fix: specify allowed doctype in queries (#31761)

Sagar Vora 2022-08-03 05:42:30 +00:00 committed by GitHub
parent 0ef9c03f05
commit 9baa222976


@ -18,8 +18,9 @@ from erpnext.stock.get_item_details import _get_item_tax_template
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def employee_query(doctype, txt, searchfield, start, page_len, filters): def employee_query(doctype, txt, searchfield, start, page_len, filters):
doctype = "Employee"
conditions = [] conditions = []
fields = get_fields("Employee", ["name", "employee_name"]) fields = get_fields(doctype, ["name", "employee_name"])
return frappe.db.sql( return frappe.db.sql(
"""select {fields} from `tabEmployee` """select {fields} from `tabEmployee`
@ -49,7 +50,8 @@ def employee_query(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def lead_query(doctype, txt, searchfield, start, page_len, filters): def lead_query(doctype, txt, searchfield, start, page_len, filters):
fields = get_fields("Lead", ["name", "lead_name", "company_name"]) doctype = "Lead"
fields = get_fields(doctype, ["name", "lead_name", "company_name"])
return frappe.db.sql( return frappe.db.sql(
"""select {fields} from `tabLead` """select {fields} from `tabLead`
@ -77,6 +79,7 @@ def lead_query(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def customer_query(doctype, txt, searchfield, start, page_len, filters): def customer_query(doctype, txt, searchfield, start, page_len, filters):
doctype = "Customer"
conditions = [] conditions = []
cust_master_name = frappe.defaults.get_user_default("cust_master_name") cust_master_name = frappe.defaults.get_user_default("cust_master_name")
@ -85,9 +88,9 @@ def customer_query(doctype, txt, searchfield, start, page_len, filters):
else: else:
fields = ["name", "customer_name", "customer_group", "territory"] fields = ["name", "customer_name", "customer_group", "territory"]
fields = get_fields("Customer", fields) fields = get_fields(doctype, fields)
searchfields = frappe.get_meta("Customer").get_search_fields() searchfields = frappe.get_meta(doctype).get_search_fields()
searchfields = " or ".join(field + " like %(txt)s" for field in searchfields) searchfields = " or ".join(field + " like %(txt)s" for field in searchfields)
return frappe.db.sql( return frappe.db.sql(
@ -116,6 +119,7 @@ def customer_query(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def supplier_query(doctype, txt, searchfield, start, page_len, filters): def supplier_query(doctype, txt, searchfield, start, page_len, filters):
doctype = "Supplier"
supp_master_name = frappe.defaults.get_user_default("supp_master_name") supp_master_name = frappe.defaults.get_user_default("supp_master_name")
if supp_master_name == "Supplier Name": if supp_master_name == "Supplier Name":
@ -123,7 +127,7 @@ def supplier_query(doctype, txt, searchfield, start, page_len, filters):
else: else:
fields = ["name", "supplier_name", "supplier_group"] fields = ["name", "supplier_name", "supplier_group"]
fields = get_fields("Supplier", fields) fields = get_fields(doctype, fields)
return frappe.db.sql( return frappe.db.sql(
"""select {field} from `tabSupplier` """select {field} from `tabSupplier`
@ -147,6 +151,7 @@ def supplier_query(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def tax_account_query(doctype, txt, searchfield, start, page_len, filters): def tax_account_query(doctype, txt, searchfield, start, page_len, filters):
doctype = "Account"
company_currency = erpnext.get_company_currency(filters.get("company")) company_currency = erpnext.get_company_currency(filters.get("company"))
def get_accounts(with_account_type_filter): def get_accounts(with_account_type_filter):
@ -197,13 +202,14 @@ def tax_account_query(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def item_query(doctype, txt, searchfield, start, page_len, filters, as_dict=False): def item_query(doctype, txt, searchfield, start, page_len, filters, as_dict=False):
doctype = "Item"
conditions = [] conditions = []
if isinstance(filters, str): if isinstance(filters, str):
filters = json.loads(filters) filters = json.loads(filters)
# Get searchfields from meta and use in Item Link field query # Get searchfields from meta and use in Item Link field query
meta = frappe.get_meta("Item", cached=True) meta = frappe.get_meta(doctype, cached=True)
searchfields = meta.get_search_fields() searchfields = meta.get_search_fields()
# these are handled separately # these are handled separately
@ -257,7 +263,7 @@ def item_query(doctype, txt, searchfield, start, page_len, filters, as_dict=Fals
filters.pop("supplier", None) filters.pop("supplier", None)
description_cond = "" description_cond = ""
if frappe.db.count("Item", cache=True) < 50000: if frappe.db.count(doctype, cache=True) < 50000:
# scan description only if items are less than 50000 # scan description only if items are less than 50000
description_cond = "or tabItem.description LIKE %(txt)s" description_cond = "or tabItem.description LIKE %(txt)s"
return frappe.db.sql( return frappe.db.sql(
@ -300,8 +306,9 @@ def item_query(doctype, txt, searchfield, start, page_len, filters, as_dict=Fals
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def bom(doctype, txt, searchfield, start, page_len, filters): def bom(doctype, txt, searchfield, start, page_len, filters):
doctype = "BOM"
conditions = [] conditions = []
fields = get_fields("BOM", ["name", "item"]) fields = get_fields(doctype, ["name", "item"])
return frappe.db.sql( return frappe.db.sql(
"""select {fields} """select {fields}
@ -331,6 +338,7 @@ def bom(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def get_project_name(doctype, txt, searchfield, start, page_len, filters): def get_project_name(doctype, txt, searchfield, start, page_len, filters):
doctype = "Project"
cond = "" cond = ""
if filters and filters.get("customer"): if filters and filters.get("customer"):
cond = """(`tabProject`.customer = %s or cond = """(`tabProject`.customer = %s or
@ -338,8 +346,8 @@ def get_project_name(doctype, txt, searchfield, start, page_len, filters):
frappe.db.escape(filters.get("customer")) frappe.db.escape(filters.get("customer"))
) )
fields = get_fields("Project", ["name", "project_name"]) fields = get_fields(doctype, ["name", "project_name"])
searchfields = frappe.get_meta("Project").get_search_fields() searchfields = frappe.get_meta(doctype).get_search_fields()
searchfields = " or ".join(["`tabProject`." + field + " like %(txt)s" for field in searchfields]) searchfields = " or ".join(["`tabProject`." + field + " like %(txt)s" for field in searchfields])
return frappe.db.sql( return frappe.db.sql(
@ -366,7 +374,8 @@ def get_project_name(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def get_delivery_notes_to_be_billed(doctype, txt, searchfield, start, page_len, filters, as_dict): def get_delivery_notes_to_be_billed(doctype, txt, searchfield, start, page_len, filters, as_dict):
fields = get_fields("Delivery Note", ["name", "customer", "posting_date"]) doctype = "Delivery Note"
fields = get_fields(doctype, ["name", "customer", "posting_date"])
return frappe.db.sql( return frappe.db.sql(
""" """
@ -402,6 +411,7 @@ def get_delivery_notes_to_be_billed(doctype, txt, searchfield, start, page_len,
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def get_batch_no(doctype, txt, searchfield, start, page_len, filters): def get_batch_no(doctype, txt, searchfield, start, page_len, filters):
doctype = "Batch"
cond = "" cond = ""
if filters.get("posting_date"): if filters.get("posting_date"):
cond = "and (batch.expiry_date is null or batch.expiry_date >= %(posting_date)s)" cond = "and (batch.expiry_date is null or batch.expiry_date >= %(posting_date)s)"
@ -420,7 +430,7 @@ def get_batch_no(doctype, txt, searchfield, start, page_len, filters):
if filters.get("is_return"): if filters.get("is_return"):
having_clause = "" having_clause = ""
meta = frappe.get_meta("Batch", cached=True) meta = frappe.get_meta(doctype, cached=True)
searchfields = meta.get_search_fields() searchfields = meta.get_search_fields()
search_columns = "" search_columns = ""
@ -496,6 +506,7 @@ def get_batch_no(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def get_account_list(doctype, txt, searchfield, start, page_len, filters): def get_account_list(doctype, txt, searchfield, start, page_len, filters):
doctype = "Account"
filter_list = [] filter_list = []
if isinstance(filters, dict): if isinstance(filters, dict):
@ -514,7 +525,7 @@ def get_account_list(doctype, txt, searchfield, start, page_len, filters):
filter_list.append([doctype, searchfield, "like", "%%%s%%" % txt]) filter_list.append([doctype, searchfield, "like", "%%%s%%" % txt])
return frappe.desk.reportview.execute( return frappe.desk.reportview.execute(
"Account", doctype,
filters=filter_list, filters=filter_list,
fields=["name", "parent_account"], fields=["name", "parent_account"],
limit_start=start, limit_start=start,
@ -553,6 +564,7 @@ def get_income_account(doctype, txt, searchfield, start, page_len, filters):
if not filters: if not filters:
filters = {} filters = {}
doctype = "Account"
condition = "" condition = ""
if filters.get("company"): if filters.get("company"):
condition += "and tabAccount.company = %(company)s" condition += "and tabAccount.company = %(company)s"
@ -628,6 +640,7 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
if not filters: if not filters:
filters = {} filters = {}
doctype = "Account"
condition = "" condition = ""
if filters.get("company"): if filters.get("company"):
condition += "and tabAccount.company = %(company)s" condition += "and tabAccount.company = %(company)s"
@ -650,6 +663,7 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def warehouse_query(doctype, txt, searchfield, start, page_len, filters): def warehouse_query(doctype, txt, searchfield, start, page_len, filters):
# Should be used when item code is passed in filters. # Should be used when item code is passed in filters.
doctype = "Warehouse"
conditions, bin_conditions = [], [] conditions, bin_conditions = [], []
filter_dict = get_doctype_wise_filters(filters) filter_dict = get_doctype_wise_filters(filters)