Commit graph

50065 commits

Author SHA1 Message Date
Faris Ansari
63afc0601b fix: restrict child table access if user has only "select" on parent 2025-06-18 16:00:22 +05:30
Faris Ansari
a9fb29fb8e test: test for invalid inputs in fields, filters, group_by, order_by
- comment out invalid tests
2025-06-18 16:00:22 +05:30
Faris Ansari
87664ad604 refactor: Enhance field and function parsing in query engine
- Introduce `SqlFunctionParser` for robust parsing of supported SQL functions (e.g., `COUNT(*)`, `SUM(amount) as total`, `AVG(price - cost)`), replacing get_function_object and has_function.
- Refactor `DynamicTableField.parse` for improved handling of:
    - Aliases (case-insensitive `as`, quoted/unquoted).
    - `tabDocType.fieldname` notation (distinguishing child vs. main doctype refs).
    - Add validation and better error handling during parsing.
- Rewrite filter field validation (`_validate_and_prepare_filter_field`):
    - Disallow backticks (`) in filter field names.
    - Enforce specific patterns for dot notation (link/child fields only, reject `tabDoc.field`).
    - Validate character sets for simple field names.
- Update standard field parsing (`parse_string_field`, `ALLOWED_FIELD_PATTERN`, `FIELD_PARSE_REGEX`):
    - Support quoted table names potentially containing spaces (e.g., `tabTable Name`.`field`).
- Improve `parse_fields` and `_parse_single_field_item` logic:
    - Handle direct pypika `Field`/`AggregateFunction` inputs.
    - Reliably split comma-separated field strings.
2025-06-18 16:00:22 +05:30
Faris Ansari
ddca77429c fix: secure query building
Add strict validation using regex for fields in SELECT, filters, GROUP BY, and ORDER BY clauses to avoid potential SQL injection risks.

Refactor field parsing and validation logic into dedicated functions.
2025-06-18 16:00:22 +05:30
Faris Ansari
8aa4c1030f fix: add support for AND, OR, NOT in RawCriterion 2025-06-18 15:56:11 +05:30
Faris Ansari
39a65a1300 test: enable server script temporarily 2025-06-18 15:56:11 +05:30
Faris Ansari
601df8268f test: simpler assertions 2025-06-18 15:56:11 +05:30
Faris Ansari
a94c143314 fix: add support for permission query conditions 2025-06-18 15:56:11 +05:30
Faris Ansari
b3a05896ea fix: remove doc.reload 2025-06-18 15:56:11 +05:30
Faris Ansari
3ab0e8756f test: mandatory field 2025-06-18 15:56:11 +05:30
Faris Ansari
f3af0c582c test: fix test_api_v2 2025-06-18 15:56:11 +05:30
Faris Ansari
ccca6bffab test: add permissions tests for qb.get_query 2025-06-18 15:56:11 +05:30
Faris Ansari
f707cf5722 fix: raise PermissionError instead of ValidationError 2025-06-18 15:56:11 +05:30
Faris Ansari
f580cb3dad fix: add child query to allowed fields 2025-06-18 15:56:11 +05:30
Faris Ansari
56c3a55665 fix: print traceback instead of errprint 2025-06-18 15:56:11 +05:30
Faris Ansari
471e001ebb feat: apply permissions in get_query 2025-06-18 15:56:11 +05:30
Ankush Menat
7d26eca678 fix: basic perm checks 2025-06-18 15:51:13 +05:30
Faris Ansari
11602c1e6b fix: revert document_list return format 2025-06-18 15:51:13 +05:30
Faris Ansari
09ae9ad086 fix: rename method typing 2025-06-18 15:51:13 +05:30
Faris Ansari
fc86f9737b fix: print error traceback in api/v2 2025-06-18 15:51:13 +05:30
Faris Ansari
79893f0248 fix: return updated doc from execute_doc_method 2025-06-18 15:51:13 +05:30
Faris Ansari
e089b2d723 fix: explicitly return doc as dict
because the JSON serializer of Document doesn't return fields with null values
2025-06-18 15:51:12 +05:30
Faris Ansari
bbf46eb4ef fix: use frappe.qb.get_query
- static controller method get_list to modify query object
2025-06-18 15:50:25 +05:30
Ankush Menat
8fbe452b4d
chore: Drop pdbpp (#32992)
Breaks console sometimes, don't see as much value TBH

```
Traceback (most recent call last):
  File "/Users/mihirkandoi/Developer/frappe-develop/apps/frappe/frappe/utils/bench_helper.py", line 48, in invoke
    return super().invoke(ctx)
           ~~~~~~~~~~~~~~^^^^^
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/click/core.py", line 1697, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/click/core.py", line 1443, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/click/core.py", line 788, in invoke
    return __callback(*args, **kwargs)
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/Users/mihirkandoi/Developer/frappe-develop/apps/frappe/frappe/commands/__init__.py", line 28, in _func
    ret = f(ctx.obj, *args, **kwargs)
  File "/Users/mihirkandoi/Developer/frappe-develop/apps/frappe/frappe/commands/utils.py", line 646, in console
    from IPython.terminal.embed import InteractiveShellEmbed
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/IPython/__init__.py", line 53, in <module>
    from .core.application import Application
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/IPython/core/application.py", line 26, in <module>
    from IPython.core import release, crashhandler
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/IPython/core/crashhandler.py", line 27, in <module>
    from IPython.core import ultratb
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/IPython/core/ultratb.py", line 111, in <module>
    from IPython.core import debugger
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/IPython/core/debugger.py", line 122, in <module>
    from pdb import Pdb as OldPdb
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/_pdbpp_path_hack/pdb.py", line 5, in <module>
    exec(compile(f.read(), pdb_path, 'exec'))
    ~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/mihirkandoi/Developer/frappe-develop/env/lib/python3.13/site-packages/pdb.py", line 28, in <module>
    __version__ = fancycompleter.LazyVersion('pdbpp')
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'fancycompleter' has no attribute 'LazyVersion'

module 'fancycompleter' has no attribute 'LazyVersion'
```
2025-06-18 07:19:35 +00:00
Akhil Narang
865e086bd4
build: bump dependencies (#32975)
* build(deps): bump babel

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump filelock

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump GitPython

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump Jinja2

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump Pillow

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump PyJWT

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump pypdf

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump pydyf

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump werkzeug

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump bs4

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump bleach

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump chardet

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump croniter

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump cryptography

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump pyopenssl

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump cssutils

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump markdown2

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump markupsafe

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump num2words

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump openpyxl

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump phonenumbers

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump psutil

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump pydantic

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump pyotp

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump dateutil

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump ipython

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump pytz

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump hiredis

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump requests-oauthlib

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump requests

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump rsa

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump sql_metadata

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump tenacity

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump traceback-with-variables

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump tomli

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump uuid-utils

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump xlrd

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump zxcvbn

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump markdownify

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump google libraries

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump posthog

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* build(deps): bump vobject

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

* fix(zxcvbn): set max password length as 128

We allow checking up to 128 characters; v4.5.0 has a default max of 72

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

---------

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-06-18 12:33:36 +05:30
Ejaaz Khan
cdb297da17
Merge pull request #32988 from iamejaaz/41272-rate-limit-issue
fix: rate limit issue on sending email login link
2025-06-18 12:17:18 +05:30
Ejaaz Khan
e5b208079d fix: rate limit issue on sending email login link 2025-06-18 12:00:41 +05:30
Ankush Menat
3a7db9cbb7
refactor: Default to mysqlclient (#32987) 2025-06-18 06:04:24 +00:00
Ankush Menat
3bb70a905d
fix: restrict method types in few whitelisted funcs (#32984) 2025-06-18 11:02:57 +05:30
Sagar Vora
f62bae6f5a
refactor: reduce branching in init_request (#32981) 2025-06-18 10:01:20 +05:30
Sagar Vora
e355a175d8
fix: always defer access log insertion (#32976) 2025-06-18 07:03:11 +05:30
Sagar Vora
514a9a6e59
Merge pull request #32977 from sokumon/savedocs-field-issue 2025-06-17 18:29:04 +00:00
Soham Kulkarni
77eda41443
Merge pull request #32351 from sokumon/offsite-backups-removal
refactor: separating backup integrations into an app
2025-06-17 23:30:51 +05:30
sokumon
b79c5476a7 fix: restrict fields according to permlevel after update as well 2025-06-17 20:17:50 +05:30
Ankush Menat
6091040e97
fix: Skip redis cache signal if redis is down (#32967)
https://github.com/frappe/frappe/pull/32888#issuecomment-2975345660
2025-06-17 13:59:31 +00:00
Sagar Vora
b3e1eda4c8
feat: global frappe.in_test flag (#32960)
* feat: global `frappe.in_test` flag

* feat: helper utility to toggle `frappe.in_test`

* fix: use `toggle_test_mode` util

* fix: use `frappe.in_test`

* chore: add comment explaining global `in_test`

* chore: ignore commit replacing flag usage

* test: temporarily disable `frappe.in_test`

this worked earlier because flag was set in werkzeug.local which was separate for API test client

* test: add comment explaining change
2025-06-17 19:19:31 +05:30
Ankush Menat
7e2b4955f8
test: Cancel pending jobs in RQ tests (#32970)
This causes flakes sometimes when other tests don't clean up long-running
pending jobs.
2025-06-17 13:27:36 +00:00
Ankush Menat
764410761f
build: Bump RQ (#32969)
https://github.com/rq/rq/compare/v2.3.2...v2.4
2025-06-17 18:48:29 +05:30
sokumon
63cf3676a0 fix: remove utils file and typo 2025-06-17 18:39:21 +05:30
Sagar Vora
6db6361a3c
Merge pull request #32961 from sagarvora/use-_dev_server 2025-06-17 09:14:52 +00:00
Sagar Vora
b7fb654688 chore: use frappe._dev_server 2025-06-17 14:26:17 +05:30
Sagar Vora
482020552c
Merge pull request #32957 from sagarvora/use-global 2025-06-17 06:47:05 +00:00
Sagar Vora
cb0d06455b chore: use frappe._dev_server instead of local.dev_server 2025-06-17 12:03:08 +05:30
MochaMind
74d780d771
fix: sync translations from crowdin (#32921) 2025-06-16 23:55:35 +02:00
Sagar Vora
e8bfad678b
Merge pull request #32946 from sagarvora/remove-underscore-fn 2025-06-16 11:58:16 +00:00
Sagar Vora
821e2dc689 chore: remove _make_access_log 2025-06-16 17:16:13 +05:30
sokumon
a9b9ddde3a fix: add warning for module separation 2025-06-15 00:00:22 +05:30
sokumon
80aaf1f31e fix: add a better config dict to GoogleOAuth instead of args 2025-06-14 23:59:22 +05:30
sokumon
a639828bd4 fix: add ability to extend the Domain callback methods via google oauth constructor 2025-06-14 23:59:22 +05:30
sokumon
422995cd45 fix: separate backup options into app 2025-06-14 23:59:22 +05:30