This is only needed for insecure spreadsheet applications (hi Google Docs and MS Excel) that load formulae by default.
See https://owasp.org/www-community/attacks/CSV_Injection for some mitigation explanation. This is not complete, but it should be OK for now.
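One way to apply the OWASP mitigation referenced above when exporting bills, as an added example in Python that is not the project's own code (the function names, the row layout and the sample rows are assumptions):

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula (the list given on the OWASP CSV Injection page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_cell(value):
    """Return a cell value that a spreadsheet will display as text.

    Non-string values (amounts, dates) are returned unchanged so they stay
    numeric. A string starting with a formula trigger is prefixed with a single
    quote, which makes the spreadsheet treat the whole cell as literal text.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_bills_csv(rows):
    """Serialise rows (lists of cell values) to CSV text with each cell escaped.

    QUOTE_NONNUMERIC wraps every text field in double quotes and the csv module
    doubles any embedded double quote, matching the OWASP recommendation; numbers
    are written bare so they remain numbers after import.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_csv_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export: the first bill description would be evaluated
    # as a formula by a spreadsheet if written unescaped.
    sample_rows = [
        ["what", "payer", "amount"],
        ["=1+1", "alice", 12.5],
        ["-5 euros refund", "bob", 3],
    ]
    print(export_bills_csv(sample_rows))
```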
* get weight sum along with bills to scale
otherwise, we need to get the weight sum for each displayed bill.
Here, we are much more scalable
* add test
* format
* remove unused import
* oops, restore pagination to 100
* add comments
* format
* rename method to make it clearer
And also, make it static, since it doesn't rely on instance.
* improve comments and naming
* improve naming
* missing article
* Change the way we import datetime
This makes it easier to use datetime.date later.
* Display monthly statistics for the range of months where the project was active
Currently, we display a hard-coded "one year" range of monthly statistics
starting from today. This generally is not the intended behaviour: for
instance, on an archived project, the bills might all be older than one
year, so the table only displays months without any operation.
Instead, display all months between the first and last bills. There might
be empty months in the middle, but that's intended, because we want all
months to be consecutive.
If there are no bills, simply display an empty table.
Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
* Do not require a captcha when using the API
This was trickier than expected, due to some side effects: when the
captcha is set to `True` via configuration, it doesn't change the
behavior directly of the ProjectForm class, but does so only when the
project form is used in the `web.py` module.
So, when just using the API (and not using the web.py module, for
instance during tests — manual or functional), no problem was shown,
and everything was working properly.
But as soon as somebody sees the "/" endpoint, the captcha was
required, by both the API and the `web.py` module.
This fixes it by adding a way to bypass the captcha with a new
`bypass_captcha` property on the form.
Prior to this commit, things were done by activating or deactivating a
"captcha" property on the class on-the-fly, which caused side-effects.
This is now using subclasses, which makes the code simpler to
understand, and less prone to side-effects.
Thanks @zorun for the idea.
Fix #780
This is a breaking change, the API for authentication is different, as it now requires `project_id`. Token is generated with only the project_id (so it's shorter than before), and signature is done by mixing password with secret key. Thus, it expires on every project code change.
This mock was already applied to all tests, because it was done statically
in the TestCurrencyConverter class definition. But it was really not
clear that it's applied everywhere.
Moving this to the setUp() function makes it much clearer.
Also, remove useless redefinition in other tests.
Most of the tests are using a separate database, but we have a few tests
that are loading default values and are writing to /tmp/ihatemoney.db.
This is annoying because it's also the database used for development:
running the test suite breaks the dev database.
To fix this, always use a separate testing database to avoid interference.
Co-authored-by: Alexis Métaireau <alexis@notmyidea.org>
Currency switching is both simpler and less powerful. This was done primarily for users, to have a clear and logical understanding, but the code is also simpler. The main change is that it is now forbidden to switch a project to "no currency" if bills don't share the same currency.
Also, tests assume that projects are created without currency, as in the web UI.