
Security Release for issue4155

Published: 2014-09-30 10:00:00+00:00 release security

Synopsis

A vulnerability in trytond, found by duesenfranz, might allow a malicious user to execute arbitrary commands on the server via the safe_eval function (see issue4155).

Impact

Any authenticated user can run arbitrary commands on the server with the permissions of the trytond user.

Workaround

There is no workaround.

Resolution

All users should upgrade trytond to the latest version of the series they use.

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.

New Tryton release 3.2

Published: 2014-04-21 20:00:00+00:00 release

We are happy to announce the 3.2 release of Tryton.

This release mainly consolidates many new functionalities added in the last two years. It also prepares the future migration to Python 3 by dropping support for Python 2.6. As usual, there are also many bug-fixes, improvements and new modules (see below).

Of course, migration from previous series is fully supported.

Major changes in graphical user interface

  • The client uses the local timezone to display date time.

  • Copy/paste on editable lists has been improved to add new lines if needed, in addition to updating existing records.

  • The buttons of the view are also available in the action menu. This allows fast access using keyboard shortcuts and also triggering the button for a list of selected records.

  • Buttons and wizards can now trigger actions from the client side. This behaves as if the user had clicked on one of the toolbar buttons.

  • The client now uses a pool of connections, which speeds up the client on requests that can be parallelized.

  • The attachment button can now receive drag & drop of files to quickly create attachments.

  • There is a new multi-selection widget, which uses the Many2Many field as backend. It is very useful and more visual when there is a small number of selections.

  • The client allows browsing the revisions of a record if it is historized. It also works on a full list of records; in this case the client shows the result of the search as if it was done at the revision date.

Major changes on the server side

  • The server always runs internally in the UTC timezone.
  • The ModelStorage.write method receives improvements similar to those made to ModelStorage.create in version 2.8. This means it can write different values to many sets of records in one call, which improves performance by validating all the records at once; it also validates only the modified and dependent fields. The action values of relation fields have also been updated with the same interface.
  • A new decorator fields.depends is introduced to replace the deprecated on_change, on_change_with, selection_change_with and autocomplete field attributes. This decorator applies to the called methods and the result will be the sum of all depends of all the modules, which brings much more flexibility to the modularity.
  • Tryton uses bcrypt to hash passwords if the library is available.
  • All types of field can now have a domain to constrain their value, and most of the domains are supported for pre-validation and inversion on the client side.
  • The on_change returned value of One2Many now uses an index for the add keyword. This allows defining the position of the new record in the list instead of it always being at the bottom.
  • A new method ModelSQL.restore_history allows restoring the values of a record as they were at a specific date time.

Modules

Account

  • A new journal type write-off has been added to ease the creation of write-offs.
  • Taxes now have an optional start and end, which allows managing changes over time.

French Chart of Account

  • The French chart of account has been updated for the new tax rates of 2014.

Account Statement

  • The module now prevents using an already paid invoice in draft statements.
  • It uses the new index of on_change to add the new split line under the original.

Account Stock Continental

  • The creation of account moves for stock moves has been sped up.

Bank

  • The IBAN numbers are now validated and formatted.

Company

  • A new timezone field is added to the company to get the right date for today.
  • The employee is also taken from the context just like the company. This allows using many clients with the same user but different employees.

Production

  • It is now possible to define the effective date of a production. This allows entering past productions.

Purchase

  • There is now a warning when trying to receive a supplier stock move without an origin. Normally, the origin should be a purchase order.
  • The purchase tries to create links between stock moves and invoice lines.

Sale

  • The same warning exists for customer moves without origin.
  • The sale tries, like the purchase, to create links between stock moves and invoice lines.

Stock

  • Supplier Shipment Return can now have partial assignation.
  • The computation of stock quantities has been reworked to allow easy customization and better search.
  • It is now possible to define the effective date for all shipments. This allows entering past shipments.

Stock Lot

  • A new relate has been added from lot to moves.

New modules

  • The Party Relationship module defines different types of relations between parties.
  • The Account Payment module allows generating grouped payments for receivable and payable account move lines.
  • The Account Payment SEPA module allows generating SEPA files for payments.
  • The Stock Package module allows storing packaging information about customer and supplier return shipments.
  • The Sale Shipment Grouping module adds an option to define how stock moves generated from sales will be grouped.
  • The Account Credit Limit module manages credit limit of parties.
  • The Sale Credit Limit module adds confirmed sale to the credit amount of the party.

Security Release for issue3446

Published: 2013-11-04 10:00:00+00:00 release security

Synopsis

A vulnerability in tryton has been found that might allow a malicious server to send a crafted extension in answer to a report request, leading the client to write the report to any file of the client host with the rights of the user running the client (see issue3446).

Impact

Any file can be created on the client host with the access permissions of the user running the client.

Workaround

Users should connect only to trusted servers.

Resolution

All users should upgrade to the latest version of the series they use.

Concern?

Any security concerns should be reported on the bug-tracker at http://bugs.tryton.org/ with the type security.
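The class of check that closes this kind of hole, as an added example (it is not the Tryton client's code nor the actual fix for issue3446): every value the server supplies for the report file is validated before it becomes part of a local path. The helper names, the 10-character extension limit and the sample values are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Assumption: a legitimate report extension is a short alphanumeric token
# such as "odt" or "pdf". Anything else coming from the server is refused.
_SAFE_EXTENSION = re.compile(r'[A-Za-z0-9]{1,10}')


class UnsafeReportName(ValueError):
    """The server-supplied name or extension would escape the directory."""


def report_path(directory, name, extension):
    """Build the local path for a report from server-supplied values.

    Hypothetical helper: returns a path that is always directly inside
    `directory`, or raises UnsafeReportName.
    """
    # fullmatch (not match with "$") so that a trailing newline is refused too.
    if not _SAFE_EXTENSION.fullmatch(extension):
        raise UnsafeReportName('extension %r' % (extension,))
    # The name is server-controlled as well: keep the last path component
    # and replace every character that is not a word character, dot or dash.
    base = re.sub(r'[^\w.-]', '_', os.path.basename(name)).lstrip('.')
    base = base or 'report'
    directory = os.path.realpath(directory)
    path = os.path.realpath(os.path.join(directory, base + '.' + extension))
    # Defence in depth: the resolved parent must be the chosen directory.
    if os.path.dirname(path) != directory:
        raise UnsafeReportName('path %r' % (path,))
    return path


def save_report(directory, name, extension, data):
    """Write `data` to a new file; never follow or overwrite existing ones."""
    path = report_path(directory, name, extension)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, 'O_NOFOLLOW', 0)  # not available on every platform
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, 'wb') as report:
        report.write(data)
    return path


if __name__ == '__main__':
    workdir = tempfile.mkdtemp(prefix='tryton_reports_')
    # Constructed sample answers: (name, extension) as a server could send.
    samples = [('Invoice', 'odt'), ('Invoice', 'x/../../outside'),
               ('../../Invoice', 'pdf')]
    for name, extension in samples:
        try:
            print(save_report(workdir, name, extension, b'constructed data'))
        except UnsafeReportName as error:
            print('refused:', error)
```

Opening the file with O_EXCL means that even a name that passes validation cannot replace a file that already exists in the directory.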

New Tryton release 3.0

Published: 2013-10-21 18:00:00+00:00 release

We are happy to announce the 3.0 release of Tryton.

This release brings a new calendar view for the graphical user interface and sees the result of a large refactoring of the code started 2 years ago with the project python-sql. As usual, there are also many bug-fixes, improvements and new modules (see below).

Of course, migration from previous series is fully supported.

Major changes in graphical user interface

  • A calendar view is now available. It displays records on a calendar using start and/or end date/datetime fields. It supports drag & drop of events and editing on double-click. The view is optimized to fetch only the events displayed.

  • The URL scheme, introduced in 2.0, is now accessible at the bottom of all tabs. This URL allows opening the same tab on any other client.

  • The request has been removed. It is suggested to use emails with URL instead.

  • The selected records in list view are remembered between sessions.

Major changes on the server side

  • The server now uses python-sql to generate the SQL queries. This change brings better compatibility with all the different databases currently supported (and also with future ones).
  • The searcher method can now return a full domain (instead of one limited to AND clauses only).
  • The older order_field attribute is replaced by the method order_<field name> to be more modular.
  • The database backend can be loaded dynamically, which means it is possible to define one in an external package of trytond.
  • The performance of MPTT storage has been improved by removing the default order and reducing the number of queries.
  • A new attribute grouped can be added on the data tag. It allows creating all the records of the same Model at once. This improves the installation time of modules with large sets of data.
  • It is possible to define a default order on the Action Window.

Modules

  • Many modules have been adapted to a new design to link generated documents with their origin. Instead of copying the code of the origin as reference, a Reference field is used and most of the time the field is on the lines. This brings a better vision of the links between documents without losing information when documents are merged.

Account

  • A new wizard appears to ease the creation of the balance move for non-deferral accounts at the end of the fiscal year.
  • All accounts of a chart must always be in the same company. This constraint improves drastically the performance of computing the debit/credit.
  • Any move posted with one line of zero is automatically reconciled if it is on an account to reconcile. With this feature, invoices with amount of zero are automatically marked as paid.
  • The centralised counterpart option on journal has been removed.

Account Invoice

  • Once an invoice is posted, the account move is used to show the amounts instead of computing them from the lines. This improves performance a little, especially for invoices with a lot of lines.

Account Statement

  • Now it is possible to directly set an invoice on a statement line. This will fill the party and account automatically.

Stock

  • It is now possible to query the stock quantity with any kind of grouping parameters. For example, it can be used to compute the stock quantity of a lot instead of a product.
  • The code of inventory has been reworked to allow easy customization of the move creation and also of the unique constraint on the inventory lines.
  • The period cache can now be adapted to cache different kinds of grouped quantities.

Stock Lot

  • The quantity and forecast quantity fields have been added on lot.
  • It is now possible to create inventories with lot.
  • The period cache stores also the quantities per lot.

Stock Supply

  • A new wizard appears to automatically create internal shipments.
  • If there are late supplier moves when creating purchase requests, the wizard shows a warning so that the user can change the date of those moves into the future if needed; otherwise those incoming moves will be ignored.

New modules

  • The Bank module defines the concept of bank and account.
  • The Account Dunning module allows managing dunning following a procedure with different levels.
  • The Account Dunning Letter module adds the generation of a letter when processing dunnings.
  • The Sale Invoice Grouping module adds an option to define how invoice lines generated from sales will be grouped.

Last maintenance releases for series 1.8

Published: 2013-05-16 12:00:00+00:00 release

Two weeks ago, the series 1.8 received its very last bugfix releases. Two and a half years after the first release, we are going to close the maintenance for this series. Additionally, series 2.0, 2.2, 2.4 and 2.6 got several bugfix releases that were already provided in the 2.8 series. As usual, no database update is required for these releases.

New Tryton release 2.8

Published: 2013-04-22 18:00:00+00:00 release

We are happy to announce the 2.8 release of Tryton.

This release brings many changes for the graphical user interface in order to improve the workflow of the users like bookmarks, auto-completion, global search and a review of all error messages to provide more information. As usual there are many bug-fixes, module improvements and new modules (see below).

Of course, migration from previous series is fully supported.

Major changes in graphical user interface

  • Add domains on Action Window: This feature allows setting tabs above any list view which filter the records. All modules have been updated to take advantage of it, which reduced the number of menu entries.
  • Bookmarks for search: Users can now bookmark their own searches and recall them anytime.
  • Auto-completion on Many2One, Many2Many and One2Many: When typing in those fields, the client will try to auto-complete them to allow fast encoding. The completion also proposes two more actions to create a new record and to enter a complex search.
  • Replace shortcuts by menu favorites: A new design for favorites (formerly shortcuts) has been implemented for a better user experience.
  • Add global search: A quick entry box has been added on top of the menu. It allows searching over all the business documents and the menu entries for fast access. When a search result is selected, the client will open its form view or will trigger the action for menu entries. The kind of documents to search is configurable.

Major changes on the server side

  • The create method now takes a list of values, thus unifying the API. This also improves creation performance by validating the created records in bulk.
  • (Field, Operator, Operand) are replaced by Domain on Rule. In addition to unifying such definitions, it speeds up the computation and eases caching.
  • A new kind of field Dict is introduced. This field allows storing a dictionary for which the definitions of the keys are stored in the database. This feature is used in the new module product_attribute (see below).
  • It was decided to remove _inherits because it doesn't fulfill its mission. It was replaced case by case by Function fields, by a Mixin class or simply by an explicit Many2One.
  • The selection values of Selection and Reference fields can now be dynamic thanks to the selection_change_with attribute.

Modules

account

  • The Move Sequence on Period is optional. If it is empty, the fiscal year's one will be used.
  • Tax Rule and Tax Group have a sale, purchase or other kind attribute which defines where they can be used.

account_invoice

  • Invoice Sequences on Period are also optional.
  • When cancelling an Invoice, the existing move will be deleted if possible or cancelled with an opposite move.
  • On validation of a Supplier Invoice, the draft Move is created. In case of two-step validation, this allows getting reports that are already up to date.
  • Supplier Invoice and Credit Note can no longer be refunded automatically because they must be checked with the supplier one.

dashboard

  • To make it easier for users to select the actions for the dashboard, they are filtered based on the usage dashboard.

party

  • The new url widget on list view is used for contact mechanisms.

purchase

  • It is now possible to leave the delivery time empty for a product supplier. This means that we don't know when the supplier will deliver.

stock

  • With the new workflow design, it was no longer a bottleneck to add it on stock moves.
  • All shipment Many2One on Move have been merged into one single shipment Reference.

stock_supply

  • The method find_best_supplier no longer optimizes on the delivery delay and so it fully respects the priority order to select a supplier.

timesheet

  • It is now possible to define a period on which a work can be used to fill a timesheet.

New modules

  • account_asset adds depreciation of fixed assets.
  • sale_supply adds a supply on sale option on product to generate purchase request from sale lines regardless of the stock levels.
  • sale_supply_drop_shipment adds a drop shipment option on product supplier if supply on sale is checked to generate a drop shipment.
  • project_invoice adds some invoice methods (Manual, On Effort, On Timesheet) on project.
  • product_attribute adds flexible attributes on product.

Other changes in graphical user interface

  • It is possible to use a range for Date/Time fields in filter box.
  • Multi-selection for Selection field is allowed in filter box.
  • View list can now display URLs.
  • The Plugins menu is moved into the toolbar Actions.

Other changes on server side

  • The default language is stored in the database which prevents unexpected behaviors in case the configuration of the server is changed.
  • The unique constraint on model and field access has been removed to allow many modules to create their own accesses that overlap.
  • The _constraints list is deprecated and is replaced by the validate method on ModelStorage to allow better error messages.
  • Now it is possible to search on the target of a Reference field.

Maintenance releases for supported series 1.8, 2.0, 2.2, 2.4 and 2.6

Published: 2012-12-24 12:00:00+00:00 release

The 1.8, 2.0, 2.2, 2.4 and 2.6 series have received bugfix releases. No database update is required for these releases.

New Tryton release 2.6

Published: 2012-10-23 12:00:00+00:00 release

We are happy to announce the 2.6 release of Tryton.

This release brings many changes to the API with the introduction of the Active Record pattern. The graphical user interface has also received its share of improvements. As usual, the new release comes with bug fixes, new modules (which we announced previously) and improvements to existing modules.

Of course, migration from previous series is fully supported.

Major changes in graphical user interface

  • Management of access rights at the model and field level.

    The client is now able to disable the ‘Save’ button when a user does not have the right to use it.

    This feature is also available on relation fields for creating/deleting remote records.

  • Dynamic size limit on One2Many, Many2Many and Char fields.

    It is possible to limit the size of these fields on both the server and the client.

  • Removal of the “Please wait …” box. This pop-up window was annoying because it caused a loss of focus.

  • Copy/paste in ‘editable list’ view can update a rectangular selection from, for example, spreadsheet software.

Major changes on the server side

  • ‘Reference’ fields can be used for One2Many and Many2Many.

    In addition to using a Many2One as the reverse link of the relation, it is now possible to use a ‘Reference’ field. In the future, the link between stock moves (‘Move’) and shipments (‘Shipment’) will use this principle instead of four mutually exclusive Many2One.

  • All buttons have been merged into a single, much simpler concept.

  • Active Record pattern: This is the result of refactoring work started 2 years ago.

    Here are some of the benefits we get from it:

    • The size of the code has been reduced (about 2200 lines of code removed); for example, the on_change_with and the getter of Function fields can be merged.

    • Unification of the way to access the values of a record whether or not it is in the database. This allows, for example, simplifying the calls to the on_change method.

    • Removal of the loop over the ids in the getter of Function fields:

      before:

      def getter(self, ids, name):
          res = {}
          for record in self.browse(ids):
              res[record.id] = …
          return res
      

      after:

      def getter(self, name):
          return self.…
      
    • Rationalization of the Model registration process (copying of fields etc.)

    • Removal of the session parameter in the ‘wizard’. Now the ‘wizard’ instance is the session.

  • Views can be stored in an XML file instead of the database. This allows modifying views without updating the database and speeds up their design.

  • A new kind of validation has been added: the pre_validation.

    This new pre_validation allows validating the record without saving it. It is used by the client to validate the lines of a One2Many. With pre_validation, it is possible to give feedback to the user as early as possible, before saving.

Modules

account

  • The trial balance now shows the start and end balance in addition to the debit and credit columns.
  • Double-clicking on the balance sheet opens the accounts.
  • The chart of accounts no longer shows cumulated debit/credit by default but only for the current period.
  • The aged balance is computed over all fiscal years.
  • Account moves have been refactored to include an origin field, which allows linking to the master document. They also have two number fields, for the draft state and the posted state.

account_stock_continental

  • Updating the cost price automatically creates an account move.

purchase

  • Purchases handle negative quantities on lines. A return shipment and a credit note will be generated.

stock

  • A graph has been added showing the past and future evolution of the stock level for a product per warehouse.

New modules

  • stock_lot defines lots of products.
  • stock_split adds a ‘wizard’ to split moves.
  • account_fr adds the French chart of accounts.
  • production defines the basics for production management.
  • stock_supply_production adds supply through production requests.

Other changes in graphical user interface

  • The “constant” interpolation has been added to the line graph.
  • Groups can have a ‘readonly’ state.
  • It is possible to define a time format different from the classic '%H:%M:%S'.

Other changes on server side

  • The ModelSQL.default_sequence method has been removed. Sequence fields will no longer grow indefinitely.
  • The time format is validated, so it is possible to ensure that the seconds are 0, for example.
  • __tryton__.py is replaced by tryton.cfg, a static file.
  • It is possible to use a tuple as the value of a Reference. This is useful for building dynamic domains on such fields in PYSON.