From 200a80375f1213ec1e1899cf684fa6f85fb2dcc7 Mon Sep 17 00:00:00 2001
From: "robin.keunen"
Date: Mon, 25 May 2020 17:51:44 +0200
Subject: [PATCH] [IMP] partner_age: justify pylint: disable=sql-injection
---
 partner_age/models/partner.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/partner_age/models/partner.py b/partner_age/models/partner.py
index babe892..9b8197f 100644
--- a/partner_age/models/partner.py
+++ b/partner_age/models/partner.py
@@ -19,14 +19,14 @@ class ResPartner(models.Model):
 if operator not in ("=", "!=", "<", "<=", ">", ">=", "in", "not in"):
 return []
 # pylint: disable=sql-injection
- # fixme while you're here, please fix the query to pass
- # pylint sql-injection
- query = """SELECT id
- FROM "%s"
- WHERE extract(year from age(CURRENT_DATE,
- birthdate_date)) %s %%s""" % (
- self._table,
- operator,
+ # the value of operator is checked, no risk of injection
+ query = """
+ SELECT id
+ FROM res_partner
+ WHERE extract(year from age(CURRENT_DATE, birthdate_date))
+ {operator} %s
+ """.format(
+ operator=operator
 )
 self.env.cr.execute(query, (value,))
 ids = [t[0] for t in self.env.cr.fetchall()]
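Review bot: The standalone `# pylint: disable=sql-injection` line kept above the new comment switches the check off for the rest of the enclosing block, not only for this query, so a string-built query added later in the method would go unreported. Scoping it to the one statement keeps the justification honest, e.g. `self.env.cr.execute(query, (value,))  # pylint: disable=sql-injection` (assuming the checker reports on the execute call; otherwise follow the call with `# pylint: enable=sql-injection`). The safety argument holds only while the allowlist test directly precedes `.format(operator=operator)`, so the comment should say that explicitly, for example `# operator is restricted to the allowlist checked above; value is passed as a bound parameter`. Separately, for `in`/`not in` a list `value` is adapted by psycopg2 as an array rather than a parenthesised list, so the call may need `tuple(value)` for those operators. The method starts and ends outside the hunk.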