odoo
/
odoo
2
0
Fork 0
Code Pull Requests Releases Activity

[FIX] orm.read_group: prepend fields with table names to avoid collisions in SQL queries 

lp bug: https://launchpad.net/bugs/703105 fixed

bzr revid: odo@openerp.com-20110115013109-q1ekx17docisqhd0
This commit is contained in:
Olivier Dony 2011-01-15 02:31:09 +01:00
parent 570d35e824
commit 697eea26e4
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
bin/osv/orm.py
View File

@ -2134,10 +2134,11 @@ class orm(orm_template):
# Take care of adding join(s) if groupby is an '_inherits'ed field # Take care of adding join(s) if groupby is an '_inherits'ed field
groupby_list = groupby groupby_list = groupby
qualified_groupby_field = groupby
if groupby: if groupby:
if isinstance(groupby, list): if isinstance(groupby, list):
groupby = groupby[0] groupby = groupby[0]
self._inherits_join_calc(groupby, query) qualified_groupby_field = self._inherits_join_calc(groupby, query)
if groupby: if groupby:
assert not groupby or groupby in fields, "Fields in 'groupby' must appear in the list of fields to read (perhaps it's missing in the list view?)" assert not groupby or groupby in fields, "Fields in 'groupby' must appear in the list of fields to read (perhaps it's missing in the list view?)"
@ -2151,10 +2152,10 @@ class orm(orm_template):
if groupby: if groupby:
if fget.get(groupby): if fget.get(groupby):
if fget[groupby]['type'] in ('date', 'datetime'): if fget[groupby]['type'] in ('date', 'datetime'):
flist = "to_char(%s,'yyyy-mm') as %s " % (groupby, groupby) flist = "to_char(%s,'yyyy-mm') as %s " % (qualified_groupby_field, groupby)
groupby = "to_char(%s,'yyyy-mm')" % (groupby) groupby = "to_char(%s,'yyyy-mm')" % (qualified_groupby_field)
else: else:
flist = groupby flist = qualified_groupby_field
else: else:
# Don't allow arbitrary values, as this would be a SQL injection vector! # Don't allow arbitrary values, as this would be a SQL injection vector!
raise except_orm(_('Invalid group_by'), raise except_orm(_('Invalid group_by'),
@ -2168,10 +2169,11 @@ class orm(orm_template):
if f not in ['id', 'sequence']: if f not in ['id', 'sequence']:
group_operator = fget[f].get('group_operator', 'sum') group_operator = fget[f].get('group_operator', 'sum')
if flist: if flist:
flist += ',' flist += ', '
flist += group_operator+'('+f+') as '+f qualified_field = '"%s"."%s"' % (self._table, f)
flist += "%s(%s) AS %s" % (group_operator, qualified_field, f)
gb = groupby and (' GROUP BY '+groupby) or '' gb = groupby and (' GROUP BY ' + qualified_groupby_field) or ''
from_clause, where_clause, where_clause_params = query.get_sql() from_clause, where_clause, where_clause_params = query.get_sql()
where_clause = where_clause and ' WHERE ' + where_clause where_clause = where_clause and ' WHERE ' + where_clause