[REF] create a new module sql_request_abstract

8 years ago · 6aea27bb3d
23 changed files with 1049 additions and 224 deletions
--- a/sql_export/README.rst
+++ b/sql_export/README.rst
@ -12,16 +12,21 @@ A new menu named Export is created.
 Known issues / Roadmap
 ======================
 Some words are prohibeted and can't be used is the query in anyways, even in a select query :
 * delete
 * drop
 * insert
 * alter
 * truncate
 * execute
 * create
 * update
 * Some words are prohibeted and can't be used is the query in anyways, even in a select query :
    * delete
    * drop
    * insert
    * alter
    * truncate
    * execute
    * create
    * update
 See sql_request_abstract module to fix this issue.
 * checking SQL request by execution and rollback is disabled in this module
  since variables features has been introduced. This can be fixed by
  overloading _prepare_request_check_execution() function.
 Bug Tracker
--- a/sql_export/openerp.py
+++ b/sql_export/openerp.py
@ -19,21 +19,25 @@
 #
 ##############################################################################
 {'name': 'SQL Export',
 'version': '9.0.1.0.0',
 'author': 'Akretion,Odoo Community Association (OCA)',
 'website': 'http://www.akretion.com',
 'license': 'AGPL-3',
 'category': 'Generic Modules/Others',
 'summary': 'Export data in csv file with SQL requests',
 'depends': ['base',
             ],
 'data': [
     'views/sql_export_view.xml',
     'wizard/wizard_file_view.xml',
     'security/sql_export_security.xml',
     'security/ir.model.access.csv',
 ],
 'installable': True,
 'images': [],
 }
 {
    'name': 'SQL Export',
    'version': '9.0.1.0.0',
    'author': 'Akretion,Odoo Community Association (OCA)',
    'website': 'http://www.akretion.com',
    'license': 'AGPL-3',
    'category': 'Generic Modules/Others',
    'summary': 'Export data in csv file with SQL requests',
    'depends': [
        'sql_request_abstract',
    ],
    'data': [
        'views/sql_export_view.xml',
        'wizard/wizard_file_view.xml',
        'security/sql_export_security.xml',
        'security/ir.model.access.csv',
    ],
    'demo': [
        'demo/sql_export.xml',
    ],
    'installable': True,
    }
--- a/sql_export/demo/sql_export.xml
+++ b/sql_export/demo/sql_export.xml
@ -0,0 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
@author Sylvain LE GAL (https://twitter.com/legalsylvain)
 License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 -->
 <openerp><data>
    <record id="sql_export_partner" model="sql.export">
        <field name="name">Export Partners (Demo Data)</field>
        <field name="query">SELECT name, street FROM res_partner;</field>
    </record>
    <function model="sql.export" name="button_clean_check_request" eval="([ref('sql_export.sql_export_partner')])"/>
 </data></openerp>
--- a/sql_export/i18n/fr.po
+++ b/sql_export/i18n/fr.po
@ -6,8 +6,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 8.0\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2016-02-05 13:10+0000\n"
 "PO-Revision-Date: 2016-02-05 13:10+0000\n"
 "POT-Creation-Date: 2017-02-27 12:18+0000\n"
 "PO-Revision-Date: 2017-02-27 12:18+0000\n"
 "Last-Translator: <>\n"
 "Language-Team: \n"
 "MIME-Version: 1.0\n"
@ -21,6 +21,7 @@ msgid "Allow the user to save the file with sql request's data"
 msgstr "Permet à l'utilisateur de sauvegarder le fichier contenant les données de la requête SQL"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 #: field:sql.export,group_ids:0
 msgid "Allowed Groups"
 msgstr "Groupes Autorisés"
@ -31,15 +32,20 @@ msgstr "Groupes Autorisés"
 msgid "Allowed Users"
 msgstr "Utilisateurs Autorisés"
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "Cancel"
 msgstr "Annuler"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "Allowed Users Groups"
 msgstr "Groupes d'utilisateurs Autorisés"
 msgid "Clean and Check Request"
 msgstr "Corriger et vérifier la requête"
 #. module: sql_export
 #: field:sql.export,copy_options:0
 msgid "Copy Options"
 msgstr "Copy Options"
 msgstr "Options de copie"
 #. module: sql_export
 #: field:sql.export,create_uid:0
@ -58,10 +64,32 @@ msgstr "Créé le"
 msgid "Csv File"
 msgstr "Fichier CSV"
 #. module: sql_export
 #: field:sql.export,display_name:0
 #: field:sql.file.wizard,display_name:0
 msgid "Display Name"
 msgstr "Nom affiché"
 #. module: sql_export
 #: selection:sql.export,state:0
 msgid "Draft"
 msgstr "En brouillon"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 #: view:sql.export:sql_export.sql_export_view_tree
 msgid "Execute Query"
 msgstr "Exécuter"
 msgstr "Execute la requête"
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "Export"
 msgstr "Exporter"
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "Export file"
 msgstr "Fichier d'export"
 #. module: sql_export
 #: field:sql.file.wizard,binary_file:0
@ -71,7 +99,7 @@ msgstr "Fichier"
 #. module: sql_export
 #: field:sql.file.wizard,file_name:0
 msgid "File Name"
 msgstr "Nom du fichier"
 msgstr "Nom de fichier"
 #. module: sql_export
 #: field:sql.export,id:0
@ -79,39 +107,78 @@ msgstr "Nom du fichier"
 msgid "ID"
 msgstr "ID"
 #. module: sql_export
 #: field:sql.export,__last_update:0
 #: field:sql.file.wizard,__last_update:0
 msgid "Last Modified on"
 msgstr "Dernière modification le"
 #. module: sql_export
 #: field:sql.export,write_uid:0
 #: field:sql.file.wizard,write_uid:0
 msgid "Last Updated by"
 msgstr "Last Updated by"
 msgstr "Dernière mise à jour par"
 #. module: sql_export
 #: field:sql.export,write_date:0
 #: field:sql.file.wizard,write_date:0
 msgid "Last Updated on"
 msgstr "Last Updated on"
 msgstr "Dernière mise à jour le"
 #. module: sql_export
 #: field:sql.export,name:0
 msgid "Name"
 msgstr "Nom"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 #: field:sql.export,field_ids:0
 msgid "Parameters"
 msgstr "Paramètres"
 #. module: sql_export
 #: field:sql.export,query:0
 msgid "Query"
 msgstr "Requête"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "Request Name"
 msgstr "Nom de la requête"
 #. module: sql_export
 #: model:ir.actions.act_window,name:sql_export.sql_export_tree_action
 #: view:sql.export:sql_export.sql_export_view_tree
 msgid "SQL Export"
 msgstr "SQL Export"
 msgstr "Export SQL"
 #. module: sql_export
 #: model:ir.actions.act_window,name:sql_export.sql_parameter_tree_action
 #: view:ir.model.fields:sql_export.sql_parameter_view_tree
 msgid "SQL Parameter"
 msgstr "Paramètre SQL"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "SQL Request"
 msgstr "Requête SQL"
 #. module: sql_export
 #: selection:sql.export,state:0
 msgid "SQL Valid"
 msgstr "SQL Validé"
 #. module: sql_export
 #: model:ir.model,name:sql_export.model_sql_export
 #: view:ir.model.fields:sql_export.sql_parameter_view_form
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "SQL export"
 msgstr "Export SQL"
 msgstr "export SQL"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "Set to Draft"
 msgstr "Remettre en brouillon"
 #. module: sql_export
 #: model:ir.ui.menu,name:sql_export.sql_export_menu
@ -120,23 +187,46 @@ msgid "Sql Export"
 msgstr "Export SQL"
 #. module: sql_export
 #: model:res.groups,name:sql_export.group_sql_request_editor
 msgid "Sql Request Editor"
 msgstr "Edition de Requête SQL"
 #: model:ir.ui.menu,name:sql_export.sql_parameter_menu_view
 msgid "Sql Export Variables"
 msgstr "Variables d'export SQL"
 #. module: sql_export
 #: code:addons/sql_export/sql_export.py:132
 #, python-format
 msgid "The Sql query is not valid."
 msgstr "La requête SQL n'est pas valide"
 #: field:sql.file.wizard,sql_export_id:0
 msgid "Sql export id"
 msgstr "Sql export id"
 #. module: sql_export
 #: constraint:sql.export:0
 msgid "The query you want make is not allowed : prohibited actions (delete, drop, insert, alter, truncate, execute, create, update)"
 msgstr "La requête que vous voulez faire n'est pas autorisée : actions interdites (delete, drop, insert, alter, truncate, execute, create, update)"
 #: field:sql.export,state:0
 msgid "State"
 msgstr "Etat"
 #. module: sql_export
 #: help:sql.export,state:0
 msgid "State of the Request:\n"
 " * 'Draft': Not tested\n"
 " * 'SQL Valid': SQL Request has been checked and is valid"
 msgstr "Etat de la requête:\n"
 " * 'En brouillon': non testée\n"
 " * 'SQL Validé': La requête SQL a été vérifiée et est valide"
 #. module: sql_export
 #: help:sql.export,query:0
 msgid "You can't use the following word : delete, drop, create, insert, alter, truncate, execute, update"
 msgstr "Vous ne pouvez pas utiliser les mots suivants : delete, drop, create, insert, alter, truncate, execute, update"
 msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
 msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "or"
 msgstr "ou"
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "select * from res_partner"
 msgstr "select * from res_partner"
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "variables_placeholder"
 msgstr "variables_placeholder"
--- a/sql_export/i18n/sql_export.pot
+++ b/sql_export/i18n/sql_export.pot
@ -6,8 +6,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 8.0\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2016-02-05 13:10+0000\n"
 "PO-Revision-Date: 2016-02-05 13:10+0000\n"
 "POT-Creation-Date: 2017-02-27 12:24+0000\n"
 "PO-Revision-Date: 2017-02-27 12:24+0000\n"
 "Last-Translator: <>\n"
 "Language-Team: \n"
 "MIME-Version: 1.0\n"
@ -21,6 +21,7 @@ msgid "Allow the user to save the file with sql request's data"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 #: field:sql.export,group_ids:0
 msgid "Allowed Groups"
 msgstr ""
@ -31,9 +32,14 @@ msgstr ""
 msgid "Allowed Users"
 msgstr ""
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "Cancel"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "Allowed Users Groups"
 msgid "Clean and Check Request"
 msgstr ""
 #. module: sql_export
@ -58,11 +64,33 @@ msgstr ""
 msgid "Csv File"
 msgstr ""
 #. module: sql_export
 #: field:sql.export,display_name:0
 #: field:sql.file.wizard,display_name:0
 msgid "Display Name"
 msgstr ""
 #. module: sql_export
 #: selection:sql.export,state:0
 msgid "Draft"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 #: view:sql.export:sql_export.sql_export_view_tree
 msgid "Execute Query"
 msgstr ""
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "Export"
 msgstr ""
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "Export file"
 msgstr ""
 #. module: sql_export
 #: field:sql.file.wizard,binary_file:0
 msgid "File"
@ -79,6 +107,12 @@ msgstr ""
 msgid "ID"
 msgstr ""
 #. module: sql_export
 #: field:sql.export,__last_update:0
 #: field:sql.file.wizard,__last_update:0
 msgid "Last Modified on"
 msgstr ""
 #. module: sql_export
 #: field:sql.export,write_uid:0
 #: field:sql.file.wizard,write_uid:0
@ -96,23 +130,56 @@ msgstr ""
 msgid "Name"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 #: field:sql.export,field_ids:0
 msgid "Parameters"
 msgstr ""
 #. module: sql_export
 #: field:sql.export,query:0
 msgid "Query"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "Request Name"
 msgstr ""
 #. module: sql_export
 #: model:ir.actions.act_window,name:sql_export.sql_export_tree_action
 #: view:sql.export:sql_export.sql_export_view_tree
 msgid "SQL Export"
 msgstr ""
 #. module: sql_export
 #: model:ir.actions.act_window,name:sql_export.sql_parameter_tree_action
 #: view:ir.model.fields:sql_export.sql_parameter_view_tree
 msgid "SQL Parameter"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "SQL Request"
 msgstr ""
 #. module: sql_export
 #: selection:sql.export,state:0
 msgid "SQL Valid"
 msgstr ""
 #. module: sql_export
 #: model:ir.model,name:sql_export.model_sql_export
 #: view:ir.model.fields:sql_export.sql_parameter_view_form
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "SQL export"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "Set to Draft"
 msgstr ""
 #. module: sql_export
 #: model:ir.ui.menu,name:sql_export.sql_export_menu
 #: model:ir.ui.menu,name:sql_export.sql_export_menu_view
@ -120,23 +187,44 @@ msgid "Sql Export"
 msgstr ""
 #. module: sql_export
 #: model:res.groups,name:sql_export.group_sql_request_editor
 msgid "Sql Request Editor"
 #: model:ir.ui.menu,name:sql_export.sql_parameter_menu_view
 msgid "Sql Export Variables"
 msgstr ""
 #. module: sql_export
 #: code:addons/sql_export/sql_export.py:132
 #, python-format
 msgid "The Sql query is not valid."
 #: field:sql.file.wizard,sql_export_id:0
 msgid "Sql export id"
 msgstr ""
 #. module: sql_export
 #: constraint:sql.export:0
 msgid "The query you want make is not allowed : prohibited actions (delete, drop, insert, alter, truncate, execute, create, update)"
 #: field:sql.export,state:0
 msgid "State"
 msgstr ""
 #. module: sql_export
 #: help:sql.export,state:0
 msgid "State of the Request:\n"
 " * 'Draft': Not tested\n"
 " * 'SQL Valid': SQL Request has been checked and is valid"
 msgstr ""
 #. module: sql_export
 #: help:sql.export,query:0
 msgid "You can't use the following word : delete, drop, create, insert, alter, truncate, execute, update"
 msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
 msgstr ""
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "or"
 msgstr ""
 #. module: sql_export
 #: view:sql.export:sql_export.sql_export_view_form
 msgid "select * from res_partner"
 msgstr ""
 #. module: sql_export
 #: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
 msgid "variables_placeholder"
 msgstr ""
--- a/sql_export/models/sql_export.py
+++ b/sql_export/models/sql_export.py
@ -19,65 +19,24 @@
 #
 ##############################################################################
 import re
 from openerp import models, fields, api
 class SqlExport(models.Model):
    _name = "sql.export"
    _inherit = ['sql.request.mixin']
    _description = "SQL export"
    PROHIBITED_WORDS = [
        'delete',
        'drop',
        'insert',
        'alter',
        'truncate',
        'execute',
        'create',
        'update'
    ]
    _sql_request_groups_relation = 'groups_sqlquery_rel'
    @api.multi
    def _check_query_allowed(self):
        for obj in self:
            query = obj.query.lower()
            for word in self.PROHIBITED_WORDS:
                expr = r'\b%s\b' % word
                is_not_safe = re.search(expr, query)
                if is_not_safe:
                    return False
        return True
    _sql_request_users_relation = 'users_sqlquery_rel'
    @api.model
    def _get_editor_group(self):
        ir_model_obj = self.env['ir.model.data']
        return [ir_model_obj.xmlid_to_res_id(
            'sql_export.group_sql_request_editor')]
    _check_execution_enabled = False
    name = fields.Char('Name', required=True)
    query = fields.Text(
        'Query',
        required=True,
        help="You can't use the following word : delete, drop, create, "
             "insert, alter, truncate, execute, update")
    copy_options = fields.Char(
        'Copy Options',
        required=True,
        string='Copy Options', required=True,
        default="CSV HEADER DELIMITER ';'")
    group_ids = fields.Many2many(
        'res.groups',
        'groups_sqlquery_rel',
        'sql_id',
        'group_id',
        'Allowed Groups',
        default=_get_editor_group)
    user_ids = fields.Many2many(
        'res.users',
        'users_sqlquery_rel',
        'sql_id',
        'user_id',
        'Allowed Users')
    field_ids = fields.Many2many(
        'ir.model.fields',
        'fields_sqlquery_rel',
@ -85,18 +44,11 @@ class SqlExport(models.Model):
        'field_id',
        'Parameters',
        domain=[('model', '=', 'sql.file.wizard')])
    valid = fields.Boolean()
    _constraints = [(_check_query_allowed,
                     'The query you want make is not allowed : prohibited '
                     'actions (%s)' % ', '.join(PROHIBITED_WORDS),
                     ['query'])]
    @api.multi
    def export_sql_query(self):
        self.ensure_one()
        wiz = self.env['sql.file.wizard'].create({
            'valid': self.valid,
            'sql_export_id': self.id})
        return {
            'view_type': 'form',
@ -108,31 +60,3 @@ class SqlExport(models.Model):
            'context': self._context,
            'nodestroy': True,
        }
    @api.model
    def check_query_syntax(self, vals):
        if vals.get('query', False):
            vals['query'] = vals['query'].strip()
            if vals['query'][-1] == ';':
                vals['query'] = vals['query'][:-1]
            # Can't test the query because of variables
 #            try:
 #                self.env.cr.execute(vals['query'])
 #            except:
 #                raise exceptions.Warning(
 #                    _("The Sql query is not valid."))
 #            finally:
 #                self.env.cr.rollback()
        return vals
    @api.multi
    def write(self, vals):
        vals = self.check_query_syntax(vals)
        if 'query' in vals:
            vals['valid'] = False
        return super(SqlExport, self).write(vals)
    @api.model
    def create(self, vals):
        vals = self.check_query_syntax(vals)
        return super(SqlExport, self).create(vals)
--- a/sql_export/security/ir.model.access.csv
+++ b/sql_export/security/ir.model.access.csv
@ -1,3 +1,3 @@
 "id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink"
 "access_sql_export_all","access_sql_export_all","model_sql_export",,1,0,0,0
 "access_sql_export_editor","access_sql_export_editor","model_sql_export",group_sql_request_editor,1,1,1,1
 "access_sql_export_editor","access_sql_export_editor","model_sql_export",sql_request_abstract.group_sql_request_manager,1,1,1,1
--- a/sql_export/security/sql_export_security.xml
+++ b/sql_export/security/sql_export_security.xml
@ -2,11 +2,6 @@
 <openerp>
 <data noupdate="0">
    <record model="res.groups" id="group_sql_request_editor">
        <field name="name">Sql Request Editor</field>
        <field name="users" eval="[(4, ref('base.user_root'))]"/>
    </record>
    <record model="ir.rule" id="sql_export_restric_access_user_or_group">
        <field name="name" >SQL Export users and groups rules</field>
        <field name="model_id" ref="model_sql_export"/>
--- a/sql_export/tests/test_sql_query.py
+++ b/sql_export/tests/test_sql_query.py
@ -20,35 +20,27 @@
 ##############################################################################
 import base64
 from openerp.tests.common import TransactionCase
 from openerp import exceptions
 from openerp.exceptions import Warning as UserError
 class TestExportSqlQuery(TransactionCase):
    def setUp(self):
        super(TestExportSqlQuery, self).setUp()
        query_vals = {
            'name': 'test',
            'query': "SELECT name, street FROM res_partner;"
        }
        self.sql_model = self.registry('sql.export')
        self.query_id = self.sql_model.create(
            self.cr,
            self.uid,
            query_vals)
        self.sql_export_obj = self.env['sql.export']
        self.wizard_obj = self.env['sql.file.wizard']
        self.sql_report_demo = self.env.ref('sql_export.sql_export_partner')
    def test_sql_query(self):
        test = self.sql_model.export_sql_query(
            self.cr, self.uid, [self.query_id])
        self.registry('sql.file.wizard').export_sql(
            self.cr, self.uid, test['res_id'])
        wizard = self.registry('sql.file.wizard').browse(
            self.cr, self.uid, test['res_id'])
        wizard = self.wizard_obj.create({
            'sql_export_id': self.sql_report_demo.id,
        })
        wizard.export_sql()
        export = base64.b64decode(wizard.binary_file)
        self.assertEqual(export.split(';')[0], 'name')
        self.assertTrue(len(export.split(';')) > 6)
    def test_prohibited_queries_creation(self):
    def test_prohibited_queries(self):
        prohibited_queries = [
            "upDaTe res_partner SET name = 'test' WHERE id = 1",
            "DELETE FROM sql_export WHERE name = 'test';",
@ -60,14 +52,22 @@ class TestExportSqlQuery(TransactionCase):
            """,
        ]
        for query in prohibited_queries:
            with self.assertRaises(exceptions.ValidationError):
                self.sql_model.create(
                    self.cr, self.uid,
                    {'name': 'test_prohibited',
                     'query': query})
        ok_query = {
            'name': 'test ok',
            'query': "SELECT create_date FROM res_partner"
        }
        query_id = self.sql_model.create(self.cr, self.uid, ok_query)
        self.assertIsNotNone(query_id)
            with self.assertRaises(UserError):
                sql_export = self.sql_export_obj.create({
                    'name': 'test_prohibited',
                    'query': query})
                sql_export.button_clean_check_request()
    def test_authorized_queries(self):
        authorized_queries = [
            "SELECT create_date FROM res_partner",
        ]
        for query in authorized_queries:
            sql_export = self.sql_export_obj.create({
                'name': 'test_authorized',
                'query': query})
            sql_export.button_clean_check_request()
            self.assertEqual(
                sql_export.state, 'sql_valid',
                "%s is a valid request" % (query))
--- a/sql_export/views/sql_export_view.xml
+++ b/sql_export/views/sql_export_view.xml
@ -8,26 +8,40 @@
        <field name="model">sql.export</field>
        <field name="arch" type="xml">
            <form string="SQL export">
                <group col="2">
                    <group colspan="2" col="5">
                        <label for="name" colspan="1"/>
                        <field name="name" colspan="2" nolabel="1"/>
                        <button name="export_sql_query" string="Execute Query" type="object" class="oe_highlight" icon="gtk-execute" colspan="2"/>
                        <label for="query" colspan="1"/>
                        <field name="query" nolabel="1" colspan="4"/>
                        <label for="Copy Options" colspan="1"/>
                        <field name="copy_options" nolabel="1" colspan="4"/>
                    </group>
                    <group groups="sql_export.group_sql_request_editor" string="Parameters">
                        <field name="field_ids" nolabel="1"/>
                    </group>
                    <group colspan="2" col="2" groups="sql_export.group_sql_request_editor">
                        <separator string="Allowed Users" colspan="1"/>
                        <separator string="Allowed Users Groups" colspan="1"/>
                <sheet>
                    <header>
                        <button name="button_clean_check_request" type="object" states="draft"
                                string="Clean and Check Request" class="oe_highlight"/>
                        <button name="button_set_draft" type="object" states="sql_valid"
                                string="Set to Draft" groups="sql_request_abstract.group_sql_request_manager"/>
                        <button name="export_sql_query" string="Execute Query" states="sql_valid" type="object" class="oe_highlight"
                            icon="gtk-execute"/>
                        <field name="state" widget="statusbar" />
                    </header>
                <group>
                    <h1>
                        <field name="name" nolabel="1" placeholder="Request Name"/>
                    </h1>
                </group>
                <group name="option" groups="sql_request_abstract.group_sql_request_user">
                    <field name="copy_options"/>
                </group>
                <group name="request" string="SQL Request" groups="sql_request_abstract.group_sql_request_user">
                    <field name="query" nolabel="1" placeholder="select * from res_partner"/>
                </group>
                <group string="Parameters" groups="sql_request_abstract.group_sql_request_user">
                    <field name="field_ids" nolabel="1"/>
                </group>
                <group groups="sql_request_abstract.group_sql_request_manager">
                    <group string="Allowed Users">
                        <field name="user_ids" nolabel="1"/>
                    </group>
                    <group string="Allowed Groups">
                        <field name="group_ids" nolabel="1"/>
                    </group>
                </group>
                </sheet>
            </form>
        </field>
    </record>
@ -36,9 +50,11 @@
        <field name="name">Sql_export_tree_view</field>
        <field name="model">sql.export</field>
        <field name="arch" type="xml">
            <tree string="SQL Export" colors="red:valid == False">
            <tree string="SQL Export" colors="blue:state == 'draft'">
                <field name="name"/>
                <field name="valid" invisible="1"/>
                <field name="state"/>
                <button name="export_sql_query" string="Execute Query" states="sql_valid" type="object"
                    icon="gtk-execute"/>
            </tree>
        </field>
    </record>
@ -84,7 +100,7 @@
        <field name="domain">[('model','=','sql.file.wizard')]</field>
    </record>
    <menuitem id="sql_parameter_menu_view" name="Sql Export Variables" parent="sql_export_menu" action="sql_parameter_tree_action" sequence="5"/>
    <menuitem id="sql_parameter_menu_view" name="Sql Export Variables" parent="sql_export_menu" action="sql_parameter_tree_action" sequence="5" groups="sql_request_abstract.group_sql_request_manager"/>
 </data>
--- a/sql_export/wizard/wizard_file.py
+++ b/sql_export/wizard/wizard_file.py
@ -18,14 +18,12 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 ##############################################################################
 from openerp import models, fields, api
 from openerp.osv.orm import setup_modifiers
 import StringIO
 import base64
 import datetime
 from lxml import etree
 from openerp import models, fields, api, osv
 from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT
 import uuid
 class SqlFileWizard(models.TransientModel):
@ -34,7 +32,6 @@ class SqlFileWizard(models.TransientModel):
    binary_file = fields.Binary('File', readonly=True)
    file_name = fields.Char('File Name', readonly=True)
    valid = fields.Boolean()
    sql_export_id = fields.Many2one(comodel_name='sql.export', required=True)
    @api.model
@ -58,7 +55,8 @@ class SqlFileWizard(models.TransientModel):
                    kwargs = {'name': "%s" % field.name}
                    toupdate_fields.append(field.name)
                    view_field = etree.SubElement(group, 'field', **kwargs)
                    setup_modifiers(view_field, self.fields_get(field.name))
                    osv.orm.setup_modifiers(
                        view_field, self.fields_get(field.name))
                res['fields'].update(self.fields_get(toupdate_fields))
                placeholder = eview.xpath(
@ -72,12 +70,13 @@ class SqlFileWizard(models.TransientModel):
    def export_sql(self):
        self.ensure_one()
        sql_export = self.sql_export_id
        # Manage Params
        variable_dict = {}
        today = datetime.datetime.now()
        today_tz = fields.Datetime.context_timestamp(
            sql_export, today)
        date = today_tz.strftime(DEFAULT_SERVER_DATETIME_FORMAT)
        output = StringIO.StringIO()
        variable_dict = {}
        if sql_export.field_ids:
            for field in sql_export.field_ids:
                variable_dict[field.name] = self[field.name]
@ -85,25 +84,16 @@ class SqlFileWizard(models.TransientModel):
            variable_dict['company_id'] = self.env.user.company_id.id
        if "%(user_id)s" in sql_export.query:
            variable_dict['user_id'] = self._uid
        format_query = self.env.cr.mogrify(
            sql_export.query, variable_dict).decode('utf-8')
        query = "COPY (" + format_query + ")  TO STDOUT WITH " + \
                sql_export.copy_options
        name = 'export_query_%s' % uuid.uuid1().hex
        self.env.cr.execute("SAVEPOINT %s" % name)
        try:
            self.env.cr.copy_expert(query, output)
            output.getvalue()
            new_output = base64.b64encode(output.getvalue())
            output.close()
        finally:
            self.env.cr.execute("ROLLBACK TO SAVEPOINT %s" % name)
        # Execute Request
        res = sql_export._execute_sql_request(
            params=variable_dict, mode='stdout',
            copy_options=sql_export.copy_options)
        self.write({
            'binary_file': new_output,
            'binary_file': res,
            'file_name': sql_export.name + '_' + date + '.csv'
        })
        if not sql_export.valid:
            sql_export.sudo().valid = True
        return {
            'view_type': 'form',
            'view_mode': 'form',
--- a/sql_export/wizard/wizard_file_view.xml
+++ b/sql_export/wizard/wizard_file_view.xml
@ -7,11 +7,9 @@
            <field name="model">sql.file.wizard</field>
            <field name="arch" type="xml">
                <form string="Csv File">
                    <separator string="Warning untested export" attrs="{'invisible': [('valid', '=', True)]}"/>
                    <separator string="variables_placeholder" colspan="4" invisible="1"/>
                    <separator string="Export file" colspan="4"
                        attrs="{'invisible': [('binary_file', '=', False)]}"/>
                    <field name="valid" invisible="1"/>
                    <field name="binary_file" filename="file_name"/>
                    <field name="file_name" invisible="1"/>
                    <footer>
--- a/sql_request_abstract/README.rst
+++ b/sql_request_abstract/README.rst
@ -0,0 +1,93 @@
 .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
   :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
   :alt: License: AGPL-3
 =====================================
 Abstract Model to manage SQL Requests
 =====================================
 This module provide an abstract model to manage SQL Select request on database.
 It is not usefull for itself. You can see an exemple of implementation in the
 'sql_export' module. (same repository).
 Implemented features
 --------------------
 * Add some restrictions in the sql request:
    * you can only read datas. No update, deletion or creation are possible.
    * some tables are not allowed, because they could contains clear password
      or keys. For the time being ('ir_config_parameter').
 * The request can be in a 'draft' or a 'SQL Valid' status. To be valid,
  the request has to be cleaned, checked and tested. All of this operations
  can be disabled in the inherited modules.
 * This module two new groups:
    * SQL Request / User : Can see all the sql requests by default and execute
      them, if they are valid.
    * SQL Request / Manager : has full access on sql requests.
 Usage
 =====
 Inherit the model:
    from openerp import models
    class MyModel(models.model)
        _name = 'my.model'
        _inherit = ['sql.request.mixin']
        _sql_request_groups_relation = 'my_model_groups_rel'
        _sql_request_users_relation = 'my_model_users_rel'
 .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
   :alt: Try me on Runbot
   :target: https://runbot.odoo-community.org/runbot/149/8.0
 Bug Tracker
 ===========
 Bugs are tracked on `GitHub Issues
 <https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
 check there if your issue has already been reported. If you spotted it first,
 help us smash it by providing detailed and welcomed feedback.
 Credits
 =======
 Images
 ------
 * Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
 Contributors
 ------------
 * Florian da Costa <florian.dacosta@akretion.com>
 * Sylvain LE GAL (https://twitter.com/legalsylvain)
 Funders
 -------
 The development of this module has been financially supported by:
 * Akretion (<http://www.akretion.com>)
 * GRAP, Groupement Régional Alimentaire de Proximité (<http://www.grap.coop>)
 Maintainer
 ----------
 .. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org
 This module is maintained by the OCA.
 OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 To contribute to this module, please visit https://odoo-community.org.
--- a/sql_request_abstract/init.py
+++ b/sql_request_abstract/init.py
@ -0,0 +1,3 @@
 # -*- coding: utf-8 -*-
 from . import models
--- a/sql_request_abstract/openerp.py
+++ b/sql_request_abstract/openerp.py
@ -0,0 +1,23 @@
 # -*- coding: utf-8 -*-
 # Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
 # @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 {
    'name': 'SQL Request Abstract',
    'version': '8.0.1.0.0',
    'author': 'GRAP,Akretion,Odoo Community Association (OCA)',
    'website': 'https://www.odoo-community.org',
    'license': 'AGPL-3',
    'category': 'Tools',
    'summary': 'Abstract Model to manage SQL Requests',
    'depends': [
        'base',
    ],
    'data': [
        'security/ir_module_category.xml',
        'security/res_groups.xml',
        'security/ir.model.access.csv',
    ],
    'installable': True,
 }
--- a/sql_request_abstract/i18n/fr.po
+++ b/sql_request_abstract/i18n/fr.po
@ -0,0 +1,145 @@
 # Translation of Odoo Server.
 # This file contains the translation of the following modules:
 #	* sql_request_abstract
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 8.0\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-02-27 12:11+0000\n"
 "PO-Revision-Date: 2017-02-27 12:11+0000\n"
 "Last-Translator: <>\n"
 "Language-Team: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: \n"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,group_ids:0
 msgid "Allowed Groups"
 msgstr "Groupes autorisés"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,user_ids:0
 msgid "Allowed Users"
 msgstr "Utilisateurs Autorisés"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,create_uid:0
 msgid "Created by"
 msgstr "Créé par"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,create_date:0
 msgid "Created on"
 msgstr "Créé le"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,display_name:0
 msgid "Display Name"
 msgstr "Nom affiché"
 #. module: sql_request_abstract
 #: selection:sql.request.mixin,state:0
 msgid "Draft"
 msgstr "En brouillon"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,id:0
 msgid "ID"
 msgstr "ID"
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
 #, python-format
 msgid "It is not allowed to execute a not checked request."
 msgstr "Il n'est pas autorisé d'exécuter une requête non vérifiée."
 #. module: sql_request_abstract
 #: field:sql.request.mixin,__last_update:0
 msgid "Last Modified on"
 msgstr "Dernière modification le"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,write_uid:0
 msgid "Last Updated by"
 msgstr "Dernière mise à jour par"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,write_date:0
 msgid "Last Updated on"
 msgstr "Dernière mise à jour le"
 #. module: sql_request_abstract
 #: model:res.groups,name:sql_request_abstract.group_sql_request_manager
 msgid "Manager"
 msgstr "Responsable"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,name:0
 msgid "Name"
 msgstr "Nom"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,query:0
 msgid "Query"
 msgstr "Requête"
 #. module: sql_request_abstract
 #: selection:sql.request.mixin,state:0
 msgid "SQL Valid"
 msgstr "SQL Validé"
 #. module: sql_request_abstract
 #: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
 msgid "Sql Request"
 msgstr "Request SQL"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,state:0
 msgid "State"
 msgstr "Etat"
 #. module: sql_request_abstract
 #: help:sql.request.mixin,state:0
 msgid "State of the Request:\n"
 " * 'Draft': Not tested\n"
 " * 'SQL Valid': SQL Request has been checked and is valid"
 msgstr "Etat de la requête:\n"
 " * 'En brouillon': non testée\n"
 " * 'SQL Validé': La requête SQL a été vérifiée et est valide"
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
 #, python-format
 msgid "The SQL query is not valid:\n"
 "\n"
 " %s"
 msgstr "La requête SQL n'est pas valide:\n"
 "\n"
 " %s"
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
 #, python-format
 msgid "The query is not allowed because it contains unsafe word '%s'"
 msgstr "La requête n'est pas autorisée car elle contient un terme non sécurisé '%s'"
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
 #, python-format
 msgid "Unimplemented mode : '%s'"
 msgstr "Mode non implémenté : '%s'"
 #. module: sql_request_abstract
 #: model:res.groups,name:sql_request_abstract.group_sql_request_user
 msgid "User"
 msgstr "Utilisateur"
 #. module: sql_request_abstract
 #: help:sql.request.mixin,query:0
 msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
 msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
--- a/sql_request_abstract/i18n/sql_export_abstract.pot
+++ b/sql_request_abstract/i18n/sql_export_abstract.pot
@ -0,0 +1,140 @@
 # Translation of Odoo Server.
 # This file contains the translation of the following modules:
 #	* sql_request_abstract
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 8.0\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-02-27 12:11+0000\n"
 "PO-Revision-Date: 2017-02-27 12:11+0000\n"
 "Last-Translator: <>\n"
 "Language-Team: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: \n"
 #. module: sql_request_abstract
 #: field:sql.request.mixin,group_ids:0
 msgid "Allowed Groups"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,user_ids:0
 msgid "Allowed Users"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,create_uid:0
 msgid "Created by"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,create_date:0
 msgid "Created on"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,display_name:0
 msgid "Display Name"
 msgstr ""
 #. module: sql_request_abstract
 #: selection:sql.request.mixin,state:0
 msgid "Draft"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,id:0
 msgid "ID"
 msgstr ""
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
 #, python-format
 msgid "It is not allowed to execute a not checked request."
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,__last_update:0
 msgid "Last Modified on"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,write_uid:0
 msgid "Last Updated by"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,write_date:0
 msgid "Last Updated on"
 msgstr ""
 #. module: sql_request_abstract
 #: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_manager
 msgid "Manager"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,name:0
 msgid "Name"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,query:0
 msgid "Query"
 msgstr ""
 #. module: sql_request_abstract
 #: selection:sql.request.mixin,state:0
 msgid "SQL Valid"
 msgstr ""
 #. module: sql_request_abstract
 #: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
 msgid "Sql Request"
 msgstr ""
 #. module: sql_request_abstract
 #: field:sql.request.mixin,state:0
 msgid "State"
 msgstr ""
 #. module: sql_request_abstract
 #: help:sql.request.mixin,state:0
 msgid "State of the Request:\n"
 " * 'Draft': Not tested\n"
 " * 'SQL Valid': SQL Request has been checked and is valid"
 msgstr ""
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
 #, python-format
 msgid "The SQL query is not valid:\n"
 "\n"
 " %s"
 msgstr ""
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
 #, python-format
 msgid "The query is not allowed because it contains unsafe word '%s'"
 msgstr ""
 #. module: sql_request_abstract
 #: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
 #, python-format
 msgid "Unimplemented mode : '%s'"
 msgstr ""
 #. module: sql_request_abstract
 #: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_user
 msgid "User"
 msgstr ""
 #. module: sql_request_abstract
 #: help:sql.request.mixin,query:0
 msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
 msgstr ""
--- a/sql_request_abstract/models/init.py
+++ b/sql_request_abstract/models/init.py
@ -0,0 +1,3 @@
 # -*- coding: utf-8 -*-
 from . import sql_request_mixin
--- a/sql_request_abstract/models/sql_request_mixin.py
+++ b/sql_request_abstract/models/sql_request_mixin.py
@ -0,0 +1,255 @@
 # -*- coding: utf-8 -*-
 # Copyright (C) 2015 Akretion (<http://www.akretion.com>)
 # Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
 # @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 import re
 import uuid
 import StringIO
 import base64
 from psycopg2 import ProgrammingError
 from openerp import _, api, fields, models
 from openerp.exceptions import Warning as UserError
 class SQLRequestMixin(models.Model):
    _name = 'sql.request.mixin'
    _clean_query_enabled = True
    _check_prohibited_words_enabled = True
    _check_execution_enabled = True
    _sql_request_groups_relation = False
    _sql_request_users_relation = False
    STATE_SELECTION = [
        ('draft', 'Draft'),
        ('sql_valid', 'SQL Valid'),
    ]
    PROHIBITED_WORDS = [
        'delete',
        'drop',
        'insert',
        'alter',
        'truncate',
        'execute',
        'create',
        'update',
        'ir_config_parameter',
    ]
    # Default Section
    @api.model
    def _default_group_ids(self):
        ir_model_obj = self.env['ir.model.data']
        return [ir_model_obj.xmlid_to_res_id(
            'sql_request_abstract.group_sql_request_user')]
    @api.model
    def _default_user_ids(self):
        return []
    # Columns Section
    name = fields.Char('Name', required=True)
    query = fields.Text(
        string='Query', required=True, help="You can't use the following words"
        ": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE")
    state = fields.Selection(
        string='State', selection=STATE_SELECTION, default='draft',
        help="State of the Request:\n"
        " * 'Draft': Not tested\n"
        " * 'SQL Valid': SQL Request has been checked and is valid")
    group_ids = fields.Many2many(
        comodel_name='res.groups', string='Allowed Groups',
        relation=_sql_request_groups_relation,
        column1='sql_id', column2='group_id',
        default=_default_group_ids)
    user_ids = fields.Many2many(
        comodel_name='res.users', string='Allowed Users',
        relation=_sql_request_users_relation,
        column1='sql_id', column2='user_id',
        default=_default_user_ids)
    # Action Section
    @api.multi
    def button_clean_check_request(self):
        for item in self:
            if item._clean_query_enabled:
                item._clean_query()
            if item._check_prohibited_words_enabled:
                item._check_prohibited_words()
            if item._check_execution_enabled:
                item._check_execution()
            item.state = 'sql_valid'
    @api.multi
    def button_set_draft(self):
        self.write({'state': 'draft'})
    # API Section
    @api.multi
    def _execute_sql_request(
            self, params=None, mode='fetchall', rollback=True,
            view_name=False, copy_options="CSV HEADER DELIMITER ';'"):
        """Execute a SQL request on the current database.
        ??? This function checks before if the user has the
        right to execute the request.
        :param params: (dict) of keys / values that will be replaced in
            the sql query, before executing it.
        :param mode: (str) result type expected. Available settings :
            * 'view': create a view with the select query. Extra param
                required 'view_name'.
            * 'materialized_view': create a MATERIALIZED VIEW with the
                select query. Extra parameter required 'view_name'.
            * 'fetchall': execute the select request, and return the
                result of 'cr.fetchall()'.
            * 'fetchone' : execute the select request, and return the
                result of 'cr.fetchone()'
        :param rollback: (boolean) mention if a rollback should be played after
            the execution of the query. Please keep this feature enabled
            for security reason, except if necessary.
            (Ignored if @mode in ('view', 'materialized_view'))
        :param view_name: (str) name of the view.
            (Ignored if @mode not in ('view', 'materialized_view'))
        :param copy_options: (str) mentions extra options for
            "COPY request STDOUT WITH xxx" request.
            (Ignored if @mode != 'stdout')
        ..note:: The following exceptions could be raised:
            psycopg2.ProgrammingError: Error in the SQL Request.
            openerp.exceptions.Warning:
                * 'mode' is not implemented.
                * materialized view is not supported by the Postgresql Server.
        """
        self.ensure_one()
        res = False
        # Check if the request is in a valid state
        if self.state == 'draft':
            raise UserError(_(
                "It is not allowed to execute a not checked request."))
        # Disable rollback if a creation of a view is asked
        if mode in ('view', 'materialized_view'):
            rollback = False
        params = params and params or {}
        query = self.env.cr.mogrify(self.query, params).decode('utf-8')
        if mode in ('fetchone', 'fetchall'):
            pass
        elif mode == 'stdout':
            query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options)
        elif mode in 'view':
            query = "CREATE VIEW %s AS (%s);" % (query, view_name)
        elif mode in 'materialized_view':
            self._check_materialized_view_available()
            query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name)
        else:
            raise UserError(_("Unimplemented mode : '%s'" % mode))
        if rollback:
            rollback_name = self._create_savepoint()
        try:
            if mode == 'stdout':
                output = StringIO.StringIO()
                self.env.cr.copy_expert(query, output)
                output.getvalue()
                res = base64.b64encode(output.getvalue())
                output.close()
            else:
                self.env.cr.execute(query)
                if mode == 'fetchall':
                    res = self.env.cr.fetchall()
                elif mode == 'fetchone':
                    res = self.env.cr.fetchone()
        finally:
            self._rollback_savepoint(rollback_name)
        return res
    # Private Section
    @api.model
    def _create_savepoint(self):
        rollback_name = '%s_%s' % (
            self._name.replace('.', '_'), uuid.uuid1().hex)
        req = "SAVEPOINT %s" % (rollback_name)
        self.env.cr.execute(req)
        return rollback_name
    @api.model
    def _rollback_savepoint(self, rollback_name):
        req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name)
        self.env.cr.execute(req)
    @api.model
    def _check_materialized_view_available(self):
        self.env.cr.execute("SHOW server_version;")
        res = self.env.cr.fetchone()[0].split('.')
        minor_version = float('.'.join(res[:2]))
        return minor_version >= 9.3
    @api.multi
    def _clean_query(self):
        self.ensure_one()
        query = self.query.strip()
        while query[-1] == ';':
            query = query[:-1]
        self.query = query
    @api.multi
    def _check_prohibited_words(self):
        """Check if the query contains prohibited words, to avoid maliscious
        SQL requests"""
        self.ensure_one()
        query = self.query.lower()
        for word in self.PROHIBITED_WORDS:
            expr = r'\b%s\b' % word
            is_not_safe = re.search(expr, query)
            if is_not_safe:
                raise UserError(_(
                    "The query is not allowed because it contains unsafe word"
                    " '%s'") % (word))
    @api.multi
    def _check_execution(self):
        """Ensure that the query is valid, trying to execute it. A rollback
        is done after."""
        self.ensure_one()
        query = self._prepare_request_check_execution()
        rollback_name = self._create_savepoint()
        res = False
        try:
            self.env.cr.execute(query)
            res = self._hook_executed_request()
        except ProgrammingError as e:
            raise UserError(
                _("The SQL query is not valid:\n\n %s") % e.message)
        finally:
            self._rollback_savepoint(rollback_name)
        return res
    @api.multi
    def _prepare_request_check_execution(self):
        """Overload me to replace some part of the query, if it contains
        parameters"""
        self.ensure_one()
        return self.query
    def _hook_executed_request(self):
        """Overload me to insert custom code, when the SQL request has
        been executed, before the rollback.
        """
        self.ensure_one()
        return False
--- a/sql_request_abstract/security/ir.model.access.csv
+++ b/sql_request_abstract/security/ir.model.access.csv
@ -0,0 +1,4 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
 access_sql_request_mixin_all,access_sql_request_mixin_all,model_sql_request_mixin,,0,0,0,0
 access_sql_request_mixin_user,access_sql_request_mixin_user,model_sql_request_mixin,sql_request_abstract.group_sql_request_user,1,0,0,0
 access_sql_request_mixin_manager,access_sql_request_mixin_manager,model_sql_request_mixin,sql_request_abstract.group_sql_request_manager,1,1,1,1
--- a/sql_request_abstract/security/ir_module_category.xml
+++ b/sql_request_abstract/security/ir_module_category.xml
@ -0,0 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <openerp><data>
    <record model="ir.module.category" id="category_sql_abstract">
        <field name="name">Sql Request</field>
    </record>
 </data></openerp>
--- a/sql_request_abstract/security/res_groups.xml
+++ b/sql_request_abstract/security/res_groups.xml
@ -0,0 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
@author Sylvain LE GAL (https://twitter.com/legalsylvain)
 License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 -->
 <openerp><data>
    <record model="res.groups" id="group_sql_request_user">
        <field name="name">User</field>
        <field name="category_id" ref="category_sql_abstract" />
    </record>
    <record model="res.groups" id="group_sql_request_manager">
        <field name="name">Manager</field>
        <field name="category_id" ref="category_sql_abstract" />
        <field name="users" eval="[(4, ref('base.user_root'))]"/>
        <field name="implied_ids" eval="[(4, ref('group_sql_request_user'))]" />
    </record>
 </data></openerp>
--- a/sql_request_abstract/static/description/icon.png
+++ b/sql_request_abstract/static/description/icon.png