustment wrt 3.9 & virtualenv - testing/rst: windmill (which is gone from the testing infrastructure) - other docs: "stuff introduced in 3.9" cleanup, as we don't care about the version old features were introduced - server/hooky.py: bw compat for propagation hooks - server/schemaserial.py: pre CWUniqueTogetherConstraint migration support - web.__init__.py: dumps bw import - autoform.py: .action ppty is gone, also deprecate set_action and get_action - baseviews: CSVView.subvid gone long ago, secondary view removal - primary.py: _render_attribute & _render_relation signature change - reledit.py: rvid/default_value bw compat, should_edit_* dropped - webconfig.py: resourcefile is gone - formfields.py: old vocabulary handling - request.py: build_ajax_replace_url, external_resource Related to #2782004.

remove 3.9 bw compat In cw 3.9, interfaces are deprecated and replaced with adapters, yielding a lot of bw compat in many places -- most if this patch is concerned with the interface bw compat - cwvreg: interface cleanup - doc/adapters.rst: interface cleanup - entities/adapters.py, wfobjs.py: interfaces bw compat - entity.py: interfaces bw compat, also get_value, delete, attr_metadata, has_perm, set_related_cache, clear_related_cache, clear_related_cache, related_rql - predicates.py: score_interfaces & implements - interfaces.py & mixins.py: 100% gone - view.py: implement_adapter_compat, unwrap_adapter_compat - calendar.py, editcontroller.py, ibreadcrumbs.py, navigation.py, xmlrss.py: interface bw compat - treeview.py: salvage one function from mixins.py Related to #2782004.

remove 3.8 bw compat - cwconfig: old keys such as depends_cubes and non-dict dependencies - cwctl: fall back to docstring if no short descr, forget 'short_descr' - dbapi: session_data, get_session_data, set_session_data, del_session_data - dbapi & testlib, session: eid_key is gone - migractions: cachekey is gone - doc/datamodel/definition, schemaserial: BoundConstraint -> BoundaryConstraint - formwidgets: separator - primary view: render_entity_metadata Related to #2782004.

[hooks/security] Defer entity permission checks to an Operation. Some of these checks may currently happen twice within the same transaction and be costly. This should be semantically safe. If people rely on some internal transaction ordering to be allowed early (thus pass) while the condition wouldn't be met at precommit time, their application is broken. It however seems unlikely to happen in the real life (tm). Closes #2932033

[schema] drop very old bw compat (pre 3.5.10) Closes #2925085.

[devtools,etwist] rename TwistedConfiguration to WebConfigurationBase (follows #2919310)

remove "twisted" configuration (closes #2919310) This was also known as "web only" instances. Not used in production anywhere today.

merge 3.17.8 into default

Added tag cubicweb-centos-version-3.17.8-1, cubicweb-version-3.17.8, cubicweb-debian-version-3.17.8-1 for changeset 909eb8b584c4

[pkg] prepare 3.17.8

[date picker] revert #ec65ca70aac9 which breaks the date picker (closes #3182844)

[merge] backport 3.17 fixes into the future 3.18

Added tag cubicweb-centos-version-3.17.7-1, cubicweb-version-3.17.7, cubicweb-debian-version-3.17.7-1 for changeset 483181543899

[pkg] prepare 3.17.7

i18n update

fix typos in workflow constraint error messages

[migractions] rschema.final.inlined -> rschema.inlined Closes #3153086.

[server] Make internal sessions not reset 'safe'-ness on first commit Increment the ctx_count when disabling integrity hooks so the next commit/rollback doesn't reset our transaction and magically turn us into a safe session. Closes #3168027

[facets] Correctly replace old 'edit box' HTML on facet-induced page refresh (closes #3161100)

[debian] replace find | xargs rm with find -delete in cube skeleton. Closes #3161797

[debian] don't require (fake)root to run the clean target. Closes #3161797 It works just fine as a normal user.

[debian] Add ${misc:Depends} to cube packaging skeleton. Closes #3161797 Best current practice is to have that in Depends in all packages using debhelper.

[devtools] fix race when creating backupdir If somebody else creates backupdir between our stat() and mkdir() (like, say, another test running in parallel), we shouldn't crash.

[staticcontrollers] Raise Forbidden, not Unauthorized Unauthorized means "log in to get access", as it results in a HTTP 401. Here, the error is pretty much permanent, and returning 401 instead of 403 confuses things terribly. (This seems to be a pretty widespread confusion :/)

[web] allow /data/ url again (closes #2464798) This feature was broken by 65fecbeb9c3a (which fixed another one itself).

[utils] fix typos in make_uid docstring