Causes a traceback "Expected singleton" when opening the Reconciliation
from the accounting dashboard

This is a backport of 5a53e5b8 as requested at #26638
Added Florian Kantelberg to our team of contributors

If currency set on account, all journal items part of this account must have either the same
currency or no currency.

In a multicompany environment, if the user is not logged-in in the same company as the statement's company (even though he might have access to it), the reconcile interface was filtering on the user's company instead of the bank statement lines's company.

Was PR #26782

If we do:

- one change that will be saved in history
- go back to the document before any change
- do other change

we can easily get in a state were the history is no longer recorded.

The history is kept like this:

- pos: our position in the history
- aUndo: the snapshots of history
- toSnap: the last history snapshop that is to be saved

so for example if we start without change (at originalState):

  {pos: 0, aUndo=[], toSnap=null}

Then we do two changes (change1, change2):

  {pos: 2, aUndo=[originalState, change1], toSnap=change2}

If we make an undo, we will get to:

  {pos: 1, aUndo=[originalState,change1,change2], toSnap=null)

If we make another change (change3):

  {pos: 2, aUndo=[originalState, change1], toSnap=change3}

So the history after the position is removed.

But when we get back to the original, the state would forever be:

  {pos: 0, aUndo=[originalState], toSnap=change85}

because when doing a change, the code only removed history from the
max(pos, 1) index.

opw-1870119
closes #26701

In the editor in a table cell, when we press UP/DOWN keys:

- we have default editor/browser behavior if there is content before
  (UP) or after (DOWN) the element we are currently on
- else we go to the previous (UP) or next (DOWN) row if available
- else we go to the next content if available
- else we have the default editor/browser behavior

But when checking if there is an element before/after the content, we
did not take into account if there was an ancestor node inside the cell
that had content after, so for example with this structure:

```
<table>
<tr><td>
  <p>hello <b>world</b></p>
  <p>cruel</p>
</td></tr>
<tr><td>
  <p>bingo</p>
</td></tr>
</table>
```

if the current range was on 'world' text node, we would just check if
there is content after this text node, not if there is content after its
`<p/>` ancestor.

Before the fix we would get on the next row, after we would have default
editor/browser behavior: ie. if cruel is on another line, going to this
line.

opw-1870119
closes #26701

The library https://github.com/syleam/openobject-library is obsolete
and advises to use OdooRPC instead.

Closes #26596

Closes #26617

backport 1dbc6556

Company in USD
Invoice in EUR with rate A
Register a payment in EUR with rate B

Unreconcile them.

Before this commit, there was an error because we tried to reconcile the exchange items
with its reversal while the formers were already reconciled with the invoice

After this commit, there is no error

OPW 1864091
closes #26583

- In some cases (merge of partners, etc ...) there might be mail.channel
  that have two mail.channel.partner with the same res.partner.
  When you try to open a discuss window with a partner for which you
  have no existing mail.channel.
  The channel opened is the one where your partner is duplicated.
  This is due to the fact that the SQL request to find the mail.channel
  doesn't take in account that a mail.channel may have twice the same
  partner.

  To fix this issue, we try to exactly match the partners we search.

Trying to generate an exception using a safe_eval was failing
Introduced at 12634e12
Can be ignored for v10 (fixed at bd00fcd5)

Closes #26450

PO that can be linked to an invoice are filtered via a domain
restricting the partner. However when no partner is selected yet, the
domain was `('partner_id', 'child_of', False)` which, beside being horribly slow, was also useless as it returns ALL partners.

Only generate a meaningfull domain.

Shame on me.

Recommended by GitHub's repository alerts.

We normally stick as close as possible to the version we depend
on in the official DEB packages. This in turn depends on the version of
Debian stable at the time of release - for 9.0 that would be Debian 8
(jessie) and thus Pillow 2.6.1.

However Pillow versions before 3.3.2 and Jinja2 before 2.8.1 suffer
from a few issues that could lead to crashes of Odoo workers.
The bugfixes have been backported in the DEB packages for Pillow,
so users of Debian/Ubuntu LTS versions won't be affected if they are
keeping their systems updated.

However it's worth an exception to our rule for pip users.

task: 51094

When converting an opportunity to a quotation, marketing context (campaign,
medium and source) weren't copied to the newly created quotation.

opw 1863825

The gorup was evaluated to True and no group was set on the ACL

The generation of the manifest should not be platform dependent, its content
should be the same whatever local files are present on the filesystem

Domain names may have been interpreted as a regex by mistake

The token field is a technical data that the other users are not able to
use.
It may be confusing for users to see token on the user interface.
Still show it to administrator for debug reasons.

Ensure, we only match the expected az-A-Z characters for old-style
onchanges.
The \w allowed starting with 0-9 which should be prevented.

The change of password is done in SQL so does not update write_date/uid
fields or triggers base.action.rules

The dateutil package uses lazy import to selectively expose its
features: `parser`, `relativedelta`, `rrule`, `tz`.

Depending on installed modules and order of initialization, there was no
guarantee that a given feature was already loaded during the preparation
of the action context.

This patch ensures that we always preload the feature set we need, and
only that feature set. This way we have a consistent `dateutil` lib in
the action context at all times.

When using sudo, the administrator is logged as deleting the action.
For audit reason, log the correct user.
To avoid access rights errors, only group system can delete the action.

Instead of forcing a token field through an override, set it at the class level
to be changed in other model inheriting from the MailThread

An ir.attachment record can be served as a request's reponse if:
  - a request triggers a 404
  - the ir.attachment record has its url field matching the url of
    the failed and is of binary type

Following rev[1], portal users have the right to create these kind of
records, and it is a security concern.

This patch restrict the ability to create and write on the ir.attachment
records that may be served through the dispatch's exception mechanism to
settings users.

As the asset bundles files are served through the use of these special
ir.attachment, we make sure to retrieve only ir.attachment records
created by the superuser in the `get_attachment` method.

As website administrators often need to play with these special
ir.attachment, we also let to this group the permission to manage them.

[1] 61065b6d

Make sure building reports using local resources are disabled.
This avoids get different report result based on the system if the
given resources are or not present (e.g. custom style)

In af64780a an improvement was done so a numerical fields like '-500'
was not breaked up over two lines after the hyphen.

But it seems in a very particular case of printing PDF in a given
combination of condition:

- printing over wkhtmltopdf which itself uses an old version of webkit
- particular font (issue happen with Arial but not "Segoe UI")
- particular version of windows (windows server 2012, not on windows 10)

the - character at the front of a monetary, float or integer field would
be displayed as | erroneously.

The problem is probably that the font system in the old webkit with
given windows will not find the code point in the given font, and
doesn't fallback correctly.

This commit replace using the "NON-BREAKING HYPHEN (U+2011)" by using
the "ZERO WIDTH NO-BREAK SPACE (U+FEFF)" which is an invisible character
with no width that prevent splitting at its location.

As a note, an alternative to this character is "WORD JOINER (U+2060)"
that may be preferred, but it presents exactly the same issue (with
-|500 instead of -{WORD JOINER}500) in the same environment.

mentioned in https://www.odoo.com/forum/1/question/118653
opw-1867842
fixes #17093
fixes #25840
closes #26019

Closes #25652

Rendering in html was correct thanks to the webkit-padding-start 40px added
by the browser. But once printed with wkhtml, the padding was missing.

Now we force the padding manually.

This commit closes #7375