vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
51974 commits 1 branch 0 tags 587 MiB
Commit graph

207 commits

Author SHA1 Message Date
Akhil Narang
9e380bc33c
fix(query): don't create 2 error logs for the same thing (#34925) 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-28 12:39:31 +05:30
Akhil Narang
1bcdec6283
fix(query): check standard field definitions (#34828) 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-26 18:14:03 +05:30
Akhil Narang
b640faa80b
fix: allow selecting optional fields (#34901) 
Simplification/follow up to 9455721c77

Resolves #34861

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-26 17:31:17 +05:30
Corentin Forler
afa0cedfca
fix(query): Add set to valid types for the fields parameter (#34866) 2025-11-25 05:56:45 +00:00
Akhil Narang
bd044e520c
fix(query): don't allow using Document as a filter value (#34823) 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-24 11:13:43 +05:30
Akhil Narang
ea03bd020e
Merge pull request #34800 from akhilnarang/skip-null-fields 
fix(qb): skip null fields
 2025-11-20 18:48:23 +05:30
Akhil Narang
28a00251b1
fix(qb): skip null fields 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-20 18:39:28 +05:30
Akhil Narang
ba192648f3
fix(qb): track field aliases 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-20 18:05:33 +05:30
Akhil Narang
0f3fc00f00
fix: handle converting datetime -> date for fieldtype date 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
15588de6cd
fix(query): ensure backwards compatibility for sorting, filtering 
If `db_query_compat=True` (set by `qb_query.py`), then we default to some `db_query.py` behaviour.
Otherwise, we'll retail the previous query builder behaviour, this is to minimize breakage on either side.

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
2c15bb4a5b
fix(query): extend regex for allow backticked aliases 
For example:

```
`tabSerial and Batch Entry`.`name` as `child_row`
```

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
bd84d7a66a
fix: match db_query behaviour for certain cases like 
`filters.append(["reports_to", "=", ""])`

Earlier this generated:
```
( `tabEmployee`.`reports_to` is NULL OR `tabEmployee`.`reports_to` = '' )
```

Without this change, with qb it was

```
`reports_to`=''
```

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
9455721c77
fix: skip group by permission check for certain columns 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
978edeaa1d
feat: add in some functions 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
0bb1b4477c
fix(query): case insensitive check 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
07e8c987cb
fix(check_field_permissions): allow if no permissions defined 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
1ba9c14cd5
fix: check for shared documents 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
943df998d6
feat: support certain backticked expressions 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
7ad6f7e2c6
refactor: ensure no meta recursion 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
a5e44c4c6e
fix(query): check whether filter fields belong to child tables if not part of parent 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
ea926b0f31
fix(search): adjust query formation to align with new restrictions 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:58 +05:30
Akhil Narang
ddcda11d67
fix: function detection 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
b407fe8093
fix: allow function aliases 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
3040ab7eb2
feat(query): add in IFNULL logic from db_query 
Use `IFNULL(var, "") == ""` instead of `isnull()`

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
e420e7646f
fix(query): match db_query, add parentheses around condition 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
b4cf69732b
fix(query): allow numeric strings 
For things like `COUNT(1)`

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
e15ec47ba1
fix(query): allow passing as in any case 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
8e03924356
fix(query): allow AggregateFunction as well in apply_field_permissions 
Without this `fields=[{"COUNT": "name"}]` didn't work, although fields=[{"COUNT": "NAME"}] did.

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
7183caf871
fix(query_builder): default sorting based on doctype meta 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
90ed0502fa
refactor: support new function style 
- Migrate all SQL function usage from string format to dict format
- Old: fields=['count(*) as count']
- New: fields=[{'COUNT': '*', 'as': 'count'}]
- Add `NULLIF`

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Akhil Narang
340fe279b3
feat: add in initial version of DatabaseQuery using query builder 
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
 2025-11-19 21:15:57 +05:30
Ejaaz Khan
a52da6c8d6 fix(db_query): != condition not working in case of None 2025-09-30 13:23:16 +05:30
Faris Ansari
c2e08b3822 chore: remove unused code 2025-06-23 14:54:22 +05:30
Faris Ansari
f2a0724f9a feat: add back sql functions support with json syntax 
```
fields=['user_type', {'COUNT': 'name', 'as': 'total'}]
fields=[{"IFNULL": ["first_name", "'Unknown'"], "as": "safe_name"}]
```
 2025-06-18 16:15:25 +05:30
Faris Ansari
840e7991ce fix: dont allow partial backticks 
- add tests
 2025-06-18 16:14:32 +05:30
Faris Ansari
3f65806a0b fix: harden group by and order by inputs 
- only field, link_field.field, child_field.field allowed
- dont allow backticks
- add permlevel check
- add tests
 2025-06-18 16:10:52 +05:30
Faris Ansari
420e891d96 feat: remove support for sql functions in fields 2025-06-18 16:10:52 +05:30
Faris Ansari
9a84f20436 feat: add support for nested AND and OR conditions 2025-06-18 16:10:52 +05:30
Faris Ansari
b2a37f86b3 fix: filtering should only be allowed on permitted fields 2025-06-18 16:00:22 +05:30
Faris Ansari
f77a940582 fix: check permlevel for fields like "link_field.fieldname" 2025-06-18 16:00:22 +05:30
Faris Ansari
63afc0601b fix: restrict child table access if user has only "select" on parent 2025-06-18 16:00:22 +05:30
Faris Ansari
87664ad604 refactor: Enhance field and function parsing in query engine 
- Introduce `SqlFunctionParser` for robust parsing of supported SQL functions (e.g., `COUNT(*)`, `SUM(amount) as total`, `AVG(price - cost)`), replacing get_function_object and has_function.
- Refactor `DynamicTableField.parse` for improved handling of:
    - Aliases (case-insensitive `as`, quoted/unquoted).
    - `tabDocType.fieldname` notation (distinguishing child vs. main doctype refs).
    - Add validation and better error handling during parsing.
- Rewrite filter field validation (`_validate_and_prepare_filter_field`):
    - Disallow backticks (`) in filter field names.
    - Enforce specific patterns for dot notation (link/child fields only, reject `tabDoc.field`).
    - Validate character sets for simple field names.
- Update standard field parsing (`parse_string_field`, `ALLOWED_FIELD_PATTERN`, `FIELD_PARSE_REGEX`):
    - Support quoted table names potentially containing spaces (e.g., `tabTable Name`.`field`).
- Improve `parse_fields` and `_parse_single_field_item` logic:
    - Handle direct pypika `Field`/`AggregateFunction` inputs.
    - Reliably split comma-separated field strings.
```
 2025-06-18 16:00:22 +05:30
Faris Ansari
ddca77429c fix: secure query building 
Add strict validation using regex for fields in SELECT, filters, GROUP BY, and ORDER BY clauses to avoid potential SQL injection risks.

Refactor field parsing and validation logic into dedicated functions.
 2025-06-18 16:00:22 +05:30
Faris Ansari
8aa4c1030f fix: add support for AND, OR, NOT in RawCriterion 2025-06-18 15:56:11 +05:30
Faris Ansari
a94c143314 fix: add support for permission query conditions 2025-06-18 15:56:11 +05:30
Faris Ansari
f707cf5722 fix: raise PermissionError instead of ValidationError 2025-06-18 15:56:11 +05:30
Faris Ansari
f580cb3dad fix: add child query to allowed fields 2025-06-18 15:56:11 +05:30
Faris Ansari
471e001ebb feat: apply permissions in get_query 2025-06-18 15:56:11 +05:30
Sagar Vora
d35c1d958f
perf(query engine): create one less copy (#32889) 2025-06-11 12:51:55 +05:30
Ankush Menat
271fe0e47e
fix!: Dont silently ignore bad filters (#32871) 2025-06-10 12:06:44 +05:30