From 53980b7c524a054dc497e314e8bcfff0e76ee3db Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 20 May 2015 13:42:14 +0200 Subject: [PATCH 1/2] [FIX] account, mail, etc.: uniformize evaluated expressions opw-626694 --- addons/account/account.py | 7 ++++--- addons/account/wizard/account_invoice_refund.py | 1 + addons/account_test/report/account_test_report.py | 4 +++- addons/anonymization/anonymization.py | 1 + addons/base_action_rule/base_action_rule.py | 1 + addons/delivery/delivery.py | 1 + addons/l10n_fr/report/base_report.py | 1 + addons/mail/mail_alias.py | 1 + addons/process/process.py | 1 + addons/purchase/purchase.py | 1 + addons/share/wizard/share_wizard.py | 4 ++-- addons/web_diagram/controllers/main.py | 1 + openerp/report/report_sxw.py | 1 + 13 files changed, 19 insertions(+), 6 deletions(-) diff --git a/addons/account/account.py b/addons/account/account.py index a9a5b30e4b1..e06e59d008d 100644 --- a/addons/account/account.py +++ b/addons/account/account.py @@ -31,6 +31,7 @@ from openerp import pooler, tools from openerp.osv import fields, osv, expression from openerp.tools.translate import _ from openerp.tools.float_utils import float_round as round +from openerp.tools.safe_eval import safe_eval as eval import openerp.addons.decimal_precision as dp @@ -2033,7 +2034,7 @@ class account_tax(osv.osv): for tax in taxes: if tax.applicable_type=='code': localdict = {'price_unit':price_unit, 'product':product, 'partner':partner} - exec tax.python_applicable in localdict + eval(tax.python_applicable, localdict, mode="exec", nocopy=True) if localdict.get('result', False): res.append(tax) else: @@ -2074,7 +2075,7 @@ class account_tax(osv.osv): # data['amount'] = quantity elif tax.type=='code': localdict = {'price_unit':cur_price_unit, 'product':product, 'partner':partner} - exec tax.python_compute in localdict + eval(tax.python_compute, localdict, mode="exec", nocopy=True) amount = localdict['result'] data['amount'] = amount elif tax.type=='balance': 
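Review bot: Binding `safe_eval` to the name `eval` in this import shadows the builtin for the whole of account.py, so the sandboxed calls added further down read exactly like unsandboxed ones, and a grep or lint rule for builtin `eval` can no longer tell them apart. I would write `from openerp.tools.safe_eval import safe_eval` and call `safe_eval(...)` by name, which is what the share_wizard.py hunk in this same patch already does. The same aliased import is added to account_invoice_refund.py, account_test_report.py, anonymization.py, base_action_rule.py, delivery.py, l10n_fr/report/base_report.py, mail_alias.py, process.py, purchase.py, web_diagram/controllers/main.py and report_sxw.py. In those files it silently re-points existing `eval(...)` call sites that lie outside the hunks, and each of them is worth checking against the sandbox's restrictions.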
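Review bot: The namespace passed to `eval(tax.python_applicable, localdict, mode="exec", nocopy=True)` still holds the live `product` and `partner` records, so the stored tax code can reach whatever those objects expose; safe_eval restricts builtins and opcodes, not the objects handed to it. A comment above the call should say so, for example `# python_applicable is stored code: safe_eval limits builtins/opcodes, but product and partner are live records`, and should state which roles may edit the field. The same holds for `python_compute` in the next hunk, `python_compute_inv` in the @@ -2210 hunk and `code_exec` in account_test_report.py, whose `localdict` is built partly outside its hunk. The enclosing method starts and ends outside this hunk.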
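Review bot: `amount = localdict['result']` right after the new `eval(tax.python_compute, ...)` call raises a bare KeyError when the stored code never assigns `result`, whereas the `python_applicable` hunk above reads it with `localdict.get('result', False)`. I would test `if 'result' not in localdict:` and raise an `osv.except_osv` that names the tax, so a misconfigured tax surfaces as a readable error instead of a traceback. The `python_compute_inv` hunk (@@ -2210) has the same unguarded read; account_test_report.py does not, because its `localdict` is pre-seeded with `'result': None`.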
@@ -2210,7 +2211,7 @@ class account_tax(osv.osv): elif tax.type=='code': localdict = {'price_unit':cur_price_unit, 'product':product, 'partner':partner} - exec tax.python_compute_inv in localdict + eval(tax.python_compute_inv, localdict, mode="exec", nocopy=True) amount = localdict['result'] elif tax.type=='balance': amount = cur_price_unit - reduce(lambda x,y: y.get('amount',0.0)+x, res, 0.0) diff --git a/addons/account/wizard/account_invoice_refund.py b/addons/account/wizard/account_invoice_refund.py index d046d3d3572..10aecef84a9 100644 --- a/addons/account/wizard/account_invoice_refund.py +++ b/addons/account/wizard/account_invoice_refund.py @@ -24,6 +24,7 @@ import time from openerp.osv import fields, osv from openerp.tools.translate import _ from openerp import netsvc +from openerp.tools.safe_eval import safe_eval as eval class account_invoice_refund(osv.osv_memory): diff --git a/addons/account_test/report/account_test_report.py b/addons/account_test/report/account_test_report.py index abf0385be86..8cf5c5f0191 100644 --- a/addons/account_test/report/account_test_report.py +++ b/addons/account_test/report/account_test_report.py @@ -24,6 +24,8 @@ import datetime import time from report import report_sxw from openerp.tools.translate import _ +from openerp.tools.safe_eval import safe_eval as eval + # # Use period and Journal for selection or resources # @@ -64,7 +66,7 @@ class report_assert_account(report_sxw.rml_parse): 'result': None, #used to store the result of the test 'column_order': None, #used to choose the display order of columns (in case you are returning a list of dict) } - exec code_exec in localdict + eval(code_exec, localdict, mode="exec", nocopy=True) result = localdict['result'] column_order = localdict.get('column_order', None) diff --git a/addons/anonymization/anonymization.py b/addons/anonymization/anonymization.py index 3e86dbbd2e1..2b0b4c3b1f2 100644 --- a/addons/anonymization/anonymization.py +++ b/addons/anonymization/anonymization.py 
@@ -31,6 +31,7 @@ import random import datetime from openerp.osv import fields, osv from openerp.tools.translate import _ +from openerp.tools.safe_eval import safe_eval as eval from itertools import groupby from operator import itemgetter diff --git a/addons/base_action_rule/base_action_rule.py b/addons/base_action_rule/base_action_rule.py index 398bf00286a..f47f94894bd 100644 --- a/addons/base_action_rule/base_action_rule.py +++ b/addons/base_action_rule/base_action_rule.py @@ -27,6 +27,7 @@ import openerp from openerp import SUPERUSER_ID from openerp.osv import fields, osv from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT +from openerp.tools.safe_eval import safe_eval as eval _logger = logging.getLogger(__name__) diff --git a/addons/delivery/delivery.py b/addons/delivery/delivery.py index 62d513c8bff..c240ab19f6e 100644 --- a/addons/delivery/delivery.py +++ b/addons/delivery/delivery.py @@ -23,6 +23,7 @@ import time from openerp.osv import fields,osv from openerp.tools.translate import _ import openerp.addons.decimal_precision as dp +from openerp.tools.safe_eval import safe_eval as eval class delivery_carrier(osv.osv): _name = "delivery.carrier" diff --git a/addons/l10n_fr/report/base_report.py b/addons/l10n_fr/report/base_report.py index bc2cd308bf8..d17bc273638 100644 --- a/addons/l10n_fr/report/base_report.py +++ b/addons/l10n_fr/report/base_report.py @@ -29,6 +29,7 @@ import time from openerp.report import report_sxw +from openerp.tools.safe_eval import safe_eval as eval class base_report(report_sxw.rml_parse): def __init__(self, cr, uid, name, context=None): diff --git a/addons/mail/mail_alias.py b/addons/mail/mail_alias.py index bd935498bc8..6366430a234 100644 --- a/addons/mail/mail_alias.py +++ b/addons/mail/mail_alias.py 
@@ -27,6 +27,7 @@ from openerp.osv import fields, osv from openerp.tools import ustr from openerp.modules.registry import RegistryManager from openerp import SUPERUSER_ID +from openerp.tools.safe_eval import safe_eval as eval _logger = logging.getLogger(__name__) diff --git a/addons/process/process.py b/addons/process/process.py index 30b37a8b0e2..e9d11156f30 100644 --- a/addons/process/process.py +++ b/addons/process/process.py @@ -22,6 +22,7 @@ from openerp import pooler from openerp import tools from openerp.osv import fields, osv +from openerp.tools.safe_eval import safe_eval as eval class Env(dict): diff --git a/addons/purchase/purchase.py b/addons/purchase/purchase.py index a56813774eb..3e80966e410 100644 --- a/addons/purchase/purchase.py +++ b/addons/purchase/purchase.py @@ -33,6 +33,7 @@ import openerp.addons.decimal_precision as dp from openerp.osv.orm import browse_record, browse_null from openerp.tools import DEFAULT_SERVER_DATE_FORMAT, DEFAULT_SERVER_DATETIME_FORMAT, DATETIME_FORMATS_MAP from openerp.tools.float_utils import float_compare +from openerp.tools.safe_eval import safe_eval as eval class purchase_order(osv.osv): diff --git a/addons/share/wizard/share_wizard.py b/addons/share/wizard/share_wizard.py index c01ad220be1..41ccf0bead5 100644 --- a/addons/share/wizard/share_wizard.py +++ b/addons/share/wizard/share_wizard.py 
@@ -615,8 +615,8 @@ class share_wizard(osv.TransientModel): # other groups, so we duplicate if needed rule = self._check_personal_rule_or_duplicate(cr, group_id, rule, context=context) eval_ctx = rule_obj._eval_context_for_combinations() - org_domain = expression.normalize_domain(eval(rule.domain_force, eval_ctx)) - new_clause = expression.normalize_domain(eval(domain, eval_ctx)) + org_domain = expression.normalize_domain(safe_eval(rule.domain_force, eval_ctx)) + new_clause = expression.normalize_domain(safe_eval(domain, eval_ctx)) combined_domain = expression.AND([new_clause, org_domain]) rule.write({'domain_force': combined_domain, 'name': rule.name + _('(Modified)')}) _logger.debug("Combining sharing rule %s on model %s with domain: %s", rule.id, model_id, domain) diff --git a/addons/web_diagram/controllers/main.py b/addons/web_diagram/controllers/main.py index 3f3c1065504..0415d3d2452 100644 --- a/addons/web_diagram/controllers/main.py +++ b/addons/web_diagram/controllers/main.py @@ -1,4 +1,5 @@ import openerp +from openerp.tools.safe_eval import safe_eval as eval class DiagramView(openerp.addons.web.http.Controller): _cp_path = "/web_diagram/diagram" diff --git a/openerp/report/report_sxw.py b/openerp/report/report_sxw.py index c0260656133..9bfa330cab9 100644 --- a/openerp/report/report_sxw.py +++ b/openerp/report/report_sxw.py @@ -36,6 +36,7 @@ import common from openerp.osv.fields import float as float_field, function as function_field, datetime as datetime_field from openerp.tools.translate import _ from openerp.tools import DEFAULT_SERVER_DATE_FORMAT, DEFAULT_SERVER_DATETIME_FORMAT +from openerp.tools.safe_eval import safe_eval as eval _logger = logging.getLogger(__name__) From 99c87b627318574e241ba1abd1a46edc97c055ac Mon Sep 17 00:00:00 2001 
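Review bot: The two rewritten lines call `safe_eval(...)` by name, but this hunk adds no import and the diffstat lists only these two changed lines for share_wizard.py, so the name has to be imported already at the top of the file. That import is outside the hunk and worth confirming, since otherwise the rule-combination path fails with a NameError. The origin of `domain` is also outside the hunk; a one-line comment stating whether it can carry user-supplied text would make the `safe_eval(domain, eval_ctx)` call reviewable on its own.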
From: Olivier Dony
Date: Thu, 21 May 2015 16:08:17 +0200
Subject: [PATCH 2/2] [FIX] account: prevent crashes when mixing types in context parameters
---
addons/account/account_move_line.py | 59 +++++++++++--------
.../wizard/account_fiscalyear_close.py | 2 +-
2 files changed, 35 insertions(+), 26 deletions(-)
diff --git a/addons/account/account_move_line.py b/addons/account/account_move_line.py
index 0262f83fbfe..230626d0b9a 100644
--- a/addons/account/account_move_line.py
+++ b/addons/account/account_move_line.py
@@ -45,68 +45,77 @@ class account_move_line(osv.osv): context = {} initial_bal = context.get('initial_bal', False) company_clause = " " - if context.get('company_id', False): - company_clause = " AND " +obj+".company_id = %s" % context.get('company_id', False) - if not context.get('fiscalyear', False): - if context.get('all_fiscalyear', False): + query = '' + query_params = {} + if context.get('company_id'): + company_clause = " AND " +obj+".company_id = %(company_id)s" + query_params['company_id'] = context['company_id'] + if not context.get('fiscalyear'): + if context.get('all_fiscalyear'): #this option is needed by the aged balance report because otherwise, if we search only the draft ones, an open invoice of a closed fiscalyear won't be displayed fiscalyear_ids = fiscalyear_obj.search(cr, uid, []) else: fiscalyear_ids = fiscalyear_obj.search(cr, uid, [('state', '=', 'draft')]) else: #for initial balance as well as for normal query, we check only the selected FY because the best practice is to generate the FY opening entries - fiscalyear_ids = [context['fiscalyear']] + fiscalyear_ids = context['fiscalyear'] + if isinstance(context['fiscalyear'], (int, long)): + fiscalyear_ids = [fiscalyear_ids] - fiscalyear_clause = (','.join([str(x) for x in fiscalyear_ids])) or '0' + query_params['fiscalyear_ids'] = tuple(fiscalyear_ids) or (0,) state = context.get('state', False) where_move_state = '' where_move_lines_by_date = '' - if context.get('date_from', False) and context.get('date_to', False): + if context.get('date_from') and context.get('date_to'): + query_params['date_from'] = context['date_from'] + query_params['date_to'] = context['date_to'] if initial_bal: - where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id FROM account_move WHERE date < '" +context['date_from']+"')" + where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id FROM account_move WHERE date < %(date_from)s)" else: - where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id 
FROM account_move WHERE date >= '" +context['date_from']+"' AND date <= '"+context['date_to']+"')" + where_move_lines_by_date = " AND " +obj+".move_id IN (SELECT id FROM account_move WHERE date >= %(date_from)s AND date <= %(date_to)s)" if state: if state.lower() not in ['all']: - where_move_state= " AND "+obj+".move_id IN (SELECT id FROM account_move WHERE account_move.state = '"+state+"')" - if context.get('period_from', False) and context.get('period_to', False) and not context.get('periods', False): + query_params['state'] = state + where_move_state= " AND "+obj+".move_id IN (SELECT id FROM account_move WHERE account_move.state = %(state)s)" + if context.get('period_from') and context.get('period_to') and not context.get('periods'): if initial_bal: period_company_id = fiscalperiod_obj.browse(cr, uid, context['period_from'], context=context).company_id.id first_period = fiscalperiod_obj.search(cr, uid, [('company_id', '=', period_company_id)], order='date_start', limit=1)[0] context['periods'] = fiscalperiod_obj.build_ctx_periods(cr, uid, first_period, context['period_from']) else: context['periods'] = fiscalperiod_obj.build_ctx_periods(cr, uid, context['period_from'], context['period_to']) - if context.get('periods', False): + if context.get('periods'): + query_params['period_ids'] = tuple(context['periods']) if initial_bal: - query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s)) %s %s" % (fiscalyear_clause, where_move_state, where_move_lines_by_date) + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s)" + where_move_state + where_move_lines_by_date period_ids = fiscalperiod_obj.search(cr, uid, [('id', 'in', context['periods'])], order='date_start', limit=1) if period_ids and period_ids[0]: first_period = fiscalperiod_obj.browse(cr, uid, period_ids[0], context=context) - ids = ','.join([str(x) for x in context['periods']]) 
- query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s) AND date_start <= '%s' AND id NOT IN (%s)) %s %s" % (fiscalyear_clause, first_period.date_start, ids, where_move_state, where_move_lines_by_date) + query_params['date_start'] = first_period.date_start + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s AND date_start <= %(date_start)s AND id NOT IN %(period_ids)s)" + where_move_state + where_move_lines_by_date else: - ids = ','.join([str(x) for x in context['periods']]) - query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s) AND id IN (%s)) %s %s" % (fiscalyear_clause, ids, where_move_state, where_move_lines_by_date) + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s AND id IN %(period_ids)s)" + where_move_state + where_move_lines_by_date else: - query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN (%s)) %s %s" % (fiscalyear_clause, where_move_state, where_move_lines_by_date) + query = obj+".state <> 'draft' AND "+obj+".period_id IN (SELECT id FROM account_period WHERE fiscalyear_id IN %(fiscalyear_ids)s)" + where_move_state + where_move_lines_by_date - if initial_bal and not context.get('periods', False) and not where_move_lines_by_date: + if initial_bal and not context.get('periods') and not where_move_lines_by_date: #we didn't pass any filter in the context, and the initial balance can't be computed using only the fiscalyear otherwise entries will be summed twice #so we have to invalidate this query raise osv.except_osv(_('Warning!'),_("You have not supplied enough arguments to compute the initial balance, please select a period and a journal in the context.")) + if context.get('journal_ids'): + query_params['journal_ids'] = 
tuple(context['journal_ids']) + query += ' AND '+obj+'.journal_id IN %(journal_ids)s' - if context.get('journal_ids', False): - query += ' AND '+obj+'.journal_id IN (%s)' % ','.join(map(str, context['journal_ids'])) - - if context.get('chart_account_id', False): + if context.get('chart_account_id'): child_ids = account_obj._get_children_and_consol(cr, uid, [context['chart_account_id']], context=context) - query += ' AND '+obj+'.account_id IN (%s)' % ','.join(map(str, child_ids)) + query_params['child_ids'] = tuple(child_ids) + query += ' AND '+obj+'.account_id IN %(child_ids)s' query += company_clause - return query + return cr.mogrify(query, query_params) def _amount_residual(self, cr, uid, ids, field_names, args, context=None): """ diff --git a/addons/account/wizard/account_fiscalyear_close.py b/addons/account/wizard/account_fiscalyear_close.py index 5b6881f6ae1..59f3fe93c1a 100644 --- a/addons/account/wizard/account_fiscalyear_close.py +++ b/addons/account/wizard/account_fiscalyear_close.py @@ -113,7 +113,7 @@ class account_fiscalyear_close(osv.osv_memory): cr.execute("SELECT id FROM account_fiscalyear WHERE date_stop < %s", (str(new_fyear.date_start),)) result = cr.dictfetchall() - fy_ids = ','.join([str(x['id']) for x in result]) + fy_ids = [x['id'] for x in result] query_line = obj_acc_move_line._query_get(cr, uid, obj='account_move_line', context={'fiscalyear': fy_ids}) #create the opening move
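Review bot: `return cr.mogrify(query, query_params)` hands callers SQL with the values already interpolated, so a `%` inside `state`, `date_from` or `date_to` comes back as literal text and would be read as a placeholder if a caller concatenates the fragment into a statement it then runs through `cr.execute(sql, params)`; the callers are outside this hunk, so that needs checking. Since the function still has to return a string, I would constrain the free-text inputs before binding them (for instance reject a `state` that is not a known move state) and add `# returns fully interpolated SQL: never pass the result through a second %-substitution` above the return. Separately, only `int`/`long` values are wrapped before `tuple(fiscalyear_ids)`, so a caller still passing the old comma-joined string (the form account_fiscalyear_close.py used before this patch) would be split per character, and `obj` is still concatenated into the query as an identifier. The function starts outside the hunk.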
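Review bot: If the SELECT returns no rows, `fy_ids` is now `[]`, which `_query_get` treats as "no fiscalyear given" (`if not context.get('fiscalyear')`) and replaces with every draft fiscal year, so the query for the opening move widens instead of matching nothing. The old empty string was falsy too, so this predates the patch, but the rewritten line is the natural place to guard it, e.g. `if not fy_ids:` followed by an `osv.except_osv` or an early return before `_query_get` is called; whether the wizard can actually reach this state is not visible here. The enclosing method starts and ends outside the hunk.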