diff --git a/addons/account/account.py b/addons/account/account.py index bebcfc0383a..ac58a16cb90 100644 --- a/addons/account/account.py +++ b/addons/account/account.py @@ -31,6 +31,7 @@ from openerp import tools from openerp.osv import fields, osv, expression from openerp.tools.translate import _ from openerp.tools.float_utils import float_round as round +from openerp.tools.safe_eval import safe_eval as eval import openerp.addons.decimal_precision as dp @@ -2029,7 +2030,7 @@ class account_tax(osv.osv): for tax in taxes: if tax.applicable_type=='code': localdict = {'price_unit':price_unit, 'product':product, 'partner':partner} - exec tax.python_applicable in localdict + eval(tax.python_applicable, localdict, mode="exec", nocopy=True) if localdict.get('result', False): res.append(tax) else: @@ -2070,7 +2071,7 @@ class account_tax(osv.osv): # data['amount'] = quantity elif tax.type=='code': localdict = {'price_unit':cur_price_unit, 'product':product, 'partner':partner} - exec tax.python_compute in localdict + eval(tax.python_compute, localdict, mode="exec", nocopy=True) amount = localdict['result'] data['amount'] = amount elif tax.type=='balance': @@ -2206,7 +2207,7 @@ class account_tax(osv.osv): elif tax.type=='code': localdict = {'price_unit':cur_price_unit, 'product':product, 'partner':partner} - exec tax.python_compute_inv in localdict + eval(tax.python_compute_inv, localdict, mode="exec", nocopy=True) amount = localdict['result'] elif tax.type=='balance': amount = cur_price_unit - reduce(lambda x,y: y.get('amount',0.0)+x, res, 0.0) diff --git a/addons/account/account_move_line.py b/addons/account/account_move_line.py index 32141e9f554..af6ad48a747 100644 --- a/addons/account/account_move_line.py +++ b/addons/account/account_move_line.py 
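Review bot: Importing `safe_eval` under the name `eval` shadows the builtin for the whole module, so nothing at a call site shows that the call is sandboxed, and a later removal of this import would silently return every call to the unrestricted builtin. `from openerp.tools.safe_eval import safe_eval` with explicit `safe_eval(...)` calls, as the share_wizard.py hunk of this same commit does, keeps the intent visible and turns that regression into a `NameError`. The same aliased import is added in account_invoice_refund.py, account_test_report.py, anonymization.py, base_action_rule.py, delivery.py, l10n_fr/report/base_report.py, mail_alias.py, process.py, purchase.py, web_diagram/controllers/main.py and report_sxw.py. For most of those files the `eval` call sites are outside the diff, so the effect on them cannot be checked from here.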
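Review bot: `safe_eval` narrows the builtins and opcodes available to the tax code, but `product` and `partner` are still handed to it as live objects in `localdict`, so whatever those objects expose stays reachable from `python_applicable`, `python_compute` and `python_compute_inv`. Write access to these three fields should stay limited to trusted accounting administrators, and a comment such as `# tax code is admin-supplied; objects in localdict are not sandboxed` at each call would record that assumption. The two compute branches also read `localdict['result']` directly, so tax code that never assigns `result` ends in a bare `KeyError`; raising an `osv.except_osv` that names the tax would be clearer. The report_assert_account hunk in account_test_report.py runs `code_exec` the same way, with most of its `localdict` outside the hunk. The enclosing methods start and end outside these hunks.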
@@ -45,68 +45,77 @@ class account_move_line(osv.osv): context = {} initial_bal = context.get('initial_bal', False) company_clause = " " - if context.get('company_id', False): - company_clause = " AND " +obj+".company_id = %s" % context.get('company_id', False) - if not context.get('fiscalyear', False): - if context.get('all_fiscalyear', False): + query = '' + query_params = {} + if context.get('company_id'): + company_clause = " AND " +obj+".company_id = %(company_id)s" + query_params['company_id'] = context['company_id'] + if not context.get('fiscalyear'): + if context.get('all_fiscalyear'): #this option is needed by the aged balance report because otherwise, if we search only the draft ones, an open invoice of a closed fiscalyear won't be displayed fiscalyear_ids = fiscalyear_obj.search(cr, uid, []) else: fiscalyear_ids = fiscalyear_obj.search(cr, uid, [('state', '=', 'draft')]) else: #for initial balance as well as for normal query, we check only the selected FY because the best practice is to generate the FY opening entries - fiscalyear_ids = [context['fiscalyear']] + fiscalyear_ids = context['fiscalyear'] + if isinstance(context['fiscalyear'], (int, long)): + fiscalyear_ids = [fiscalyear_ids] - fiscalyear_clause = (','.join([str(x) for x in fiscalyear_ids])) or '0' + query_params['fiscalyear_ids'] = tuple(fiscalyear_ids) or (0,) state = context.get('state', False) where_move_state = '' where_move_lines_by_date = '' - if context.get('date_from', False) and context.get('date_to', False): + if context.get('date_from') and context.get('date_to'): + query_params['date_from'] = context['date_from'] + query_params['date_to'] = context['date_to'] if initial_bal: - where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id FROM account_move WHERE date < '" +context['date_from']+"')" + where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id FROM account_move WHERE date < %(date_from)s)" else: - where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id 
FROM account_move WHERE date >= '" +context['date_from']+"' AND date <= '"+context['date_to']+"')" + where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id FROM account_move WHERE date >= %(date_from)s AND date <= %(date_to)s)" if state: if state.lower() not in ['all']: - where_move_state= " AND "+obj+".move_id IN (SELECT id FROM account_move WHERE account_move.state = '"+state+"')" - if context.get('period_from', False) and context.get('period_to', False) and not context.get('periods', False): + query_params['state'] = state + where_move_state= " AND "+obj+".move_id IN (SELECT id FROM account_move WHERE account_move.state = %(state)s)" + if context.get('period_from') and context.get('period_to') and not context.get('periods'): if initial_bal: period_company_id = fiscalperiod_obj.browse(cr, uid, context['period_from'], context=context).company_id.id first_period = fiscalperiod_obj.search(cr, uid, [('company_id', '=', period_company_id)], order='date_start', limit=1)[0] context['periods'] = fiscalperiod_obj.build_ctx_periods(cr, uid, first_period, context['period_from']) else: context['periods'] = fiscalperiod_obj.build_ctx_periods(cr, uid, context['period_from'], context['period_to']) - if context.get('periods', False): + if context.get('periods'): + query_params['period_ids'] = tuple(context['periods']) if initial_bal: - query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s)) %s %s" % (fiscalyear_clause, where_move_state, where_move_lines_by_date) + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s)" + where_move_state + where_move_lines_by_date period_ids = fiscalperiod_obj.search(cr, uid, [('id', 'in', context['periods'])], order='date_start', limit=1) if period_ids and period_ids[0]: first_period = fiscalperiod_obj.browse(cr, uid, period_ids[0], context=context) - ids = ','.join([str(x) for x in context['periods']]) 
- query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s) AND date_start <= '%s' AND id NOT IN (%s)) %s %s" % (fiscalyear_clause, first_period.date_start, ids, where_move_state, where_move_lines_by_date) + query_params['date_start'] = first_period.date_start + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s AND date_start <= %(date_start)s AND id NOT IN %(period_ids)s)" + where_move_state + where_move_lines_by_date else: - ids = ','.join([str(x) for x in context['periods']]) - query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s) AND id IN (%s)) %s %s" % (fiscalyear_clause, ids, where_move_state, where_move_lines_by_date) + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s AND id IN %(period_ids)s)" + where_move_state + where_move_lines_by_date else: - query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s)) %s %s" % (fiscalyear_clause, where_move_state, where_move_lines_by_date) + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s)" + where_move_state + where_move_lines_by_date - if initial_bal and not context.get('periods', False) and not where_move_lines_by_date: + if initial_bal and not context.get('periods') and not where_move_lines_by_date: #we didn't pass any filter in the context, and the initial balance can't be computed using only the fiscalyear otherwise entries will be summed twice #so we have to invalidate this query raise osv.except_osv(_('Warning!'),_("You have not supplied enough arguments to compute the initial balance, please select a period and a journal in the context.")) + if context.get('journal_ids'): + query_params['journal_ids'] = 
tuple(context['journal_ids']) + query += ' AND '+obj+'.journal_id IN %(journal_ids)s' - if context.get('journal_ids', False): - query += ' AND '+obj+'.journal_id IN (%s)' % ','.join(map(str, context['journal_ids'])) - - if context.get('chart_account_id', False): + if context.get('chart_account_id'): child_ids = account_obj._get_children_and_consol(cr, uid, [context['chart_account_id']], context=context) - query += ' AND '+obj+'.account_id IN (%s)' % ','.join(map(str, child_ids)) + query_params['child_ids'] = tuple(child_ids) + query += ' AND '+obj+'.account_id IN %(child_ids)s' query += company_clause - return query + return cr.mogrify(query, query_params) def _amount_residual(self, cr, uid, ids, field_names, args, context=None): """ diff --git a/addons/account/wizard/account_fiscalyear_close.py b/addons/account/wizard/account_fiscalyear_close.py index 52708b6e87a..a87a5304eb3 100644 --- a/addons/account/wizard/account_fiscalyear_close.py +++ b/addons/account/wizard/account_fiscalyear_close.py @@ -113,7 +113,7 @@ class account_fiscalyear_close(osv.osv_memory): cr.execute("SELECT id FROM account_fiscalyear WHERE date_stop < %s", (str(new_fyear.date_start),)) result = cr.dictfetchall() - fy_ids = ','.join([str(x['id']) for x in result]) + fy_ids = [x['id'] for x in result] query_line = obj_acc_move_line._query_get(cr, uid, obj='account_move_line', context={'fiscalyear': fy_ids}) #create the opening move diff --git a/addons/account/wizard/account_invoice_refund.py b/addons/account/wizard/account_invoice_refund.py index 02b046edfcf..15d8d24646c 100644 --- a/addons/account/wizard/account_invoice_refund.py +++ b/addons/account/wizard/account_invoice_refund.py @@ -23,6 +23,7 @@ import time from openerp.osv import fields, osv from openerp.tools.translate import _ +from openerp.tools.safe_eval import safe_eval as eval class account_invoice_refund(osv.osv_memory): 
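Review bot: The new `fiscalyear` handling wraps only `int`/`long`, so a caller that still passes the old comma-joined string (as the fiscal-year close wizard did before this commit) would have `tuple()` split it into single characters, and the `IN %(fiscalyear_ids)s` list would be built from characters rather than ids. Rejecting strings explicitly, e.g. `if isinstance(fiscalyear_ids, basestring): raise ValueError("fiscalyear must be an id or a list of ids")`, would make such callers fail loudly; callers outside this diff are not visible here. `obj` is still concatenated into the SQL as an identifier, which cannot be bound as a parameter, so a comment such as `# obj must be a hard-coded table alias, never user input` would document the remaining trust assumption. The string returned by `cr.mogrify` is already-quoted SQL, so callers that embed it in a query they then pass to `cr.execute` with their own parameters should be checked for a literal `%` in the rendered values. The function body starts above the hunk.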
diff --git a/addons/account_test/report/account_test_report.py b/addons/account_test/report/account_test_report.py index 0cfbc040d82..8fbe2061774 100644 --- a/addons/account_test/report/account_test_report.py +++ b/addons/account_test/report/account_test_report.py @@ -25,6 +25,7 @@ import time from openerp.report import report_sxw from openerp.tools.translate import _ +from openerp.tools.safe_eval import safe_eval as eval # # Use period and Journal for selection or resources @@ -66,7 +67,7 @@ class report_assert_account(report_sxw.rml_parse): 'result': None, #used to store the result of the test 'column_order': None, #used to choose the display order of columns (in case you are returning a list of dict) } - exec code_exec in localdict + eval(code_exec, localdict, mode="exec", nocopy=True) result = localdict['result'] column_order = localdict.get('column_order', None) diff --git a/addons/anonymization/anonymization.py b/addons/anonymization/anonymization.py index c82afde103f..844764e671f 100644 --- a/addons/anonymization/anonymization.py +++ b/addons/anonymization/anonymization.py @@ -31,6 +31,7 @@ import random import datetime from openerp.osv import fields, osv from openerp.tools.translate import _ +from openerp.tools.safe_eval import safe_eval as eval from itertools import groupby from operator import itemgetter diff --git a/addons/base_action_rule/base_action_rule.py b/addons/base_action_rule/base_action_rule.py index 91433b2bf4c..9ac12e275fc 100644 --- a/addons/base_action_rule/base_action_rule.py +++ b/addons/base_action_rule/base_action_rule.py @@ -27,6 +27,7 @@ import openerp from openerp import SUPERUSER_ID from openerp.osv import fields, osv from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT +from openerp.tools.safe_eval import safe_eval as eval _logger = logging.getLogger(__name__) diff --git a/addons/delivery/delivery.py b/addons/delivery/delivery.py index 7b3791bfcee..d116807af5d 100644 --- a/addons/delivery/delivery.py 
+++ b/addons/delivery/delivery.py @@ -23,6 +23,7 @@ import time from openerp.osv import fields,osv from openerp.tools.translate import _ import openerp.addons.decimal_precision as dp +from openerp.tools.safe_eval import safe_eval as eval class delivery_carrier(osv.osv): _name = "delivery.carrier" diff --git a/addons/l10n_fr/report/base_report.py b/addons/l10n_fr/report/base_report.py index bc2cd308bf8..d17bc273638 100644 --- a/addons/l10n_fr/report/base_report.py +++ b/addons/l10n_fr/report/base_report.py @@ -29,6 +29,7 @@ import time from openerp.report import report_sxw +from openerp.tools.safe_eval import safe_eval as eval class base_report(report_sxw.rml_parse): def __init__(self, cr, uid, name, context=None): diff --git a/addons/mail/mail_alias.py b/addons/mail/mail_alias.py index 8729f7edf5f..73221fd6ffd 100644 --- a/addons/mail/mail_alias.py +++ b/addons/mail/mail_alias.py @@ -27,6 +27,7 @@ from openerp.osv import fields, osv from openerp.tools import ustr from openerp.modules.registry import RegistryManager from openerp import SUPERUSER_ID +from openerp.tools.safe_eval import safe_eval as eval from openerp.tools.translate import _ _logger = logging.getLogger(__name__) diff --git a/addons/process/process.py b/addons/process/process.py index d6a72148fa6..a516aaf9732 100644 --- a/addons/process/process.py +++ b/addons/process/process.py @@ -21,6 +21,7 @@ from openerp import tools from openerp.osv import fields, osv +from openerp.tools.safe_eval import safe_eval as eval class Env(dict): diff --git a/addons/purchase/purchase.py b/addons/purchase/purchase.py index 60c1ac51397..6e775b26595 100644 --- a/addons/purchase/purchase.py +++ b/addons/purchase/purchase.py 
@@ -32,6 +32,7 @@ import openerp.addons.decimal_precision as dp from openerp.osv.orm import browse_record, browse_null from openerp.tools import DEFAULT_SERVER_DATE_FORMAT, DEFAULT_SERVER_DATETIME_FORMAT, DATETIME_FORMATS_MAP from openerp.tools.float_utils import float_compare +from openerp.tools.safe_eval import safe_eval as eval class purchase_order(osv.osv): diff --git a/addons/share/wizard/share_wizard.py b/addons/share/wizard/share_wizard.py index 7e43c3d2d42..493857fb88a 100644 --- a/addons/share/wizard/share_wizard.py +++ b/addons/share/wizard/share_wizard.py @@ -597,8 +597,8 @@ class share_wizard(osv.TransientModel): # other groups, so we duplicate if needed rule = self._check_personal_rule_or_duplicate(cr, group_id, rule, context=context) eval_ctx = rule_obj._eval_context_for_combinations() - org_domain = expression.normalize_domain(eval(rule.domain_force, eval_ctx)) - new_clause = expression.normalize_domain(eval(domain, eval_ctx)) + org_domain = expression.normalize_domain(safe_eval(rule.domain_force, eval_ctx)) + new_clause = expression.normalize_domain(safe_eval(domain, eval_ctx)) combined_domain = expression.AND([new_clause, org_domain]) rule.write({'domain_force': combined_domain, 'name': rule.name + _('(Modified)')}) _logger.debug("Combining sharing rule %s on model %s with domain: %s", rule.id, model_id, domain) diff --git a/addons/web_diagram/controllers/main.py b/addons/web_diagram/controllers/main.py index d9a435f1924..c7b202098c8 100644 --- a/addons/web_diagram/controllers/main.py +++ b/addons/web_diagram/controllers/main.py @@ -1,4 +1,5 @@ import openerp +from openerp.tools.safe_eval import safe_eval as eval class DiagramView(openerp.http.Controller): diff --git a/openerp/report/report_sxw.py b/openerp/report/report_sxw.py index d7329de7f39..fe3a9ee9301 100644 --- a/openerp/report/report_sxw.py +++ b/openerp/report/report_sxw.py 
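Review bot: The share_wizard.py hunk calls `safe_eval` by name, but the diff adds no import to that file, so the name has to be imported already at the top of the module, which is not visible here; worth confirming to avoid a `NameError` on the rule-combination path. Both `rule.domain_force` and `domain` are evaluated, and an exception from `safe_eval` on a malformed `domain` would propagate without saying which rule was being combined, so wrapping the two calls and re-raising with `rule.id` in the message would help operators. The enclosing method starts and ends outside the hunk.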
@@ -38,6 +38,7 @@ from openerp import SUPERUSER_ID from openerp.osv.fields import float as float_field, function as function_field, datetime as datetime_field from openerp.tools.translate import _ from openerp.tools import DEFAULT_SERVER_DATE_FORMAT, DEFAULT_SERVER_DATETIME_FORMAT +from openerp.tools.safe_eval import safe_eval as eval _logger = logging.getLogger(__name__)