Without proper grouping, OR conditions from shared docs could bypass WHERE filters:
WHERE filter=X AND perm_cond OR shared_cond -- shared_cond ignores filter!
With proper grouping:
WHERE filter=X AND (perm_cond OR shared_cond) -- correct behavior
This produces better query plan with index intersection using 2
conditions instead of fulltable scan on dumb condition
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
- Extract _raise_permission_error helper for reuse
- Simplify get_user_permission_conditions to return list[Criterion]
- Rewrite add_permission_conditions to match documented logic:
- No role perms → apply only share permissions
- Role perms → (owner OR user perms) AND query conditions
- Shared docs OR other conditions when applicable
- Move apply_permissions check inside add_permission_conditions
* feat: implement field masking for query builder
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
* fix: add series and sessions to "core doctypes" list
This is so that we don't try to query their meta
This should also resolve#35030
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
---------
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
* fix(query): check standard field definitions
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
* fix(postgres): fix order_by problem in pg
* fix(postgres): fix order_by in get_all for _test_connection_query
* fix: add check to a proper numeric fallback in _get_ifnull_fallback
* test(postgres): fix pg query used in assertion in test_permission_query
* fix(postgres): fix order_by in get_all for possible_link
* fix(postgres): fix order_by in get_all for set_modules
* fix(postgres): fix pg query count *
* fix(postgres): fix order_by in get_all for ask_pass_update
* fix(postgres): fix order_by statement in search_widget
* fix(postgres): fix order_by in get_list for get_stats
* test(postgres): normalize_sql for pg queries in test_arithmetic_operators_in_fields
* test(postgres): normalize_sql for pg queries in test_field_alias_in_group_by
* test(postgres): normalize_sql for pg queries in test_field_alias_permission_check
* test(postgres): fix order_by statement in get_all for test_db_keywords_as_fields
* test(postgres): fix order_by statement in get_all for test_prepare_select_args
* fix(treeview): use 0 instead of false to check since check field is an integer
* fix(postgres): fix order_by in get_all for sync_communication
* fix(postgres): fix order_by in get_all for get_references_across_doctypes_by_dynamic_link_field
* test(postgres): fix order_by in get_all for test_list_summary
* fix(postgres): fix order_by in get_all for email queries
* test(postgres): use order_by none and update assertion for postgres
* fix(postgres): use ILIKE to support case insensitive search in postgres
* test(test_query): update pg specific query assert to use ILIKE
* test(test_query): update test_nested_filters to use ilike instead for PG
* test(postgres): update pg query in assert to test updated qb query
* fix(search): update query to be db-agnostic
* test(postgres): normalize query for pg in test_build_match_conditions
* fix(postgres): suppress ORDER BY when SELECT DISTINCT in query for postgres specific behavior
* fix(postgres): suppress ORDER BY when GROUP BY is explicitly asked for pg specific behavior
* test(postgres): fix test behavior for pg ORDER BY drop when used with GROUP BY
* refactor: reducing noise in code by formatting code
* fix(query): use Star() to handle SQL wildcard character * correctly
* fix(postgres): display warning for ORDER BY fields that will be dropped
---------
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
Co-authored-by: Akhil Narang <me@akhilnarang.dev>
- Add STAR_ALLOWED_FUNCTIONS frozenset with COUNT
- Pass function_name through parse chain to validate '*' usage
- Prevents '*' in functions like SUM(*), AVG(*) where it's invalid
- Remove sqlparse import (no longer used anywhere in query.py)
- Add FUNCTION_CALL_PATTERN regex for detecting SQL function calls
- Simplify _is_function_call from 6-line sqlparse parsing to 1-line regex match
Added SIMPLE_FIELD_PATTERN and IDENTIFIER_PATTERN at module level
to avoid repeated regex compilation in hot paths like filter validation
and alias checking.
ALLOWED_FIELD_PATTERN already restricts fields to simple identifiers
that cannot contain SQL comments, making the sqlparse.format(strip_comments=True)
and MARIADB_SPECIFIC_COMMENT.sub() calls unnecessary overhead.
Merged _sanitize_field into _validate_select_field.
has_permission() already checks for shared documents internally when
role permissions do not grant access, so the separate frappe.share.get_shared()
call was dead code.
