|
|
|
@@ -110,8 +110,15 @@ class Report(Document): |
|
|
|
if not self.query: |
|
|
|
frappe.throw(_("Must specify a Query to run"), title=_('Report Document Error')) |
|
|
|
|
|
|
|
if not self.query.lower().startswith("select"): |
|
|
|
frappe.throw(_("Query must be a SELECT"), title=_('Report Document Error')) |
|
|
|
# Disallow SQL that writes to the database. |
|
|
|
if (not self.query.lower().startswith("select") and |
|
|
|
not self.query.lower().startswith("with")): |
|
|
|
frappe.throw(_("Query must be a SELECT or WITH"), title=_('Report Document Error')) |
|
|
|
|
|
|
|
# As of MariaDB 10.9, CTE WITH statements can only be combined with a SELECT clause and |
|
|
|
# therefore are read-only. Postgres allows WITH ... INSERT INTO statements. |
|
|
|
if (self.query.lower().startswith("with") and frappe.db.db_type != "mariadb"): |
|
|
|
frappe.throw(_("WITH queries are only allowed for MariaDB databases"), title=_('Report Document Error')) |
|
|
|
|
|
|
|
result = [list(t) for t in frappe.db.sql(self.query, filters)] |
|
|
|
columns = self.get_columns() or [cstr(c[0]) for c in frappe.db.get_description()] |
|
|
|
|
Carsten Tschense
3 年前
Ankush Menat