OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Merge pull request #17 from akretion/9-sql-export-abstract 

9 sql export abstract
pull/535/head
Florian 7 years ago
committed by GitHub
parent
6cb6ec924b 85e50881e0
commit
c072d448d5
23 changed files with 1052 additions and 227 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 31
      sql_export/README.rst
  2. 40
      sql_export/__openerp__.py
  3. 17
      sql_export/demo/sql_export.xml
  4. 136
      sql_export/i18n/fr.po
  5. 110
      sql_export/i18n/sql_export.pot
  6. 88
      sql_export/models/sql_export.py
  7. 2
      sql_export/security/ir.model.access.csv
  8. 5
      sql_export/security/sql_export_security.xml
  9. 56
      sql_export/tests/test_sql_query.py
  10. 54
      sql_export/views/sql_export_view.xml
  11. 40
      sql_export/wizard/wizard_file.py
  12. 2
      sql_export/wizard/wizard_file_view.xml
  13. 93
      sql_request_abstract/README.rst
  14. 3
      sql_request_abstract/__init__.py
  15. 23
      sql_request_abstract/__openerp__.py
  16. 145
      sql_request_abstract/i18n/fr.po
  17. 140
      sql_request_abstract/i18n/sql_export_abstract.pot
  18. 3
      sql_request_abstract/models/__init__.py
  19. 255
      sql_request_abstract/models/sql_request_mixin.py
  20. 4
      sql_request_abstract/security/ir.model.access.csv
  21. 9
      sql_request_abstract/security/ir_module_category.xml
  22. 23
      sql_request_abstract/security/res_groups.xml
  23. BIN
      sql_request_abstract/static/description/icon.png

31
sql_export/README.rst
View File

@ -12,25 +12,30 @@ A new menu named Export is created.
Known issues / Roadmap
======================
Some words are prohibeted and can't be used is the query in anyways, even in a select query :
* Some words are prohibeted and can't be used is the query in anyways, even in a select query :
* delete
* drop
* insert
* alter
* truncate
* execute
* create
* update
* delete
* drop
* insert
* alter
* truncate
* execute
* create
* update
See sql_request_abstract module to fix this issue.
* checking SQL request by execution and rollback is disabled in this module
since variables features has been introduced. This can be fixed by
overloading _prepare_request_check_execution() function.
Bug Tracker
===========
Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-tools/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us smashing it by providing a detailed and welcomed feedback
`here <https://github.com/OCA/server-tools/issues/new?body=module:%20sql_export%0Aversion:%208.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcomed feedback.
Credits
=======

40
sql_export/__openerp__.py
View File

@ -19,21 +19,25 @@
#
##############################################################################
{'name': 'SQL Export',
'version': '9.0.1.0.0',
'author': 'Akretion,Odoo Community Association (OCA)',
'website': 'http://www.akretion.com',
'license': 'AGPL-3',
'category': 'Generic Modules/Others',
'summary': 'Export data in csv file with SQL requests',
'depends': ['base',
],
'data': [
'views/sql_export_view.xml',
'wizard/wizard_file_view.xml',
'security/sql_export_security.xml',
'security/ir.model.access.csv',
],
'installable': True,
'images': [],
}
{
'name': 'SQL Export',
'version': '9.0.1.0.0',
'author': 'Akretion,Odoo Community Association (OCA)',
'website': 'http://www.akretion.com',
'license': 'AGPL-3',
'category': 'Generic Modules/Others',
'summary': 'Export data in csv file with SQL requests',
'depends': [
'sql_request_abstract',
],
'data': [
'views/sql_export_view.xml',
'wizard/wizard_file_view.xml',
'security/sql_export_security.xml',
'security/ir.model.access.csv',
],
'demo': [
'demo/sql_export.xml',
],
'installable': True,
}

17
sql_export/demo/sql_export.xml
View File

@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
@author Sylvain LE GAL (https://twitter.com/legalsylvain)
License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
-->
<openerp><data>
<record id="sql_export_partner" model="sql.export">
<field name="name">Export Partners (Demo Data)</field>
<field name="query">SELECT name, street FROM res_partner;</field>
</record>
<function model="sql.export" name="button_clean_check_request" eval="([ref('sql_export.sql_export_partner')])"/>
</data></openerp>

136
sql_export/i18n/fr.po
View File

@ -6,8 +6,8 @@ msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 8.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2016-02-05 13:10+0000\n"
"PO-Revision-Date: 2016-02-05 13:10+0000\n"
"POT-Creation-Date: 2017-02-27 12:18+0000\n"
"PO-Revision-Date: 2017-02-27 12:18+0000\n"
"Last-Translator: <>\n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
@ -21,6 +21,7 @@ msgid "Allow the user to save the file with sql request's data"
msgstr "Permet à l'utilisateur de sauvegarder le fichier contenant les données de la requête SQL"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
#: field:sql.export,group_ids:0
msgid "Allowed Groups"
msgstr "Groupes Autorisés"
@ -31,15 +32,20 @@ msgstr "Groupes Autorisés"
msgid "Allowed Users"
msgstr "Utilisateurs Autorisés"
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "Cancel"
msgstr "Annuler"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "Allowed Users Groups"
msgstr "Groupes d'utilisateurs Autorisés"
msgid "Clean and Check Request"
msgstr "Corriger et vérifier la requête"
#. module: sql_export
#: field:sql.export,copy_options:0
msgid "Copy Options"
msgstr "Copy Options"
msgstr "Options de copie"
#. module: sql_export
#: field:sql.export,create_uid:0
@ -58,10 +64,32 @@ msgstr "Créé le"
msgid "Csv File"
msgstr "Fichier CSV"
#. module: sql_export
#: field:sql.export,display_name:0
#: field:sql.file.wizard,display_name:0
msgid "Display Name"
msgstr "Nom affiché"
#. module: sql_export
#: selection:sql.export,state:0
msgid "Draft"
msgstr "En brouillon"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
#: view:sql.export:sql_export.sql_export_view_tree
msgid "Execute Query"
msgstr "Exécuter"
msgstr "Execute la requête"
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "Export"
msgstr "Exporter"
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "Export file"
msgstr "Fichier d'export"
#. module: sql_export
#: field:sql.file.wizard,binary_file:0
@ -71,7 +99,7 @@ msgstr "Fichier"
#. module: sql_export
#: field:sql.file.wizard,file_name:0
msgid "File Name"
msgstr "Nom du fichier"
msgstr "Nom de fichier"
#. module: sql_export
#: field:sql.export,id:0
@ -79,39 +107,78 @@ msgstr "Nom du fichier"
msgid "ID"
msgstr "ID"
#. module: sql_export
#: field:sql.export,__last_update:0
#: field:sql.file.wizard,__last_update:0
msgid "Last Modified on"
msgstr "Dernière modification le"
#. module: sql_export
#: field:sql.export,write_uid:0
#: field:sql.file.wizard,write_uid:0
msgid "Last Updated by"
msgstr "Last Updated by"
msgstr "Dernière mise à jour par"
#. module: sql_export
#: field:sql.export,write_date:0
#: field:sql.file.wizard,write_date:0
msgid "Last Updated on"
msgstr "Last Updated on"
msgstr "Dernière mise à jour le"
#. module: sql_export
#: field:sql.export,name:0
msgid "Name"
msgstr "Nom"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
#: field:sql.export,field_ids:0
msgid "Parameters"
msgstr "Paramètres"
#. module: sql_export
#: field:sql.export,query:0
msgid "Query"
msgstr "Requête"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "Request Name"
msgstr "Nom de la requête"
#. module: sql_export
#: model:ir.actions.act_window,name:sql_export.sql_export_tree_action
#: view:sql.export:sql_export.sql_export_view_tree
msgid "SQL Export"
msgstr "SQL Export"
msgstr "Export SQL"
#. module: sql_export
#: model:ir.actions.act_window,name:sql_export.sql_parameter_tree_action
#: view:ir.model.fields:sql_export.sql_parameter_view_tree
msgid "SQL Parameter"
msgstr "Paramètre SQL"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "SQL Request"
msgstr "Requête SQL"
#. module: sql_export
#: selection:sql.export,state:0
msgid "SQL Valid"
msgstr "SQL Validé"
#. module: sql_export
#: model:ir.model,name:sql_export.model_sql_export
#: view:ir.model.fields:sql_export.sql_parameter_view_form
#: view:sql.export:sql_export.sql_export_view_form
msgid "SQL export"
msgstr "Export SQL"
msgstr "export SQL"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "Set to Draft"
msgstr "Remettre en brouillon"
#. module: sql_export
#: model:ir.ui.menu,name:sql_export.sql_export_menu
@ -120,23 +187,46 @@ msgid "Sql Export"
msgstr "Export SQL"
#. module: sql_export
#: model:res.groups,name:sql_export.group_sql_request_editor
msgid "Sql Request Editor"
msgstr "Edition de Requête SQL"
#: model:ir.ui.menu,name:sql_export.sql_parameter_menu_view
msgid "Sql Export Variables"
msgstr "Variables d'export SQL"
#. module: sql_export
#: code:addons/sql_export/sql_export.py:132
#, python-format
msgid "The Sql query is not valid."
msgstr "La requête SQL n'est pas valide"
#: field:sql.file.wizard,sql_export_id:0
msgid "Sql export id"
msgstr "Sql export id"
#. module: sql_export
#: constraint:sql.export:0
msgid "The query you want make is not allowed : prohibited actions (delete, drop, insert, alter, truncate, execute, create, update)"
msgstr "La requête que vous voulez faire n'est pas autorisée : actions interdites (delete, drop, insert, alter, truncate, execute, create, update)"
#: field:sql.export,state:0
msgid "State"
msgstr "Etat"
#. module: sql_export
#: help:sql.export,state:0
msgid "State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid"
msgstr "Etat de la requête:\n"
" * 'En brouillon': non testée\n"
" * 'SQL Validé': La requête SQL a été vérifiée et est valide"
#. module: sql_export
#: help:sql.export,query:0
msgid "You can't use the following word : delete, drop, create, insert, alter, truncate, execute, update"
msgstr "Vous ne pouvez pas utiliser les mots suivants : delete, drop, create, insert, alter, truncate, execute, update"
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "or"
msgstr "ou"
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "select * from res_partner"
msgstr "select * from res_partner"
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "variables_placeholder"
msgstr "variables_placeholder"

110
sql_export/i18n/sql_export.pot
View File

@ -6,8 +6,8 @@ msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 8.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2016-02-05 13:10+0000\n"
"PO-Revision-Date: 2016-02-05 13:10+0000\n"
"POT-Creation-Date: 2017-02-27 12:24+0000\n"
"PO-Revision-Date: 2017-02-27 12:24+0000\n"
"Last-Translator: <>\n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
@ -21,6 +21,7 @@ msgid "Allow the user to save the file with sql request's data"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
#: field:sql.export,group_ids:0
msgid "Allowed Groups"
msgstr ""
@ -31,9 +32,14 @@ msgstr ""
msgid "Allowed Users"
msgstr ""
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "Cancel"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "Allowed Users Groups"
msgid "Clean and Check Request"
msgstr ""
#. module: sql_export
@ -58,11 +64,33 @@ msgstr ""
msgid "Csv File"
msgstr ""
#. module: sql_export
#: field:sql.export,display_name:0
#: field:sql.file.wizard,display_name:0
msgid "Display Name"
msgstr ""
#. module: sql_export
#: selection:sql.export,state:0
msgid "Draft"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
#: view:sql.export:sql_export.sql_export_view_tree
msgid "Execute Query"
msgstr ""
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "Export"
msgstr ""
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "Export file"
msgstr ""
#. module: sql_export
#: field:sql.file.wizard,binary_file:0
msgid "File"
@ -79,6 +107,12 @@ msgstr ""
msgid "ID"
msgstr ""
#. module: sql_export
#: field:sql.export,__last_update:0
#: field:sql.file.wizard,__last_update:0
msgid "Last Modified on"
msgstr ""
#. module: sql_export
#: field:sql.export,write_uid:0
#: field:sql.file.wizard,write_uid:0
@ -96,23 +130,56 @@ msgstr ""
msgid "Name"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
#: field:sql.export,field_ids:0
msgid "Parameters"
msgstr ""
#. module: sql_export
#: field:sql.export,query:0
msgid "Query"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "Request Name"
msgstr ""
#. module: sql_export
#: model:ir.actions.act_window,name:sql_export.sql_export_tree_action
#: view:sql.export:sql_export.sql_export_view_tree
msgid "SQL Export"
msgstr ""
#. module: sql_export
#: model:ir.actions.act_window,name:sql_export.sql_parameter_tree_action
#: view:ir.model.fields:sql_export.sql_parameter_view_tree
msgid "SQL Parameter"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "SQL Request"
msgstr ""
#. module: sql_export
#: selection:sql.export,state:0
msgid "SQL Valid"
msgstr ""
#. module: sql_export
#: model:ir.model,name:sql_export.model_sql_export
#: view:ir.model.fields:sql_export.sql_parameter_view_form
#: view:sql.export:sql_export.sql_export_view_form
msgid "SQL export"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "Set to Draft"
msgstr ""
#. module: sql_export
#: model:ir.ui.menu,name:sql_export.sql_export_menu
#: model:ir.ui.menu,name:sql_export.sql_export_menu_view
@ -120,23 +187,44 @@ msgid "Sql Export"
msgstr ""
#. module: sql_export
#: model:res.groups,name:sql_export.group_sql_request_editor
msgid "Sql Request Editor"
#: model:ir.ui.menu,name:sql_export.sql_parameter_menu_view
msgid "Sql Export Variables"
msgstr ""
#. module: sql_export
#: code:addons/sql_export/sql_export.py:132
#, python-format
msgid "The Sql query is not valid."
#: field:sql.file.wizard,sql_export_id:0
msgid "Sql export id"
msgstr ""
#. module: sql_export
#: constraint:sql.export:0
msgid "The query you want make is not allowed : prohibited actions (delete, drop, insert, alter, truncate, execute, create, update)"
#: field:sql.export,state:0
msgid "State"
msgstr ""
#. module: sql_export
#: help:sql.export,state:0
msgid "State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid"
msgstr ""
#. module: sql_export
#: help:sql.export,query:0
msgid "You can't use the following word : delete, drop, create, insert, alter, truncate, execute, update"
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
msgstr ""
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "or"
msgstr ""
#. module: sql_export
#: view:sql.export:sql_export.sql_export_view_form
msgid "select * from res_partner"
msgstr ""
#. module: sql_export
#: view:sql.file.wizard:sql_export.sql_file_wizard_view_form
msgid "variables_placeholder"
msgstr ""

88
sql_export/models/sql_export.py
View File

@ -19,65 +19,24 @@
#
##############################################################################
import re
from openerp import models, fields, api
class SqlExport(models.Model):
_name = "sql.export"
_inherit = ['sql.request.mixin']
_description = "SQL export"
PROHIBITED_WORDS = [
'delete',
'drop',
'insert',
'alter',
'truncate',
'execute',
'create',
'update'
]
_sql_request_groups_relation = 'groups_sqlquery_rel'
@api.multi
def _check_query_allowed(self):
for obj in self:
query = obj.query.lower()
for word in self.PROHIBITED_WORDS:
expr = r'\b%s\b' % word
is_not_safe = re.search(expr, query)
if is_not_safe:
return False
return True
_sql_request_users_relation = 'users_sqlquery_rel'
@api.model
def _get_editor_group(self):
ir_model_obj = self.env['ir.model.data']
return [ir_model_obj.xmlid_to_res_id(
'sql_export.group_sql_request_editor')]
_check_execution_enabled = False
name = fields.Char('Name', required=True)
query = fields.Text(
'Query',
required=True,
help="You can't use the following word : delete, drop, create, "
"insert, alter, truncate, execute, update")
copy_options = fields.Char(
'Copy Options',
required=True,
string='Copy Options', required=True,
default="CSV HEADER DELIMITER ';'")
group_ids = fields.Many2many(
'res.groups',
'groups_sqlquery_rel',
'sql_id',
'group_id',
'Allowed Groups',
default=_get_editor_group)
user_ids = fields.Many2many(
'res.users',
'users_sqlquery_rel',
'sql_id',
'user_id',
'Allowed Users')
field_ids = fields.Many2many(
'ir.model.fields',
'fields_sqlquery_rel',
@ -85,18 +44,11 @@ class SqlExport(models.Model):
'field_id',
'Parameters',
domain=[('model', '=', 'sql.file.wizard')])
valid = fields.Boolean()
_constraints = [(_check_query_allowed,
'The query you want make is not allowed : prohibited '
'actions (%s)' % ', '.join(PROHIBITED_WORDS),
['query'])]
@api.multi
def export_sql_query(self):
self.ensure_one()
wiz = self.env['sql.file.wizard'].create({
'valid': self.valid,
'sql_export_id': self.id})
return {
'view_type': 'form',
@ -108,31 +60,3 @@ class SqlExport(models.Model):
'context': self._context,
'nodestroy': True,
}
@api.model
def check_query_syntax(self, vals):
if vals.get('query', False):
vals['query'] = vals['query'].strip()
if vals['query'][-1] == ';':
vals['query'] = vals['query'][:-1]
# Can't test the query because of variables
# try:
# self.env.cr.execute(vals['query'])
# except:
# raise exceptions.Warning(
# _("The Sql query is not valid."))
# finally:
# self.env.cr.rollback()
return vals
@api.multi
def write(self, vals):
vals = self.check_query_syntax(vals)
if 'query' in vals:
vals['valid'] = False
return super(SqlExport, self).write(vals)
@api.model
def create(self, vals):
vals = self.check_query_syntax(vals)
return super(SqlExport, self).create(vals)

2
sql_export/security/ir.model.access.csv
View File

@ -1,3 +1,3 @@
"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink"
"access_sql_export_all","access_sql_export_all","model_sql_export",,1,0,0,0
"access_sql_export_editor","access_sql_export_editor","model_sql_export",group_sql_request_editor,1,1,1,1
"access_sql_export_editor","access_sql_export_editor","model_sql_export",sql_request_abstract.group_sql_request_manager,1,1,1,1

5
sql_export/security/sql_export_security.xml
View File

@ -2,11 +2,6 @@
<openerp>
<data noupdate="0">
<record model="res.groups" id="group_sql_request_editor">
<field name="name">Sql Request Editor</field>
<field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
<record model="ir.rule" id="sql_export_restric_access_user_or_group">
<field name="name" >SQL Export users and groups rules</field>
<field name="model_id" ref="model_sql_export"/>

56
sql_export/tests/test_sql_query.py
View File

@ -20,35 +20,27 @@
##############################################################################
import base64
from openerp.tests.common import TransactionCase
from openerp import exceptions
from openerp.exceptions import Warning as UserError
class TestExportSqlQuery(TransactionCase):
def setUp(self):
super(TestExportSqlQuery, self).setUp()
query_vals = {
'name': 'test',
'query': "SELECT name, street FROM res_partner;"
}
self.sql_model = self.registry('sql.export')
self.query_id = self.sql_model.create(
self.cr,
self.uid,
query_vals)
self.sql_export_obj = self.env['sql.export']
self.wizard_obj = self.env['sql.file.wizard']
self.sql_report_demo = self.env.ref('sql_export.sql_export_partner')
def test_sql_query(self):
test = self.sql_model.export_sql_query(
self.cr, self.uid, [self.query_id])
self.registry('sql.file.wizard').export_sql(
self.cr, self.uid, test['res_id'])
wizard = self.registry('sql.file.wizard').browse(
self.cr, self.uid, test['res_id'])
wizard = self.wizard_obj.create({
'sql_export_id': self.sql_report_demo.id,
})
wizard.export_sql()
export = base64.b64decode(wizard.binary_file)
self.assertEqual(export.split(';')[0], 'name')
self.assertTrue(len(export.split(';')) > 6)
def test_prohibited_queries_creation(self):
def test_prohibited_queries(self):
prohibited_queries = [
"upDaTe res_partner SET name = 'test' WHERE id = 1",
"DELETE FROM sql_export WHERE name = 'test';",
@ -60,14 +52,22 @@ class TestExportSqlQuery(TransactionCase):
""",
]
for query in prohibited_queries:
with self.assertRaises(exceptions.ValidationError):
self.sql_model.create(
self.cr, self.uid,
{'name': 'test_prohibited',
'query': query})
ok_query = {
'name': 'test ok',
'query': "SELECT create_date FROM res_partner"
}
query_id = self.sql_model.create(self.cr, self.uid, ok_query)
self.assertIsNotNone(query_id)
with self.assertRaises(UserError):
sql_export = self.sql_export_obj.create({
'name': 'test_prohibited',
'query': query})
sql_export.button_clean_check_request()
def test_authorized_queries(self):
authorized_queries = [
"SELECT create_date FROM res_partner",
]
for query in authorized_queries:
sql_export = self.sql_export_obj.create({
'name': 'test_authorized',
'query': query})
sql_export.button_clean_check_request()
self.assertEqual(
sql_export.state, 'sql_valid',
"%s is a valid request" % (query))

54
sql_export/views/sql_export_view.xml
View File

@ -8,26 +8,40 @@
<field name="model">sql.export</field>
<field name="arch" type="xml">
<form string="SQL export">
<group col="2">
<group colspan="2" col="5">
<label for="name" colspan="1"/>
<field name="name" colspan="2" nolabel="1"/>
<button name="export_sql_query" string="Execute Query" type="object" class="oe_highlight" icon="gtk-execute" colspan="2"/>
<label for="query" colspan="1"/>
<field name="query" nolabel="1" colspan="4"/>
<label for="Copy Options" colspan="1"/>
<field name="copy_options" nolabel="1" colspan="4"/>
</group>
<group groups="sql_export.group_sql_request_editor" string="Parameters">
<field name="field_ids" nolabel="1"/>
</group>
<group colspan="2" col="2" groups="sql_export.group_sql_request_editor">
<separator string="Allowed Users" colspan="1"/>
<separator string="Allowed Users Groups" colspan="1"/>
<sheet>
<header>
<button name="button_clean_check_request" type="object" states="draft"
string="Clean and Check Request" class="oe_highlight"/>
<button name="button_set_draft" type="object" states="sql_valid"
string="Set to Draft" groups="sql_request_abstract.group_sql_request_manager"/>
<button name="export_sql_query" string="Execute Query" states="sql_valid" type="object" class="oe_highlight"
icon="gtk-execute"/>
<field name="state" widget="statusbar" />
</header>
<group>
<h1>
<field name="name" nolabel="1" placeholder="Request Name"/>
</h1>
</group>
<group name="option" groups="sql_request_abstract.group_sql_request_user">
<field name="copy_options"/>
</group>
<group name="request" string="SQL Request" groups="sql_request_abstract.group_sql_request_user">
<field name="query" nolabel="1" placeholder="select * from res_partner"/>
</group>
<group string="Parameters" groups="sql_request_abstract.group_sql_request_user">
<field name="field_ids" nolabel="1"/>
</group>
<group groups="sql_request_abstract.group_sql_request_manager">
<group string="Allowed Users">
<field name="user_ids" nolabel="1"/>
</group>
<group string="Allowed Groups">
<field name="group_ids" nolabel="1"/>
</group>
</group>
</sheet>
</form>
</field>
</record>
@ -36,9 +50,11 @@
<field name="name">Sql_export_tree_view</field>
<field name="model">sql.export</field>
<field name="arch" type="xml">
<tree string="SQL Export" colors="red:valid == False">
<tree string="SQL Export" colors="blue:state == 'draft'">
<field name="name"/>
<field name="valid" invisible="1"/>
<field name="state"/>
<button name="export_sql_query" string="Execute Query" states="sql_valid" type="object"
icon="gtk-execute"/>
</tree>
</field>
</record>
@ -84,7 +100,7 @@
<field name="domain">[('model','=','sql.file.wizard')]</field>
</record>
<menuitem id="sql_parameter_menu_view" name="Sql Export Variables" parent="sql_export_menu" action="sql_parameter_tree_action" sequence="5"/>
<menuitem id="sql_parameter_menu_view" name="Sql Export Variables" parent="sql_export_menu" action="sql_parameter_tree_action" sequence="5" groups="sql_request_abstract.group_sql_request_manager"/>
</data>

40
sql_export/wizard/wizard_file.py
View File

@ -18,14 +18,12 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
##############################################################################
from openerp import models, fields, api
from openerp.osv.orm import setup_modifiers
import StringIO
import base64
import datetime
from lxml import etree
from openerp import models, fields, api, osv
from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT
import uuid
class SqlFileWizard(models.TransientModel):
@ -34,7 +32,6 @@ class SqlFileWizard(models.TransientModel):
binary_file = fields.Binary('File', readonly=True)
file_name = fields.Char('File Name', readonly=True)
valid = fields.Boolean()
sql_export_id = fields.Many2one(comodel_name='sql.export', required=True)
@api.model
@ -58,7 +55,8 @@ class SqlFileWizard(models.TransientModel):
kwargs = {'name': "%s" % field.name}
toupdate_fields.append(field.name)
view_field = etree.SubElement(group, 'field', **kwargs)
setup_modifiers(view_field, self.fields_get(field.name))
osv.orm.setup_modifiers(
view_field, self.fields_get(field.name))
res['fields'].update(self.fields_get(toupdate_fields))
placeholder = eview.xpath(
@ -72,12 +70,13 @@ class SqlFileWizard(models.TransientModel):
def export_sql(self):
self.ensure_one()
sql_export = self.sql_export_id
# Manage Params
variable_dict = {}
today = datetime.datetime.now()
today_tz = fields.Datetime.context_timestamp(
sql_export, today)
date = today_tz.strftime(DEFAULT_SERVER_DATETIME_FORMAT)
output = StringIO.StringIO()
variable_dict = {}
if sql_export.field_ids:
for field in sql_export.field_ids:
variable_dict[field.name] = self[field.name]
@ -85,25 +84,16 @@ class SqlFileWizard(models.TransientModel):
variable_dict['company_id'] = self.env.user.company_id.id
if "%(user_id)s" in sql_export.query:
variable_dict['user_id'] = self._uid
format_query = self.env.cr.mogrify(
sql_export.query, variable_dict).decode('utf-8')
query = "COPY (" + format_query + ") TO STDOUT WITH " + \
sql_export.copy_options
name = 'export_query_%s' % uuid.uuid1().hex
self.env.cr.execute("SAVEPOINT %s" % name)
try:
self.env.cr.copy_expert(query, output)
output.getvalue()
new_output = base64.b64encode(output.getvalue())
output.close()
finally:
self.env.cr.execute("ROLLBACK TO SAVEPOINT %s" % name)
# Execute Request
res = sql_export._execute_sql_request(
params=variable_dict, mode='stdout',
copy_options=sql_export.copy_options)
self.write({
'binary_file': new_output,
'binary_file': res,
'file_name': sql_export.name + '_' + date + '.csv'
})
if not sql_export.valid:
sql_export.sudo().valid = True
return {
'view_type': 'form',
'view_mode': 'form',

2
sql_export/wizard/wizard_file_view.xml
View File

@ -7,11 +7,9 @@
<field name="model">sql.file.wizard</field>
<field name="arch" type="xml">
<form string="Csv File">
<separator string="Warning untested export" attrs="{'invisible': [('valid', '=', True)]}"/>
<separator string="variables_placeholder" colspan="4" invisible="1"/>
<separator string="Export file" colspan="4"
attrs="{'invisible': [('binary_file', '=', False)]}"/>
<field name="valid" invisible="1"/>
<field name="binary_file" filename="file_name"/>
<field name="file_name" invisible="1"/>
<footer>

93
sql_request_abstract/README.rst
View File

@ -0,0 +1,93 @@
.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
:alt: License: AGPL-3
=====================================
Abstract Model to manage SQL Requests
=====================================
This module provide an abstract model to manage SQL Select request on database.
It is not usefull for itself. You can see an exemple of implementation in the
'sql_export' module. (same repository).
Implemented features
--------------------
* Add some restrictions in the sql request:
* you can only read datas. No update, deletion or creation are possible.
* some tables are not allowed, because they could contains clear password
or keys. For the time being ('ir_config_parameter').
* The request can be in a 'draft' or a 'SQL Valid' status. To be valid,
the request has to be cleaned, checked and tested. All of this operations
can be disabled in the inherited modules.
* This module two new groups:
* SQL Request / User : Can see all the sql requests by default and execute
them, if they are valid.
* SQL Request / Manager : has full access on sql requests.
Usage
=====
Inherit the model:
from openerp import models
class MyModel(models.model)
_name = 'my.model'
_inherit = ['sql.request.mixin']
_sql_request_groups_relation = 'my_model_groups_rel'
_sql_request_users_relation = 'my_model_users_rel'
.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
:alt: Try me on Runbot
:target: https://runbot.odoo-community.org/runbot/149/9.0
Bug Tracker
===========
Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcomed feedback.
Credits
=======
Images
------
* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
Contributors
------------
* Florian da Costa <florian.dacosta@akretion.com>
* Sylvain LE GAL (https://twitter.com/legalsylvain)
Funders
-------
The development of this module has been financially supported by:
* Akretion (<http://www.akretion.com>)
* GRAP, Groupement Régional Alimentaire de Proximité (<http://www.grap.coop>)
Maintainer
----------
.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org
This module is maintained by the OCA.
OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.
To contribute to this module, please visit https://odoo-community.org.

3
sql_request_abstract/__init__.py
View File

@ -0,0 +1,3 @@
# -*- coding: utf-8 -*-
from . import models

23
sql_request_abstract/__openerp__.py
View File

@ -0,0 +1,23 @@
# -*- coding: utf-8 -*-
# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
{
'name': 'SQL Request Abstract',
'version': '9.0.1.0.0',
'author': 'GRAP,Akretion,Odoo Community Association (OCA)',
'website': 'https://www.odoo-community.org',
'license': 'AGPL-3',
'category': 'Tools',
'summary': 'Abstract Model to manage SQL Requests',
'depends': [
'base',
],
'data': [
'security/ir_module_category.xml',
'security/res_groups.xml',
'security/ir.model.access.csv',
],
'installable': True,
}

145
sql_request_abstract/i18n/fr.po
View File

@ -0,0 +1,145 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * sql_request_abstract
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 8.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2017-02-27 12:11+0000\n"
"PO-Revision-Date: 2017-02-27 12:11+0000\n"
"Last-Translator: <>\n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: \n"
#. module: sql_request_abstract
#: field:sql.request.mixin,group_ids:0
msgid "Allowed Groups"
msgstr "Groupes autorisés"
#. module: sql_request_abstract
#: field:sql.request.mixin,user_ids:0
msgid "Allowed Users"
msgstr "Utilisateurs Autorisés"
#. module: sql_request_abstract
#: field:sql.request.mixin,create_uid:0
msgid "Created by"
msgstr "Créé par"
#. module: sql_request_abstract
#: field:sql.request.mixin,create_date:0
msgid "Created on"
msgstr "Créé le"
#. module: sql_request_abstract
#: field:sql.request.mixin,display_name:0
msgid "Display Name"
msgstr "Nom affiché"
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "Draft"
msgstr "En brouillon"
#. module: sql_request_abstract
#: field:sql.request.mixin,id:0
msgid "ID"
msgstr "ID"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
#, python-format
msgid "It is not allowed to execute a not checked request."
msgstr "Il n'est pas autorisé d'exécuter une requête non vérifiée."
#. module: sql_request_abstract
#: field:sql.request.mixin,__last_update:0
msgid "Last Modified on"
msgstr "Dernière modification le"
#. module: sql_request_abstract
#: field:sql.request.mixin,write_uid:0
msgid "Last Updated by"
msgstr "Dernière mise à jour par"
#. module: sql_request_abstract
#: field:sql.request.mixin,write_date:0
msgid "Last Updated on"
msgstr "Dernière mise à jour le"
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_request_manager
msgid "Manager"
msgstr "Responsable"
#. module: sql_request_abstract
#: field:sql.request.mixin,name:0
msgid "Name"
msgstr "Nom"
#. module: sql_request_abstract
#: field:sql.request.mixin,query:0
msgid "Query"
msgstr "Requête"
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "SQL Valid"
msgstr "SQL Validé"
#. module: sql_request_abstract
#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
msgid "Sql Request"
msgstr "Request SQL"
#. module: sql_request_abstract
#: field:sql.request.mixin,state:0
msgid "State"
msgstr "Etat"
#. module: sql_request_abstract
#: help:sql.request.mixin,state:0
msgid "State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid"
msgstr "Etat de la requête:\n"
" * 'En brouillon': non testée\n"
" * 'SQL Validé': La requête SQL a été vérifiée et est valide"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
#, python-format
msgid "The SQL query is not valid:\n"
"\n"
" %s"
msgstr "La requête SQL n'est pas valide:\n"
"\n"
" %s"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
#, python-format
msgid "The query is not allowed because it contains unsafe word '%s'"
msgstr "La requête n'est pas autorisée car elle contient un terme non sécurisé '%s'"
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
#, python-format
msgid "Unimplemented mode : '%s'"
msgstr "Mode non implémenté : '%s'"
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_request_user
msgid "User"
msgstr "Utilisateur"
#. module: sql_request_abstract
#: help:sql.request.mixin,query:0
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"

140
sql_request_abstract/i18n/sql_export_abstract.pot
View File

@ -0,0 +1,140 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * sql_request_abstract
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 8.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2017-02-27 12:11+0000\n"
"PO-Revision-Date: 2017-02-27 12:11+0000\n"
"Last-Translator: <>\n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: \n"
#. module: sql_request_abstract
#: field:sql.request.mixin,group_ids:0
msgid "Allowed Groups"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,user_ids:0
msgid "Allowed Users"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,create_uid:0
msgid "Created by"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,create_date:0
msgid "Created on"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,display_name:0
msgid "Display Name"
msgstr ""
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "Draft"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,id:0
msgid "ID"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
#, python-format
msgid "It is not allowed to execute a not checked request."
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,__last_update:0
msgid "Last Modified on"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,write_uid:0
msgid "Last Updated by"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,write_date:0
msgid "Last Updated on"
msgstr ""
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_manager
msgid "Manager"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,name:0
msgid "Name"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,query:0
msgid "Query"
msgstr ""
#. module: sql_request_abstract
#: selection:sql.request.mixin,state:0
msgid "SQL Valid"
msgstr ""
#. module: sql_request_abstract
#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
msgid "Sql Request"
msgstr ""
#. module: sql_request_abstract
#: field:sql.request.mixin,state:0
msgid "State"
msgstr ""
#. module: sql_request_abstract
#: help:sql.request.mixin,state:0
msgid "State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
#, python-format
msgid "The SQL query is not valid:\n"
"\n"
" %s"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
#, python-format
msgid "The query is not allowed because it contains unsafe word '%s'"
msgstr ""
#. module: sql_request_abstract
#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
#, python-format
msgid "Unimplemented mode : '%s'"
msgstr ""
#. module: sql_request_abstract
#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_user
msgid "User"
msgstr ""
#. module: sql_request_abstract
#: help:sql.request.mixin,query:0
msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
msgstr ""

3
sql_request_abstract/models/__init__.py
View File

@ -0,0 +1,3 @@
# -*- coding: utf-8 -*-
from . import sql_request_mixin

255
sql_request_abstract/models/sql_request_mixin.py
View File

@ -0,0 +1,255 @@
# -*- coding: utf-8 -*-
# Copyright (C) 2015 Akretion (<http://www.akretion.com>)
# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
import re
import uuid
import StringIO
import base64
from psycopg2 import ProgrammingError
from openerp import _, api, fields, models
from openerp.exceptions import Warning as UserError
class SQLRequestMixin(models.Model):
_name = 'sql.request.mixin'
_clean_query_enabled = True
_check_prohibited_words_enabled = True
_check_execution_enabled = True
_sql_request_groups_relation = False
_sql_request_users_relation = False
STATE_SELECTION = [
('draft', 'Draft'),
('sql_valid', 'SQL Valid'),
]
PROHIBITED_WORDS = [
'delete',
'drop',
'insert',
'alter',
'truncate',
'execute',
'create',
'update',
'ir_config_parameter',
]
# Default Section
@api.model
def _default_group_ids(self):
ir_model_obj = self.env['ir.model.data']
return [ir_model_obj.xmlid_to_res_id(
'sql_request_abstract.group_sql_request_user')]
@api.model
def _default_user_ids(self):
return []
# Columns Section
name = fields.Char('Name', required=True)
query = fields.Text(
string='Query', required=True, help="You can't use the following words"
": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE")
state = fields.Selection(
string='State', selection=STATE_SELECTION, default='draft',
help="State of the Request:\n"
" * 'Draft': Not tested\n"
" * 'SQL Valid': SQL Request has been checked and is valid")
group_ids = fields.Many2many(
comodel_name='res.groups', string='Allowed Groups',
relation=_sql_request_groups_relation,
column1='sql_id', column2='group_id',
default=_default_group_ids)
user_ids = fields.Many2many(
comodel_name='res.users', string='Allowed Users',
relation=_sql_request_users_relation,
column1='sql_id', column2='user_id',
default=_default_user_ids)
# Action Section
@api.multi
def button_clean_check_request(self):
for item in self:
if item._clean_query_enabled:
item._clean_query()
if item._check_prohibited_words_enabled:
item._check_prohibited_words()
if item._check_execution_enabled:
item._check_execution()
item.state = 'sql_valid'
@api.multi
def button_set_draft(self):
self.write({'state': 'draft'})
# API Section
@api.multi
def _execute_sql_request(
self, params=None, mode='fetchall', rollback=True,
view_name=False, copy_options="CSV HEADER DELIMITER ';'"):
"""Execute a SQL request on the current database.
??? This function checks before if the user has the
right to execute the request.
:param params: (dict) of keys / values that will be replaced in
the sql query, before executing it.
:param mode: (str) result type expected. Available settings :
* 'view': create a view with the select query. Extra param
required 'view_name'.
* 'materialized_view': create a MATERIALIZED VIEW with the
select query. Extra parameter required 'view_name'.
* 'fetchall': execute the select request, and return the
result of 'cr.fetchall()'.
* 'fetchone' : execute the select request, and return the
result of 'cr.fetchone()'
:param rollback: (boolean) mention if a rollback should be played after
the execution of the query. Please keep this feature enabled
for security reason, except if necessary.
(Ignored if @mode in ('view', 'materialized_view'))
:param view_name: (str) name of the view.
(Ignored if @mode not in ('view', 'materialized_view'))
:param copy_options: (str) mentions extra options for
"COPY request STDOUT WITH xxx" request.
(Ignored if @mode != 'stdout')
..note:: The following exceptions could be raised:
psycopg2.ProgrammingError: Error in the SQL Request.
openerp.exceptions.Warning:
* 'mode' is not implemented.
* materialized view is not supported by the Postgresql Server.
"""
self.ensure_one()
res = False
# Check if the request is in a valid state
if self.state == 'draft':
raise UserError(_(
"It is not allowed to execute a not checked request."))
# Disable rollback if a creation of a view is asked
if mode in ('view', 'materialized_view'):
rollback = False
params = params and params or {}
query = self.env.cr.mogrify(self.query, params).decode('utf-8')
if mode in ('fetchone', 'fetchall'):
pass
elif mode == 'stdout':
query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options)
elif mode in 'view':
query = "CREATE VIEW %s AS (%s);" % (query, view_name)
elif mode in 'materialized_view':
self._check_materialized_view_available()
query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name)
else:
raise UserError(_("Unimplemented mode : '%s'" % mode))
if rollback:
rollback_name = self._create_savepoint()
try:
if mode == 'stdout':
output = StringIO.StringIO()
self.env.cr.copy_expert(query, output)
output.getvalue()
res = base64.b64encode(output.getvalue())
output.close()
else:
self.env.cr.execute(query)
if mode == 'fetchall':
res = self.env.cr.fetchall()
elif mode == 'fetchone':
res = self.env.cr.fetchone()
finally:
self._rollback_savepoint(rollback_name)
return res
# Private Section
@api.model
def _create_savepoint(self):
rollback_name = '%s_%s' % (
self._name.replace('.', '_'), uuid.uuid1().hex)
req = "SAVEPOINT %s" % (rollback_name)
self.env.cr.execute(req)
return rollback_name
@api.model
def _rollback_savepoint(self, rollback_name):
req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name)
self.env.cr.execute(req)
@api.model
def _check_materialized_view_available(self):
self.env.cr.execute("SHOW server_version;")
res = self.env.cr.fetchone()[0].split('.')
minor_version = float('.'.join(res[:2]))
return minor_version >= 9.3
@api.multi
def _clean_query(self):
self.ensure_one()
query = self.query.strip()
while query[-1] == ';':
query = query[:-1]
self.query = query
@api.multi
def _check_prohibited_words(self):
"""Check if the query contains prohibited words, to avoid maliscious
SQL requests"""
self.ensure_one()
query = self.query.lower()
for word in self.PROHIBITED_WORDS:
expr = r'\b%s\b' % word
is_not_safe = re.search(expr, query)
if is_not_safe:
raise UserError(_(
"The query is not allowed because it contains unsafe word"
" '%s'") % (word))
@api.multi
def _check_execution(self):
"""Ensure that the query is valid, trying to execute it. A rollback
is done after."""
self.ensure_one()
query = self._prepare_request_check_execution()
rollback_name = self._create_savepoint()
res = False
try:
self.env.cr.execute(query)
res = self._hook_executed_request()
except ProgrammingError as e:
raise UserError(
_("The SQL query is not valid:\n\n %s") % e.message)
finally:
self._rollback_savepoint(rollback_name)
return res
@api.multi
def _prepare_request_check_execution(self):
"""Overload me to replace some part of the query, if it contains
parameters"""
self.ensure_one()
return self.query
def _hook_executed_request(self):
"""Overload me to insert custom code, when the SQL request has
been executed, before the rollback.
"""
self.ensure_one()
return False

4
sql_request_abstract/security/ir.model.access.csv
View File

@ -0,0 +1,4 @@
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_sql_request_mixin_all,access_sql_request_mixin_all,model_sql_request_mixin,,0,0,0,0
access_sql_request_mixin_user,access_sql_request_mixin_user,model_sql_request_mixin,sql_request_abstract.group_sql_request_user,1,0,0,0
access_sql_request_mixin_manager,access_sql_request_mixin_manager,model_sql_request_mixin,sql_request_abstract.group_sql_request_manager,1,1,1,1

9
sql_request_abstract/security/ir_module_category.xml
View File

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<openerp><data>
<record model="ir.module.category" id="category_sql_abstract">
<field name="name">Sql Request</field>
</record>
</data></openerp>

23
sql_request_abstract/security/res_groups.xml
View File

@ -0,0 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
@author Sylvain LE GAL (https://twitter.com/legalsylvain)
License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
-->
<openerp><data>
<record model="res.groups" id="group_sql_request_user">
<field name="name">User</field>
<field name="category_id" ref="category_sql_abstract" />
</record>
<record model="res.groups" id="group_sql_request_manager">
<field name="name">Manager</field>
<field name="category_id" ref="category_sql_abstract" />
<field name="users" eval="[(4, ref('base.user_root'))]"/>
<field name="implied_ids" eval="[(4, ref('group_sql_request_user'))]" />
</record>
</data></openerp>

BIN
sql_request_abstract/static/description/icon.png
View File

Side by Side

After

Width: 128  |  Height: 128  |  Size: 9.2 KiB

Write Preview
Loading…
Cancel
Save