Fix #780
This is a breaking change: the API for authentication is different, as it now requires `project_id`. The token is generated with only the project_id (so it's shorter than before), and the signature is done by mixing the password with the secret key. Thus, it expires on every project code change.
The previous query was working fine on sqlite and mariadb, but not on
postgresql:
return self.get_bills_unordered().group_by(Bill.original_currency).count() > 1
psycopg2.errors.GroupingError: column "bill.id" must appear in the GROUP BY clause or be used in an aggregate function
The failing SQL query was:
[SQL: SELECT count(*) AS count_1
FROM (SELECT bill.id AS bill_id, ...
FROM bill JOIN person ON person.id = bill.payer_id JOIN project ON project.id = person.project_id
WHERE bill.payer_id = person.id AND person.project_id = project.id AND project.id = %(id_1)s GROUP BY bill.original_currency) AS anon_1]
The problem is that sqlalchemy creates a subquery for postgresql, and the
internal query does not make sense.
GROUP BY is not actually useful, we simply need to count the number of
distinct currencies in the list of bills.
Co-authored-by: Alexis Métaireau <alexis@notmyidea.org>
Currency switching is both simpler and less powerful. This was done primarily for users, to have a clear and logical understanding, but the code is also simpler. The main change is that it is now forbidden to switch a project to "no currency" if bills don't share the same currency.
Also, tests assume that projects are created without currency, as in the web UI.
This was hidden by the CVE-2020-15120 issue: now that we no longer return
members from the wrong project, we need to handle the case where there is
nothing to return.
An authenticated member of one project can modify and delete members of
another project, without knowledge of this other project's private
code. This can be further exploited to access all bills of another project
without knowledge of this other project's private code.
With the default configuration, anybody is allowed to create a new
project. An attacker can create a new project and then use it to become
authenticated and exploit this flaw. As such, the exposure is similar to
an unauthenticated attack, because it is trivial to become authenticated.
This issue was caused by wrong database queries in PersonQuery.
For more details, see https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9
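The two query problems above (the GROUP BY subquery that PostgreSQL rejects, and the PersonQuery lookups that were not scoped to the authenticated project) can be shown side by side on a tiny in-memory database. The following is an added example written for this page, not the project's own code or schema: the tables are a constructed, simplified subset of project/person/bill, the sample rows are made up, and the function names are hypothetical. It uses the standard sqlite3 module so it runs offline; the distinct-currency query is written with COUNT(DISTINCT ...), which is an aggregate over the joined rows and so is accepted by PostgreSQL as well as SQLite and MariaDB (one portable way to get the count, not necessarily the exact statement the project adopted).

```python
import sqlite3

# Constructed, simplified subset of the project / person / bill tables
# (hypothetical schema for this example, not the project's migrations).
SCHEMA = """
CREATE TABLE project (id TEXT PRIMARY KEY);
CREATE TABLE person (
    id INTEGER PRIMARY KEY,
    project_id TEXT NOT NULL REFERENCES project(id),
    name TEXT NOT NULL
);
CREATE TABLE bill (
    id INTEGER PRIMARY KEY,
    payer_id INTEGER NOT NULL REFERENCES person(id),
    amount REAL NOT NULL,
    original_currency TEXT NOT NULL
);
"""


def make_db():
    """Build an in-memory database holding two projects (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO project VALUES (?)", [("trip",), ("flat",)])
    conn.executemany(
        "INSERT INTO person VALUES (?, ?, ?)",
        [(1, "trip", "alice"), (2, "trip", "bob"), (3, "flat", "carol")],
    )
    conn.executemany(
        "INSERT INTO bill VALUES (?, ?, ?, ?)",
        [(1, 1, 10.0, "EUR"), (2, 2, 5.0, "USD"), (3, 3, 8.0, "EUR"), (4, 3, 4.0, "EUR")],
    )
    conn.commit()
    return conn


def count_distinct_currencies(conn, project_id):
    """Number of distinct bill currencies used in one project.

    COUNT(DISTINCT col) is an aggregate over the joined rows, so there is no
    GROUP BY and no subquery with non-aggregated columns; PostgreSQL accepts it.
    Caveat: COUNT(DISTINCT ...) ignores NULL, which is why original_currency is
    declared NOT NULL above.
    """
    row = conn.execute(
        """
        SELECT COUNT(DISTINCT bill.original_currency)
        FROM bill
        JOIN person ON person.id = bill.payer_id
        JOIN project ON project.id = person.project_id
        WHERE project.id = ?
        """,
        (project_id,),
    ).fetchone()
    return row[0]


def has_multiple_currencies(conn, project_id):
    """True when the project's bills do not all share one currency."""
    return count_distinct_currencies(conn, project_id) > 1


def get_person_unscoped(conn, person_id):
    """The vulnerable pattern: a lookup by member id alone, with no project
    constraint, so a user authenticated on any project can reach members of
    every other project just by guessing ids."""
    return conn.execute(
        "SELECT id, project_id, name FROM person WHERE id = ?", (person_id,)
    ).fetchone()


def get_person_scoped(conn, project_id, person_id):
    """Project-scoped lookup: the caller's authenticated project is part of the
    WHERE clause, so a foreign member id yields no row (None) instead of
    another project's data.  Callers must handle that None."""
    return conn.execute(
        "SELECT id, project_id, name FROM person WHERE id = ? AND project_id = ?",
        (person_id, project_id),
    ).fetchone()
```

The scoped lookup is the shape every per-project query needs: the project id comes from the caller's session, not from the request, and the query itself enforces it, so there is no separate authorization check that a later code path can forget.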
Now each project can have a currency, defaulting to None.
Each bill can use a different currency, and a conversion to project default currency is done on settle.
Fix #512
Currently the string representation of a Bill is: "<amount> for <description>"
It is used in the History Page to describe changes that were applied to
Bills, for instance:
Bill "42.0 for Test" renamed to "Another Test"
This is inconsistent, not easy to read, and the "for" in the middle is not
translatable.
To solve this issue, simply switch the string representation of a bill to
its description.
Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
Co-Authored-By: Glandos <bugs-github@antipoul.fr>
All project activity can be tracked, using SQLAlchemy-continuum.
IP addresses can optionally be recorded.
* Update models: Bill.pay_each()
* Import sql func
* reformatted using black
* Added ModelsTestCase.test_bill_pay_each() in order to test the SQL query change within pay_each.
Had to add Project.ProjectQuery.get_by_name() for the test.
An optional field has been added to the bill form to add a link to a real bill. A new action button allows the user to see this bill. Breaking change with the Bill model update for the database; a migration is needed.
See issue #429.
* Use token based auth in invitation e-mails
Invitation e-mails no longer contain the clear
text project password
* Skip invite page after project creation
- Replace ``The project identifier is demo, remember it!``
by ``Invite other people to join this project!``
(linking to the invite page)
- Encourage users to share the project password via other
communication means in the reminder email
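Both the authentication change described earlier on this page (a token carrying only the project id, signed with the secret key mixed with the project password, so it expires when the password changes) and the invitation e-mails above (which no longer contain the clear-text project password) rest on the same idea: a signed token that names the project without revealing its credential. The block below is an added example illustrating that scheme with only the standard library; it is not the project's code or its token format, and make_token, verify_token, the JSON payload layout and the HMAC-SHA256 key derivation are all assumptions made for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


def _b64(raw):
    # URL-safe base64 without padding, so the token can sit in a link.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_key(secret_key, password):
    # Per-project key derived from the application secret and the project
    # password (assumed construction).  Changing the password changes the key,
    # so every token issued before the change stops verifying.
    return hmac.new(secret_key.encode(), password.encode(), hashlib.sha256).digest()


def make_token(project_id, password, secret_key, issued_at=None):
    """Token carrying only the project id and an issue time; the password is
    used to sign it but never appears inside it."""
    if issued_at is None:
        issued_at = time.time()
    payload = json.dumps(
        {"pid": project_id, "iat": int(issued_at)}, separators=(",", ":")
    ).encode()
    sig = hmac.new(_signing_key(secret_key, password), payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, secret_key, lookup_password, max_age=None, now=None):
    """Return the project id if the token is authentic and unexpired, else None.

    lookup_password(project_id) must return the project's current password or
    None for an unknown project; it stands in for a database query here.
    """
    if now is None:
        now = time.time()
    try:
        encoded_payload, encoded_sig = token.split(".")
        payload = _unb64(encoded_payload)
        sig = _unb64(encoded_sig)
        data = json.loads(payload)
        project_id = data["pid"]
        issued_at = int(data["iat"])
    except (ValueError, TypeError, KeyError, binascii.Error, UnicodeDecodeError):
        return None  # malformed token
    if not isinstance(project_id, str):
        return None
    password = lookup_password(project_id)
    if password is None:
        return None  # unknown project
    expected = hmac.new(_signing_key(secret_key, password), payload, hashlib.sha256).digest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(sig, expected):
        return None
    if max_age is not None and now - issued_at > max_age:
        return None  # expired (used for invitation links, for instance)
    return project_id
```

The signature is checked before the timestamp is trusted, and the password lookup happens only for a project id the token itself names, so an attacker who holds a token for their own project learns nothing that helps them forge one for another: the key for that project mixes in a password they do not know.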
* Use absolute imports and rename package to ihatemoney
* Add an ihatemoney command
* Factorize application creation logic
* Refactor the tests
* Update the wsgi.py module with the new create_app() function
* Fix some styling thanks to Flake8.
* Automate Flake8 check in the CI.