From b8efac6bba8fa34a80725ed753af2b8b642b74aa Mon Sep 17 00:00:00 2001
From: Florian da Costa <florian.dacosta@akretion.com>
Date: Thu, 20 Jun 2019 20:33:58 +0200
Subject: [PATCH] Fix uses of params in sql query

---
 sql_export/demo/sql_export.xml                | 36 +++++++++++++++++++
 sql_export/tests/test_sql_query.py            | 16 ++++++++-
 sql_export/views/sql_export_view.xml          | 34 ++++++++++++++++--
 sql_export/wizard/wizard_file.py              |  7 +++-
 .../models/sql_request_mixin.py               |  7 +---
 5 files changed, 89 insertions(+), 11 deletions(-)

diff --git a/sql_export/demo/sql_export.xml b/sql_export/demo/sql_export.xml
index fa1268bc7..4c20291b9 100644
--- a/sql_export/demo/sql_export.xml
+++ b/sql_export/demo/sql_export.xml
@@ -7,6 +7,34 @@ License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 
 <odoo>
 
+    <record id="date_field_variable_sql" model="ir.model.fields">
+        <field name="name">x_date</field>
+        <field name="field_description">Date</field>
+        <field name="ttype">date</field>
+        <field name="model_id" ref="sql_export.model_sql_file_wizard"/>
+        <field name="model">sql.file.wizard</field>
+        <field name="state">manual</field>
+    </record>
+
+    <record id="integer_field_variable_sql" model="ir.model.fields">
+        <field name="name">x_id</field>
+        <field name="field_description">ID</field>
+        <field name="ttype">integer</field>
+        <field name="model_id" ref="sql_export.model_sql_file_wizard"/>
+        <field name="model">sql.file.wizard</field>
+        <field name="state">manual</field>
+    </record>
+
+    <record id="m2m_field_variable_sql" model="ir.model.fields">
+        <field name="name">x_partner_categ_ids</field>
+        <field name="field_description">Partner Categories</field>
+        <field name="ttype">many2many</field>
+        <field name="model_id" ref="sql_export.model_sql_file_wizard"/>
+        <field name="model">sql.file.wizard</field>
+        <field name="state">manual</field>
+        <field name="relation">res.partner.category</field>
+    </record>
+
     <record id="sql_export_partner" model="sql.export">
         <field name="name">Export Partners (Demo Data)</field>
         <field name="query">SELECT name, street FROM res_partner;</field>
@@ -14,4 +42,12 @@ License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 
     <function model="sql.export" name="button_validate_sql_expression" eval="([ref('sql_export.sql_export_partner')])"/>
 
+    <record id="sql_export_partner_with_variables" model="sql.export">
+        <field name="name">Export Partners With Variables (Demo Data)</field>
+	<field name="query">SELECT p.id FROM res_partner p LEFT JOIN res_partner_res_partner_category_rel rel ON rel.partner_id = p.id WHERE create_date &lt; %(x_date)s AND id = %(x_id)s AND rel.category_id in %(x_partner_categ_ids)s</field>
+	<field eval="[(6, 0, [ref('date_field_variable_sql'), ref('integer_field_variable_sql'), ref('m2m_field_variable_sql')])]" name="field_ids"/>
+    </record>
+
+    <function model="sql.export" name="button_validate_sql_expression" eval="([ref('sql_export.sql_export_partner_with_variables')])"/>
+
 </odoo>
diff --git a/sql_export/tests/test_sql_query.py b/sql_export/tests/test_sql_query.py
index 94ea9c15e..7b0c48b73 100644
--- a/sql_export/tests/test_sql_query.py
+++ b/sql_export/tests/test_sql_query.py
@@ -4,7 +4,8 @@
 
 import base64
 from odoo.tests.common import TransactionCase, post_install
-from odoo.exceptions import Warning as UserError
+from odoo.exceptions import UserError
+from odoo import fields
 
 
 @post_install(True)
@@ -56,3 +57,16 @@ class TestExportSqlQuery(TransactionCase):
             self.assertEqual(
                 sql_export.state, 'sql_valid',
                 "%s is a valid request" % (query))
+
+    def test_sql_query_with_params(self):
+        query = self.env.ref('sql_export.sql_export_partner_with_variables')
+        categ_id = self.env.ref('base.res_partner_category_0').id
+        wizard = self.wizard_obj.create({
+            'sql_export_id': query.id,
+            'x_date': fields.Date.today(),
+            'x_id': 1,
+            'x_partner_categ_ids': [(6, 0, [categ_id])]
+        })
+        wizard.export_sql()
+        export = base64.b64decode(wizard.binary_file)
+        self.assertTrue(export)
diff --git a/sql_export/views/sql_export_view.xml b/sql_export/views/sql_export_view.xml
index 53ac7f4f0..3bdc86b71 100644
--- a/sql_export/views/sql_export_view.xml
+++ b/sql_export/views/sql_export_view.xml
@@ -73,8 +73,18 @@
     <record id="sql_parameter_view_form" model="ir.ui.view">
         <field name="name">Sql_parameter_form_view</field>
         <field name="model">ir.model.fields</field>
+	<field name="priority">150</field>
         <field name="arch" type="xml">
             <form string="SQL export">
+		<group>
+                    <field name="name"/>
+                    <field name="field_description"/>
+                    <field name="ttype"/>
+		    <field name="relation" attrs="{'invisible': [('ttype', 'not in', ('many2one', 'many2many', 'one2many'))], 'required': [('ttype', 'in', ('many2one', 'many2many', 'one2many'))]}"/>
+                    <field name="model_id" readonly="1"/>
+                    <field name="model" invisible="1"/>
+                    <field name="required"/>
+	        </group>
             </form>
         </field>
     </record>
@@ -82,22 +92,40 @@
     <record id="sql_parameter_view_tree" model="ir.ui.view">
         <field name="name">Sql_parameter_tree_view</field>
         <field name="model">ir.model.fields</field>
+	<field name="priority">150</field>
         <field name="arch" type="xml">
             <tree string="SQL Parameter">
                 <field name="name"/>
+                <field name="field_description"/>
+                <field name="ttype"/>
+                <field name="required"/>
             </tree>
         </field>
     </record>
 
-    <record id="sql_parameter_tree_action" model="ir.actions.act_window">
+    <record id="sql_parameter_action" model="ir.actions.act_window">
         <field name="name">SQL Parameter</field>
         <field name="res_model">ir.model.fields</field>
         <field name="view_type">form</field>
         <field name="view_mode">tree,form</field>
-        <field name="context" eval="{'default_model_id': ref('sql_export.model_sql_file_wizard'), 'default_size': 64, 'search_default_state': 'manual'}"/>
+        <field name="context" eval="{'default_model_id': ref('sql_export.model_sql_file_wizard'), 'default_size': 64, 'search_default_state': 'manual', 'default_model': 'sql.file.wizard'}"/>
         <field name="domain">[('model','=','sql.file.wizard')]</field>
     </record>
 
-    <menuitem id="sql_parameter_menu_view" name="Sql Export Variables" parent="sql_export_menu" action="sql_parameter_tree_action" sequence="5" groups="sql_request_abstract.group_sql_request_manager"/>
+        <record id="sql_parameter_action_view_tree" model="ir.actions.act_window.view">
+            <field name="sequence" eval="1"/>
+            <field name="view_mode">tree</field>
+            <field name="view_id" ref="sql_parameter_view_tree"/>
+            <field name="act_window_id" ref="sql_parameter_action"/>
+        </record>
+
+        <record id="sql_parameter_action_view_form" model="ir.actions.act_window.view">
+            <field name="sequence" eval="2"/>
+            <field name="view_mode">form</field>
+            <field name="view_id" ref="sql_parameter_view_form"/>
+            <field name="act_window_id" ref="sql_parameter_action"/>
+        </record>
+
+    <menuitem id="sql_parameter_menu_view" name="Sql Export Variables" parent="sql_export_menu" action="sql_parameter_action" sequence="5" groups="sql_request_abstract.group_sql_request_manager"/>
 
 </odoo>
diff --git a/sql_export/wizard/wizard_file.py b/sql_export/wizard/wizard_file.py
index fad2c569c..25031b2f7 100644
--- a/sql_export/wizard/wizard_file.py
+++ b/sql_export/wizard/wizard_file.py
@@ -62,7 +62,12 @@ class SqlFileWizard(models.TransientModel):
         date = now_tz.strftime(DEFAULT_SERVER_DATETIME_FORMAT)
         if sql_export.field_ids:
             for field in sql_export.field_ids:
-                variable_dict[field.name] = self[field.name]
+                if field.ttype == 'many2one':
+                    variable_dict[field.name] = self[field.name].id
+                elif field.ttype == 'many2many':
+                    variable_dict[field.name] = tuple(self[field.name].ids)
+                else:
+                    variable_dict[field.name] = self[field.name]
         if "%(company_id)s" in sql_export.query:
             variable_dict['company_id'] = self.env.user.company_id.id
         if "%(user_id)s" in sql_export.query:
diff --git a/sql_request_abstract/models/sql_request_mixin.py b/sql_request_abstract/models/sql_request_mixin.py
index cd2010355..dd454bee0 100644
--- a/sql_request_abstract/models/sql_request_mixin.py
+++ b/sql_request_abstract/models/sql_request_mixin.py
@@ -144,12 +144,7 @@ class SQLRequestMixin(models.AbstractModel):
         if mode in ('view', 'materialized_view'):
             rollback = False
 
-        # pylint: disable=sql-injection
-        if params:
-            query = self.query % params
-        else:
-            query = self.query
-        query = query
+        query = self.env.cr.mogrify(self.query, params).decode('utf-8')
 
         if mode in ('fetchone', 'fetchall'):
             pass