[FIX][IMP] SQL-Injection ,minor improvement.
bzr revid: vra@tinyerp.com-20100618140537-mjbviu7sxxwn83x8
This commit is contained in:
parent
e0d94956c1
commit
1cf10a7daa
|
@ -840,7 +840,7 @@ def load_modules(db, force_demo=False, status=None, update_module=False):
|
|||
has_updates = has_updates or r
|
||||
|
||||
if has_updates:
|
||||
cr.execute("""select model,name from ir_model where id not in (select model_id from ir_model_access)""")
|
||||
cr.execute("""select model,name from ir_model where id NOT IN (select model_id from ir_model_access)""")
|
||||
for (model, name) in cr.fetchall():
|
||||
logger.notifyChannel('init', netsvc.LOG_WARNING, 'object %s (%s) has no access rules!' % (model, name))
|
||||
|
||||
|
|
|
@ -160,7 +160,7 @@ class act_window(osv.osv):
|
|||
]
|
||||
|
||||
def get_filters(self, cr, uid, model):
|
||||
cr.execute('SELECT id FROM ir_act_window a WHERE a.id not IN (SELECT act_id FROM ir_act_window_user_rel) AND a.res_model=\''+model+'\' and a.filter=\'1\';')
|
||||
cr.execute('SELECT id FROM ir_act_window a WHERE a.id NOT IN (SELECT act_id FROM ir_act_window_user_rel) AND a.res_model=\''+model+'\' and a.filter=\'1\';')
|
||||
all_ids = cr.fetchall()
|
||||
filter_ids = map(lambda x:x[0],all_ids)
|
||||
act_ids = self.search(cr,uid,[('res_model','=',model),('filter','=',1),('default_user_ids','in',(','.join(map(str,[uid,])),))])
|
||||
|
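Review bot: The new query on the `a.res_model` line still splices `model` into the SQL text by string concatenation, so under a commit titled SQL-Injection this hunk changes only the keyword case and leaves the unparameterised value in place. If `model` can originate outside the server (get_filters's callers are not visible from here), it should be bound the way the other hunks of this commit do: `cr.execute('SELECT id FROM ir_act_window a WHERE a.id NOT IN (SELECT act_id FROM ir_act_window_user_rel) AND a.res_model=%s AND a.filter=\'1\'', (model,))`. Even if every caller passes a trusted model name today, binding it costs nothing and removes the quoting hazard for a name containing a single quote. The body of get_filters continues past the end of the hunk.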
@ -380,7 +380,7 @@ class actions_server(osv.osv):
|
|||
def _select_signals(self, cr, uid, context={}):
|
||||
cr.execute("SELECT distinct w.osv, t.signal FROM wkf w, wkf_activity a, wkf_transition t \
|
||||
WHERE w.id = a.wkf_id AND t.act_from = a.id OR t.act_to = a.id AND t.signal!='' \
|
||||
AND t.signal not IN (null, NULL)")
|
||||
AND t.signal NOT IN (null, NULL)")
|
||||
result = cr.fetchall() or []
|
||||
res = []
|
||||
for rs in result:
|
||||
|
|
|
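Review bot: The `t.signal NOT IN (null, NULL)` predicate on the changed line can never be satisfied: a comparison with NULL yields unknown, so `NOT IN (NULL, NULL)` is unknown for every row and the branch it belongs to never selects anything. Together with the unparenthesised `AND ... OR ... AND` on the line above (AND binds tighter than OR), the WHERE clause reduces to `w.id = a.wkf_id AND t.act_from = a.id`, so neither the empty-signal filter nor the `act_to` branch has any effect. If the intent is transitions in either direction with a non-empty signal, the clause should read `WHERE w.id = a.wkf_id AND (t.act_from = a.id OR t.act_to = a.id) AND t.signal IS NOT NULL AND t.signal != ''`. The `context={}` default on `_select_signals` is a shared mutable default and should be `context=None`. The method body continues past the hunk.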
@ -314,7 +314,7 @@ class ir_model_access(osv.osv):
|
|||
if not grouparr:
|
||||
return False
|
||||
|
||||
cr.execute("select 1 from res_groups_users_rel where uid=%s and gid in(select res_id from ir_model_data where module=%s and name=%s)", (uid, grouparr[0], grouparr[1],))
|
||||
cr.execute("select 1 from res_groups_users_rel where uid=%s and gid IN (select res_id from ir_model_data where module=%s and name=%s)", (uid, grouparr[0], grouparr[1],))
|
||||
return bool(cr.fetchone())
|
||||
|
||||
def check_group(self, cr, uid, model, mode, group_ids):
|
||||
|
|
|
@ -107,8 +107,8 @@ class ir_translation(osv.osv):
|
|||
'where lang=%s ' \
|
||||
'and type=%s ' \
|
||||
'and name=%s ' \
|
||||
'and res_id IN ('+','.join(map(str, ids))+')',
|
||||
(lang,tt,name))
|
||||
'and res_id IN %s',
|
||||
(lang,tt,name,tuple(ids),))
|
||||
cr.commit()
|
||||
for id in ids:
|
||||
self.create(cr, uid, {
|
||||
|
|
|
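Review bot: With the new `res_id IN %s` form, an empty `ids` becomes `tuple(ids) == ()`, which psycopg2 renders as `IN ()`, a syntax error in PostgreSQL; the old `','.join` produced the same invalid text, so this is not a regression, but the bound form does not guard it either. Unless every caller guarantees a non-empty `ids` (the statement's opening and the method signature are above the hunk, so I cannot confirm), either return early on `if not ids:` or iterate `cr.split_for_in_conditions(ids)` as the orm hunks of this same commit do, which also keeps very long id lists to a sane statement size. The `cr.commit()` right after the statement is context, but committing inside an ORM method means a later failure in the same request cannot roll this statement back; worth confirming it is deliberate.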
@ -77,7 +77,7 @@ class res_config_configurable(osv.osv_memory):
|
|||
todo_obj = todos.browse(cr, uid, active_todos[0], context=None)
|
||||
todo_groups = map(lambda x:x.id, todo_obj.groups_id)
|
||||
if todo_groups:
|
||||
cr.execute("select 1 from res_groups_users_rel where uid=%s and gid=ANY(%s)",(uid, todo_groups,))
|
||||
cr.execute("select 1 from res_groups_users_rel where uid=%s and gid IN %s",(uid, tuple(todo_groups),))
|
||||
dont_skip_todo = bool(cr.fetchone())
|
||||
if dont_skip_todo:
|
||||
return todos.browse(cr, uid, active_todos[0], context=None)
|
||||
|
|
|
@ -2928,7 +2928,7 @@ class orm(orm_template):
|
|||
for group in groups:
|
||||
module = group.split(".")[0]
|
||||
grp = group.split(".")[1]
|
||||
cr.execute("select count(*) from res_groups_users_rel where gid in (select res_id from ir_model_data where name=%s and module=%s and model=%s) and uid=%s" \
|
||||
cr.execute("select count(*) from res_groups_users_rel where gid IN (select res_id from ir_model_data where name=%s and module=%s and model=%s) and uid=%s" \
|
||||
(grp, module, 'res.groups', user))
|
||||
readonly = cr.fetchall()
|
||||
if readonly[0][0] >= 1:
|
||||
|
@ -3070,7 +3070,7 @@ class orm(orm_template):
|
|||
self.check_access_rule(cr, uid, ids, 'unlink', context=context)
|
||||
for sub_ids in cr.split_for_in_conditions(ids):
|
||||
cr.execute('delete from ' + self._table + ' ' \
|
||||
'where id in %s', (sub_ids,))
|
||||
'where id IN %s', (sub_ids,))
|
||||
for order, object, store_ids, fields in result_store:
|
||||
if object != self._name:
|
||||
obj = self.pool.get(object)
|
||||
|
@ -3230,7 +3230,7 @@ class orm(orm_template):
|
|||
self.check_access_rule(cr, user, ids, 'write', context=context)
|
||||
for sub_ids in cr.split_for_in_conditions(ids):
|
||||
cr.execute('update ' + self._table + ' set ' + ','.join(upd0) + ' ' \
|
||||
'where id in %s', upd1 + [sub_ids])
|
||||
'where id IN %s', upd1 + [sub_ids])
|
||||
|
||||
if totranslate:
|
||||
# TODO: optimize
|
||||
|
@ -3603,7 +3603,7 @@ class orm(orm_template):
|
|||
field_flag = False
|
||||
field_dict = {}
|
||||
if self._log_access:
|
||||
cr.execute('select id,write_date from '+self._table+' where id IN ('+','.join(map(str, ids))+')')
|
||||
cr.execute('select id,write_date from '+self._table+' where id IN %s',(tuple(ids),))
|
||||
res = cr.fetchall()
|
||||
for r in res:
|
||||
if r[1]:
|
||||
|
|
|
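Review bot: The new `where id IN %s` with `(tuple(ids),)` is the right direction but disagrees with the unlink and write hunks of this same commit, which pass the ids through `cr.split_for_in_conditions(ids)` before binding; here a very long `ids` list is bound as a single tuple, and an empty one yields `IN ()`, which PostgreSQL rejects. Using the same helper makes the three sites agree and, assuming the helper skips an empty list as its name suggests (confirm in sql_db), covers the empty case too, at the cost of collecting rows across chunks. The enclosing method starts and ends outside the hunk.
```python
if self._log_access:
    res = []
    for sub_ids in cr.split_for_in_conditions(ids):
        cr.execute('select id,write_date from '+self._table+' where id IN %s', (sub_ids,))
        res.extend(cr.fetchall())
    # … unchanged: loop over res filling field_dict …
```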
@ -33,7 +33,7 @@ Font_size= 10.0
|
|||
def verbose(text):
|
||||
sys.stderr.write(text+"\n");
|
||||
|
||||
class textbox():
|
||||
class textbox(object):
|
||||
"""A box containing plain text.
|
||||
It can have an offset, in chars.
|
||||
Lines can be either text strings, or textbox'es, recursively.
|
||||
|
|
|
@ -116,7 +116,7 @@ registered_reports = cr.fetchall()
|
|||
reg_reports_ids = ','.join([str(id) for (id,) in registered_reports])
|
||||
|
||||
for report in reports_wh_duplicates:
|
||||
cr.execute("select id from ir_act_report_xml where model=%s and report_name=%s and id not IN ("+reg_reports_ids+")", (report['model'], report['report_name']))
|
||||
cr.execute("select id from ir_act_report_xml where model=%s and report_name=%s and id NOT IN ("+reg_reports_ids+")", (report['model'], report['report_name']))
|
||||
(id,) = cr.fetchone()
|
||||
cr.execute("delete from ir_act_report_xml where id=%d", (id,))
|
||||
cr.execute("delete from ir_values where value='ir.actions.report.xml,%d'", (id,))
|
||||
|
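Review bot: `reg_reports_ids` is still spliced into the query as text on the changed line; its values are integers read from the database, so this is not an injection path, but when `registered_reports` is empty the join yields `id NOT IN ()`, which PostgreSQL rejects as a syntax error, and `(id,) = cr.fetchone()` on the next line raises TypeError when no duplicate row exists. Binding the ids as a list parameter (`id <> ALL(%s)`, which psycopg2 adapts to an array and which stays valid for an empty list) and checking the fetched row fixes both. The `%d` placeholders in the two delete statements are also worth checking: psycopg2 documents only `%s`, and current versions reject `%d` with a ValueError — confirm against the driver version in use.
```python
registered_ids = [rid for (rid,) in registered_reports]
for report in reports_wh_duplicates:
    cr.execute("select id from ir_act_report_xml where model=%s and report_name=%s and id <> ALL(%s)", (report['model'], report['report_name'], registered_ids))
    row = cr.fetchone()
    if not row:
        continue
    cr.execute("delete from ir_act_report_xml where id=%s", (row[0],))
    cr.execute("delete from ir_values where value=%s", ('ir.actions.report.xml,%d' % row[0],))
```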
@ -129,7 +129,7 @@ cr.commit()
|
|||
|
||||
# this removes all transitions which are not registered in ir_model_data
|
||||
|
||||
cr.execute("delete from wkf_transition where id not in (select res_id from ir_model_data where model='workflow.transition')")
|
||||
cr.execute("delete from wkf_transition where id NOT IN (select res_id from ir_model_data where model='workflow.transition')")
|
||||
cr.commit()
|
||||
|
||||
# -------------------------------- #
|
||||
|
|
|
@ -70,7 +70,7 @@ cr = db.cursor()
|
|||
# remove old menu #
|
||||
# --------------- #
|
||||
|
||||
cr.execute("delete from ir_ui_menu where (id not in (select parent_id from ir_ui_menu where parent_id is not null)) and (id not in (select res_id from ir_values where model='ir.ui.menu'))")
|
||||
cr.execute("delete from ir_ui_menu where (id NOT IN (select parent_id from ir_ui_menu where parent_id is not null)) and (id not in (select res_id from ir_values where model='ir.ui.menu'))")
|
||||
cr.commit()
|
||||
|
||||
# --------------- #
|
||||
|
|
|
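Review bot: The changed line upper-cases only the first `not in` and leaves the second `id not in (select res_id from ir_values ...` as it was, so the single statement now mixes both spellings while the two menu-cleanup hunks that follow in this commit capitalise both. For consistency with those: `cr.execute("delete from ir_ui_menu where (id NOT IN (select parent_id from ir_ui_menu where parent_id is not null)) and (id NOT IN (select res_id from ir_values where model='ir.ui.menu'))")`.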
@ -78,10 +78,10 @@ cr.commit()
|
|||
# --------------- #
|
||||
|
||||
while True:
|
||||
cr.execute("select id from ir_ui_menu where (id not IN (select parent_id from ir_ui_menu where parent_id is not null)) and (id not IN (select res_id from ir_values where model='ir.ui.menu'))")
|
||||
cr.execute("select id from ir_ui_menu where (id NOT IN (select parent_id from ir_ui_menu where parent_id is not null)) and (id NOT IN (select res_id from ir_values where model='ir.ui.menu'))")
|
||||
if not cr.rowcount:
|
||||
break
|
||||
cr.execute("delete from ir_ui_menu where (id not IN (select parent_id from ir_ui_menu where parent_id is not null)) and (id not IN (select res_id from ir_values where model='ir.ui.menu'))")
|
||||
cr.execute("delete from ir_ui_menu where (id NOT IN (select parent_id from ir_ui_menu where parent_id is not null)) and (id NOT IN (select res_id from ir_values where model='ir.ui.menu'))")
|
||||
cr.commit()
|
||||
|
||||
# ----------------------------------------- #
|
||||
|
|
|
@ -102,10 +102,10 @@ if not cr.rowcount:
|
|||
# --------------- #
|
||||
|
||||
while True:
|
||||
cr.execute("select id from ir_ui_menu where id not IN (select parent_id from ir_ui_menu where parent_id is not null) and id not IN (select res_id from ir_model_data where model='ir.ui.menu')")
|
||||
cr.execute("select id from ir_ui_menu where id NOT IN (select parent_id from ir_ui_menu where parent_id is not null) and id NOT IN (select res_id from ir_model_data where model='ir.ui.menu')")
|
||||
if not cr.rowcount:
|
||||
break
|
||||
cr.execute("delete from ir_ui_menu where id not IN (select parent_id from ir_ui_menu where parent_id is not null) and id not IN (select res_id from ir_model_data where model='ir.ui.menu')")
|
||||
cr.execute("delete from ir_ui_menu where id NOT IN (select parent_id from ir_ui_menu where parent_id is not null) and id NOT IN (select res_id from ir_model_data where model='ir.ui.menu')")
|
||||
cr.commit()
|
||||
|
||||
# ----------------------------------------------------- #
|
||||
|
|
|
@ -79,7 +79,7 @@ for c in res:
|
|||
res2 = cr.fetchone()
|
||||
cr.execute('SELECT id from res_country where code = %s', (c[0],))
|
||||
ids = ','.join(map(lambda x: str(x[0]), cr.fetchall()))
|
||||
cr.execute('UPDATE res_partner_address set country_id = %d where country_id in ('+ids+')', (res2[0],))
|
||||
cr.execute('UPDATE res_partner_address set country_id = %d where country_id IN ('+ids+')', (res2[0],))
|
||||
cr.execute('DELETE FROM res_country WHERE code = %s and id <> %d', (c[0], res2[0],))
|
||||
cr.commit()
|
||||
|
||||
|
|
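Review bot: The changed line still builds `country_id IN ('+ids+')` from a joined string, the very pattern the rest of this commit replaces with a bound tuple; the ids are integers read back from res_country, so it is not an injection path, but it is inconsistent and keeps the empty-list `IN ()` syntax error reachable should the SELECT return no rows. Binding them as the commit does elsewhere would be `ids = tuple(x[0] for x in cr.fetchall())` followed by `cr.execute('UPDATE res_partner_address set country_id = %s where country_id IN %s', (res2[0], ids))`. The `%d` placeholders on this line and on the DELETE below it are also suspect: psycopg2 documents only `%s`, and current versions reject `%d` — confirm against the driver in use. `res2` from the `fetchone()` at the top of the hunk is used without a None check, and the loop body starts above the hunk.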