Security Release for issue4155

Veröffentlicht: 2014-09-30 10:00:00+00:00 release security

Synopsis

A vulnerability in trytond has been found by duesenfranz, that might allow a malicious user to execute arbitrary commands on the server via the safe_eval function (see issue4155).

Impact

Any authenticated user can run arbitrary commands on the server with the permissions of the trytond user.

Workaround

There is no workaround.

Resolution

All users should upgrade trytond to the latest version of the used series.

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

Tryton Unconference Leipzig 2014

Veröffentlicht: 2014-09-15 12:00:00+00:00 TUL

This year the annual Tryton Unconference will take place in Leipzig the 14th, 15th and 16th of November at the Leipzig University of Applied Sciences.

This will be the fourth global meeting where users, developers and interested people will have the opportunity to discover or talk about Tryton.

Until now, the following talks are proposed:

(More to be announced on our Lanyrd page)

The second Foundation Supporter Meeting will take place on Saturday 15h, 18.00.

On Sunday 16th, a Sprint is planned at the Hackerspace sublab.

Registration is available at TUL 2014.

If you like to give a talk, please announce it on Lanyrd. If you want to request a talk on a specific topic, you can send your request to the Tryton mailing list. If you have question about the organisation, please contact the foundation at foundation@tryton.org.

And don't forget to spread the word! #TUL2014

Videos of the Tryton Unconference 2013

Veröffentlicht: 2014-06-05 12:00:00+00:00 TUB video
Finally, the videos recored during the last Tryton Unconference 2013 are available. It took some time to synchronize the sound with the image but thanks to Pierre-Louis Bonicoli we have them now.

New Tryton release 3.2

Veröffentlicht: 2014-04-21 20:00:00+00:00 release

We are happy to announce the 3.2 release of Tryton.

This release mainly consolidates many new functionalities added in last two years. Also it prepares the future migration to Python 3 by dropping the support for Python 2.6. But also as usual there are many bug-fixes, improvements and new modules (see below).

Of course, migration from previous series is fully supported.

Major changes in graphical user interface

  • The client uses the local timezone to display date time.

  • The copy/paste on editable list has been improved to add new lines if needed beside of updating existing records.

  • The buttons of the view are also available in the action menu. This allows fast access using keyboard shortcuts but also trigger the button for a list of selected records.

    button action menu
  • Buttons and wizards can now trigger actions from the client side. This means it behaves like if the user clicked on one of the tool bar buttons.

  • The client uses now a pool of connections, this allows to speed up the client on requests that can be parallelized.

  • The attachment button can now receive drag & drop of file to quickly create attachments.

  • There is a new widget multi-selection, it uses the Many2Many field as backend. It is very useful and more visual when there is a small number of selection.

    multiselection
  • The client allows to browse the revisions of a record if it is historized. It also works on a full list of records, in this case the client shows the result of the search as if it was done at the revision date.

    revisions

Major changes on the server side

  • The server runs internally always in UTC timezone.
  • The ModelStorage.write method receives the similar improvements as the ModelStorage.create in version 2.8. This means it can write different values to many sets of records in one call and so this improves the performance by validating all the records at once and also it will validate only the modified and dependant fields. Also the action values of relation fields have been updated with the same interface.
  • A new decorator fields.depends is introduced to replace the deprecated on_change, on_change_with, selection_change_with and autocomplete fields attributes. This decorator applies on the called methods and the result will be the sum of all depends of all the modules, this brings much more flexibility to the modularity.
  • Tryton uses bcrypt to hash password if the library is available.
  • All types of field can now have a domain to constraint its value and most of the domains are supported for pre-validation and inversion on the client side.
  • The on_change returned value of One2Many uses now an index for the add keyword. This allows to define the position of the new record in the list instead of being always at the bottom.
  • A new method ModelSQL.restore_history allows to restore the values of a record as they were at a specific date time.

Modules

Account

  • A new journal type write-off has been added to ease the creation of write-offs.
  • Taxes has now an optional start and end, this allows to manage the changes over time.

French Chart of Account

  • The French chart of account has been updated for the new tax rates of 2014.

Account Statement

  • The module prevents now to use an already paid invoice in draft statements.
  • It uses the new index of on_change to add the new split line under the original.

Account Stock Continental

  • The creation of account move for stock move is speed-up.

Bank

  • The IBAN numbers are now validated and formatted.

Company

  • A new timezone field is added to the company to get the right date for today.
  • The employee is also taken from the context just like the company. This allows to use many clients with the same user but different employees.

Production

  • It is now possible to define the effective date of a production. This allows to enter past productions.

Purchase

  • There is now a warning when trying to receive a supplier stock move without an origin. Normally, the origin should be a purchase order.
  • The purchase tries to create links between stock moves and invoice lines.

Sale

  • The same warning exists for customer move without origin.
  • The sale tries as the purchase to create links between stock moves and invoice lines.

Stock

  • Supplier Shipment Return can now have partial assignation
  • The computation of stock quantities has been reworked to allow easy customization and better search.
  • It is now possible to define the effective date for all shipments. This allows to enter past shipments.

Stock Lot

  • A new relate has been added from lot to moves.

New modules

  • The Party Relationship module defines different types of relations between parties.
  • The Account Payment module allows to generate grouped payments for receivable and payable account move lines.
  • The Account Payment SEPA module allows to generate SEPA files for payments.
  • The Stock Package module allows to store packaging information about customer and supplier return shipments.
  • The Sale Shipment Grouping module adds an option to define how stock moves generated from sales will be grouped.
  • The Account Credit Limit module manages credit limit of parties.
  • The Sale Credit Limit module adds confirmed sale to the credit amount of the party.

Security Release for issue3446

Veröffentlicht: 2013-11-04 10:00:00+00:00 release security

Synopsis

A vulnerability in tryton has been found, that might allow a malicious server to send a crafted extention as answer to a report request leading the client to write the report on any file of the client host with the right of the user running the client (see issue3446).

Impact

Any file can be created on the client host with the access permissions of the user running the client.

Workaround

Users should connect only to trusted servers.

Resolution

All users should upgrade to the latest version of the used series.

Concern?

Any security concerns should be reported on the bug-tracker at http://bugs.tryton.org/ with the type security.

Neues Tryton Release 3.0

Veröffentlicht: 2013-10-21 18:00:00+00:00 release

Wir freuen uns, die Veröffentlichung von Tryton 3.0 bekannt zu geben!

Dieses Release bringt eine neue Kalenderansicht im Frontend, und ist weiterhin das Ergebnis eines weitreichenden Code-Refactorings, welches mit dem python-sql Projekt vor 2 Jahren gestartet ist. Des weiteren gibt es auch viele Fehlerkorrekturen, Verbesserungen und neue Module (siehe unten).

Wie immer ist die Migration aus älteren Versionen voll unterstützt.

Wesentliche Änderungen in der GUI

  • Eine Kalenderansicht ist nun verfügbar. Diese erlaubt die Anzeige von Vorgängen basierend auf Start- und/oder End-Datum bzw. -zeit. Drag&Drop von Events sowie editieren per Doppelklick wird unterstützt. Die Ansicht ist dahingehend optimiert, nur die anzuzeigenden Events abzurufen.

    Produktionskalender
  • Das URL-Schema, in Tryton 2.0 eingeführt, ist nun am Fuße aller Tabs sichtbar. Die URL erlaubt das Öffnen des gleichen Tab auf einem anderen Client.

    URL
  • Requests wurden wieder entfernt. Stattdessen sollen besser EMails mit URL genutzt werden.

  • Die ausgewählten Datensätze in einer Listanzeige sind persistent zwischen Sitzungen.

Wesentliche Änderungen am Server

  • Der Server nutzt nun python-sql um SQL Abfragen zu erzeugen. Dies verbessert die Kompatibilität zwischen unterschiedlichen Datenbanken - sowohl momentan unterstützten wie auch zukünftigen.
  • Die Sucher Methode kann nun die komplette Domäne zurückgeben (anstatt einer die durch eine AND Bedingung limitiert ist).
  • Das ältere order_field Attribut wurde ersetzt durch die Methode order_<field name> um eine höhere Modularität zu erreichen.
  • Das Datenbank-Backend kann dynamisch geladen werden, damit kann es in einem externen Package von trytond definiert werden.
  • Die Performance der MPTT Speicherung wurde verbessert indem die Standard-Sortierung entfernt und die Anzahl der Abfragen verringert wurde.
  • Ein neues Attribut grouped kann zum data -Tag hinzugefügt werden. Das erlaubt die gleichzeitige Erzeugung aller Datensätze eines Modells. Damit verkürzt sich die Installationszeit von Modulen mit großen Datensätzen.
  • Man kann nun eine Standard-Sortierung bei Action Windows definieren.

Module

  • Viele Module wurden einer neuen Entwicklung angepasst, bei dem erzeugte Dokumente mit ihrem Ursprung verlinkt werden. Anstatt den Code des Originals als Referenz zu kopieren wird ein Referenzfeld verwendet. Dies verbessert die Nachverfolgbarkeit der Verlinkungen zwischen Dokumenten ohne Informationsverlust, wenn diese später konsolidiert werden.

Account

  • Ein neuer Assistent vereinfacht die Saldenerzeugung bei nicht abgegrenzten Konten am Jahresende.
  • Alle Konten eines Kontenplans müssen in der gleichen Firma liegen. Durch diese Beschränkung wird die Performance bei der Soll/Haben Berechnung dramatisch erhöht.
  • Jede Buchung mit einer Nullzeile/Nullwert ist automatisch ausgeziffert wenn sie auf einem Abstimmungskonto ist. Damit werden Rechnungen mit Wert Null automatisch als gezahlt markiert.
  • Die centralised counterpart Option wurde vom Journal entfernt.

Account Invoice

  • Sobald eine Rechnung gebucht ist, werden die zugehörigen Buchungssätze genutzt, um die Buchungswerte anzuzeigen, anstatt sie aus den Rechnungszeilen zu berechnen. Das erhöht etwas die Performance, besonders bei Rechnungen mit vielen Zeilen.

Account Statement

  • Es ist jetzt möglich, direkt eine Rechnung auf eine Auftragzeile abzusetzen. Partnerdaten und Konto werden automatisch gezogen.

Stock

  • Es ist nun möglich den Bestand mit einem beliebigen Gruppierungsparameter abzufragen. So kann z.B. der Bestand pro Charge anstatt nur auf Artikelebene abgefragt werden.
  • Der Code des Bestandsmoduls wurde überarbeitet, um ein einfacheres Customizing der Bestandsbewegungen sowie der Constraints zu erreichen.
  • Der Periodencache kann nun verschieden gruppierte Mengen vorhalten.

Stock Lot

  • Felder für Menge und Forecastmenge sind jetzt auf Chargenebene.
  • Es können Bestände mit Charge angelegt werden.
  • Der Periodencache speichert Mengen pro Charge.

Stock Supply

  • Ein neuer Assistent erzeugt automatisch interne Warenbewegungen.
  • Wenn eine Bestellanforderung angelegt wird, und es bereits bekannt ist dass der Lieferant nicht zum Wunschlieferdatum liefern kann, erstellt der Assistent eine Warnung, damit der User diese erwarteten Wareneingänge in die Zukunft legen kann, da sie sonst für diese Bestellung ignoriert würden.

Neue Module

  • Das Bank Modul bringt die Referenz zu Banken und Bankkonten.
  • Das Account Dunning Modul stellt das Mahnwesen über mehrere Stufen bereit.
  • Das Account Dunning Letter Modul erzeugt die entsprechenden Mahnbriefe.
  • Das Sale Invoice Grouping Modul erlaubt die Gruppierung von Rechnungszeilen, die dem jeweiligen Verkauf zugrunde liegen.

Tryton Unconference Barcelona 2013

Veröffentlicht: 2013-09-17 12:00:00+00:00 TUB

Dies ist das dritte globale Meeting, auf dem sich Anwender und Entwickler treffen, um über die Zukunft von Tryton zu sprechen und Barcelona zu entdecken.

Bis jetzt sind die folgenden Gespräche vorgeschlagen:

(Folge den Änderungen auf der Planungsseite)

Das erste Unterstützertreffen der Stiftung (Foundation Supporter Meeting) wird am Samstag, 09.11.2013, 18.30h an gleicher Stelle wie die Unkonferenz stattfinden.

Der Sonntag 10.11.2013 ist für einen Coding Sprint reserviert.

Registrierung auf TUB 2013.

Wenn Sie selbst eine Gesprächsrunde starten wollen (über ihre Arbeit, um Feedback zu geben, etc), fügen Sie sich zur Wiki-Seite hinzu oder senden ein Email an mailto:foundation@tryton.org.

Please, spread the word! #TUB2013

News from Development July13

Veröffentlicht: 2013-07-08 12:00:00+00:00 development

Here are some changes recently landed in the development branch of Tryton that will be available on the next release.

Server

  • A factor on number widgets. This factor is used for conversion between the value displayed and the internal value. The main usage is showing the user a percent value like 10%, while storing 0.1.

    factor
  • The requests have been removed. Instead the server sends emails to notify users and thanks to the Tryton URL users are able to communicate about specific records by referencing them. This also removes load on the server as each client was polling every 5 minutes for new requests.

Client

  • A new kind of view has been added: calendar. It allows to display records on a calendar using ane start and/or an end date/datetime fields. It is based on the widget GooCalendar. It supports the Drag&Drop of events, the edition on double-click and it fetches only the events to display.

    production calendar
  • Since the version 2.0, Tryton has a URL scheme that the client can read. But in the past there was no easy way for the user to get the URL of a record. Now the URL is visible at the bottom of each tab. It contains all information to open the same tab on any other client.

    url

Modules

Account

  • Now any move posted with one line of zero is automaticaly reconciled if it is on an account to reconcile. With this feature, invoices with an amount of zero are automatically marked as paid.
  • A legacy of OpenERP, the centralised counterpart option on journal, has been removed after a poll that shows nobody was using it.

Account Invoice

  • Once an invoice is posted, the account move is used to show the amounts instead of computing it from the lines. This improve a little bit the performance especially for invoices with a lot of lines.

Account Statement

  • Now it is possible to directly set an invoice on a statement line. This will fill the party and account automatically.

Stock

  • It is now possible to query the stock quantity with any kind of grouping parameters. For example, it can be used to compute the stock quantity of a lot instead of a product.
  • The code of inventory has been reworked to allow easy customization of the move creation and also of the unique constraint on the inventory lines.
  • The period cache can now be adapted to cache different kind of grouped quantities.

Stock Lot

  • It is now possible to create inventories with lot.
  • The period cache store also the quantities per lot.

Stock Supply

  • If there are late supplier moves when creating purchase requests, the wizard shows a warning to allow the user to change the date of those moves into the future if needed otherwise those incoming moves will be ignored.

Letztes Bugfix-Release für Tryton 1.8

Veröffentlicht: 2013-05-16 12:00:00+00:00 release
Vor 2 Wochen ist das letzte Bugfix-Release für Tryton 1.8 erschienen. Nach zweieinhalb Jahren werden wir die Pflege des 1.8-Zweiges damit einstellen. Die Tryton-Releases 2.0, 2.2, 2.4 und 2.6 haben verschiedene Bugfixes erhalten, die bereits in 2.8 enthalten sind. Wie immer ist kein Datenbank-Upgrade notwendig für dieses Bugfix-Release.

New Tryton release 2.8

Veröffentlicht: 2013-04-22 18:00:00+00:00 release

We are happy to announce the 2.8 release of Tryton.

This release brings many changes for the graphical user interface in order to improve the workflow of the users like bookmarks, auto-completion, global search and a review of all error messages to provide more information. As usual there are many bug-fixes, module improvements and new modules (see below).

Of course, migration from previous series is fully supported.

Major changes in graphical user interface

  • Add domains on Action Window: This feature allows to set above any list view tabs which filter the records. All modules have been updated to take advantage of it and thus it reduced the number of menu entries.
Action Window domain
  • Bookmarks for search: Users can now bookmark their own searches and recall them anytime.
Bookmark
  • Auto-completion on Many2One, Many2Many and One2Many: When typing in those fields, the client will try to auto-complete them to allow a fast encoding. The completion also proposes two more actions to create a new record and to enter a complex search.
Completion
  • Replace shortcuts by menu favorites: A new design for favorites aka shortcuts has been implemented for a better user experience.
Menu Favorites
  • Add global search: A quick entry box has been added on top of the menu. It allows to search over all the business documents and the menu entries for fast access. When a search result is selected, the client will open its form view or will trigger the action for menu entries. The kind of documents to search is configurable.
Global Search

Major changes on the server side

  • The create method takes now a list of values thus unifying the API. This also improves the creation performance by validating in a bunch the created records.
  • (Field, Operator, Operand) are replaced by Domain on Rule in addition to unify such definition, it speeds up the computation and eases caching.
  • A new kind of field Dict is introduced. This field allows to store a dictionary for which the definitions of the keys are stored in the database. This feature is used in the new module product_attribute (see below).
  • It was decided to remove _inherits because it doesn't fulfill its mission. It was replaced case by case by Function fields, by a Mixin class or simply by an explicit Many2One.
  • The selection values of Selection and Reference fields can now be dynamic thanks to the selection_change_with attribute.

Modules

account

  • The Move Sequence on Period is optional. So if it is empty the fiscal year's one will be used.
  • Tax Rule and Tax Group have sale, purchase or other kind attribute which allow to define where they can be used.

account_invoice

  • Invoice Sequences on Period are also optional.
  • When cancelling an Invoice, the existing move will be deleted if possible or cancelled with an opposite move.
  • On validate Supplier Invoice, the draft Move is created. This allows in case of two step validation to get reports already up to date.
  • Supplier Invoice and Credit Note can no longer be refunded automatically because they must be checked with the supplier one.

dashboard

  • To ease user to select the actions for the dashboard, they are filtered based on the usage dashboard.

party

  • The new url widget on list view is used for contact mechanisms.
Contact Mechanisms

purchase

  • It is now possible to let the delivery time empty for a product supplier. This means that we don't know when the supplier will deliver.

stock

  • With the new workflow design, it was no more a bottleneck to add it on stock move.
  • All shipment Many2One on Move have been merged into one single shipment Reference.

stock_supply

  • The method find_best_supplier doesn't optimize anymore on the delivery delay and so it fully respects the priority order to select a supplier.

timesheet

  • It is now possible to define a period on which a work can be used to fill a timesheet.

New modules

  • account_asset adds depreciation of fixed assets.
  • sale_supply adds a supply on sale option on product to generate purchase request from sale lines regardless of the stock levels.
  • sale_supply_drop_shipment adds a drop shipment option on product supplier if supply on sale is checked to generate a drop shipment.
  • project_invoice adds some invoice methods (Manual, On Effort, On Timesheet) on project.
  • product_attribute adds flexible attributes on product.
Product Attribute

Other changes in graphical user interface

  • It is possible to use a range for Date/Time fields in filter box.
  • Multi-selection for Selection field is allowed in filter box.
  • View list can now disply url's.
  • The Plugins menu is moved into the toolbar Actions.

Other changes on server side

  • The default language is stored in the database which prevents unexpected behaviors in case the configuration of the server is changed.
  • The unique constraint on model and field access has been removed to allow many modules create their own accesses that overlap.
  • The _constraints list is deprecated and is replaced by the validate method on ModelStorage to allow better error messages.
  • Now it is possible to search on the target of a Reference field.