return '"%s"' % (f,)
fields_pre2 = map(convert_field, fields_pre)
order_by = self._parent_order or self._order
- for i in range(0, len(ids), cr.IN_MAX):
- sub_ids = ids[i:i+cr.IN_MAX]
+ for sub_ids in cr.split_for_in_conditions(ids):
if d1:
- cr.execute('SELECT %s FROM %s WHERE %s.id = ANY (%%s) AND %s ORDER BY %s' % \
+ cr.execute('SELECT %s FROM %s WHERE %s.id IN %%s AND %s ORDER BY %s' % \
(','.join(fields_pre2 + [self._table + '.id']), ','.join(tables), self._table, ' and '.join(d1),
order_by),[sub_ids,]+d2)
- if not cr.rowcount == len({}.fromkeys(sub_ids)):
+ if cr.rowcount != len(sub_ids):
raise except_orm(_('AccessError'),
_('You try to bypass an access rule while reading (Document type: %s).') % self._description)
else:
- cr.execute('SELECT %s FROM \"%s\" WHERE id = ANY (%%s) ORDER BY %s' %
+ cr.execute('SELECT %s FROM \"%s\" WHERE id IN %%s ORDER BY %s' %
(','.join(fields_pre2 + ['id']), self._table,
order_by), (sub_ids,))
res.extend(cr.dictfetchall())
if res and res[0]:
raise except_orm('ConcurrencyException', _('Records were modified in the meanwhile'))
- def check_access_rule(self, cr, uid, ids, mode, context=None):
- d1, d2, tables = self.pool.get('ir.rule').domain_get(cr, uid, self._name, mode, context=context)
- if d1:
- d1 = ' and '+' and '.join(d1)
-
- for i in range(0, len(ids), cr.IN_MAX):
- sub_ids = ids[i:i+cr.IN_MAX]
- if d1:
- cr.execute('SELECT '+self._table+'.id FROM '+','.join(tables)+' ' \
- 'WHERE '+self._table+'.id IN %s'+d1, (tuple(sub_ids),d2))
- if not cr.rowcount == len(sub_ids):
- raise except_orm(_('AccessError'),
- _('You try to bypass an access rule to '+mode+
- ' (Document type: %s).') % self._name)
- else:
- cr.execute('SELECT id FROM "'+self._table+'" WHERE id IN %s',
- (tuple(sub_ids),))
- if not cr.rowcount == len(sub_ids):
+ def check_access_rule(self, cr, uid, ids, operation, context=None):
+ """Verifies that the operation given by ``operation`` is allowed for the user
+ according to ir.rules.
+ @param ``operation``: one of ``'read'``, ``'write'``, ``'unlink'``
+ @raise ``except_orm``: if current ir.rules do not permit this operation.
+ @return: ``None`` if the operation is allowed
+ """
+ where_clause, where_params, tables = self.pool.get('ir.rule').domain_get(cr, uid, self._name, operation, context=context)
+ if where_clause:
+ where_clause = ' and ' + ' and '.join(where_clause)
+ for sub_ids in cr.split_for_in_conditions(ids):
+ cr.execute('SELECT ' + self._table + '.id FROM ' + ','.join(tables) +
+ ' WHERE ' + self._table + '.id IN %s' + where_clause,
+ [sub_ids] + where_params)
+ if cr.rowcount != len(sub_ids):
raise except_orm(_('AccessError'),
- _('You try to ' +mode+ ' a record that doesn\'t exist (Document type: %s).')
- % self._name)
- #TODO: this is a SQL injection pattern again, need to refactor it
- return ','.join(map(str,ids))
+ _('Operation prohibited by access rules (Operation: %s, Document type: %s).')
+ % (operation, self._name))
def unlink(self, cr, uid, ids, context=None):
if not ids:
# ids2 = [x[self._inherits[key]] for x in res]
# self.pool.get(key).unlink(cr, uid, ids2)
- ids_str = self.check_access_rule(cr, uid, ids, 'unlink', context=context)
- cr.execute('delete from '+self._table+' ' \
- 'where id in ('+ids_str+')', ids)
+ self.check_access_rule(cr, uid, ids, 'unlink', context=context)
+ for sub_ids in cr.split_for_in_conditions(ids):
+ cr.execute('delete from ' + self._table + ' ' \
+ 'where id in %s', sub_ids)
for order, object, store_ids, fields in result_store:
- if object<>self._name:
+ if object != self._name:
obj = self.pool.get(object)
cr.execute('select id from '+obj._table+' where id in ('+','.join(map(str, store_ids))+')')
rids = map(lambda x: x[0], cr.fetchall())
upd1.append(user)
if len(upd0):
- ids_str = self.check_access_rule(cr, user, ids, 'write', context=context)
- cr.execute('update '+self._table+' set '+string.join(upd0, ',')+' ' \
- 'where id in ('+ids_str+')', upd1)
+ self.check_access_rule(cr, user, ids, 'write', context=context)
+ for sub_ids in cr.split_for_in_conditions(ids):
+ cr.execute('update ' + self._table + ' set ' + ','.join(upd0) + ' ' \
+ 'where id in %s', upd1 + [sub_ids])
if totranslate:
# TODO: optimize
for table in self._inherits:
col = self._inherits[table]
nids = []
- for i in range(0, len(ids), cr.IN_MAX):
- sub_ids = ids[i:i+cr.IN_MAX]
- ids_str = string.join(map(str, sub_ids), ',')
+ for sub_ids in cr.split_for_in_conditions(ids):
cr.execute('select distinct "'+col+'" from "'+self._table+'" ' \
- 'where id in ('+ids_str+')', upd1)
+ 'where id in %s', (sub_ids,))
nids.extend([x[0] for x in cr.fetchall()])
v = {}