Merge dev into new-v7

Author: pdo-axelor

Diff for: CHANGELOG.md

@@ -1,3 +1,111 @@
+## 6.1.4 (2023-06-23)
+
+#### Features
+
+* Preserve grid scroll position on form save/reload
+
+#### Fixed
+
+* Fix buttons actions in Tree views
+* Fix on how application and module are determinate during gradle resolution
+
+  <details>
+  
+  Due to the merge of `com.axelor.app` and `com.axelor.app-module` gradle
+  plugins, it is now hard to determinate who is the module from the
+  application. A module can be built itself, so it is seen as an
+  application (when checking `project == project.getRootProject()`) and
+  wrong plugins/dependencies/tasks are applied.
+  
+  To overcomes this, when a module need to be built standalone,
+  `axelor.application = false` property can be added in `gradle.properties`. 
+  This way, it will be seen as a module instead of an application.
+  
+  Better support will be added in a future version.
+  
+  </details>
+
+* Fix going into edit mode in editable grid when clicking readonly cell
+* Fix selection widget stealing focus after focusing another cell
+* Readonly fields, included dot fields, shouldn't be focusable
+* Fix search request when adjusting page boundary
+* Fix onChange on Enter key in simple fields
+* Fix lost dotted fields in grid when using master-detail widget
+* Fix editable grid that don't wait for pending actions
+* Fix deselected row after save triggered by previous row in editable grid
+* Fix search box show/hide on cards view dashlet depending on dashlet `canSearch` attribute
+* Fix onNew action on editor
+* Don't create webapp folder in war
+* Fix toolbar buttons display when same grid is displayed multiple times
+
+#### Security
+
+* Check for unauthorized users inside security filter directly
+
+## 6.1.3 (2023-05-15)
+
+#### Fixed
+
+* Align script helper test expressions with Action behavior
+* Fix attributes that need a test instead of an evaluation
+* Fix action test condition when context proxy is used
+* Do not try to generate binary download link on unsaved record
+
+## 6.1.2 (2023-04-05)
+
+#### Changes
+
+* Improve resolution of AOP core dependencies
+
+  <details>
+  
+  Use AOP version defined in root project. This avoids to use a version
+  coming from transitive dependencies.
+  
+  For example, if a module is built and published using AOP version 6.1.2
+  and the root project use AOP version 6.1.1, it will now use the AOP
+  version of the project, ie 6.1.1 (instead of getting the AOP version of
+  the transitive dependency of the module).
+  
+  </details>
+
+#### Fixed
+
+* Don't reload dashlet custom view when the widget is not visible
+* Disable exporting on Kanban views
+* Fix empty recipients list when posting message or adding followers
+* Fix onChange triggered after grid edit cancel
+* Fix missing "refresh", "new", "prev", and "next" keyboard shortcuts on cards and kanban views
+* Fix moving record on top level grid
+* Fix grid not editable depending on readonly/canEdit conditions
+* Fix redefined User namecolumn in collaboration widget
+
+  <details>
+  
+  When the namecolumn of the User entity is redefined,
+  it was not taken into account in the collaboration widget.
+  
+  </details>
+
+* Fix editable grid preventing save
+
+  <details>
+  
+  On slow network and/or big grids, going in and out of grid edit
+  may trigger duplicate grid edit events and mess with the counting
+  of active editable grids. This could cause saving to fail.
+  
+  </details>
+
+* Fix export on relational fields
+* Fix spinner buttons triggering onChange inside editable grid
+* Escape data when generating xml
+* Don't allow to post message without body
+
+#### Security
+
+* Check `canNew` view attribute with "create new record" keyboard shortcut
+
 ## 6.1.1 (2023-02-06)
 
 #### Fixed

Diff for: CONTRIBUTING.md

@@ -14,6 +14,10 @@ there are a few guidelines we’d like you to follow:
 By submitting code as an individual you agree to the [individual contributor license agreement][individual-cla].
 By submitting code as an entity you agree to the [corporate contributor license agreement][corporate-cla].
 
+## Security issues
+
+If you believe you've found a security vulnerability, please read our [security policy](SECURITY.md) for more details.
+
 ## Reporting Issues
 
 Before you submit your issue search the archive, maybe your question was already answered.

Diff for: SECURITY.md

@@ -0,0 +1,17 @@
+# Reporting security issues
+
+To report a security vulnerability, please send a report to [[email protected]](mailto:[email protected]). 
+
+This address can be used for all of Axelor's products. Do not report non-security-impacting bugs through this channel.
+
+Provide a descriptive title and in the description of the report, include the following information :
+
+- Detailed steps to reproduce the vulnerability (POC scripts, screenshots, and logs are all helpful).
+- Description of the effects of the vulnerability.
+- How the vulnerability affects the project usage.
+- The affected versions.
+
+While submitting, please remove or obfuscate any private data.
+
+After it has been submitted, the Security Team will investigate the vulnerability, determine its effects and 
+criticality and notify to the reporter.

Diff for: axelor-common/build.gradle

@@ -25,17 +25,3 @@ afterEvaluate {
   writeManifest(file("${projectDir}/bin/main"), false) // to eclipse output dir
   writeManifest(file("${projectDir}/out/production/resources"), false) // to intelij output dir
 }
-
-jar {
-  manifest {
-    attributes(
-      'Implementation-Title': project.name,
-      'Implementation-Version': project.version,
-      'Implementation-Vendor': 'Axelor',
-      'Implementation-Vendor-Id': 'com.axelor',
-      'Implementation-Vendor-Url': 'http://axelor.com',
-      'Specification-Title': project.name,
-      'Specification-Version': project.version,
-      'Specification-Vendor': 'Axelor')
-  }
-}

Diff for: axelor-core/build.gradle

@@ -84,3 +84,8 @@ test {
   // Avoid Warnings for Reflective Access in `AppSettingsTest`
   jvmArgs = ["--add-opens", "java.base/java.util=ALL-UNNAMED", "--add-opens", "java.base/java.lang=ALL-UNNAMED"]
 }
+
+license {
+  include "**/*.xsd"
+  excludePatterns.removeAll(['**/resources/**'] as Object[])
+}

Diff for: axelor-core/src/main/java/com/axelor/auth/AuthModule.java

@@ -52,9 +52,6 @@ protected final void configure() {
       return;
     }
 
-    // observe authentication-related events
-    bind(AuthObserver.class);
-
     // pac4j
     bind(AuthPac4jObserver.class);
     install(new AuthPac4jModule(context));

Diff for: axelor-core/src/main/java/com/axelor/auth/AuthObserver.java

@@ -23,7 +23,7 @@
 import org.apache.shiro.session.Session;
 
 /** Manages session attributes. */
-class AuthSessionService {
+public class AuthSessionService {
   private static final String LOGIN_DATE = "com.axelor.internal.loginDate";
 
   public void updateLoginDate() {

Diff for: axelor-core/src/main/java/com/axelor/auth/AuthSessionService.java

@@ -18,6 +18,7 @@
  */
 package com.axelor.auth.pac4j;
 
+import com.axelor.auth.AuthSessionService;
 import com.axelor.auth.AuthUtils;
 import com.axelor.auth.UserAuthenticationInfo;
 import com.axelor.auth.db.User;
@@ -42,6 +43,7 @@ public class AuthPac4jListener implements AuthenticationListener {
   @Inject private Event<LogoutEvent> logoutEvent;
   @Inject private AuthPac4jProfileService profileService;
   @Inject private AxelorSessionManager sessionManager;
+  @Inject private AuthSessionService sessionService;
 
   private static final String UNKNOWN_USER = "User not found: %s";
 
@@ -52,6 +54,7 @@ public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
 
       if (user != null) {
         sessionManager.changeSessionId();
+        sessionService.updateLoginDate();
         firePostLoginSuccess(token, user);
         return;
       }

Diff for: axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jListener.java

@@ -0,0 +1,76 @@
+/*
+ * Axelor Business Solutions
+ *
+ * Copyright (C) 2005-2023 Axelor (<http://axelor.com>).
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.axelor.auth.pac4j;
+
+import com.axelor.auth.AuthSessionService;
+import com.axelor.auth.AuthUtils;
+import com.axelor.auth.db.User;
+import java.time.LocalDateTime;
+import java.util.List;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import org.apache.shiro.SecurityUtils;
+import org.pac4j.core.authorization.authorizer.Authorizer;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.profile.UserProfile;
+
+@Singleton
+public class AxelorUserAuthorizer implements Authorizer {
+
+  public static final String USER_AUTHORIZER_NAME = "AxelorUserAuthorizer";
+
+  private AuthSessionService authSessionService;
+
+  @Inject
+  public AxelorUserAuthorizer(AuthSessionService authSessionService) {
+    this.authSessionService = authSessionService;
+  }
+
+  @Override
+  public boolean isAuthorized(
+      WebContext context, SessionStore sessionStore, List<UserProfile> profiles) {
+    User user = AuthUtils.getUser();
+    if (user == null) {
+      return false;
+    }
+    if (!isAllowed(user)) {
+      removeSession();
+      return false;
+    }
+
+    return true;
+  }
+
+  private boolean isAllowed(User user) {
+    final LocalDateTime loginDate =
+        authSessionService.getLoginDate(AuthUtils.getSubject().getSession());
+    return AuthUtils.isActive(user)
+        && (user.getPasswordUpdatedOn() == null
+            || loginDate != null && !loginDate.isBefore(user.getPasswordUpdatedOn()));
+  }
+
+  private void removeSession() {
+    try {
+      SecurityUtils.getSubject().logout();
+    } catch (Exception e) {
+      // ignore
+    }
+  }
+}

Diff for: axelor-core/src/main/java/com/axelor/auth/pac4j/AxelorUserAuthorizer.java

@@ -31,8 +31,12 @@ public class ConfigProvider implements Provider<Config> {
 
   @Inject
   public ConfigProvider(
-      Clients clients, AxelorCsrfAuthorizer csrfAuthorizer, AxelorCsrfMatcher csrfMatcher) {
+      Clients clients,
+      AxelorUserAuthorizer userAuthorizer,
+      AxelorCsrfAuthorizer csrfAuthorizer,
+      AxelorCsrfMatcher csrfMatcher) {
     config = new Config(clients);
+    config.addAuthorizer(AxelorUserAuthorizer.USER_AUTHORIZER_NAME, userAuthorizer);
     config.addAuthorizer(AxelorCsrfAuthorizer.CSRF_AUTHORIZER_NAME, csrfAuthorizer);
     config.addMatcher(AxelorCsrfMatcher.CSRF_MATCHER_NAME, csrfMatcher);
   }