Merge pull request #11328 from rmehta/safe-exec-sql
feat(server script): Allow frappe.db.sql for read
This commit is contained in:
Rushabh Mehta
GitHub
commit
f2fe49b5e1
2 changed files with 17 additions and 2 deletions
|
|
@ -1,5 +1,5 @@
|
|||
from __future__ import unicode_literals
|
||||
import unittest
|
||||
import unittest, frappe
|
||||
from frappe.utils.safe_exec import safe_exec
|
||||
|
||||
class TestSafeExec(unittest.TestCase):
|
||||
|
|
@ -7,4 +7,11 @@ class TestSafeExec(unittest.TestCase):
|
|||
self.assertRaises(ImportError, safe_exec, 'import os')
|
||||
|
||||
def test_internal_attributes(self):
|
||||
self.assertRaises(SyntaxError, safe_exec, '().__class__.__call__')
|
||||
self.assertRaises(SyntaxError, safe_exec, '().__class__.__call__')
|
||||
|
||||
def test_sql(self):
|
||||
_locals = dict(out=None)
|
||||
safe_exec('''out = frappe.db.sql("select name from tabDocType where name='DocType'")''', None, _locals)
|
||||
self.assertEqual(_locals['out'][0][0], 'DocType')
|
||||
|
||||
self.assertRaises(frappe.PermissionError, safe_exec, 'frappe.db.sql("update tabToDo set description=NULL")')
|
||||
|
|
@ -116,6 +116,7 @@ def get_safe_globals():
|
|||
get_single_value = frappe.db.get_single_value,
|
||||
get_default = frappe.db.get_default,
|
||||
escape = frappe.db.escape,
|
||||
sql = read_sql
|
||||
)
|
||||
|
||||
if frappe.response:
|
||||
|
|
@ -134,6 +135,13 @@ def get_safe_globals():
|
|||
|
||||
return out
|
||||
|
||||
def read_sql(query, *args, **kwargs):
|
||||
'''a wrapper for frappe.db.sql to allow reads'''
|
||||
if query.strip().split(None, 1)[0].lower() == 'select':
|
||||
return frappe.db.sql(query, *args, **kwargs)
|
||||
else:
|
||||
raise frappe.PermissionError('Only SELECT SQL allowed in scripting')
|
||||
|
||||
def _getitem(obj, key):
|
||||
# guard function for RestrictedPython
|
||||
# allow any key to be accessed as long as it does not start with underscore
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue