Browse Source

create a new module sql_request_abstract

pull/1323/head
Sylvain LE GAL 8 years ago
committed by hveficent
parent
commit
20a23bf4f3
  1. 93
      sql_request_abstract/README.rst
  2. 3
      sql_request_abstract/__init__.py
  3. 23
      sql_request_abstract/__openerp__.py
  4. 145
      sql_request_abstract/i18n/fr.po
  5. 140
      sql_request_abstract/i18n/sql_export_abstract.pot
  6. 3
      sql_request_abstract/models/__init__.py
  7. 255
      sql_request_abstract/models/sql_request_mixin.py
  8. 4
      sql_request_abstract/security/ir.model.access.csv
  9. 9
      sql_request_abstract/security/ir_module_category.xml
  10. 23
      sql_request_abstract/security/res_groups.xml
  11. BIN
      sql_request_abstract/static/description/icon.png

93
sql_request_abstract/README.rst

@ -0,0 +1,93 @@
.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
:alt: License: AGPL-3
=====================================
Abstract Model to manage SQL Requests
=====================================
This module provide an abstract model to manage SQL Select request on database.
It is not usefull for itself. You can see an exemple of implementation in the
'sql_export' module. (same repository).
Implemented features
--------------------
* Add some restrictions in the sql request:
* you can only read datas. No update, deletion or creation are possible.
* some tables are not allowed, because they could contains clear password
or keys. For the time being ('ir_config_parameter').
* The request can be in a 'draft' or a 'SQL Valid' status. To be valid,
the request has to be cleaned, checked and tested. All of this operations
can be disabled in the inherited modules.
* This module two new groups:
* SQL Request / User : Can see all the sql requests by default and execute
them, if they are valid.
* SQL Request / Manager : has full access on sql requests.
Usage
=====
Inherit the model:
from openerp import models
class MyModel(models.model)
_name = 'my.model'
_inherit = ['sql.request.mixin']
_sql_request_groups_relation = 'my_model_groups_rel'
_sql_request_users_relation = 'my_model_users_rel'
.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
:alt: Try me on Runbot
:target: https://runbot.odoo-community.org/runbot/149/8.0
Bug Tracker
===========
Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcomed feedback.
Credits
=======
Images
------
* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
Contributors
------------
* Florian da Costa <florian.dacosta@akretion.com>
* Sylvain LE GAL (https://twitter.com/legalsylvain)
Funders
-------
The development of this module has been financially supported by:
* Akretion (<http://www.akretion.com>)
* GRAP, Groupement Régional Alimentaire de Proximité (<http://www.grap.coop>)
Maintainer
----------
.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org
This module is maintained by the OCA.
OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.
To contribute to this module, please visit https://odoo-community.org.

3
sql_request_abstract/__init__.py

@ -0,0 +1,3 @@
# -*- coding: utf-8 -*-
from . import models

23
sql_request_abstract/__openerp__.py

@ -0,0 +1,23 @@
# -*- coding: utf-8 -*-
# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
{
'name': 'SQL Request Abstract',
'version': '8.0.1.0.0',
'author': 'GRAP,Akretion,Odoo Community Association (OCA)',
'website': 'https://www.odoo-community.org',
'license': 'AGPL-3',
'category': 'Tools',
'summary': 'Abstract Model to manage SQL Requests',
'depends': [
'base',
],
'data': [
'security/ir_module_category.xml',
'security/res_groups.xml',
'security/ir.model.access.csv',
],
'installable': True,
}

145
sql_request_abstract/i18n/fr.po

@ -0,0 +1,145 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * sql_request_abstract
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 8.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2017-02-27 12:11+0000\n"
"PO-Revision-Date: 2017-02-27 12:11+0000\n"
"Last-Translator: <>\n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: \n"
#. module: sql_request_abstract
#: field:sql.request.mixin,group_ids:0
msgid "Allowed Groups"
msgstr "Groupes autorisés"
#. module: sql_request_abstract
#: field:sql.request.mixin,user_ids:0
msgid "Allowed Users"
msgstr "Utilisateurs Autorisés"
#. module: sql_request_abstract
#: field:sql.request.mixin,create_uid:0
msgid "Created by"
msgstr "Créé par"
#. module: sql_request_abstract
#: field:sql.request.mixin,create_date:0
msgid "Created on"
msgstr "Créé le"
#. module: sql_request_abstract
#: field:sql.request.mixin,display_name:0
msgid "Display Name"
msgstr "Nom affiché"
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "Draft"
msgstr "En brouillon"
#. module: sql_request_abstract
#: field:sql.request.mixin,id:0
msgid "ID"
msgstr "ID"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
#, python-format
msgid "It is not allowed to execute a not checked request."
msgstr "Il n'est pas autorisé d'exécuter une requête non vérifiée."
#. module: sql_request_abstract
#: field:sql.request.mixin,__last_update:0
msgid "Last Modified on"
msgstr "Dernière modification le"
#. module: sql_request_abstract
#: field:sql.request.mixin,write_uid:0
msgid "Last Updated by"
msgstr "Dernière mise à jour par"
#. module: sql_request_abstract
#: field:sql.request.mixin,write_date:0
msgid "Last Updated on"
msgstr "Dernière mise à jour le"
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_request_manager
msgid "Manager"
msgstr "Responsable"
#. module: sql_request_abstract
#: field:sql.request.mixin,name:0
msgid "Name"
msgstr "Nom"
#. module: sql_request_abstract
#: field:sql.request.mixin,query:0
msgid "Query"
msgstr "Requête"
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "SQL Valid"
msgstr "SQL Validé"
#. module: sql_request_abstract
#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
msgid "Sql Request"
msgstr "Request SQL"
#. module: sql_request_abstract
#: field:sql.request.mixin,state:0
msgid "State"
msgstr "Etat"
#. module: sql_request_abstract
#: help:sql.request.mixin,state:0
msgid "State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid"
msgstr "Etat de la requête:\n"
" * 'En brouillon': non testée\n"
" * 'SQL Validé': La requête SQL a été vérifiée et est valide"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
#, python-format
msgid "The SQL query is not valid:\n"
"\n"
" %s"
msgstr "La requête SQL n'est pas valide:\n"
"\n"
" %s"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
#, python-format
msgid "The query is not allowed because it contains unsafe word '%s'"
msgstr "La requête n'est pas autorisée car elle contient un terme non sécurisé '%s'"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
#, python-format
msgid "Unimplemented mode : '%s'"
msgstr "Mode non implémenté : '%s'"
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_request_user
msgid "User"
msgstr "Utilisateur"
#. module: sql_request_abstract
#: help:sql.request.mixin,query:0
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"

140
sql_request_abstract/i18n/sql_export_abstract.pot

@ -0,0 +1,140 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * sql_request_abstract
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 8.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2017-02-27 12:11+0000\n"
"PO-Revision-Date: 2017-02-27 12:11+0000\n"
"Last-Translator: <>\n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: \n"
#. module: sql_request_abstract
#: field:sql.request.mixin,group_ids:0
msgid "Allowed Groups"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,user_ids:0
msgid "Allowed Users"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,create_uid:0
msgid "Created by"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,create_date:0
msgid "Created on"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,display_name:0
msgid "Display Name"
msgstr ""
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "Draft"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,id:0
msgid "ID"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
#, python-format
msgid "It is not allowed to execute a not checked request."
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,__last_update:0
msgid "Last Modified on"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,write_uid:0
msgid "Last Updated by"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,write_date:0
msgid "Last Updated on"
msgstr ""
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_manager
msgid "Manager"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,name:0
msgid "Name"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,query:0
msgid "Query"
msgstr ""
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "SQL Valid"
msgstr ""
#. module: sql_request_abstract
#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
msgid "Sql Request"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,state:0
msgid "State"
msgstr ""
#. module: sql_request_abstract
#: help:sql.request.mixin,state:0
msgid "State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
#, python-format
msgid "The SQL query is not valid:\n"
"\n"
" %s"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
#, python-format
msgid "The query is not allowed because it contains unsafe word '%s'"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
#, python-format
msgid "Unimplemented mode : '%s'"
msgstr ""
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_user
msgid "User"
msgstr ""
#. module: sql_request_abstract
#: help:sql.request.mixin,query:0
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
msgstr ""

3
sql_request_abstract/models/__init__.py

@ -0,0 +1,3 @@
# -*- coding: utf-8 -*-
from . import sql_request_mixin

255
sql_request_abstract/models/sql_request_mixin.py

@ -0,0 +1,255 @@
# -*- coding: utf-8 -*-
# Copyright (C) 2015 Akretion (<http://www.akretion.com>)
# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
import re
import uuid
import StringIO
import base64
from psycopg2 import ProgrammingError
from openerp import _, api, fields, models
from openerp.exceptions import Warning as UserError
class SQLRequestMixin(models.Model):
_name = 'sql.request.mixin'
_clean_query_enabled = True
_check_prohibited_words_enabled = True
_check_execution_enabled = True
_sql_request_groups_relation = False
_sql_request_users_relation = False
STATE_SELECTION = [
('draft', 'Draft'),
('sql_valid', 'SQL Valid'),
]
PROHIBITED_WORDS = [
'delete',
'drop',
'insert',
'alter',
'truncate',
'execute',
'create',
'update',
'ir_config_parameter',
]
# Default Section
@api.model
def _default_group_ids(self):
ir_model_obj = self.env['ir.model.data']
return [ir_model_obj.xmlid_to_res_id(
'sql_request_abstract.group_sql_request_user')]
@api.model
def _default_user_ids(self):
return []
# Columns Section
name = fields.Char('Name', required=True)
query = fields.Text(
string='Query', required=True, help="You can't use the following words"
": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE")
state = fields.Selection(
string='State', selection=STATE_SELECTION, default='draft',
help="State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid")
group_ids = fields.Many2many(
comodel_name='res.groups', string='Allowed Groups',
relation=_sql_request_groups_relation,
column1='sql_id', column2='group_id',
default=_default_group_ids)
user_ids = fields.Many2many(
comodel_name='res.users', string='Allowed Users',
relation=_sql_request_users_relation,
column1='sql_id', column2='user_id',
default=_default_user_ids)
# Action Section
@api.multi
def button_clean_check_request(self):
for item in self:
if item._clean_query_enabled:
item._clean_query()
if item._check_prohibited_words_enabled:
item._check_prohibited_words()
if item._check_execution_enabled:
item._check_execution()
item.state = 'sql_valid'
@api.multi
def button_set_draft(self):
self.write({'state': 'draft'})
# API Section
@api.multi
def _execute_sql_request(
self, params=None, mode='fetchall', rollback=True,
view_name=False, copy_options="CSV HEADER DELIMITER ';'"):
"""Execute a SQL request on the current database.
??? This function checks before if the user has the
right to execute the request.
:param params: (dict) of keys / values that will be replaced in
the sql query, before executing it.
:param mode: (str) result type expected. Available settings :
* 'view': create a view with the select query. Extra param
required 'view_name'.
* 'materialized_view': create a MATERIALIZED VIEW with the
select query. Extra parameter required 'view_name'.
* 'fetchall': execute the select request, and return the
result of 'cr.fetchall()'.
* 'fetchone' : execute the select request, and return the
result of 'cr.fetchone()'
:param rollback: (boolean) mention if a rollback should be played after
the execution of the query. Please keep this feature enabled
for security reason, except if necessary.
(Ignored if @mode in ('view', 'materialized_view'))
:param view_name: (str) name of the view.
(Ignored if @mode not in ('view', 'materialized_view'))
:param copy_options: (str) mentions extra options for
"COPY request STDOUT WITH xxx" request.
(Ignored if @mode != 'stdout')
..note:: The following exceptions could be raised:
psycopg2.ProgrammingError: Error in the SQL Request.
openerp.exceptions.Warning:
* 'mode' is not implemented.
* materialized view is not supported by the Postgresql Server.
"""
self.ensure_one()
res = False
# Check if the request is in a valid state
if self.state == 'draft':
raise UserError(_(
"It is not allowed to execute a not checked request."))
# Disable rollback if a creation of a view is asked
if mode in ('view', 'materialized_view'):
rollback = False
params = params and params or {}
query = self.env.cr.mogrify(self.query, params).decode('utf-8')
if mode in ('fetchone', 'fetchall'):
pass
elif mode == 'stdout':
query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options)
elif mode in 'view':
query = "CREATE VIEW %s AS (%s);" % (query, view_name)
elif mode in 'materialized_view':
self._check_materialized_view_available()
query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name)
else:
raise UserError(_("Unimplemented mode : '%s'" % mode))
if rollback:
rollback_name = self._create_savepoint()
try:
if mode == 'stdout':
output = StringIO.StringIO()
self.env.cr.copy_expert(query, output)
output.getvalue()
res = base64.b64encode(output.getvalue())
output.close()
else:
self.env.cr.execute(query)
if mode == 'fetchall':
res = self.env.cr.fetchall()
elif mode == 'fetchone':
res = self.env.cr.fetchone()
finally:
self._rollback_savepoint(rollback_name)
return res
# Private Section
@api.model
def _create_savepoint(self):
rollback_name = '%s_%s' % (
self._name.replace('.', '_'), uuid.uuid1().hex)
req = "SAVEPOINT %s" % (rollback_name)
self.env.cr.execute(req)
return rollback_name
@api.model
def _rollback_savepoint(self, rollback_name):
req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name)
self.env.cr.execute(req)
@api.model
def _check_materialized_view_available(self):
self.env.cr.execute("SHOW server_version;")
res = self.env.cr.fetchone()[0].split('.')
minor_version = float('.'.join(res[:2]))
return minor_version >= 9.3
@api.multi
def _clean_query(self):
self.ensure_one()
query = self.query.strip()
while query[-1] == ';':
query = query[:-1]
self.query = query
@api.multi
def _check_prohibited_words(self):
"""Check if the query contains prohibited words, to avoid maliscious
SQL requests"""
self.ensure_one()
query = self.query.lower()
for word in self.PROHIBITED_WORDS:
expr = r'\b%s\b' % word
is_not_safe = re.search(expr, query)
if is_not_safe:
raise UserError(_(
"The query is not allowed because it contains unsafe word"
" '%s'") % (word))
@api.multi
def _check_execution(self):
"""Ensure that the query is valid, trying to execute it. A rollback
is done after."""
self.ensure_one()
query = self._prepare_request_check_execution()
rollback_name = self._create_savepoint()
res = False
try:
self.env.cr.execute(query)
res = self._hook_executed_request()
except ProgrammingError as e:
raise UserError(
_("The SQL query is not valid:\n\n %s") % e.message)
finally:
self._rollback_savepoint(rollback_name)
return res
@api.multi
def _prepare_request_check_execution(self):
"""Overload me to replace some part of the query, if it contains
parameters"""
self.ensure_one()
return self.query
def _hook_executed_request(self):
"""Overload me to insert custom code, when the SQL request has
been executed, before the rollback.
"""
self.ensure_one()
return False

4
sql_request_abstract/security/ir.model.access.csv

@ -0,0 +1,4 @@
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_sql_request_mixin_all,access_sql_request_mixin_all,model_sql_request_mixin,,0,0,0,0
access_sql_request_mixin_user,access_sql_request_mixin_user,model_sql_request_mixin,sql_request_abstract.group_sql_request_user,1,0,0,0
access_sql_request_mixin_manager,access_sql_request_mixin_manager,model_sql_request_mixin,sql_request_abstract.group_sql_request_manager,1,1,1,1

9
sql_request_abstract/security/ir_module_category.xml

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<openerp><data>
<record model="ir.module.category" id="category_sql_abstract">
<field name="name">Sql Request</field>
</record>
</data></openerp>

23
sql_request_abstract/security/res_groups.xml

@ -0,0 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
@author Sylvain LE GAL (https://twitter.com/legalsylvain)
License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
-->
<openerp><data>
<record model="res.groups" id="group_sql_request_user">
<field name="name">User</field>
<field name="category_id" ref="category_sql_abstract" />
</record>
<record model="res.groups" id="group_sql_request_manager">
<field name="name">Manager</field>
<field name="category_id" ref="category_sql_abstract" />
<field name="users" eval="[(4, ref('base.user_root'))]"/>
<field name="implied_ids" eval="[(4, ref('group_sql_request_user'))]" />
</record>
</data></openerp>

BIN
sql_request_abstract/static/description/icon.png

After

Width: 128  |  Height: 128  |  Size: 9.2 KiB

Loading…
Cancel
Save