[FIX] Security fixes for sql injections
[odoo/odoo.git] / addons / account / project / report / analytic_balance.py
index 0486496..57209f6 100644 (file)
@@ -27,20 +27,14 @@ from report import report_sxw
 class account_analytic_balance(report_sxw.rml_parse):
     def __init__(self, cr, uid, name, context):
         super(account_analytic_balance, self).__init__(cr, uid, name, context=context)
-        self.localcontext.update({
+        self.localcontext.update( {
             'time': time,
             'get_objects': self._get_objects,
             'lines_g': self._lines_g,
             'move_sum': self._move_sum,
-#            'move_sum_debit': self._move_sum_debit,
-#            'move_sum_credit': self._move_sum_credit,
             'sum_all': self._sum_all,
-#            'sum_debit': self._sum_debit,
-#            'sum_credit': self._sum_credit,
             'sum_balance': self._sum_balance,
-#            'sum_quantity': self._sum_quantity,
             'move_sum_balance': self._move_sum_balance,
-#            'move_sum_quantity': self._move_sum_quantity,
         })
         self.acc_ids = []
         self.read_data = []
@@ -50,10 +44,10 @@ class account_analytic_balance(report_sxw.rml_parse):
 
     def get_children(self, ids):
         ids2 = []
-        read_data = self.pool.get('account.analytic.account').read(self.cr, self.uid, ids, ['child_ids', 'code', 'complete_name', 'balance'])
+        read_data = self.pool.get('account.analytic.account').read(self.cr, self.uid, ids,['child_ids','code','complete_name','balance'])
         for data in read_data:
             if (data['id'] not in self.acc_ids):
-                inculde_empty = True
+                inculde_empty =  True
                 if (not self.empty_acc) and data['balance'] == 0.00:
                     inculde_empty = False
                 if inculde_empty:
@@ -81,10 +75,10 @@ class account_analytic_balance(report_sxw.rml_parse):
                     sum(aal.amount) AS balance, sum(aal.unit_amount) AS quantity \
                 FROM account_analytic_line AS aal, account_account AS aa \
                 WHERE (aal.general_account_id=aa.id) \
-                    AND (aal.account_id in (" + ','.join(map(str, ids)) + "))\
+                    AND (aal.account_id in aal.account_id in %s)\
                     AND (date>=%s) AND (date<=%s) AND aa.active \
                 GROUP BY aal.general_account_id, aa.name, aa.code, aal.code \
-                ORDER BY aal.code", (date1, date2))
+                ORDER BY aal.code", (tuple(ids),date1, date2))
         res = self.cr.dictfetchall()
 
         for r in res:
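Review bot: The rewritten predicate on the added line, `AND (aal.account_id in aal.account_id in %s)`, is not valid SQL — the column reference is duplicated, so the query will fail at execute time; it should read `AND (aal.account_id in %s)\`. The new parameter tuple `(tuple(ids), date1, date2)` is in the right order for that placeholder once the predicate is fixed. Be aware that psycopg2 renders an empty tuple as `()`, so an empty `ids` now yields `account_id in ()`, which PostgreSQL rejects; if the caller can reach this with no ids, add an early return before the `execute`. The same empty-tuple caveat applies to the `in %s` queries introduced in `_move_sum` in the next hunk. The enclosing function starts and ends outside this hunk.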
@@ -103,65 +97,29 @@ class account_analytic_balance(report_sxw.rml_parse):
     def _move_sum(self, account_id, date1, date2, option):
         if account_id not in self.acc_data_dict:
             account_analytic_obj = self.pool.get('account.analytic.account')
-            ids = account_analytic_obj.search(self.cr, self.uid, [('parent_id', 'child_of', [account_id])])
+            ids = account_analytic_obj.search(self.cr, self.uid,[('parent_id', 'child_of', [account_id])])
             self.acc_data_dict[account_id] = ids
         else:
             ids = self.acc_data_dict[account_id]
-
+            
+        query_params = (tuple(ids), date1, date2)
         if option == "credit" :
             self.cr.execute("SELECT -sum(amount) FROM account_analytic_line \
-                    WHERE account_id =ANY(%s) AND date>=%s AND date<=%s AND amount<0",
-                    (ids, date1, date2))
+                    WHERE account_id in %s AND date>=%s AND date<=%s AND amount<0",query_params)
         elif option == "debit" :
             self.cr.execute("SELECT sum(amount) FROM account_analytic_line \
-                    WHERE account_id =ANY(%s)\
-                        AND date>=%s AND date<=%s AND amount>0",
-                    (ids, date1, date2))
+                    WHERE account_id in %s\
+                        AND date>=%s AND date<=%s AND amount>0",query_params)
         elif option == "quantity" :
             self.cr.execute("SELECT sum(unit_amount) FROM account_analytic_line \
-                WHERE account_id =ANY(%s)\
-                    AND date>=%s AND date<=%s",
-                (ids, date1, date2))
+                WHERE account_id in %s\
+                    AND date>=%s AND date<=%s",query_params)
         return self.cr.fetchone()[0] or 0.0
 
-
-#    def _move_sum_debit(self, account_id, date1, date2):
-#        account_analytic_obj = self.pool.get('account.analytic.account')
-#        ids = account_analytic_obj.search(self.cr, self.uid,
-#                [('parent_id', 'child_of', [account_id])])
-#        self.cr.execute("SELECT sum(amount) \
-#                FROM account_analytic_line \
-#                WHERE account_id in ("+ ','.join(map(str, ids)) +") \
-#                    AND date>=%s AND date<=%s AND amount>0",
-#                (date1, date2))
-#        return self.cr.fetchone()[0] or 0.0
-#
-#    def _move_sum_credit(self, account_id, date1, date2):
-#        account_analytic_obj = self.pool.get('account.analytic.account')
-#        ids = account_analytic_obj.search(self.cr, self.uid,
-#                [('parent_id', 'child_of', [account_id])])
-#        self.cr.execute("SELECT -sum(amount) \
-#                FROM account_analytic_line \
-#                WHERE account_id in ("+ ','.join(map(str, ids)) +") \
-#                    AND date>=%s AND date<=%s AND amount<0",
-#                (date1, date2))
-#        return self.cr.fetchone()[0] or 0.0
-#
     def _move_sum_balance(self, account_id, date1, date2):
         debit = self._move_sum(account_id, date1, date2, 'debit')
         credit = self._move_sum(account_id, date1, date2, 'credit')
-        return (debit - credit)
-
-#    def _move_sum_quantity(self, account_id, date1, date2):
-#        account_analytic_obj = self.pool.get('account.analytic.account')
-#        ids = account_analytic_obj.search(self.cr, self.uid,
-#                [('parent_id', 'child_of', [account_id])])
-#        self.cr.execute("SELECT sum(unit_amount) \
-#                FROM account_analytic_line \
-#                WHERE account_id in ("+ ','.join(map(str, ids)) +") \
-#                    AND date>=%s AND date<=%s",
-#                (date1, date2))
-#        return self.cr.fetchone()[0] or 0.0
+        return (debit-credit)
 
     def _sum_all(self, accounts, date1, date2, option):
         ids = map(lambda x: x['id'], accounts)
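Review bot: The new `execute` calls end in `,query_params)` with no space after the comma, and the blank line added before `query_params = (tuple(ids), date1, date2)` carries trailing whitespace; the rest of the file writes arguments as `, (ids, date1, date2))`, so `, query_params)` and a clean blank line keep the style consistent. Building `query_params` once ahead of the `if`/`elif` chain is the right shape, and its order matches the `in %s ... date>=%s ... date<=%s` placeholders in all three branches.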
@@ -170,72 +128,29 @@ class account_analytic_balance(report_sxw.rml_parse):
 
         if not self.acc_sum_list:
             account_analytic_obj = self.pool.get('account.analytic.account')
-            ids2 = account_analytic_obj.search(self.cr, self.uid, [('parent_id', 'child_of', ids)])
+            ids2 = account_analytic_obj.search(self.cr, self.uid,[('parent_id', 'child_of', ids)])
             self.acc_sum_list = ids2
         else:
             ids2 = self.acc_sum_list
+            query_params = (tuple(ids2), date1, date2)
         if option == "debit" :
             self.cr.execute("SELECT sum(amount) FROM account_analytic_line \
-                    WHERE account_id =ANY(%s) AND date>=%s AND date<=%s AND amount>0",
-                    (ids, date1, date2,))
+                    WHERE account_id =ANY(%s) AND date>=%s AND date<=%s AND amount>0",query_params)
         elif option == "credit" :
             self.cr.execute("SELECT -sum(amount) FROM account_analytic_line \
-                    WHERE account_id =ANY(%s) AND date>=%s AND date<=%s AND amount<0",
-                    (ids, date1, date2,))
+                    WHERE account_id =ANY(%s) AND date>=%s AND date<=%s AND amount<0",query_params)
         elif option == "quantity" :
             self.cr.execute("SELECT sum(unit_amount) FROM account_analytic_line \
-                    WHERE account_id =ANY(%s)AND date>=%s AND date<=%s",
-                    (ids, date1, date2,))
+                    WHERE account_id =ANY(%s)AND date>=%s AND date<=%s",query_params)
         return self.cr.fetchone()[0] or 0.0
 
 
-#    def _sum_debit(self, accounts, date1, date2):
-#        ids = map(lambda x: x['id'], accounts)
-#        if not len(ids):
-#            return 0.0
-#        account_analytic_obj = self.pool.get('account.analytic.account')
-#        ids2 = account_analytic_obj.search(self.cr, self.uid,
-#                [('parent_id', 'child_of', ids)])
-#        self.cr.execute("SELECT sum(amount) \
-#                FROM account_analytic_line \
-#                WHERE account_id IN ("+','.join(map(str, ids2))+") \
-#                    AND date>=%s AND date<=%s AND amount>0",
-#                (date1, date2))
-#        return self.cr.fetchone()[0] or 0.0
-#
-#    def _sum_credit(self, accounts, date1, date2):
-#        ids = map(lambda x: x['id'], accounts)
-#        if not len(ids):
-#            return 0.0
-#        ids = map(lambda x: x['id'], accounts)
-#        account_analytic_obj = self.pool.get('account.analytic.account')
-#        ids2 = account_analytic_obj.search(self.cr, self.uid,
-#                [('parent_id', 'child_of', ids)])
-#        self.cr.execute("SELECT -sum(amount) \
-#                FROM account_analytic_line \
-#                WHERE account_id IN ("+','.join(map(str, ids2))+") \
-#                    AND date>=%s AND date<=%s AND amount<0",
-#                (date1, date2))
-#        return self.cr.fetchone()[0] or 0.0
 
     def _sum_balance(self, accounts, date1, date2):
         debit = self._sum_all(accounts, date1, date2, 'debit') or 0.0
         credit = self._sum_all(accounts, date1, date2, 'credit') or 0.0
-        return (debit - credit)
-
-#    def _sum_quantity(self, accounts, date1, date2):
-#        ids = map(lambda x: x['id'], accounts)
-#        if not len(ids):
-#            return 0.0
-#        account_analytic_obj = self.pool.get('account.analytic.account')
-#        ids2 = account_analytic_obj.search(self.cr, self.uid,
-#                [('parent_id', 'child_of', ids)])
-#        self.cr.execute("SELECT sum(unit_amount) \
-#                FROM account_analytic_line \
-#                WHERE account_id IN ("+','.join(map(str, ids2))+") \
-#                    AND date>=%s AND date<=%s",
-#                (date1, date2))
-#        return self.cr.fetchone()[0] or 0.0
+        return (debit-credit)
+
 
 report_sxw.report_sxw('report.account.analytic.account.balance',
         'account.analytic.account', 'addons/account/project/report/analytic_balance.rml',
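Review bot: `query_params = (tuple(ids2), date1, date2)` is added inside the `else:` branch only, so on the first call of `_sum_all` (when `self.acc_sum_list` is still empty and the `if` branch populates it) the `execute` calls below raise `UnboundLocalError`; dedent that line one level so it runs on both paths. The three queries also keep `account_id =ANY(%s)` while the parameter is now a tuple — psycopg2 renders a tuple as a parenthesised value list, which `ANY()` does not accept as an array — so either keep the list form, `query_params = (ids2, date1, date2)`, or switch the predicates to `in %s` as `_move_sum` does in the previous hunk. The new code does correctly bind the child set `ids2` where the removed lines bound `ids`. `_sum_all` begins before this hunk.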