Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
 
 
 
 
 
 

934 Zeilen
30 KiB

  1. # Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
  2. # License: MIT. See LICENSE
  3. """build query for doclistview and return results"""
  4. from typing import List
  5. import frappe.defaults
  6. from frappe.query_builder.utils import Column
  7. import frappe.share
  8. from frappe import _
  9. import frappe.permissions
  10. from datetime import datetime
  11. import frappe, json, copy, re
  12. from frappe.model import optional_fields
  13. from frappe.model.utils.user_settings import get_user_settings, update_user_settings
  14. from frappe.utils import flt, cint, get_time, make_filter_tuple, get_filter, add_to_date, cstr, get_timespan_date_range
  15. from frappe.model.meta import get_table_columns
  16. from frappe.core.doctype.server_script.server_script_utils import get_server_script_map
  17. class DatabaseQuery(object):
  18. def __init__(self, doctype, user=None):
  19. self.doctype = doctype
  20. self.tables = []
  21. self.conditions = []
  22. self.or_conditions = []
  23. self.fields = None
  24. self.user = user or frappe.session.user
  25. self.ignore_ifnull = False
  26. self.flags = frappe._dict()
  27. self.reference_doctype = None
  28. def execute(self, fields=None, filters=None, or_filters=None,
  29. docstatus=None, group_by=None, order_by="KEEP_DEFAULT_ORDERING", limit_start=False,
  30. limit_page_length=None, as_list=False, with_childnames=False, debug=False,
  31. ignore_permissions=False, user=None, with_comment_count=False,
  32. join='left join', distinct=False, start=None, page_length=None, limit=None,
  33. ignore_ifnull=False, save_user_settings=False, save_user_settings_fields=False,
  34. update=None, add_total_row=None, user_settings=None, reference_doctype=None,
  35. run=True, strict=True, pluck=None, ignore_ddl=False, parent_doctype=None) -> List:
  36. if not ignore_permissions and \
  37. not frappe.has_permission(self.doctype, "select", user=user, parent_doctype=parent_doctype) and \
  38. not frappe.has_permission(self.doctype, "read", user=user, parent_doctype=parent_doctype):
  39. frappe.flags.error_message = _('Insufficient Permission for {0}').format(frappe.bold(self.doctype))
  40. raise frappe.PermissionError(self.doctype)
  41. # filters and fields swappable
  42. # its hard to remember what comes first
  43. if (
  44. isinstance(fields, dict)
  45. or (
  46. fields
  47. and isinstance(fields, list)
  48. and isinstance(fields[0], list)
  49. )
  50. ):
  51. # if fields is given as dict/list of list, its probably filters
  52. filters, fields = fields, filters
  53. elif fields and isinstance(filters, list) \
  54. and len(filters) > 1 and isinstance(filters[0], str):
  55. # if `filters` is a list of strings, its probably fields
  56. filters, fields = fields, filters
  57. if fields:
  58. self.fields = fields
  59. else:
  60. self.fields = [f"`tab{self.doctype}`.`{pluck or 'name'}`"]
  61. if start: limit_start = start
  62. if page_length: limit_page_length = page_length
  63. if limit: limit_page_length = limit
  64. self.filters = filters or []
  65. self.or_filters = or_filters or []
  66. self.docstatus = docstatus or []
  67. self.group_by = group_by
  68. self.order_by = order_by
  69. self.limit_start = cint(limit_start)
  70. self.limit_page_length = cint(limit_page_length) if limit_page_length else None
  71. self.with_childnames = with_childnames
  72. self.debug = debug
  73. self.join = join
  74. self.distinct = distinct
  75. self.as_list = as_list
  76. self.ignore_ifnull = ignore_ifnull
  77. self.flags.ignore_permissions = ignore_permissions
  78. self.user = user or frappe.session.user
  79. self.update = update
  80. self.user_settings_fields = copy.deepcopy(self.fields)
  81. self.run = run
  82. self.strict = strict
  83. self.ignore_ddl = ignore_ddl
  84. # for contextual user permission check
  85. # to determine which user permission is applicable on link field of specific doctype
  86. self.reference_doctype = reference_doctype or self.doctype
  87. if user_settings:
  88. self.user_settings = json.loads(user_settings)
  89. self.columns = self.get_table_columns()
  90. # no table & ignore_ddl, return
  91. if not self.columns: return []
  92. result = self.build_and_run()
  93. if with_comment_count and not as_list and self.doctype:
  94. self.add_comment_count(result)
  95. if save_user_settings:
  96. self.save_user_settings_fields = save_user_settings_fields
  97. self.update_user_settings()
  98. if pluck:
  99. return [d[pluck] for d in result]
  100. return result
  101. def build_and_run(self):
  102. args = self.prepare_args()
  103. args.limit = self.add_limit()
  104. if args.conditions:
  105. args.conditions = "where " + args.conditions
  106. if self.distinct:
  107. args.fields = 'distinct ' + args.fields
  108. args.order_by = '' # TODO: recheck for alternative
  109. # Postgres requires any field that appears in the select clause to also
  110. # appear in the order by and group by clause
  111. if frappe.db.db_type == 'postgres' and args.order_by and args.group_by:
  112. args = self.prepare_select_args(args)
  113. query = """select %(fields)s
  114. from %(tables)s
  115. %(conditions)s
  116. %(group_by)s
  117. %(order_by)s
  118. %(limit)s""" % args
  119. return frappe.db.sql(query, as_dict=not self.as_list, debug=self.debug,
  120. update=self.update, ignore_ddl=self.ignore_ddl, run=self.run)
  121. def prepare_args(self):
  122. self.parse_args()
  123. self.sanitize_fields()
  124. self.extract_tables()
  125. self.set_optional_columns()
  126. self.build_conditions()
  127. args = frappe._dict()
  128. if self.with_childnames:
  129. for t in self.tables:
  130. if t != "`tab" + self.doctype + "`":
  131. self.fields.append(t + ".name as '%s:name'" % t[4:-1])
  132. # query dict
  133. args.tables = self.tables[0]
  134. # left join parent, child tables
  135. for child in self.tables[1:]:
  136. args.tables += f" {self.join} {child} on ({child}.parent = {self.tables[0]}.name)"
  137. if self.grouped_or_conditions:
  138. self.conditions.append(f"({' or '.join(self.grouped_or_conditions)})")
  139. args.conditions = ' and '.join(self.conditions)
  140. if self.or_conditions:
  141. args.conditions += (' or ' if args.conditions else "") + \
  142. ' or '.join(self.or_conditions)
  143. self.set_field_tables()
  144. fields = []
  145. # Wrapping fields with grave quotes to allow support for sql keywords
  146. # TODO: Add support for wrapping fields with sql functions and distinct keyword
  147. for field in self.fields:
  148. stripped_field = field.strip().lower()
  149. skip_wrapping = any([
  150. stripped_field.startswith(("`", "*", '"', "'")),
  151. "(" in stripped_field,
  152. "distinct" in stripped_field,
  153. ])
  154. if skip_wrapping:
  155. fields.append(field)
  156. elif "as" in field.lower().split(" "):
  157. col, _, new = field.split()
  158. fields.append(f"`{col}` as {new}")
  159. else:
  160. fields.append(f"`{field}`")
  161. args.fields = ", ".join(fields)
  162. self.set_order_by(args)
  163. self.validate_order_by_and_group_by(args.order_by)
  164. args.order_by = args.order_by and (" order by " + args.order_by) or ""
  165. self.validate_order_by_and_group_by(self.group_by)
  166. args.group_by = self.group_by and (" group by " + self.group_by) or ""
  167. return args
  168. def prepare_select_args(self, args):
  169. order_field = re.sub(r"\ order\ by\ |\ asc|\ ASC|\ desc|\ DESC", "", args.order_by)
  170. if order_field not in args.fields:
  171. extracted_column = order_column = order_field.replace("`", "")
  172. if "." in extracted_column:
  173. extracted_column = extracted_column.split(".")[1]
  174. args.fields += f", MAX({extracted_column}) as `{order_column}`"
  175. args.order_by = args.order_by.replace(order_field, f"`{order_column}`")
  176. return args
  177. def parse_args(self):
  178. """Convert fields and filters from strings to list, dicts"""
  179. if isinstance(self.fields, str):
  180. if self.fields == "*":
  181. self.fields = ["*"]
  182. else:
  183. try:
  184. self.fields = json.loads(self.fields)
  185. except ValueError:
  186. self.fields = [f.strip() for f in self.fields.split(",")]
  187. # remove empty strings / nulls in fields
  188. self.fields = [f for f in self.fields if f]
  189. for filter_name in ["filters", "or_filters"]:
  190. filters = getattr(self, filter_name)
  191. if isinstance(filters, str):
  192. filters = json.loads(filters)
  193. if isinstance(filters, dict):
  194. fdict = filters
  195. filters = []
  196. for key, value in fdict.items():
  197. filters.append(make_filter_tuple(self.doctype, key, value))
  198. setattr(self, filter_name, filters)
  199. def sanitize_fields(self):
  200. '''
  201. regex : ^.*[,();].*
  202. purpose : The regex will look for malicious patterns like `,`, '(', ')', '@', ;' in each
  203. field which may leads to sql injection.
  204. example :
  205. field = "`DocType`.`issingle`, version()"
  206. As field contains `,` and mysql function `version()`, with the help of regex
  207. the system will filter out this field.
  208. '''
  209. sub_query_regex = re.compile("^.*[,();@].*")
  210. blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case', 'show']
  211. blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce',
  212. 'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user',
  213. 'system_user', 'user', 'version', 'global']
  214. def _raise_exception():
  215. frappe.throw(_('Use of sub-query or function is restricted'), frappe.DataError)
  216. def _is_query(field):
  217. if re.compile(r"^(select|delete|update|drop|create)\s").match(field):
  218. _raise_exception()
  219. elif re.compile(r"\s*[0-9a-zA-z]*\s*( from | group by | order by | where | join )").match(field):
  220. _raise_exception()
  221. for field in self.fields:
  222. if sub_query_regex.match(field):
  223. if any(keyword in field.lower().split() for keyword in blacklisted_keywords):
  224. _raise_exception()
  225. if any(f"({keyword}" in field.lower() for keyword in blacklisted_keywords):
  226. _raise_exception()
  227. if any(f"{keyword}(" in field.lower() for keyword in blacklisted_functions):
  228. _raise_exception()
  229. if '@' in field.lower():
  230. # prevent access to global variables
  231. _raise_exception()
  232. if re.compile(r"[0-9a-zA-Z]+\s*'").match(field):
  233. _raise_exception()
  234. if re.compile(r"[0-9a-zA-Z]+\s*,").match(field):
  235. _raise_exception()
  236. _is_query(field)
  237. if self.strict:
  238. if re.compile(r".*/\*.*").match(field):
  239. frappe.throw(_('Illegal SQL Query'))
  240. if re.compile(r".*\s(union).*\s").match(field.lower()):
  241. frappe.throw(_('Illegal SQL Query'))
  242. def extract_tables(self):
  243. """extract tables from fields"""
  244. self.tables = [f"`tab{self.doctype}`"]
  245. sql_functions = [
  246. "dayofyear(",
  247. "extract(",
  248. "locate(",
  249. "strpos(",
  250. "count(",
  251. "sum(",
  252. "avg(",
  253. ]
  254. # add tables from fields
  255. if self.fields:
  256. for field in self.fields:
  257. if not ("tab" in field and "." in field) or any(x for x in sql_functions if x in field):
  258. continue
  259. table_name = field.split('.')[0]
  260. if table_name.lower().startswith('group_concat('):
  261. table_name = table_name[13:]
  262. if table_name.lower().startswith('ifnull('):
  263. table_name = table_name[7:]
  264. if not table_name[0]=='`':
  265. table_name = f"`{table_name}`"
  266. if not table_name in self.tables:
  267. self.append_table(table_name)
  268. def append_table(self, table_name):
  269. self.tables.append(table_name)
  270. doctype = table_name[4:-1]
  271. ptype = 'select' if frappe.only_has_select_perm(doctype) else 'read'
  272. if not self.flags.ignore_permissions and \
  273. not frappe.has_permission(doctype, ptype=ptype, parent_doctype=self.doctype):
  274. frappe.flags.error_message = _('Insufficient Permission for {0}').format(frappe.bold(doctype))
  275. raise frappe.PermissionError(doctype)
  276. def set_field_tables(self):
  277. '''If there are more than one table, the fieldname must not be ambiguous.
  278. If the fieldname is not explicitly mentioned, set the default table'''
  279. def _in_standard_sql_methods(field):
  280. methods = ('count(', 'avg(', 'sum(', 'extract(', 'dayofyear(')
  281. return field.lower().startswith(methods)
  282. if len(self.tables) > 1:
  283. for idx, field in enumerate(self.fields):
  284. if '.' not in field and not _in_standard_sql_methods(field):
  285. self.fields[idx] = f"{self.tables[0]}.{field}"
  286. def get_table_columns(self):
  287. try:
  288. return get_table_columns(self.doctype)
  289. except frappe.db.TableMissingError:
  290. if self.ignore_ddl:
  291. return None
  292. else:
  293. raise
  294. def set_optional_columns(self):
  295. """Removes optional columns like `_user_tags`, `_comments` etc. if not in table"""
  296. # remove from fields
  297. to_remove = []
  298. for fld in self.fields:
  299. for f in optional_fields:
  300. if f in fld and not f in self.columns:
  301. to_remove.append(fld)
  302. for fld in to_remove:
  303. del self.fields[self.fields.index(fld)]
  304. # remove from filters
  305. to_remove = []
  306. for each in self.filters:
  307. if isinstance(each, str):
  308. each = [each]
  309. for element in each:
  310. if element in optional_fields and element not in self.columns:
  311. to_remove.append(each)
  312. for each in to_remove:
  313. if isinstance(self.filters, dict):
  314. del self.filters[each]
  315. else:
  316. self.filters.remove(each)
  317. def build_conditions(self):
  318. self.conditions = []
  319. self.grouped_or_conditions = []
  320. self.build_filter_conditions(self.filters, self.conditions)
  321. self.build_filter_conditions(self.or_filters, self.grouped_or_conditions)
  322. # match conditions
  323. if not self.flags.ignore_permissions:
  324. match_conditions = self.build_match_conditions()
  325. if match_conditions:
  326. self.conditions.append(f"({match_conditions})")
  327. def build_filter_conditions(self, filters, conditions, ignore_permissions=None):
  328. """build conditions from user filters"""
  329. if ignore_permissions is not None:
  330. self.flags.ignore_permissions = ignore_permissions
  331. if isinstance(filters, dict):
  332. filters = [filters]
  333. for f in filters:
  334. if isinstance(f, str):
  335. conditions.append(f)
  336. else:
  337. conditions.append(self.prepare_filter_condition(f))
  338. def prepare_filter_condition(self, f):
  339. """Returns a filter condition in the format:
  340. ifnull(`tabDocType`.`fieldname`, fallback) operator "value"
  341. """
  342. from frappe.boot import get_additional_filters_from_hooks
  343. additional_filters_config = get_additional_filters_from_hooks()
  344. f = get_filter(self.doctype, f, additional_filters_config)
  345. tname = ('`tab' + f.doctype + '`')
  346. if not tname in self.tables:
  347. self.append_table(tname)
  348. if 'ifnull(' in f.fieldname:
  349. column_name = f.fieldname
  350. else:
  351. column_name = f"{tname}.{f.fieldname}"
  352. can_be_null = True
  353. if f.operator.lower() in additional_filters_config:
  354. f.update(get_additional_filter_field(additional_filters_config, f, f.value))
  355. # prepare in condition
  356. if f.operator.lower() in ('ancestors of', 'descendants of', 'not ancestors of', 'not descendants of'):
  357. values = f.value or ''
  358. # TODO: handle list and tuple
  359. # if not isinstance(values, (list, tuple)):
  360. # values = values.split(",")
  361. ref_doctype = f.doctype
  362. if frappe.get_meta(f.doctype).get_field(f.fieldname) is not None :
  363. ref_doctype = frappe.get_meta(f.doctype).get_field(f.fieldname).options
  364. result=[]
  365. lft, rgt = '', ''
  366. if f.value:
  367. lft, rgt = frappe.db.get_value(ref_doctype, f.value, ["lft", "rgt"])
  368. # Get descendants elements of a DocType with a tree structure
  369. if f.operator.lower() in ('descendants of', 'not descendants of') :
  370. result = frappe.get_all(ref_doctype, filters={
  371. 'lft': ['>', lft],
  372. 'rgt': ['<', rgt]
  373. }, order_by='`lft` ASC')
  374. else :
  375. # Get ancestor elements of a DocType with a tree structure
  376. result = frappe.get_all(ref_doctype, filters={
  377. 'lft': ['<', lft],
  378. 'rgt': ['>', rgt]
  379. }, order_by='`lft` DESC')
  380. fallback = "''"
  381. value = [frappe.db.escape((v.name or '').strip(), percent=False) for v in result]
  382. if len(value):
  383. value = f"({', '.join(value)})"
  384. else:
  385. value = "('')"
  386. # changing operator to IN as the above code fetches all the parent / child values and convert into tuple
  387. # which can be directly used with IN operator to query.
  388. f.operator = 'not in' if f.operator.lower() in ('not ancestors of', 'not descendants of') else 'in'
  389. elif f.operator.lower() in ('in', 'not in'):
  390. values = f.value or ''
  391. if isinstance(values, str):
  392. values = values.split(",")
  393. fallback = "''"
  394. value = [frappe.db.escape((v or '').strip(), percent=False) for v in values]
  395. if len(value):
  396. value = f"({', '.join(value)})"
  397. else:
  398. value = "('')"
  399. else:
  400. df = frappe.get_meta(f.doctype).get("fields", {"fieldname": f.fieldname})
  401. df = df[0] if df else None
  402. if df and df.fieldtype in ("Check", "Float", "Int", "Currency", "Percent"):
  403. can_be_null = False
  404. if f.operator.lower() in ('previous', 'next', 'timespan'):
  405. date_range = get_date_range(f.operator.lower(), f.value)
  406. f.operator = "Between"
  407. f.value = date_range
  408. fallback = "'0001-01-01 00:00:00'"
  409. if f.operator in ('>', '<') and (f.fieldname in ('creation', 'modified')):
  410. value = cstr(f.value)
  411. fallback = "'0001-01-01 00:00:00'"
  412. elif f.operator.lower() in ('between') and \
  413. (f.fieldname in ('creation', 'modified') or (df and (df.fieldtype=="Date" or df.fieldtype=="Datetime"))):
  414. value = get_between_date_filter(f.value, df)
  415. fallback = "'0001-01-01 00:00:00'"
  416. elif f.operator.lower() == "is":
  417. if f.value == 'set':
  418. f.operator = '!='
  419. elif f.value == 'not set':
  420. f.operator = '='
  421. value = ""
  422. fallback = "''"
  423. can_be_null = True
  424. if 'ifnull' not in column_name:
  425. column_name = f'ifnull({column_name}, {fallback})'
  426. elif df and df.fieldtype=="Date":
  427. value = frappe.db.format_date(f.value)
  428. fallback = "'0001-01-01'"
  429. elif (df and df.fieldtype=="Datetime") or isinstance(f.value, datetime):
  430. value = frappe.db.format_datetime(f.value)
  431. fallback = "'0001-01-01 00:00:00'"
  432. elif df and df.fieldtype=="Time":
  433. value = get_time(f.value).strftime("%H:%M:%S.%f")
  434. fallback = "'00:00:00'"
  435. elif f.operator.lower() in ("like", "not like") or (isinstance(f.value, str) and
  436. (not df or df.fieldtype not in ["Float", "Int", "Currency", "Percent", "Check"])):
  437. value = "" if f.value==None else f.value
  438. fallback = "''"
  439. if f.operator.lower() in ("like", "not like") and isinstance(value, str):
  440. # because "like" uses backslash (\) for escaping
  441. value = value.replace("\\", "\\\\").replace("%", "%%")
  442. elif f.operator == '=' and df and df.fieldtype in ['Link', 'Data']: # TODO: Refactor if possible
  443. value = f.value or "''"
  444. fallback = "''"
  445. elif f.fieldname == 'name':
  446. value = f.value or "''"
  447. fallback = "''"
  448. else:
  449. value = flt(f.value)
  450. fallback = 0
  451. if isinstance(f.value, Column):
  452. can_be_null = False # added to avoid the ifnull/coalesce addition
  453. quote = '"' if frappe.conf.db_type == 'postgres' else "`"
  454. value = f"{tname}.{quote}{f.value.name}{quote}"
  455. # escape value
  456. elif isinstance(value, str) and not f.operator.lower() == 'between':
  457. value = f"{frappe.db.escape(value, percent=False)}"
  458. if (
  459. self.ignore_ifnull
  460. or not can_be_null
  461. or (f.value and f.operator.lower() in ('=', 'like'))
  462. or 'ifnull(' in column_name.lower()
  463. ):
  464. if f.operator.lower() == 'like' and frappe.conf.get('db_type') == 'postgres':
  465. f.operator = 'ilike'
  466. condition = f'{column_name} {f.operator} {value}'
  467. else:
  468. condition = f'ifnull({column_name}, {fallback}) {f.operator} {value}'
  469. return condition
  470. def build_match_conditions(self, as_condition=True):
  471. """add match conditions if applicable"""
  472. self.match_filters = []
  473. self.match_conditions = []
  474. only_if_shared = False
  475. if not self.user:
  476. self.user = frappe.session.user
  477. if not self.tables: self.extract_tables()
  478. meta = frappe.get_meta(self.doctype)
  479. role_permissions = frappe.permissions.get_role_permissions(meta, user=self.user)
  480. self.shared = frappe.share.get_shared(self.doctype, self.user)
  481. if (
  482. not meta.istable and
  483. not (role_permissions.get("select") or role_permissions.get("read")) and
  484. not self.flags.ignore_permissions and
  485. not has_any_user_permission_for_doctype(self.doctype, self.user, self.reference_doctype)
  486. ):
  487. only_if_shared = True
  488. if not self.shared:
  489. frappe.throw(_("No permission to read {0}").format(self.doctype), frappe.PermissionError)
  490. else:
  491. self.conditions.append(self.get_share_condition())
  492. else:
  493. # skip user perm check if owner constraint is required
  494. if requires_owner_constraint(role_permissions):
  495. self.match_conditions.append(
  496. f"`tab{self.doctype}`.`owner` = {frappe.db.escape(self.user, percent=False)}"
  497. )
  498. # add user permission only if role has read perm
  499. elif role_permissions.get("read") or role_permissions.get("select"):
  500. # get user permissions
  501. user_permissions = frappe.permissions.get_user_permissions(self.user)
  502. self.add_user_permissions(user_permissions)
  503. if as_condition:
  504. conditions = ""
  505. if self.match_conditions:
  506. # will turn out like ((blog_post in (..) and blogger in (...)) or (blog_category in (...)))
  507. conditions = "((" + ") or (".join(self.match_conditions) + "))"
  508. doctype_conditions = self.get_permission_query_conditions()
  509. if doctype_conditions:
  510. conditions += (' and ' + doctype_conditions) if conditions else doctype_conditions
  511. # share is an OR condition, if there is a role permission
  512. if not only_if_shared and self.shared and conditions:
  513. conditions = f"({conditions}) or ({self.get_share_condition()})"
  514. return conditions
  515. else:
  516. return self.match_filters
  517. def get_share_condition(self):
  518. return f"`tab{self.doctype}`.name in ({', '.join(frappe.db.escape(s, percent=False) for s in self.shared)})"
  519. def add_user_permissions(self, user_permissions):
  520. meta = frappe.get_meta(self.doctype)
  521. doctype_link_fields = []
  522. doctype_link_fields = meta.get_link_fields()
  523. # append current doctype with fieldname as 'name' as first link field
  524. doctype_link_fields.append(dict(
  525. options=self.doctype,
  526. fieldname='name',
  527. ))
  528. match_filters = {}
  529. match_conditions = []
  530. for df in doctype_link_fields:
  531. if df.get('ignore_user_permissions'): continue
  532. user_permission_values = user_permissions.get(df.get('options'), {})
  533. if user_permission_values:
  534. docs = []
  535. if frappe.get_system_settings("apply_strict_user_permissions"):
  536. condition = ""
  537. else:
  538. empty_value_condition = f"ifnull(`tab{self.doctype}`.`{df.get('fieldname')}`, '')=''"
  539. condition = empty_value_condition + " or "
  540. for permission in user_permission_values:
  541. if not permission.get('applicable_for'):
  542. docs.append(permission.get('doc'))
  543. # append docs based on user permission applicable on reference doctype
  544. # this is useful when getting list of docs from a link field
  545. # in this case parent doctype of the link
  546. # will be the reference doctype
  547. elif df.get('fieldname') == 'name' and self.reference_doctype:
  548. if permission.get('applicable_for') == self.reference_doctype:
  549. docs.append(permission.get('doc'))
  550. elif permission.get('applicable_for') == self.doctype:
  551. docs.append(permission.get('doc'))
  552. if docs:
  553. values = ", ".join(frappe.db.escape(doc, percent=False) for doc in docs)
  554. condition += f"`tab{self.doctype}`.`{df.get('fieldname')}` in ({values})"
  555. match_conditions.append(f"({condition})")
  556. match_filters[df.get('options')] = docs
  557. if match_conditions:
  558. self.match_conditions.append(" and ".join(match_conditions))
  559. if match_filters:
  560. self.match_filters.append(match_filters)
  561. def get_permission_query_conditions(self):
  562. conditions = []
  563. condition_methods = frappe.get_hooks("permission_query_conditions", {}).get(self.doctype, [])
  564. if condition_methods:
  565. for method in condition_methods:
  566. c = frappe.call(frappe.get_attr(method), self.user)
  567. if c:
  568. conditions.append(c)
  569. permision_script_name = get_server_script_map().get("permission_query", {}).get(self.doctype)
  570. if permision_script_name:
  571. script = frappe.get_doc("Server Script", permision_script_name)
  572. condition = script.get_permission_query_conditions(self.user)
  573. if condition:
  574. conditions.append(condition)
  575. return " and ".join(conditions) if conditions else ""
  576. def set_order_by(self, args):
  577. meta = frappe.get_meta(self.doctype)
  578. if self.order_by and self.order_by != "KEEP_DEFAULT_ORDERING":
  579. args.order_by = self.order_by
  580. else:
  581. args.order_by = ""
  582. # don't add order by from meta if a mysql group function is used without group by clause
  583. group_function_without_group_by = (len(self.fields)==1 and
  584. ( self.fields[0].lower().startswith("count(")
  585. or self.fields[0].lower().startswith("min(")
  586. or self.fields[0].lower().startswith("max(")
  587. ) and not self.group_by)
  588. if not group_function_without_group_by:
  589. sort_field = sort_order = None
  590. if meta.sort_field and ',' in meta.sort_field:
  591. # multiple sort given in doctype definition
  592. # Example:
  593. # `idx desc, modified desc`
  594. # will covert to
  595. # `tabItem`.`idx` desc, `tabItem`.`modified` desc
  596. args.order_by = ', '.join(
  597. f"`tab{self.doctype}`.`{f.split()[0].strip()}` {f.split()[1].strip()}" for f in meta.sort_field.split(',')
  598. )
  599. else:
  600. sort_field = meta.sort_field or 'modified'
  601. sort_order = (meta.sort_field and meta.sort_order) or 'desc'
  602. if self.order_by:
  603. args.order_by = f"`tab{self.doctype}`.`{sort_field or 'modified'}` {sort_order or 'desc'}"
  604. # draft docs always on top
  605. if hasattr(meta, 'is_submittable') and meta.is_submittable:
  606. if self.order_by:
  607. args.order_by = f"`tab{self.doctype}`.docstatus asc, {args.order_by}"
  608. def validate_order_by_and_group_by(self, parameters):
  609. """Check order by, group by so that atleast one column is selected and does not have subquery"""
  610. if not parameters:
  611. return
  612. _lower = parameters.lower()
  613. if 'select' in _lower and 'from' in _lower:
  614. frappe.throw(_('Cannot use sub-query in order by'))
  615. if re.compile(r".*[^a-z0-9-_ ,`'\"\.\(\)].*").match(_lower):
  616. frappe.throw(_('Illegal SQL Query'))
  617. for field in parameters.split(","):
  618. if "." in field and field.strip().startswith("`tab"):
  619. tbl = field.strip().split('.')[0]
  620. if tbl not in self.tables:
  621. if tbl.startswith('`'):
  622. tbl = tbl[4:-1]
  623. frappe.throw(_("Please select atleast 1 column from {0} to sort/group").format(tbl))
  624. def add_limit(self):
  625. if self.limit_page_length:
  626. return 'limit %s offset %s' % (self.limit_page_length, self.limit_start)
  627. else:
  628. return ''
  629. def add_comment_count(self, result):
  630. for r in result:
  631. if not r.name:
  632. continue
  633. r._comment_count = 0
  634. if "_comments" in r:
  635. r._comment_count = len(json.loads(r._comments or "[]"))
  636. def update_user_settings(self):
  637. # update user settings if new search
  638. user_settings = json.loads(get_user_settings(self.doctype))
  639. if hasattr(self, 'user_settings'):
  640. user_settings.update(self.user_settings)
  641. if self.save_user_settings_fields:
  642. user_settings['fields'] = self.user_settings_fields
  643. update_user_settings(self.doctype, user_settings)
  644. def check_parent_permission(parent, child_doctype):
  645. if parent:
  646. # User may pass fake parent and get the information from the child table
  647. if child_doctype and not frappe.db.exists('DocField',
  648. {'parent': parent, 'options': child_doctype}):
  649. raise frappe.PermissionError
  650. if frappe.permissions.has_permission(parent):
  651. return
  652. # Either parent not passed or the user doesn't have permission on parent doctype of child table!
  653. raise frappe.PermissionError
  654. def get_order_by(doctype, meta):
  655. order_by = ""
  656. sort_field = sort_order = None
  657. if meta.sort_field and ',' in meta.sort_field:
  658. # multiple sort given in doctype definition
  659. # Example:
  660. # `idx desc, modified desc`
  661. # will covert to
  662. # `tabItem`.`idx` desc, `tabItem`.`modified` desc
  663. order_by = ', '.join(f"`tab{doctype}`.`{f.split()[0].strip()}` {f.split()[1].strip()}" for f in meta.sort_field.split(','))
  664. else:
  665. sort_field = meta.sort_field or 'modified'
  666. sort_order = (meta.sort_field and meta.sort_order) or 'desc'
  667. order_by = f"`tab{doctype}`.`{sort_field or 'modified'}` {sort_order or 'desc'}"
  668. # draft docs always on top
  669. if meta.is_submittable:
  670. order_by = f"`tab{doctype}`.docstatus asc, {order_by}"
  671. return order_by
  672. def is_parent_only_filter(doctype, filters):
  673. #check if filters contains only parent doctype
  674. only_parent_doctype = True
  675. if isinstance(filters, list):
  676. for flt in filters:
  677. if doctype not in flt:
  678. only_parent_doctype = False
  679. if 'Between' in flt:
  680. flt[3] = get_between_date_filter(flt[3])
  681. return only_parent_doctype
  682. def has_any_user_permission_for_doctype(doctype, user, applicable_for):
  683. user_permissions = frappe.permissions.get_user_permissions(user=user)
  684. doctype_user_permissions = user_permissions.get(doctype, [])
  685. for permission in doctype_user_permissions:
  686. if not permission.applicable_for or permission.applicable_for == applicable_for:
  687. return True
  688. return False
  689. def get_between_date_filter(value, df=None):
  690. '''
  691. return the formattted date as per the given example
  692. [u'2017-11-01', u'2017-11-03'] => '2017-11-01 00:00:00.000000' AND '2017-11-04 00:00:00.000000'
  693. '''
  694. from_date = frappe.utils.nowdate()
  695. to_date = frappe.utils.nowdate()
  696. if value and isinstance(value, (list, tuple)):
  697. if len(value) >= 1: from_date = value[0]
  698. if len(value) >= 2: to_date = value[1]
  699. if not df or (df and df.fieldtype == 'Datetime'):
  700. to_date = add_to_date(to_date, days=1)
  701. if df and df.fieldtype == 'Datetime':
  702. data = "'%s' AND '%s'" % (
  703. frappe.db.format_datetime(from_date),
  704. frappe.db.format_datetime(to_date))
  705. else:
  706. data = "'%s' AND '%s'" % (
  707. frappe.db.format_date(from_date),
  708. frappe.db.format_date(to_date))
  709. return data
  710. def get_additional_filter_field(additional_filters_config, f, value):
  711. additional_filter = additional_filters_config[f.operator.lower()]
  712. f = frappe._dict(frappe.get_attr(additional_filter['get_field'])())
  713. if f.query_value:
  714. for option in f.options:
  715. option = frappe._dict(option)
  716. if option.value == value:
  717. f.value = option.query_value
  718. return f
  719. def get_date_range(operator, value):
  720. timespan_map = {
  721. '1 week': 'week',
  722. '1 month': 'month',
  723. '3 months': 'quarter',
  724. '6 months': '6 months',
  725. '1 year': 'year',
  726. }
  727. period_map = {
  728. 'previous': 'last',
  729. 'next': 'next',
  730. }
  731. timespan = period_map[operator] + ' ' + timespan_map[value] if operator != 'timespan' else value
  732. return get_timespan_date_range(timespan)
  733. def requires_owner_constraint(role_permissions):
  734. """Returns True if "select" or "read" isn't available without being creator."""
  735. if not role_permissions.get("has_if_owner_enabled"):
  736. return
  737. if_owner_perms = role_permissions.get("if_owner")
  738. if not if_owner_perms:
  739. return
  740. # has select or read without if owner, no need for constraint
  741. for perm_type in ("select", "read"):
  742. if role_permissions.get(perm_type) and perm_type not in if_owner_perms:
  743. return
  744. # not checking if either select or read if present in if_owner_perms
  745. # because either of those is required to perform a query
  746. return True