8000 fix(refactor): lockdown frappe.desk.reportview by rmehta · Pull Request #12713 · frappe/frappe · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix(refactor): lockdown frappe.desk.reportview #12713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Mar 31, 2021
Merged

fix(refactor): lockdown frappe.desk.reportview #12713

merged 14 commits into from
Mar 31, 2021

Conversation

rmehta
Copy link
Member
@rmehta rmehta commented Mar 29, 2021
edited
Loading

This method locks down publicly facing frappe.desk.reportview.get and frappe.client.get_list to allow only valid fieldnames as parameters.

@rmehta rmehta requested review from a team and prssanna and removed request for a team March 29, 2021 16:14
leela
leela reviewed Mar 31, 2021
View reviewed changes
frappe/desk/reportview.py
is_report = data.get('view') == 'Report'
return data

def validate_fields(data):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like all validators changing the data inline without returning the data.

I prefer to go with a class here as we are trying to keep the state of the data. May be something like

q = QueryBuilder(data)
q.is_valid_query() - says the query is valid or not
q.data - returns me the constructed data that I can use to query

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

validate_fields is also called independently from frappe.client.get_list

surajshetty3416
surajshetty3416 previously requested changes Mar 31, 2021
View reviewed changes
frappe/desk/reportview.py
data.pop('aggregate_function')

def raise_invalid_field(fieldname):
frappe.throw(_('Field not permitted in query') + ': {0}'.format(fieldname), frappe.DataError)
Copy link
Member
@surajshetty3416 surajshetty3416 Mar 31, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
frappe.throw(_('Field not permitted in query') + ': {0}'.format(fieldname), frappe.DataError)
frappe.throw(_('Field {0} is not permitted in query').format(frapp.bold(fieldname)), frappe.DataError)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For readability!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bold will highlight the field and fix readability right?

@rmehta @surajshetty3416
Update frappe/desk/reportview.py
375cdea 
Co-authored-by: Suraj Shetty <13928957+surajshetty3416@users.noreply.github.com>
@rmehta rmehta requested a review from surajshetty3416 March 31, 2021 04:41
@rmehta rmehta dismissed surajshetty3416’s stale review March 31, 2021 04:41

made that choice for readability

leela
leela reviewed Mar 31, 2021
View reviewed changes
frappe/desk/reportview.py
Comment on lines +148 to +151
if (fieldname.startswith('count(')
or fieldname.startswith('sum(')
or fieldname.startswith('avg(')):
if not fieldname.strip().endswith(')'):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May be a list of agregator_functions?
allowed_aggregators = ['count', 'sum', 'avg']

frappe/desk/reportview.py
Comment on lines +143 to +145
for sep in (' as ', ' AS '):
if sep in fieldname:
fieldname = fieldname.split(sep)[0]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use start_index = field.lower().find(' as ').

With this we can handle separators with mixed case aswell.

@rmehta rmehta merged commit ed6468d into frappe:develop Mar 31, 2021
@rmehta
Copy link
Member Author
rmehta commented Mar 31, 2021

@Mergifyio backport version-13-pre-release

@rmehta rmehta deleted the fix-reportview branch March 31, 2021 05:22
@mergify mergify bot mentioned this pull request Mar 31, 2021
Merged
@mergify
Copy link
Contributor
mergify bot commented Mar 31, 2021

Command backport version-13-pre-release: success

Backports have been created

@rmehta
Copy link
Member Author
rmehta commented Mar 31, 2021

@Mergifyio backport version-12-hotfix

rmehta added a commit that referenced this pull request Mar 31, 2021
@rmehta
Merge pull request #12731 from frappe/mergify/bp/version-13-pre-relea…
6ed664b 
…se/pr-12713

fix(refactor): lockdown frappe.desk.reportview (bp #12713)
@mergify mergify bot mentioned this pull request Mar 31, 2021
Closed
@mergify
Copy link
Contributor
mergify bot commented Mar 31, 2021

Command backport version-12-hotfix: success

Backports have been created

@sagarvora sagarvora mentioned this pull request Mar 31, 2021
Merged
@surajshetty3416 surajshetty3416 mentioned this pull request Mar 31, 2021
Merged
@surajshetty3416 surajshetty3416 mentioned this pull request Apr 20, 2021
Merged
@ankush ankush mentioned this pull request Jul 5, 2022
Closed
@surajshetty3416 surajshetty3416 mentioned this pull request Jul 20, 2022
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 3, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@leela leela leela left review comments

@prssanna prssanna Awaiting requested review from prssanna

@surajshetty3416 surajshetty3416 Awaiting requested review from surajshetty3416

Assignees

@leela leela

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rmehta @leela @surajshetty3416
0