We are proud to announce the 7.4 release of Tryton .
This release provides many bug fixes, performance improvements and some fine tuning.
You can give it a try on the demo server, use the docker image or download it here.
As usual upgrading from previous series is fully supported.

Here is a list of the most noticeable changes:

Changes for the User

Clients

The Many2Many widget now has a restore button to revert the removal of records before saving.

The CSV export window stays open after the export is done so you can refine your export without having the redo all of the configuration.
It also supports exporting and importing translatable fields with a language per column.
The error messages displayed when there is a problem with the CSV import have been improved to include the row and column number of the value that caused the error.

The management window for the favourites has been removed and replaced by a simple “last favorite first” order.

The focus goes back to the search entry after performing a search/refresh.

You can now close a tab by middle clicking on it (as is common in other software).

Web Client

The left menu and the attachment preview can now be resized so the user can make them the optimal size for their screen.

Accounting

The minimal chart of accounts has been replaced by the a universal chart of accounts which is a good base for IFRS and US GAAP.

It is now possible to copy an accounting move from a closed period. The closed period will be replaced by the current period after accepting the warning.

The payments are now numbered to make it easier to identify them inside the application.
An option has been added to the parties to allow direct debits to be created based on the balance instead of the accounting lines.
We’ve added a button on the Stripe payments and Stripe and Braintree customers to allow an updated to be forced. This helps when fixing missed webhooks.

When a stock move is cancelled, the corresponding stock account move is now cancelled automatically.
But it now no longer possible to cancel a done stock move which has been included in a calculation used for anglo-saxon accounting.

Commission

It is now possible to deactivate an agent so that they are no longer used for future orders.

Company

It is now possible to add a company logo. This is then displayed in the header of generated documents.

Incoterm

A warning is now raised when the incoterm of a shipment is different from the original document (such as the sale or purchase).

Party

We’ve added more identifiers for parties like the United Kingdom Unique Taxpayer Reference, Taiwanese Tax Number, Turkish tax identification number, El Salvador Tax Number, Singapore’s Unique Entity Number, Montenegro Tax Number and Kenya Tax Number.

Product

We’ve added a wizard to manage the replacement of products. Once there is no more stock of the replaced product in any of the warehouses, all the stock on all pending orders are replaced automatically.

A description can now be set for each product image.

There is now a button on the price list form to open the list of lines. This is helpful when the price list has a lot of lines.

Production

It is now possible to cancel a done production. All its stock moves are then cancelled.

The Bill of Materials now have an auto-generated internal code.

Purchase

The wizard to handle exceptions has been improved to clearly display the list of lines to recreate and the list of lines to ignore.

The menu entry Parties associated to Purchases has been removed in favour of the per party reporting.

The purchase amendment now supports amending the quantity of a purchase line using the secondary unit.

Quality

It is now no longer possible to delete non-pending inspections.

Sale

The wizards to handle exceptions have been improved to clearly display the list of lines to recreate and the list of lines to ignore.

The menu entry Parties associated to Sales has been removed in favor of the per party reporting.

A warning is now raised when the user tries to submit a complaint for the same origin as an existing complaint.

The reporting can be grouped per promotion.

From a promotion, it is now possible to list of the sales related to it.
The coupon number of promotion can now be reused once the previous promotion has expired.

The sale amendment now supports amending the quantity of a sale line using the secondary unit.

Stock

It is now possible to cancel a done shipment. When this happens the stock moves of the shipment are cancelled.

The task to reschedule late shipments now includes any shipment that is not yet done.

The supplier shipments no longer have a default planned date.

The customer shipments now have an extra state, Shipped, before the Done state.

The lot trace now shows the inventory as a document.

The package weight and the warehouse are now criteria that can be used when selecting a shipping method.

Changes for the System Administrator

The clients automatically retry 5 times on a 503 Service Unavailable response. They respect the Retry-After value if it is set in the response header. This is useful when performing short maintenance on the server without causing an interruption for the users.

The scheduled tasks now show when they are running and prevent the user from editing them (as they are locked anyway).
We also store their last duration for a month by default. So the administrator can analyze and find slow tasks.

It is now possible to configure a license key for the TinyMCE editor.
Also TinyMCE has been updated to version 7.

It is now possible to configure the command to use to convert a report to a different format. This allows the use of an external service like document-converter.

Accounting

The Accounting Party group has been merged into the *Accounting" group.

We now raise a warning when the user is changing one of the configured credentials used on external services. This is to prevent accidental modification.

Document Incoming

It is now possible to set a maximum size for the content of the document incoming requests.

Inbound Email

It is now possible to set a maximum size for the inbound email requests.

Web Shop

There is now a scheduled task that updates the cache that contains the product data feeds.

Changes for the Developer

Server

The ORM supports SQL Range functions and operators to build exclusion constraints. This allows, for example, the use of non-overlapping constraints using an index.
On PostgreSQL the btree_gist extension may be needed otherwise the ORM will fallback to locking querying the table.
The SQLite backend adds simple SQL constraints to the table schema.

The relational fields with a filter are no longer copied by default. This was a frequent source of bugs as the same relational field without the filter was already copied so it generated duplicates.

We’ve added a sparkline tool to generate textual sparklines. This allows the removal of the pygal dependency.

The activate_modules from testing now accepts a list of setup methods that are run before taking the backup. This speeds up any other tests which restore the backup as they then do not need to run those setup methods.

The backend now has a method to estimate the number of rows in a table. This is faster than counting when we only need an estimate, for example when choosing between a join and a sub-query.

We’ve added a ModelSQL.__setup_indexes__ method that prepares the indexes once the Pool has been loaded.

It is now possible to generate many sequential numbers in a single call. This allows, for example, to number a group of invoices with a single call.

The backend now uses JSONB by default for MultiSelection fields. It was already supported, but the database needed to be altered to activate the feature.

You can now define the cardinality (low, normal or high) for the index usage. This allows the backend to choose an optimal type of index to create.

We now have tools that apply the typing to columns of an SQLite query. This is needed because SQLite doesn’t do a good job of supporting CAST.

The RPC responses are now compressed if their size if large enough and the client accepts it.

The ModelView._changed_values and ModelStorage._save_values are now methods instead of properties. This makes it is easier to debug errors because AttributeError exceptions are no longer hidden.

The scheduled task runner now uses a pool of processes for better parallelism and management. Only the running task is now locked.

We’ve added an environment variable TEST_NETWORK so we can avoid running tests that require network access.

There is now a command line option for exporting translations and storing them as a po file in the corresponding module.
Tryton sets the python-format flag in the po file for the translations containing python formats. This allows Weblate (our translation service) to check if the translations keep the right placeholders.

Accounting

The payment amounts are now cached on the account move line to improve the performance when searching for lines to pay.
The payment amounts now have to be greater or equal to zero.

Purchase

Only purchase lines of type line can be used as an origin for a stock move.

Sale

Only sales lines of type line can be used as an origin for a stock move.

The fields from the Sale Shipment Cost Module are now all prefixed with sale_.

Stock

Cancelled moves are no longer included in the shipment and package measurements.

2 posts - 1 participant

Read full topic

Cédric Krier has found that python-sql does not escape non-Expression for unary operators (like And and Or) which makes any system exposing those vulnerable to an SQL injection attack.

Impact

CVSS v3.0 Base Score: 9.1

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope: Changed
• Confidentiality: High
• Integrity: Low
• Availability: Low

Workaround

There is no known workaround.

Resolution

All affected users should upgrade python-sql to the latest version.

Affected versions: <= 1.5.1
Non affected versions: >= 1.5.2

Reference

• Unary operators does not escape non-Expression (#93) · Issues · Tryton / python-sql · GitLab

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/python-sql with the confidential checkbox checked.

3 posts - 3 participants

Read full topic

During the last month we mainly focus on bug fixes, behaviour improvements of several things and speeding-up performance issues stepping forward to our next release 7.4 scheduled to the 4th of November. We also added some new features which we would like to introduce to you in this newsletter.

For an in depth overview of the Tryton issues please take a look at our issue tracker or see the issues and merge requests filtered by label.

Changes for the User

Sales, Purchases and Projects

We add a new sale reporting per promotion.

We add now a relate from promotions to their sales.

We improved the exception handling wizards on sales and purchases. We added two fields to let the user explicitly fill with the records to ignore or to re-create.
Any cancelled record that is not added to one of the fields, will stay in exception state to be proceeded later. Also we changed the view between a MultiSelection to a Many2Many field depending on the number of records in the exception state.

Now, Tryton doesn’t add extra lines on sale orders for inactive products. Also Tryton does no longer recommend inactive products.

We removed the Menu: Parties → Parties → Parties Associated to Sales/Purchases entries, because the result is not limited to sales or purchases in state validated or processing. A draft, quotation or cancelled order doesn’t qualify a party as a customer or supplier. The functionality is already replaced by the reports in Menu: Sales → Reporting → Sales, Sales per Customer and Menu: Purchases → Reporting → Purchases, Purchases per Supplier which adds the ability to filter per state and per period.

Accounting, Invoicing and Payments

Now we re-launch the update of the payment customer for Stripe and Braintree in case it failed. Also the users can manually initiate the update process.

Stock, Production and Shipments

Now we round up weights and the other measurements to two decimals for the shipping carriers DPD, Sendcloud and UPS.

We make package measurements read-only once they are closed.

User Interface

We remove the favourite management from the favourite menu, because of
several issues [1] [2] and duplicated functionality.

Now we group links with a similar functional scope together.

In Menu: Administration → User Interface the entries

• View Tree Widths,
• View Tree Optionals,
• View Tree States and
• View Searches

are moved to the Open related records toolbar-menu of Menu: Administration → Models → Models.

We improve the widget for MultiSelection fields in the Tryton clients by adding checkboxes which display the selection state of the row. If the users clicks on a row, the selection state will be changed.

Now we visually remove records from Many2Many fields used in Wizard instead of greying them out.

We keep the CSV export dialogue now opened after exporting, to have a better user experience when fixing bugs, export and again fixing bugs.

Since we moved the functionality from product_price_list_dates to product_price_list, you can open price list lines in a new tab to be able to filtering, search or import import them.

New Documentation or Naming

We improved and unified the stock action naming and re-worked documentation:

• Rename “Product Quantities By Warehouse” into “Stock Quantities By Warehouse.”
• Remove “Lots By Warehouse” relate as the same view can be opened from the stock location relate.
• Rename prefix “Locations Quantity” to “Stock Locations”.
• Document viewing stock levels of lots.
• Rename “Products by Locations” into “Products”, as the locations are added to the tab name, there is no need to specify.

New Releases

We released bug fixes for the currently maintained long term support series
7.0 and 6.0, and for the penultimate series 7.2.

Security

Please update your systems to take care of a security related bug we found last month: trytond allows to execute reports for records for which the user has no read access and also for reports limited to a set of groups that the user is not member of.

Changes for the System Administrator

Now we use a random value for cron next call field when no value is defined.

Now we log the last cron scheduler runs and their durations. A new cron task periodically cleans the log entries. The new cron-section configuration variable clean_days (default 30) sets this period.

Changes for Implementers and Developers

The Tryton view-tests now check for some more attributes like sequence and on_write in tree-views or dtstart and dtend in calendar-views.

Now we unify the term “email”, as it is now the most common and recommended form.

We add to all “cost”-terms a “sale”-suffix in sale shipment cost fields to improve the naming convention and to avoid collisions or misinterpretations.

Authors: @dave @pokoli @udono

2 posts - 2 participants

Read full topic

Albert Cervera has found that trytond allows to execute reports for records that user has no read access and also for reports limited to a set of group that the user is not.

Impact

CVSS v3.0 Base Score: 4.3

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope: Unchanged
• Confidentiality: Low
• Integrity: None
• Availability: None

Workaround

There is no known workaround.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

• trytond:
  • 7.2: <= 7.2.8
  • 7.0: <= 7.0.17
  • 6.0: <= 6.0.51

Non affected versions per series:

• trytond:
  • 7.2: >= 7.2.9
  • 7.0: >= 7.0.18
  • 6.0: >= 6.0.52

Reference

• https://bugs.tryton.org/13505
• https://bugs.tryton.org/13506

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

2 posts - 2 participants

Read full topic