[IMP] account: moved the build of the query_get used in the reports, on the reports file... to avoid sql injections

bzr revid: qdp-launchpad@tinyerp.com-20101001081202-n2yc97fvh3rqdl7m

addons/account/report/account_general_ledger.py

@@ -38,9 +38,10 @@ class general_ledger(rml_parse.rml_parse, common_report_header):
 
     def set_context(self, objects, data, ids, report_type=None):
         new_ids = ids
+        obj_move = self.pool.get('account.move.line')
         self.sortby = data['form'].get('sortby', 'sort_date')
-        self.query = data['form'].get('query_line', '')
-        self.init_query = data['form']['initial_bal_query']
+        self.query = obj_move._query_get(cr, uid, obj='l', context=data['form'].get('used_context',{}))
+        self.init_query = obj_move._query_get(cr, uid, obj='l', context=data['form'].get('used_context_initial_bal', {}))
         self.init_balance = data['form']['initial_balance']
         self.display_account = data['form']['display_account']
         self.target_move = data['form'].get('target_move', 'all')

addons/account/wizard/account_report_common.py

@@ -148,8 +148,8 @@ class account_common_report(osv.osv_memory):
         used_context, used_context_initial_bal = self._build_contexts(cr, uid, ids, data, context=context)
         query_line = obj_move._query_get(cr, uid, obj='l', context=used_context)
         data['form']['periods'] = used_context.get('periods', False) and used_context['periods'] or []
-        data['form']['query_line'] = query_line
-        data['form']['initial_bal_query'] = obj_move._query_get(cr, uid, obj='l', context=used_context_initial_bal)
+        data['form']['used_context'] = used_context
+        data['form']['used_context_initial_bal'] = used_context_initial_bal
         return self._print_report(cr, uid, ids, data, query_line, context=context)
 
 account_common_report()