Sylvain LE GAL
8 years ago
23 changed files with 1049 additions and 224 deletions
-
9sql_export/README.rst
-
12sql_export/__openerp__.py
-
17sql_export/demo/sql_export.xml
-
136sql_export/i18n/fr.po
-
110sql_export/i18n/sql_export.pot
-
2sql_export/security/ir.model.access.csv
-
5sql_export/security/sql_export_security.xml
-
88sql_export/sql_export.py
-
48sql_export/sql_export_view.xml
-
54sql_export/tests/test_sql_query.py
-
40sql_export/wizard/wizard_file.py
-
2sql_export/wizard/wizard_file_view.xml
-
93sql_request_abstract/README.rst
-
3sql_request_abstract/__init__.py
-
23sql_request_abstract/__openerp__.py
-
145sql_request_abstract/i18n/fr.po
-
140sql_request_abstract/i18n/sql_export_abstract.pot
-
3sql_request_abstract/models/__init__.py
-
255sql_request_abstract/models/sql_request_mixin.py
-
4sql_request_abstract/security/ir.model.access.csv
-
9sql_request_abstract/security/ir_module_category.xml
-
23sql_request_abstract/security/res_groups.xml
-
BINsql_request_abstract/static/description/icon.png
@ -0,0 +1,17 @@ |
|||||
|
<?xml version="1.0" encoding="UTF-8"?> |
||||
|
<!-- |
||||
|
Copyright (C) 2017 - Today: GRAP (http://www.grap.coop) |
||||
|
@author Sylvain LE GAL (https://twitter.com/legalsylvain) |
||||
|
License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). |
||||
|
--> |
||||
|
|
||||
|
<openerp><data> |
||||
|
|
||||
|
<record id="sql_export_partner" model="sql.export"> |
||||
|
<field name="name">Export Partners (Demo Data)</field> |
||||
|
<field name="query">SELECT name, street FROM res_partner;</field> |
||||
|
</record> |
||||
|
|
||||
|
<function model="sql.export" name="button_clean_check_request" eval="([ref('sql_export.sql_export_partner')])"/> |
||||
|
|
||||
|
</data></openerp> |
@ -1,3 +1,3 @@ |
|||||
"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink" |
"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink" |
||||
"access_sql_export_all","access_sql_export_all","model_sql_export",,1,0,0,0 |
"access_sql_export_all","access_sql_export_all","model_sql_export",,1,0,0,0 |
||||
"access_sql_export_editor","access_sql_export_editor","model_sql_export",group_sql_request_editor,1,1,1,1 |
|
||||
|
"access_sql_export_editor","access_sql_export_editor","model_sql_export",sql_request_abstract.group_sql_request_manager,1,1,1,1 |
@ -0,0 +1,93 @@ |
|||||
|
.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg |
||||
|
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html |
||||
|
:alt: License: AGPL-3 |
||||
|
|
||||
|
===================================== |
||||
|
Abstract Model to manage SQL Requests |
||||
|
===================================== |
||||
|
|
||||
|
This module provide an abstract model to manage SQL Select request on database. |
||||
|
It is not usefull for itself. You can see an exemple of implementation in the |
||||
|
'sql_export' module. (same repository). |
||||
|
|
||||
|
Implemented features |
||||
|
-------------------- |
||||
|
|
||||
|
* Add some restrictions in the sql request: |
||||
|
* you can only read datas. No update, deletion or creation are possible. |
||||
|
* some tables are not allowed, because they could contains clear password |
||||
|
or keys. For the time being ('ir_config_parameter'). |
||||
|
|
||||
|
* The request can be in a 'draft' or a 'SQL Valid' status. To be valid, |
||||
|
the request has to be cleaned, checked and tested. All of this operations |
||||
|
can be disabled in the inherited modules. |
||||
|
|
||||
|
* This module two new groups: |
||||
|
* SQL Request / User : Can see all the sql requests by default and execute |
||||
|
them, if they are valid. |
||||
|
* SQL Request / Manager : has full access on sql requests. |
||||
|
|
||||
|
Usage |
||||
|
===== |
||||
|
|
||||
|
Inherit the model: |
||||
|
|
||||
|
from openerp import models |
||||
|
|
||||
|
class MyModel(models.model) |
||||
|
_name = 'my.model' |
||||
|
_inherit = ['sql.request.mixin'] |
||||
|
|
||||
|
_sql_request_groups_relation = 'my_model_groups_rel' |
||||
|
|
||||
|
_sql_request_users_relation = 'my_model_users_rel' |
||||
|
|
||||
|
|
||||
|
.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas |
||||
|
:alt: Try me on Runbot |
||||
|
:target: https://runbot.odoo-community.org/runbot/149/8.0 |
||||
|
|
||||
|
Bug Tracker |
||||
|
=========== |
||||
|
|
||||
|
Bugs are tracked on `GitHub Issues |
||||
|
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please |
||||
|
check there if your issue has already been reported. If you spotted it first, |
||||
|
help us smash it by providing detailed and welcomed feedback. |
||||
|
|
||||
|
Credits |
||||
|
======= |
||||
|
|
||||
|
Images |
||||
|
------ |
||||
|
|
||||
|
* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_. |
||||
|
|
||||
|
Contributors |
||||
|
------------ |
||||
|
|
||||
|
* Florian da Costa <florian.dacosta@akretion.com> |
||||
|
* Sylvain LE GAL (https://twitter.com/legalsylvain) |
||||
|
|
||||
|
Funders |
||||
|
------- |
||||
|
|
||||
|
The development of this module has been financially supported by: |
||||
|
|
||||
|
* Akretion (<http://www.akretion.com>) |
||||
|
* GRAP, Groupement Régional Alimentaire de Proximité (<http://www.grap.coop>) |
||||
|
|
||||
|
Maintainer |
||||
|
---------- |
||||
|
|
||||
|
.. image:: https://odoo-community.org/logo.png |
||||
|
:alt: Odoo Community Association |
||||
|
:target: https://odoo-community.org |
||||
|
|
||||
|
This module is maintained by the OCA. |
||||
|
|
||||
|
OCA, or the Odoo Community Association, is a nonprofit organization whose |
||||
|
mission is to support the collaborative development of Odoo features and |
||||
|
promote its widespread use. |
||||
|
|
||||
|
To contribute to this module, please visit https://odoo-community.org. |
@ -0,0 +1,3 @@ |
|||||
|
# -*- coding: utf-8 -*- |
||||
|
|
||||
|
from . import models |
@ -0,0 +1,23 @@ |
|||||
|
# -*- coding: utf-8 -*- |
||||
|
# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop) |
||||
|
# @author: Sylvain LE GAL (https://twitter.com/legalsylvain) |
||||
|
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). |
||||
|
|
||||
|
{ |
||||
|
'name': 'SQL Request Abstract', |
||||
|
'version': '8.0.1.0.0', |
||||
|
'author': 'GRAP,Akretion,Odoo Community Association (OCA)', |
||||
|
'website': 'https://www.odoo-community.org', |
||||
|
'license': 'AGPL-3', |
||||
|
'category': 'Tools', |
||||
|
'summary': 'Abstract Model to manage SQL Requests', |
||||
|
'depends': [ |
||||
|
'base', |
||||
|
], |
||||
|
'data': [ |
||||
|
'security/ir_module_category.xml', |
||||
|
'security/res_groups.xml', |
||||
|
'security/ir.model.access.csv', |
||||
|
], |
||||
|
'installable': True, |
||||
|
} |
@ -0,0 +1,145 @@ |
|||||
|
|
||||
|
# Translation of Odoo Server. |
||||
|
# This file contains the translation of the following modules: |
||||
|
# * sql_request_abstract |
||||
|
# |
||||
|
msgid "" |
||||
|
msgstr "" |
||||
|
"Project-Id-Version: Odoo Server 8.0\n" |
||||
|
"Report-Msgid-Bugs-To: \n" |
||||
|
"POT-Creation-Date: 2017-02-27 12:11+0000\n" |
||||
|
"PO-Revision-Date: 2017-02-27 12:11+0000\n" |
||||
|
"Last-Translator: <>\n" |
||||
|
"Language-Team: \n" |
||||
|
"MIME-Version: 1.0\n" |
||||
|
"Content-Type: text/plain; charset=UTF-8\n" |
||||
|
"Content-Transfer-Encoding: \n" |
||||
|
"Plural-Forms: \n" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,group_ids:0 |
||||
|
msgid "Allowed Groups" |
||||
|
msgstr "Groupes autorisés" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,user_ids:0 |
||||
|
msgid "Allowed Users" |
||||
|
msgstr "Utilisateurs Autorisés" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,create_uid:0 |
||||
|
msgid "Created by" |
||||
|
msgstr "Créé par" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,create_date:0 |
||||
|
msgid "Created on" |
||||
|
msgstr "Créé le" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,display_name:0 |
||||
|
msgid "Display Name" |
||||
|
msgstr "Nom affiché" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: selection:sql.request.mixin,state:0 |
||||
|
msgid "Draft" |
||||
|
msgstr "En brouillon" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,id:0 |
||||
|
msgid "ID" |
||||
|
msgstr "ID" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135 |
||||
|
#, python-format |
||||
|
msgid "It is not allowed to execute a not checked request." |
||||
|
msgstr "Il n'est pas autorisé d'exécuter une requête non vérifiée." |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,__last_update:0 |
||||
|
msgid "Last Modified on" |
||||
|
msgstr "Dernière modification le" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,write_uid:0 |
||||
|
msgid "Last Updated by" |
||||
|
msgstr "Dernière mise à jour par" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,write_date:0 |
||||
|
msgid "Last Updated on" |
||||
|
msgstr "Dernière mise à jour le" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: model:res.groups,name:sql_request_abstract.group_sql_request_manager |
||||
|
msgid "Manager" |
||||
|
msgstr "Responsable" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,name:0 |
||||
|
msgid "Name" |
||||
|
msgstr "Nom" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,query:0 |
||||
|
msgid "Query" |
||||
|
msgstr "Requête" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: selection:sql.request.mixin,state:0 |
||||
|
msgid "SQL Valid" |
||||
|
msgstr "SQL Validé" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract |
||||
|
msgid "Sql Request" |
||||
|
msgstr "Request SQL" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,state:0 |
||||
|
msgid "State" |
||||
|
msgstr "Etat" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: help:sql.request.mixin,state:0 |
||||
|
msgid "State of the Request:\n" |
||||
|
" * 'Draft': Not tested\n" |
||||
|
" * 'SQL Valid': SQL Request has been checked and is valid" |
||||
|
msgstr "Etat de la requête:\n" |
||||
|
" * 'En brouillon': non testée\n" |
||||
|
" * 'SQL Validé': La requête SQL a été vérifiée et est valide" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248 |
||||
|
#, python-format |
||||
|
msgid "The SQL query is not valid:\n" |
||||
|
"\n" |
||||
|
" %s" |
||||
|
msgstr "La requête SQL n'est pas valide:\n" |
||||
|
"\n" |
||||
|
" %s" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217 |
||||
|
#, python-format |
||||
|
msgid "The query is not allowed because it contains unsafe word '%s'" |
||||
|
msgstr "La requête n'est pas autorisée car elle contient un terme non sécurisé '%s'" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156 |
||||
|
#, python-format |
||||
|
msgid "Unimplemented mode : '%s'" |
||||
|
msgstr "Mode non implémenté : '%s'" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: model:res.groups,name:sql_request_abstract.group_sql_request_user |
||||
|
msgid "User" |
||||
|
msgstr "Utilisateur" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: help:sql.request.mixin,query:0 |
||||
|
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE" |
||||
|
msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE" |
||||
|
|
@ -0,0 +1,140 @@ |
|||||
|
# Translation of Odoo Server. |
||||
|
# This file contains the translation of the following modules: |
||||
|
# * sql_request_abstract |
||||
|
# |
||||
|
msgid "" |
||||
|
msgstr "" |
||||
|
"Project-Id-Version: Odoo Server 8.0\n" |
||||
|
"Report-Msgid-Bugs-To: \n" |
||||
|
"POT-Creation-Date: 2017-02-27 12:11+0000\n" |
||||
|
"PO-Revision-Date: 2017-02-27 12:11+0000\n" |
||||
|
"Last-Translator: <>\n" |
||||
|
"Language-Team: \n" |
||||
|
"MIME-Version: 1.0\n" |
||||
|
"Content-Type: text/plain; charset=UTF-8\n" |
||||
|
"Content-Transfer-Encoding: \n" |
||||
|
"Plural-Forms: \n" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,group_ids:0 |
||||
|
msgid "Allowed Groups" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,user_ids:0 |
||||
|
msgid "Allowed Users" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,create_uid:0 |
||||
|
msgid "Created by" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,create_date:0 |
||||
|
msgid "Created on" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,display_name:0 |
||||
|
msgid "Display Name" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: selection:sql.request.mixin,state:0 |
||||
|
msgid "Draft" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,id:0 |
||||
|
msgid "ID" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135 |
||||
|
#, python-format |
||||
|
msgid "It is not allowed to execute a not checked request." |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,__last_update:0 |
||||
|
msgid "Last Modified on" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,write_uid:0 |
||||
|
msgid "Last Updated by" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,write_date:0 |
||||
|
msgid "Last Updated on" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_manager |
||||
|
msgid "Manager" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,name:0 |
||||
|
msgid "Name" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,query:0 |
||||
|
msgid "Query" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: selection:sql.request.mixin,state:0 |
||||
|
msgid "SQL Valid" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract |
||||
|
msgid "Sql Request" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: field:sql.request.mixin,state:0 |
||||
|
msgid "State" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: help:sql.request.mixin,state:0 |
||||
|
msgid "State of the Request:\n" |
||||
|
" * 'Draft': Not tested\n" |
||||
|
" * 'SQL Valid': SQL Request has been checked and is valid" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248 |
||||
|
#, python-format |
||||
|
msgid "The SQL query is not valid:\n" |
||||
|
"\n" |
||||
|
" %s" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217 |
||||
|
#, python-format |
||||
|
msgid "The query is not allowed because it contains unsafe word '%s'" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156 |
||||
|
#, python-format |
||||
|
msgid "Unimplemented mode : '%s'" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_user |
||||
|
msgid "User" |
||||
|
msgstr "" |
||||
|
|
||||
|
#. module: sql_request_abstract |
||||
|
#: help:sql.request.mixin,query:0 |
||||
|
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE" |
||||
|
msgstr "" |
||||
|
|
@ -0,0 +1,3 @@ |
|||||
|
# -*- coding: utf-8 -*- |
||||
|
|
||||
|
from . import sql_request_mixin |
@ -0,0 +1,255 @@ |
|||||
|
# -*- coding: utf-8 -*- |
||||
|
# Copyright (C) 2015 Akretion (<http://www.akretion.com>) |
||||
|
# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop) |
||||
|
# @author: Sylvain LE GAL (https://twitter.com/legalsylvain) |
||||
|
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). |
||||
|
|
||||
|
import re |
||||
|
import uuid |
||||
|
import StringIO |
||||
|
import base64 |
||||
|
from psycopg2 import ProgrammingError |
||||
|
|
||||
|
from openerp import _, api, fields, models |
||||
|
from openerp.exceptions import Warning as UserError |
||||
|
|
||||
|
|
||||
|
class SQLRequestMixin(models.Model): |
||||
|
_name = 'sql.request.mixin' |
||||
|
|
||||
|
_clean_query_enabled = True |
||||
|
|
||||
|
_check_prohibited_words_enabled = True |
||||
|
|
||||
|
_check_execution_enabled = True |
||||
|
|
||||
|
_sql_request_groups_relation = False |
||||
|
|
||||
|
_sql_request_users_relation = False |
||||
|
|
||||
|
STATE_SELECTION = [ |
||||
|
('draft', 'Draft'), |
||||
|
('sql_valid', 'SQL Valid'), |
||||
|
] |
||||
|
|
||||
|
PROHIBITED_WORDS = [ |
||||
|
'delete', |
||||
|
'drop', |
||||
|
'insert', |
||||
|
'alter', |
||||
|
'truncate', |
||||
|
'execute', |
||||
|
'create', |
||||
|
'update', |
||||
|
'ir_config_parameter', |
||||
|
] |
||||
|
|
||||
|
# Default Section |
||||
|
@api.model |
||||
|
def _default_group_ids(self): |
||||
|
ir_model_obj = self.env['ir.model.data'] |
||||
|
return [ir_model_obj.xmlid_to_res_id( |
||||
|
'sql_request_abstract.group_sql_request_user')] |
||||
|
|
||||
|
@api.model |
||||
|
def _default_user_ids(self): |
||||
|
return [] |
||||
|
|
||||
|
# Columns Section |
||||
|
name = fields.Char('Name', required=True) |
||||
|
|
||||
|
query = fields.Text( |
||||
|
string='Query', required=True, help="You can't use the following words" |
||||
|
": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE") |
||||
|
|
||||
|
state = fields.Selection( |
||||
|
string='State', selection=STATE_SELECTION, default='draft', |
||||
|
help="State of the Request:\n" |
||||
|
" * 'Draft': Not tested\n" |
||||
|
" * 'SQL Valid': SQL Request has been checked and is valid") |
||||
|
|
||||
|
group_ids = fields.Many2many( |
||||
|
comodel_name='res.groups', string='Allowed Groups', |
||||
|
relation=_sql_request_groups_relation, |
||||
|
column1='sql_id', column2='group_id', |
||||
|
default=_default_group_ids) |
||||
|
|
||||
|
user_ids = fields.Many2many( |
||||
|
comodel_name='res.users', string='Allowed Users', |
||||
|
relation=_sql_request_users_relation, |
||||
|
column1='sql_id', column2='user_id', |
||||
|
default=_default_user_ids) |
||||
|
|
||||
|
# Action Section |
||||
|
@api.multi |
||||
|
def button_clean_check_request(self): |
||||
|
for item in self: |
||||
|
if item._clean_query_enabled: |
||||
|
item._clean_query() |
||||
|
if item._check_prohibited_words_enabled: |
||||
|
item._check_prohibited_words() |
||||
|
if item._check_execution_enabled: |
||||
|
item._check_execution() |
||||
|
item.state = 'sql_valid' |
||||
|
|
||||
|
@api.multi |
||||
|
def button_set_draft(self): |
||||
|
self.write({'state': 'draft'}) |
||||
|
|
||||
|
# API Section |
||||
|
@api.multi |
||||
|
def _execute_sql_request( |
||||
|
self, params=None, mode='fetchall', rollback=True, |
||||
|
view_name=False, copy_options="CSV HEADER DELIMITER ';'"): |
||||
|
"""Execute a SQL request on the current database. |
||||
|
|
||||
|
??? This function checks before if the user has the |
||||
|
right to execute the request. |
||||
|
|
||||
|
:param params: (dict) of keys / values that will be replaced in |
||||
|
the sql query, before executing it. |
||||
|
:param mode: (str) result type expected. Available settings : |
||||
|
* 'view': create a view with the select query. Extra param |
||||
|
required 'view_name'. |
||||
|
* 'materialized_view': create a MATERIALIZED VIEW with the |
||||
|
select query. Extra parameter required 'view_name'. |
||||
|
* 'fetchall': execute the select request, and return the |
||||
|
result of 'cr.fetchall()'. |
||||
|
* 'fetchone' : execute the select request, and return the |
||||
|
result of 'cr.fetchone()' |
||||
|
:param rollback: (boolean) mention if a rollback should be played after |
||||
|
the execution of the query. Please keep this feature enabled |
||||
|
for security reason, except if necessary. |
||||
|
(Ignored if @mode in ('view', 'materialized_view')) |
||||
|
:param view_name: (str) name of the view. |
||||
|
(Ignored if @mode not in ('view', 'materialized_view')) |
||||
|
:param copy_options: (str) mentions extra options for |
||||
|
"COPY request STDOUT WITH xxx" request. |
||||
|
(Ignored if @mode != 'stdout') |
||||
|
|
||||
|
..note:: The following exceptions could be raised: |
||||
|
psycopg2.ProgrammingError: Error in the SQL Request. |
||||
|
openerp.exceptions.Warning: |
||||
|
* 'mode' is not implemented. |
||||
|
* materialized view is not supported by the Postgresql Server. |
||||
|
""" |
||||
|
self.ensure_one() |
||||
|
res = False |
||||
|
# Check if the request is in a valid state |
||||
|
if self.state == 'draft': |
||||
|
raise UserError(_( |
||||
|
"It is not allowed to execute a not checked request.")) |
||||
|
|
||||
|
# Disable rollback if a creation of a view is asked |
||||
|
if mode in ('view', 'materialized_view'): |
||||
|
rollback = False |
||||
|
|
||||
|
params = params and params or {} |
||||
|
query = self.env.cr.mogrify(self.query, params).decode('utf-8') |
||||
|
|
||||
|
if mode in ('fetchone', 'fetchall'): |
||||
|
pass |
||||
|
elif mode == 'stdout': |
||||
|
query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options) |
||||
|
elif mode in 'view': |
||||
|
query = "CREATE VIEW %s AS (%s);" % (query, view_name) |
||||
|
elif mode in 'materialized_view': |
||||
|
self._check_materialized_view_available() |
||||
|
query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name) |
||||
|
else: |
||||
|
raise UserError(_("Unimplemented mode : '%s'" % mode)) |
||||
|
|
||||
|
if rollback: |
||||
|
rollback_name = self._create_savepoint() |
||||
|
try: |
||||
|
if mode == 'stdout': |
||||
|
output = StringIO.StringIO() |
||||
|
self.env.cr.copy_expert(query, output) |
||||
|
output.getvalue() |
||||
|
res = base64.b64encode(output.getvalue()) |
||||
|
output.close() |
||||
|
else: |
||||
|
self.env.cr.execute(query) |
||||
|
if mode == 'fetchall': |
||||
|
res = self.env.cr.fetchall() |
||||
|
elif mode == 'fetchone': |
||||
|
res = self.env.cr.fetchone() |
||||
|
finally: |
||||
|
self._rollback_savepoint(rollback_name) |
||||
|
|
||||
|
return res |
||||
|
|
||||
|
# Private Section |
||||
|
@api.model |
||||
|
def _create_savepoint(self): |
||||
|
rollback_name = '%s_%s' % ( |
||||
|
self._name.replace('.', '_'), uuid.uuid1().hex) |
||||
|
req = "SAVEPOINT %s" % (rollback_name) |
||||
|
self.env.cr.execute(req) |
||||
|
return rollback_name |
||||
|
|
||||
|
@api.model |
||||
|
def _rollback_savepoint(self, rollback_name): |
||||
|
req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name) |
||||
|
self.env.cr.execute(req) |
||||
|
|
||||
|
@api.model |
||||
|
def _check_materialized_view_available(self): |
||||
|
self.env.cr.execute("SHOW server_version;") |
||||
|
res = self.env.cr.fetchone()[0].split('.') |
||||
|
minor_version = float('.'.join(res[:2])) |
||||
|
return minor_version >= 9.3 |
||||
|
|
||||
|
@api.multi |
||||
|
def _clean_query(self): |
||||
|
self.ensure_one() |
||||
|
query = self.query.strip() |
||||
|
while query[-1] == ';': |
||||
|
query = query[:-1] |
||||
|
self.query = query |
||||
|
|
||||
|
@api.multi |
||||
|
def _check_prohibited_words(self): |
||||
|
"""Check if the query contains prohibited words, to avoid maliscious |
||||
|
SQL requests""" |
||||
|
self.ensure_one() |
||||
|
query = self.query.lower() |
||||
|
for word in self.PROHIBITED_WORDS: |
||||
|
expr = r'\b%s\b' % word |
||||
|
is_not_safe = re.search(expr, query) |
||||
|
if is_not_safe: |
||||
|
raise UserError(_( |
||||
|
"The query is not allowed because it contains unsafe word" |
||||
|
" '%s'") % (word)) |
||||
|
|
||||
|
@api.multi |
||||
|
def _check_execution(self): |
||||
|
"""Ensure that the query is valid, trying to execute it. A rollback |
||||
|
is done after.""" |
||||
|
self.ensure_one() |
||||
|
query = self._prepare_request_check_execution() |
||||
|
rollback_name = self._create_savepoint() |
||||
|
res = False |
||||
|
try: |
||||
|
self.env.cr.execute(query) |
||||
|
res = self._hook_executed_request() |
||||
|
except ProgrammingError as e: |
||||
|
raise UserError( |
||||
|
_("The SQL query is not valid:\n\n %s") % e.message) |
||||
|
finally: |
||||
|
self._rollback_savepoint(rollback_name) |
||||
|
return res |
||||
|
|
||||
|
@api.multi |
||||
|
def _prepare_request_check_execution(self): |
||||
|
"""Overload me to replace some part of the query, if it contains |
||||
|
parameters""" |
||||
|
self.ensure_one() |
||||
|
return self.query |
||||
|
|
||||
|
def _hook_executed_request(self): |
||||
|
"""Overload me to insert custom code, when the SQL request has |
||||
|
been executed, before the rollback. |
||||
|
""" |
||||
|
self.ensure_one() |
||||
|
return False |
@ -0,0 +1,4 @@ |
|||||
|
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink |
||||
|
access_sql_request_mixin_all,access_sql_request_mixin_all,model_sql_request_mixin,,0,0,0,0 |
||||
|
access_sql_request_mixin_user,access_sql_request_mixin_user,model_sql_request_mixin,sql_request_abstract.group_sql_request_user,1,0,0,0 |
||||
|
access_sql_request_mixin_manager,access_sql_request_mixin_manager,model_sql_request_mixin,sql_request_abstract.group_sql_request_manager,1,1,1,1 |
@ -0,0 +1,9 @@ |
|||||
|
<?xml version="1.0" encoding="UTF-8"?> |
||||
|
|
||||
|
<openerp><data> |
||||
|
|
||||
|
<record model="ir.module.category" id="category_sql_abstract"> |
||||
|
<field name="name">Sql Request</field> |
||||
|
</record> |
||||
|
|
||||
|
</data></openerp> |
@ -0,0 +1,23 @@ |
|||||
|
<?xml version="1.0" encoding="UTF-8"?> |
||||
|
<!-- |
||||
|
Copyright (C) 2017 - Today: GRAP (http://www.grap.coop) |
||||
|
@author Sylvain LE GAL (https://twitter.com/legalsylvain) |
||||
|
License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). |
||||
|
--> |
||||
|
|
||||
|
<openerp><data> |
||||
|
|
||||
|
<record model="res.groups" id="group_sql_request_user"> |
||||
|
<field name="name">User</field> |
||||
|
<field name="category_id" ref="category_sql_abstract" /> |
||||
|
</record> |
||||
|
|
||||
|
|
||||
|
<record model="res.groups" id="group_sql_request_manager"> |
||||
|
<field name="name">Manager</field> |
||||
|
<field name="category_id" ref="category_sql_abstract" /> |
||||
|
<field name="users" eval="[(4, ref('base.user_root'))]"/> |
||||
|
<field name="implied_ids" eval="[(4, ref('group_sql_request_user'))]" /> |
||||
|
</record> |
||||
|
|
||||
|
</data></openerp> |
After Width: 128 | Height: 128 | Size: 9.2 KiB |
Write
Preview
Loading…
Cancel
Save
Reference in new issue