Commit graph

167 commits

Author SHA1 Message Date
Faris Ansari
63afc0601b fix: restrict child table access if user has only "select" on parent 2025-06-18 16:00:22 +05:30
Faris Ansari
87664ad604 refactor: Enhance field and function parsing in query engine
- Introduce `SqlFunctionParser` for robust parsing of supported SQL functions (e.g., `COUNT(*)`, `SUM(amount) as total`, `AVG(price - cost)`), replacing get_function_object and has_function.
- Refactor `DynamicTableField.parse` for improved handling of:
    - Aliases (case-insensitive `as`, quoted/unquoted).
    - `tabDocType.fieldname` notation (distinguishing child vs. main doctype refs).
    - Add validation and better error handling during parsing.
- Rewrite filter field validation (`_validate_and_prepare_filter_field`):
    - Disallow backticks (`) in filter field names.
    - Enforce specific patterns for dot notation (link/child fields only, reject `tabDoc.field`).
    - Validate character sets for simple field names.
- Update standard field parsing (`parse_string_field`, `ALLOWED_FIELD_PATTERN`, `FIELD_PARSE_REGEX`):
    - Support quoted table names potentially containing spaces (e.g., `tabTable Name`.`field`).
- Improve `parse_fields` and `_parse_single_field_item` logic:
    - Handle direct pypika `Field`/`AggregateFunction` inputs.
    - Reliably split comma-separated field strings.
2025-06-18 16:00:22 +05:30
Faris Ansari
ddca77429c fix: secure query building
Add strict validation using regex for fields in SELECT, filters, GROUP BY, and ORDER BY clauses to avoid potential SQL injection risks.

Refactor field parsing and validation logic into dedicated functions.
2025-06-18 16:00:22 +05:30
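The two commits above describe allow-list validation of query-builder input: regex-checked SELECT items with case-insensitive aliases and quoted `tabTable Name`.`field` references, and filter field names that may not contain backticks and may only use link/child dot notation (never `tabDoc.field`). The following is an added illustration of those rules, not Frappe's own code; the function names `parse_select_field`, `render_select_field`, `validate_filter_field` and `rejects`, the fixed list of supported functions, and the heuristic that a `tabDocType` prefix is recognised by a capital letter after `tab` are all assumptions made for the example. Only single-field function arguments are handled; expressions such as `AVG(price - cost)` are left out.

```python
"""Allow-list validation of SELECT items and filter fields for a query builder.

Constructed example: SQL text is only ever emitted from the parsed structure,
never from the caller's raw string, so anything the regexes do not recognise
(statement terminators, comment markers, subqueries, stray backticks) is
rejected before it can reach the database.
"""
import re
from typing import Optional

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# Quoted table names may contain spaces, e.g. `tabSales Invoice`.`grand_total`
QUOTED_TABLE = r"`tab[A-Za-z0-9 _-]+`"
FIELD_REF = rf"(?:{QUOTED_TABLE}\.`{IDENT}`|{IDENT})"
FUNCS = "count|sum|avg|min|max"  # assumed list of supported aggregate functions

# One SELECT item: a field, or FUNC(field|*), optionally followed by
# a case-insensitive "as alias" (alias quoted or unquoted).
SELECT_ITEM_RE = re.compile(
    rf"(?:(?P<func>{FUNCS})\((?P<arg>\*|{FIELD_REF})\)|(?P<field>{FIELD_REF}))"
    rf"(?:\s+as\s+(?P<alias>{IDENT}|`{IDENT}`))?",
    re.IGNORECASE,
)
# Filter field: "fieldname" or "link_or_child_field.fieldname", nothing else.
FILTER_FIELD_RE = re.compile(rf"{IDENT}(?:\.{IDENT})?")


def parse_select_field(item: str) -> dict:
    """Return {"func", "arg", "field", "alias"} for a valid item, else raise."""
    m = SELECT_ITEM_RE.fullmatch(item.strip())
    if m is None:
        raise ValueError(f"rejected select field: {item!r}")
    parsed = m.groupdict()
    if parsed["func"]:
        parsed["func"] = parsed["func"].lower()
    if parsed["alias"]:
        parsed["alias"] = parsed["alias"].strip("`")
    return parsed


def _quote(ref: str) -> str:
    # Already-quoted `tabTable`.`field` references and "*" pass through.
    return ref if ref == "*" or ref.startswith("`") else f"`{ref}`"


def render_select_field(parsed: dict) -> str:
    """Build the SQL fragment from validated tokens only."""
    if parsed["func"]:
        expr = f"{parsed['func'].upper()}({_quote(parsed['arg'])})"
    else:
        expr = _quote(parsed["field"])
    return f"{expr} AS `{parsed['alias']}`" if parsed["alias"] else expr


def validate_filter_field(name: str) -> tuple[Optional[str], str]:
    """Return (link_or_child_field, fieldname); reject everything else."""
    if "`" in name:
        raise ValueError(f"backticks are not allowed in filter fields: {name!r}")
    if not FILTER_FIELD_RE.fullmatch(name):
        raise ValueError(f"invalid filter field: {name!r}")
    prefix, _, field = name.rpartition(".")
    # Assumption: a table reference is recognised by a capitalised DocType
    # name after the "tab" prefix, which a normal fieldname never has.
    if re.fullmatch(r"tab[A-Z].*", prefix):
        raise ValueError(f"table.field notation is not allowed in filters: {name!r}")
    return (prefix or None, field)


def rejects(fn, value: str) -> bool:
    """True if fn raises ValueError for value (used to show rejected input)."""
    try:
        fn(value)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed inputs: legitimate items followed by injection attempts.
    for item in ("name", "count(*) AS total", "SUM(amount) as total",
                 "`tabSales Invoice`.`grand_total`",
                 "name; DROP TABLE `tabUser`", "name` FROM `tabUser` -- ",
                 "(SELECT password FROM `__Auth`)"):
        try:
            print("select ok :", render_select_field(parse_select_field(item)))
        except ValueError as e:
            print("select bad:", e)
    for key in ("name", "customer.territory", "items.item_code",
                "tabUser.password", "`name`", "name = 'x' OR 1=1"):
        try:
            print("filter ok :", validate_filter_field(key))
        except ValueError as e:
            print("filter bad:", e)
```

Because the SQL is rendered from `parsed`, an attacker who controls a field string can at most name an existing column or alias; nothing outside the grammar survives `fullmatch`, and filter values are expected to travel separately as bound parameters.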
Faris Ansari
8aa4c1030f fix: add support for AND, OR, NOT in RawCriterion 2025-06-18 15:56:11 +05:30
Faris Ansari
a94c143314 fix: add support for permission query conditions 2025-06-18 15:56:11 +05:30
Faris Ansari
f707cf5722 fix: raise PermissionError instead of ValidationError 2025-06-18 15:56:11 +05:30
Faris Ansari
f580cb3dad fix: add child query to allowed fields 2025-06-18 15:56:11 +05:30
Faris Ansari
471e001ebb feat: apply permissions in get_query 2025-06-18 15:56:11 +05:30
Sagar Vora
d35c1d958f perf(query engine): create one less copy (#32889) 2025-06-11 12:51:55 +05:30
Ankush Menat
271fe0e47e fix!: Don't silently ignore bad filters (#32871) 2025-06-10 12:06:44 +05:30
Ankush Menat
292646a5a7 Revert "Revert "perf: Make get_query query mutable (#32849)" (#32855)" (#32857)
This reverts commit 85dc9e6981.
2025-06-09 14:43:27 +00:00
Ankush Menat
85dc9e6981 Revert "perf: Make get_query query mutable (#32849)" (#32855)
This reverts commit dda62ff784.
2025-06-09 13:17:16 +00:00
Ankush Menat
dda62ff784 perf: Make get_query query mutable (#32849)
pypika internally keeps copying query builder object because everything
is supposed to be immutable in pypika design, this however is terribly
slow. Often query generation takes more time than query execution.

This PR makes query builder mutable inside `get_query` function to avoid
copying while applying fields, filters, limit, order etc.

It's marked as immutable again when sending it back to users of the API.
2025-06-09 13:46:40 +05:30
Akhil Narang
0b5e245507 feat: init sqlite
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-04-15 13:59:16 +05:30
Sagar Vora
ab98d3716f perf: optimize query building code 2025-03-15 10:29:26 +05:30
Ankush Menat
77852fd11f fix: search instead of match (#31557)
Match isn't correct usage here
2025-03-07 06:59:23 +00:00
Ankush Menat
23b5b0c7ae perf: speedup QB field sanitization (#28818) 2024-12-18 05:47:02 +00:00
David Arnold
86f70b9e98 chore: inline unnecessary indirection (#28250) 2024-10-22 19:33:48 +00:00
David Arnold
2abba7b51b fix: don't force values into the string type (#28185) 2024-10-19 19:00:25 +00:00
David Arnold
7348572af8 feat: docref identifier / proxy (#27973)
* feat: add DocRef

* feat: Add comprehensive test cases for DocRef functionality

* chore(db): add field type hints

* fix: ensure document stringer fulfills the DocRef contract
2024-10-19 09:40:26 +05:30
Ankush Menat
e810fb7eca feat: nowait to skip blocking locks 2024-02-29 16:30:24 +05:30
Akhil Narang
3f1e19de85 refactor(treewide): enable RUF rules
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2024-02-21 16:20:28 +05:30
Akhil Narang
26ae0f3460 fix: ruff fixes
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2024-02-07 17:04:31 +05:30
Ankush Menat
de9ac89748 style: re-format with ruff 2024-02-05 18:53:33 +05:30
Ankush Menat
e45e313bfb feat: Skip locked rows while selecting (#24298) 2024-01-13 09:49:27 +05:30
Hussain Nagaria
8d2137c265 docs: consistent doc strings 2023-12-18 18:27:39 +05:30
Sagar Vora
1b2d1dd567 chore: move statement to set validate_filters property 2023-05-31 14:20:26 +05:30
Sagar Vora
9f5a994f70 fix!: improved filter validation in Engine.get_query 2023-05-31 14:16:52 +05:30
Ankush Menat
a1c40d9158 feat: support tree-link-fields filtering in QB 2023-05-29 17:00:37 +05:30
Ankush Menat
842195ce29 fix: simplify plucking
no idea why itertools are used for this dumb operation
2023-05-29 17:00:37 +05:30
Sagar Vora
38c1207abe fix: multiple fixes to Engine.get_query (#21135) 2023-05-29 10:48:26 +05:30
Faris Ansari
c4bb732eaa fix: use dict syntax instead of string 2023-05-08 18:55:11 +05:30
Faris Ansari
41d7563aff feat: child_field[] syntax sugar for qb
- fetch child table rows in qb.get_query
- runs one query each for each child field
2023-05-08 18:55:11 +05:30
Gavin D'souza
5d3453eeb9 refactor: Re-use DefaultOrderBy value as global constant 2023-02-02 13:43:31 +05:30
Faris Ansari
543458b473 fix: handle empty list as filters 2023-01-16 15:38:15 +05:30
Faris Ansari
52e3d8d58b fix: handle empty string passed to filters 2023-01-16 14:11:37 +05:30
Faris Ansari
a93380ac9c fix: handle empty list for "in" and "not in" 2023-01-13 16:22:25 +05:30
Faris Ansari
5340efd156 fix: don't cast integer value in filter 2023-01-13 16:21:51 +05:30
Faris Ansari
76deeb531c fix: support list of str or int in filters 2023-01-10 18:22:05 +05:30
Faris Ansari
95d8a0f919 fix: allow Table instance 2023-01-10 16:48:38 +05:30
Faris Ansari
fe13108eec fix: refactor
- move operator map in separate file
- remove unnecessary code
- organize functions
2023-01-10 16:15:33 +05:30
Faris Ansari
08fc5b5c90 fix: allow list of dict in filters 2023-01-09 19:54:26 +05:30
Faris Ansari
9e9de7053c fix: set default order_by direction to desc 2023-01-09 18:19:31 +05:30
Faris Ansari
6192a9285a fix: use Field objects as is in apply_filter 2023-01-09 17:51:55 +05:30
Faris Ansari
f982439eb9 fix: pass fields explicitly
- to prevent addition of default `name` field
- also, add fields only if it is a select query
2023-01-09 16:43:44 +05:30
Faris Ansari
e4ac91a035 fix: ignore string with parenthesis
if it is not an sql function
2023-01-09 15:20:30 +05:30
Faris Ansari
b7c0ba1bea fix: allow dynamic fields in filters
e.g.,
`filters={'link.field': 'value'}`
`filters={'child.field': 'value'}`
2022-12-31 22:55:00 +05:30
Faris Ansari
e272adb0b1 fix: use table.field instead of Field('field') 2022-12-31 22:17:39 +05:30
Faris Ansari
847206222f fix: delete option 2022-12-31 22:17:20 +05:30
Faris Ansari
726fcfdb79 refactor: qb.engine
- simplify
- qb.engine.get_query -> qb.get_query
- qb.engine.build_conditions -> qb.get_query
2022-12-25 23:19:11 +05:30