fix(search): Reduce restrictions on field contents
This commit is contained in:
parent
8ac155f7b6
commit
5d04fb4eb7
3 changed files with 11 additions and 6 deletions
@ -68,6 +68,7 @@ def get_form_params():
|
|||
|
||||
# queries must always be server side
|
||||
data.query = None
|
||||
data.strict = None
|
||||
|
||||
return data
|
||||
|
||||
|
|
|
|||
|
|
@ -153,7 +153,8 @@ def search_widget(doctype, txt, query=None, searchfield=None, start=0,
|
|||
order_by=order_by,
|
||||
ignore_permissions=ignore_permissions,
|
||||
reference_doctype=reference_doctype,
|
||||
as_list=not as_dict)
|
||||
as_list=not as_dict,
|
||||
strict=False)
|
||||
|
||||
if doctype in UNTRANSLATED_DOCTYPES:
|
||||
values = tuple([v for v in list(values) if re.search(txt+".*", (_(v.name) if as_dict else _(v[0])), re.IGNORECASE)])
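Review bot: `strict=False` on the `get_list` call turns off the SQL comment and UNION pattern rejection for every field expression `search_widget` passes in, while the user-supplied `txt` is clearly live in this function (the context line after the call uses it as a regex pattern); if `txt` is also interpolated into the field expressions built above the hunk, the escaping applied to it becomes the only remaining defense for those expressions. The new argument should carry a comment stating why the relaxation is safe for this caller, e.g. `strict=False,  # fields are built server-side from fixed templates; txt is escaped before interpolation` — adjusted to what the construction code actually does. Separately, the pre-existing `re.search(txt+".*", ...)` treats `txt` as an unescaped regex, which is worth a `re.escape(txt)` in a follow-up. The call's argument list and the enclosing function begin outside the hunk.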
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ class DatabaseQuery(object):
|
|||
ignore_permissions=False, user=None, with_comment_count=False,
|
||||
join='left join', distinct=False, start=None, page_length=None, limit=None,
|
||||
ignore_ifnull=False, save_user_settings=False, save_user_settings_fields=False,
|
||||
update=None, add_total_row=None, user_settings=None, reference_doctype=None, return_query=False):
|
||||
update=None, add_total_row=None, user_settings=None, reference_doctype=None, return_query=False, strict=True):
|
||||
if not ignore_permissions and not frappe.has_permission(self.doctype, "read", user=user):
|
||||
frappe.flags.error_message = _('Insufficient Permission for {0}').format(frappe.bold(self.doctype))
|
||||
raise frappe.PermissionError(self.doctype)
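Review bot: The new `strict=True` parameter on `DatabaseQuery.__init__` (and the matching `self.strict = strict` assignment in the `@ -80` hunk) is undocumented, and the name does not say what it relaxes. A docstring entry or inline comment should record the contract, e.g. `strict: when True (default), field expressions containing SQL comment or UNION patterns are rejected; pass False only from server-side callers that fully control the field list`. The `def __init__` line and the start of the signature lie outside the hunk.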
|
||||
|
|
@ -80,6 +80,7 @@ class DatabaseQuery(object):
|
|||
self.update = update
|
||||
self.user_settings_fields = copy.deepcopy(self.fields)
|
||||
self.return_query = return_query
|
||||
self.strict = strict
|
||||
|
||||
# for contextual user permission check
|
||||
# to determine which user permission is applicable on link field of specific doctype
|
||||
|
|
@ -244,11 +245,12 @@ class DatabaseQuery(object):
|
|||
|
||||
_is_query(field)
|
||||
|
||||
if re.compile(r".*/\*.*").match(field):
|
||||
frappe.throw(_('Illegal SQL Query'))
|
||||
if self.strict:
|
||||
if re.compile(r".*/\*.*").match(field):
|
||||
frappe.throw(_('Illegal SQL Query'))
|
||||
|
||||
if re.compile(r".*\s(union).*\s").match(field.lower()):
|
||||
frappe.throw(_('Illegal SQL Query'))
|
||||
if re.compile(r".*\s(union).*\s").match(field.lower()):
|
||||
frappe.throw(_('Illegal SQL Query'))
|
||||
|
||||
def extract_tables(self):
|
||||
"""extract tables from fields"""
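Review bot: Under the new `if self.strict:` gate, a non-strict query skips both the `/*` and the `union` rejection entirely, and nothing in the hunk says which callers may do that or why; the unconditional `_is_query(field)` call above is then the only guard visible here. A comment before the branch would make the contract explicit, e.g. `# strict=False is reserved for server-side callers whose field expressions come from fixed templates with escaped values; it disables only the comment/UNION pattern rejection below`. It would also help operations to emit a debug-level log line when a field matching one of these patterns is admitted in non-strict mode, so the relaxation is observable rather than silent. The enclosing method begins outside the hunk.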
|
||||
|
|
@ -766,6 +768,7 @@ def get_list(doctype, *args, **kwargs):
|
|||
kwargs.pop('cmd', None)
|
||||
kwargs.pop('ignore_permissions', None)
|
||||
kwargs.pop('data', None)
|
||||
kwargs.pop('strict', None)
|
||||
|
||||
# If doctype is child table
|
||||
if frappe.is_table(doctype):
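Review bot: `kwargs.pop('strict', None)` silently discards any client-supplied value, which is the right outcome but gives a future maintainer no hint why it must stay; a short comment would protect it, e.g. `# 'strict' is server-only: a request must never be able to disable field sanitisation`. The same applies to `data.strict = None` in the `@ -68` hunk, where the existing "queries must always be server side" comment only partly covers it. `get_list`'s body continues outside the hunk.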
|
||||
|