Commit graph

181 commits

Author SHA1 Message Date
Akhil Narang
e15ec47ba1
fix(query): allow passing as in any case
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-11-19 21:15:57 +05:30
Akhil Narang
8e03924356
fix(query): allow AggregateFunction as well in apply_field_permissions
Without this `fields=[{"COUNT": "name"}]` didn't work, although fields=[{"COUNT": "NAME"}] did.

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-11-19 21:15:57 +05:30
Akhil Narang
7183caf871
fix(query_builder): default sorting based on doctype meta
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-11-19 21:15:57 +05:30
Akhil Narang
90ed0502fa
refactor: support new function style
- Migrate all SQL function usage from string format to dict format
- Old: fields=['count(*) as count']
- New: fields=[{'COUNT': '*', 'as': 'count'}]
- Add `NULLIF`

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-11-19 21:15:57 +05:30
Akhil Narang
340fe279b3
feat: add in initial version of DatabaseQuery using query builder
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-11-19 21:15:57 +05:30
Ejaaz Khan
a52da6c8d6 fix(db_query): != condition not working in case of None 2025-09-30 13:23:16 +05:30
Faris Ansari
c2e08b3822 chore: remove unused code 2025-06-23 14:54:22 +05:30
Faris Ansari
f2a0724f9a feat: add back sql functions support with json syntax
```
fields=['user_type', {'COUNT': 'name', 'as': 'total'}]
fields=[{"IFNULL": ["first_name", "'Unknown'"], "as": "safe_name"}]
```
2025-06-18 16:15:25 +05:30
Faris Ansari
840e7991ce fix: dont allow partial backticks
- add tests
2025-06-18 16:14:32 +05:30
Faris Ansari
3f65806a0b fix: harden group by and order by inputs
- only field, link_field.field, child_field.field allowed
- dont allow backticks
- add permlevel check
- add tests
2025-06-18 16:10:52 +05:30
Faris Ansari
420e891d96 feat: remove support for sql functions in fields 2025-06-18 16:10:52 +05:30
Faris Ansari
9a84f20436 feat: add support for nested AND and OR conditions 2025-06-18 16:10:52 +05:30
Faris Ansari
b2a37f86b3 fix: filtering should only be allowed on permitted fields 2025-06-18 16:00:22 +05:30
Faris Ansari
f77a940582 fix: check permlevel for fields like "link_field.fieldname" 2025-06-18 16:00:22 +05:30
Faris Ansari
63afc0601b fix: restrict child table access if user has only "select" on parent 2025-06-18 16:00:22 +05:30
Faris Ansari
87664ad604 refactor: Enhance field and function parsing in query engine
- Introduce `SqlFunctionParser` for robust parsing of supported SQL functions (e.g., `COUNT(*)`, `SUM(amount) as total`, `AVG(price - cost)`), replacing get_function_object and has_function.
- Refactor `DynamicTableField.parse` for improved handling of:
    - Aliases (case-insensitive `as`, quoted/unquoted).
    - `tabDocType.fieldname` notation (distinguishing child vs. main doctype refs).
    - Add validation and better error handling during parsing.
- Rewrite filter field validation (`_validate_and_prepare_filter_field`):
    - Disallow backticks (`) in filter field names.
    - Enforce specific patterns for dot notation (link/child fields only, reject `tabDoc.field`).
    - Validate character sets for simple field names.
- Update standard field parsing (`parse_string_field`, `ALLOWED_FIELD_PATTERN`, `FIELD_PARSE_REGEX`):
    - Support quoted table names potentially containing spaces (e.g., `tabTable Name`.`field`).
- Improve `parse_fields` and `_parse_single_field_item` logic:
    - Handle direct pypika `Field`/`AggregateFunction` inputs.
    - Reliably split comma-separated field strings.
2025-06-18 16:00:22 +05:30
Faris Ansari
ddca77429c fix: secure query building
Add strict validation using regex for fields in SELECT, filters, GROUP BY, and ORDER BY clauses to avoid potential SQL injection risks.

Refactor field parsing and validation logic into dedicated functions.
2025-06-18 16:00:22 +05:30
Faris Ansari
8aa4c1030f fix: add support for AND, OR, NOT in RawCriterion 2025-06-18 15:56:11 +05:30
Faris Ansari
a94c143314 fix: add support for permission query conditions 2025-06-18 15:56:11 +05:30
Faris Ansari
f707cf5722 fix: raise PermissionError instead of ValidationError 2025-06-18 15:56:11 +05:30
Faris Ansari
f580cb3dad fix: add child query to allowed fields 2025-06-18 15:56:11 +05:30
Faris Ansari
471e001ebb feat: apply permissions in get_query 2025-06-18 15:56:11 +05:30
Sagar Vora
d35c1d958f
perf(query engine): create one less copy (#32889) 2025-06-11 12:51:55 +05:30
Ankush Menat
271fe0e47e
fix!: Dont silently ignore bad filters (#32871) 2025-06-10 12:06:44 +05:30
Ankush Menat
292646a5a7
Revert "Revert "perf: Make get_query query mutable (#32849)" (#32855)" (#32857)
This reverts commit 85dc9e6981.
2025-06-09 14:43:27 +00:00
Ankush Menat
85dc9e6981
Revert "perf: Make get_query query mutable (#32849)" (#32855)
This reverts commit dda62ff784.
2025-06-09 13:17:16 +00:00
Ankush Menat
dda62ff784
perf: Make get_query query mutable (#32849)
pypika internally keeps copying query builder object because everything
is supposed to be immutable in pypika design, this however is terribly
slow. Often query generation takes more time than query execution.

This PR makes query builder mutable inside `get_query` function to avoid
copying while applying fields, filters, limit, order etc.

It's marked as immutable again when sending it back to users of the API.
2025-06-09 13:46:40 +05:30
Akhil Narang
0b5e245507
feat: init sqlite
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-04-15 13:59:16 +05:30
Sagar Vora
ab98d3716f perf: optimize query building code 2025-03-15 10:29:26 +05:30
Ankush Menat
77852fd11f
fix: search instead of match (#31557)
Match isn't correct usage here
2025-03-07 06:59:23 +00:00
Ankush Menat
23b5b0c7ae
perf: speedup QB field sanitization (#28818) 2024-12-18 05:47:02 +00:00
David Arnold
86f70b9e98
chore: inline unnecessary indirection (#28250) 2024-10-22 19:33:48 +00:00
David Arnold
2abba7b51b
fix: don't force values into the string type (#28185) 2024-10-19 19:00:25 +00:00
David Arnold
7348572af8
feat: docref identifier / proxy (#27973)
* feat: add DocRef

* feat: Add comprehensive test cases for DocRef functionality

* chore(db): add field type hints

* fix: ensure document stringer fulfills the DocRef contract
2024-10-19 09:40:26 +05:30
Ankush Menat
e810fb7eca feat: nowait to skip blocking locks 2024-02-29 16:30:24 +05:30
Akhil Narang
3f1e19de85
refactor(treewide): enable RUF rules
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2024-02-21 16:20:28 +05:30
Akhil Narang
26ae0f3460
fix: ruff fixes
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2024-02-07 17:04:31 +05:30
Ankush Menat
de9ac89748 style: re-format with ruff 2024-02-05 18:53:33 +05:30
Ankush Menat
e45e313bfb
feat: Skip locked rows while selecting (#24298) 2024-01-13 09:49:27 +05:30
Hussain Nagaria
8d2137c265 docs: consistent doc strings 2023-12-18 18:27:39 +05:30
Sagar Vora
1b2d1dd567 chore: move statement to set validate_filters property 2023-05-31 14:20:26 +05:30
Sagar Vora
9f5a994f70 fix!: improved filter validation in Engine.get_query 2023-05-31 14:16:52 +05:30
Ankush Menat
a1c40d9158 feat: support tree-link-fields filtering in QB 2023-05-29 17:00:37 +05:30
Ankush Menat
842195ce29 fix: simplify plucking
no idea why itertools are used for this dumb operation
2023-05-29 17:00:37 +05:30
Sagar Vora
38c1207abe
fix: multiple fixes to Engine.get_query (#21135) 2023-05-29 10:48:26 +05:30
Faris Ansari
c4bb732eaa fix: use dict syntax instead of string 2023-05-08 18:55:11 +05:30
Faris Ansari
41d7563aff feat: child_field[] syntax sugar for qb
- fetch child table rows in qb.get_query
- runs one query each for each child field
2023-05-08 18:55:11 +05:30
Gavin D'souza
5d3453eeb9 refactor: Re-use DefaultOrderBy value as global constant 2023-02-02 13:43:31 +05:30
Faris Ansari
543458b473 fix: handle empty list as filters 2023-01-16 15:38:15 +05:30
Faris Ansari
52e3d8d58b fix: handle empty string passed to filters 2023-01-16 14:11:37 +05:30