sql injection fixes
@@ -141,11 +141,10 @@ class DocType(DocListController):
|
||||
msgprint("Employee : %s has already applied for %s between %s and %s on %s. Please refer Leave Application : <a href=\"#Form/Leave Application/%s\">%s</a>" % (self.doc.employee, cstr(d['leave_type']), formatdate(d['from_date']), formatdate(d['to_date']), formatdate(d['posting_date']), d['name'], d['name']), raise_exception = OverlapError)
|
||||
|
||||
def validate_max_days(self):
|
||||
max_days = frappe.db.sql("select max_days_allowed from `tabLeave Type` where name = '%s'" %(self.doc.leave_type))
|
||||
max_days = max_days and flt(max_days[0][0]) or 0
|
||||
max_days = frappe.db.get_value("Leave Type", self.doc.leave_type, "max_days_allowed")
|
||||
if max_days and self.doc.total_leave_days > max_days:
|
||||
msgprint("Sorry ! You cannot apply for %s for more than %s days" % (self.doc.leave_type, max_days))
|
||||
raise Exception
|
||||
frappe.throw("Sorry ! You cannot apply for %s for more than %s days" %
|
||||
(self.doc.leave_type, max_days))
|
||||
|
||||
def validate_leave_approver(self):
|
||||
employee = frappe.bean("Employee", self.doc.employee)
|
||||
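Review bot: `validate_max_days` no longer coerces the limit: the removed line applied `flt()` to the fetched value, while the new `max_days = frappe.db.get_value(...)` compares `self.doc.total_leave_days > max_days` against whatever the column comes back as; if the driver returns a Decimal or a string, the comparison can be silently wrong under Python 2 (inferred — the column type is not on the page). Wrapping the lookup keeps the original semantics including the `None` → `0` fallback: `max_days = flt(frappe.db.get_value("Leave Type", self.doc.leave_type, "max_days_allowed"))`. The enclosing class continues on both sides of the hunk.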
@@ -328,11 +327,12 @@ def query_for_permitted_employees(doctype, txt, searchfield, start, page_len, fi
|
||||
txt = "%" + cstr(txt) + "%"
|
||||
|
||||
if "Leave Approver" in frappe.user.get_roles():
|
||||
user = frappe.session.user.replace('"', '\"')
|
||||
condition = """and (exists(select ela.name from `tabEmployee Leave Approver` ela
|
||||
where ela.parent=`tabEmployee`.name and ela.leave_approver= "%s") or
|
||||
not exists(select ela.name from `tabEmployee Leave Approver` ela
|
||||
where ela.parent=`tabEmployee`.name)
|
||||
or user_id = "%s")""" % (frappe.session.user, frappe.session.user)
|
||||
or user_id = "%s")""" % (user, user)
|
||||
else:
|
||||
from frappe.widgets.reportview import build_match_conditions
|
||||
condition = build_match_conditions("Employee")
|
||||
|
||||
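Review bot: The escape added at the top of the `if "Leave Approver"` branch is a no-op: in a Python literal `'\"'` is the one-character string `"`, so `frappe.session.user.replace('"', '\"')` replaces a quote with itself and the value is still spliced unescaped into the `ela.leave_approver= "%s"` / `user_id = "%s"` clause. The same construct appears in the salary-manager hunk (`self.doc.fields.get(f).replace("'", "\'")`) and in the `get_conditions` hunk (`.repalce("'", "\'")`). Because `condition` is concatenated into a query outside this hunk, the value cannot be bound as a parameter without changing that caller; if it must remain a string fragment, use the framework's escaping helper (`frappe.db.escape`, if present at this version) rather than a hand-rolled replace — even the intended `'\\"'` would leave a backslash in the input unhandled. The placeholder-plus-values-tuple form this commit uses for the salary-manager queries is the shape to aim for. `query_for_permitted_employees` continues past the end of the hunk.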
@@ -37,7 +37,7 @@ class DocType:
|
||||
cond = ''
|
||||
for f in ['company', 'branch', 'department', 'designation', 'grade']:
|
||||
if self.doc.fields.get(f):
|
||||
cond += " and t1." + f + " = '" + self.doc.fields.get(f) + "'"
|
||||
cond += " and t1." + f + " = '" + self.doc.fields.get(f).replace("'", "\'") + "'"
|
||||
|
||||
return cond
|
||||
|
||||
@@ -58,7 +58,7 @@ class DocType:
|
||||
|
||||
|
||||
def get_month_details(self, year, month):
|
||||
ysd = frappe.db.sql("select year_start_date from `tabFiscal Year` where name ='%s'"%year)[0][0]
|
||||
ysd = frappe.db.get_value("Fiscal Year", year, "year_start_date")
|
||||
if ysd:
|
||||
from dateutil.relativedelta import relativedelta
|
||||
import calendar, datetime
|
||||
@@ -117,8 +117,8 @@ class DocType:
|
||||
cond = self.get_filter_condition()
|
||||
ss_list = frappe.db.sql("""
|
||||
select t1.name from `tabSalary Slip` t1
|
||||
where t1.docstatus = 0 and month = '%s' and fiscal_year = '%s' %s
|
||||
""" % (self.doc.month, self.doc.fiscal_year, cond))
|
||||
where t1.docstatus = 0 and month = %s and fiscal_year = %s %s
|
||||
""" % ('%s', '%s', cond), (self.doc.month, self.doc.fiscal_year))
|
||||
return ss_list
|
||||
|
||||
|
||||
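Review bot: `cond` from `get_filter_condition()` is still spliced into the query text by `%` formatting while `month` and `fiscal_year` are bound, so this statement is only as safe as that helper's hand-built string; the `tot = frappe.db.sql(...)` hunk below has the same shape. A second consequence of the two-stage formatting: any literal `%` inside `cond` survives the first `%` step and reaches the driver's parameter substitution, where it is presumably interpreted again and would break the statement (hedged — how `frappe.db.sql` applies the tuple is not on the page). Either double `%` characters in `cond`, or better, have `get_filter_condition()` return placeholder fragments plus a values list appended to the tuple, e.g. `(self.doc.month, self.doc.fiscal_year) + tuple(cond_values)`. The `% ('%s', '%s', cond)` trick can then be replaced by plain concatenation: `""" where t1.docstatus = 0 and month = %s and fiscal_year = %s """ + cond`.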
@@ -179,8 +179,8 @@ class DocType:
|
||||
cond = self.get_filter_condition()
|
||||
tot = frappe.db.sql("""
|
||||
select sum(rounded_total) from `tabSalary Slip` t1
|
||||
where t1.docstatus = 1 and month = '%s' and fiscal_year = '%s' %s
|
||||
""" % (self.doc.month, self.doc.fiscal_year, cond))
|
||||
where t1.docstatus = 1 and month = %s and fiscal_year = %s %s
|
||||
""" % ('%s', '%s', cond), (self.doc.month, self.doc.fiscal_year))
|
||||
|
||||
return flt(tot[0][0])
|
||||
|
||||
|
||||
@@ -1,205 +0,0 @@
|
||||
# Copyright (c) 2013, Web Notes Technologies Pvt. Ltd. and Contributors
|
||||
# License: GNU General Public License v3. See license.txt
|
||||
|
||||
from __future__ import unicode_literals
|
||||
import unittest
|
||||
import frappe
|
||||
|
||||
test_records = []
|
||||
|
||||
# from frappe.model.doc import Document
|
||||
# from frappe.model.code import get_obj
|
||||
# frappe.db.sql = frappe.db.sql
|
||||
#
|
||||
# class TestSalaryManager(unittest.TestCase):
|
||||
# def setUp(self):
|
||||
# frappe.db.begin()
|
||||
# for rec in [des1, dep1, branch1, grade1, comp1, emp1, emp2]:
|
||||
# rec.save(1)
|
||||
#
|
||||
# ss1[0].employee = emp1.name
|
||||
# for s in ss1: s.save(1)
|
||||
# for s in ss1[1:]:
|
||||
# frappe.db.sql("update `tabSalary Structure Earning` set parent = '%s' where name = '%s'" % (ss1[0].name, s.name))
|
||||
# frappe.db.sql("update `tabSalary Structure Deduction` set parent = '%s' where name = '%s'" % (ss1[0].name, s.name))
|
||||
#
|
||||
#
|
||||
# ss2[0].employee = emp2.name
|
||||
# for s in ss2: s.save(1)
|
||||
# for s in ss2[1:]:
|
||||
# frappe.db.sql("update `tabSalary Structure Earning` set parent = '%s' where name = '%s'" % (ss2[0].name, s.name))
|
||||
# frappe.db.sql("update `tabSalary Structure Deduction` set parent = '%s' where name = '%s'" % (ss2[0].name, s.name))
|
||||
#
|
||||
# sman.save()
|
||||
# self.sm = get_obj('Salary Manager')
|
||||
# leave.save(1)
|
||||
# self.sm.create_sal_slip()
|
||||
#
|
||||
# def test_creation(self):
|
||||
# ssid = frappe.db.sql("""
|
||||
# select name, department
|
||||
# from `tabSalary Slip`
|
||||
# where month = '08' and fiscal_year='2011-2012'""")
|
||||
#
|
||||
# self.assertTrue(len(ssid)==1)
|
||||
# self.assertTrue(ssid[0][1] == 'dep1')
|
||||
#
|
||||
#
|
||||
# def test_lwp_calc(self):
|
||||
# ss = frappe.db.sql("""
|
||||
# select payment_days
|
||||
# from `tabSalary Slip`
|
||||
# where month = '08' and fiscal_year='2011-2012' and employee = '%s'
|
||||
# """ % emp1.name)
|
||||
#
|
||||
# self.assertTrue(ss[0][0]==27)
|
||||
#
|
||||
# def test_net_pay(self):
|
||||
# ss = frappe.db.sql("""
|
||||
# select rounded_total
|
||||
# from `tabSalary Slip`
|
||||
# where month = '08'
|
||||
# and fiscal_year='2011-2012' and employee = '%s'""" % emp1.name)
|
||||
# self.assertTrue(ss[0][0]==67)
|
||||
#
|
||||
# def test_submit(self):
|
||||
# self.sm.submit_salary_slip()
|
||||
# ss = frappe.db.sql("""
|
||||
# select docstatus
|
||||
# from `tabSalary Slip`
|
||||
# where month = '08'
|
||||
# and fiscal_year='2011-2012' and employee = '%s'""" % emp1.name)
|
||||
# self.assertTrue(ss[0][0]==1)
|
||||
#
|
||||
# def tearDown(self):
|
||||
# frappe.db.rollback()
|
||||
#
|
||||
# #--------------------------------------------
|
||||
# # test data
|
||||
# #--------------------------------------------
|
||||
# des1 = Document(fielddata={
|
||||
# 'name':'des1',
|
||||
# 'doctype':'Designation',
|
||||
# 'designation_name':'des1'
|
||||
# })
|
||||
#
|
||||
# dep1 = Document(fielddata={
|
||||
# 'name':'dep1',
|
||||
# 'doctype':'Department',
|
||||
# 'department_name' : 'dep1'
|
||||
# })
|
||||
#
|
||||
# branch1 = Document(fielddata={
|
||||
# 'name':'branch1',
|
||||
# 'doctype':'Branch',
|
||||
# 'branch' : 'branch1'
|
||||
# })
|
||||
#
|
||||
# comp1 = Document(fielddata={
|
||||
# 'name':'comp1',
|
||||
# 'doctype':'Company',
|
||||
# 'abbr':'c1',
|
||||
# 'company_name' : 'comp1'
|
||||
# })
|
||||
#
|
||||
# grade1 = Document(fielddata={
|
||||
# 'name':'grade1',
|
||||
# 'doctype':'Grade',
|
||||
# 'grade_name' : 'grade1'
|
||||
# })
|
||||
#
|
||||
# emp1 = Document(fielddata={
|
||||
# 'doctype':'Employee',
|
||||
# 'employee_number':'emp1',
|
||||
# 'department':'dep1',
|
||||
# 'designation':'des1',
|
||||
# 'branch' : 'branch1',
|
||||
# 'company':'comp1',
|
||||
# 'grade':'grade1',
|
||||
# 'naming_series':'EMP/',
|
||||
# 'status':'Active',
|
||||
# 'docstatus':0,
|
||||
# 'employee_name':'emp1'
|
||||
# })
|
||||
#
|
||||
# emp2 = Document(fielddata={
|
||||
# 'doctype':'Employee',
|
||||
# 'employee_number':'emp2',
|
||||
# 'department':'dep1',
|
||||
# 'designation':'des2',
|
||||
# 'branch' : 'branch1',
|
||||
# 'company':'comp1',
|
||||
# 'naming_series':'EMP/',
|
||||
# 'grade':'grade1',
|
||||
# 'status':'Active',
|
||||
#
|
||||
# })
|
||||
#
|
||||
# ss1 = [
|
||||
# Document(fielddata={
|
||||
# 'doctype':'Salary Structure',
|
||||
# 'docstatus':0,
|
||||
# 'employee':'emp1',
|
||||
# 'is_active':'Yes',
|
||||
# 'department': 'dep1',
|
||||
# 'designation' : 'des1',
|
||||
# 'employee_name': 'emp1'
|
||||
# }),
|
||||
# Document(fielddata={
|
||||
# 'parenttype':'Salary Structure',
|
||||
# 'parentfield':'earning_details',
|
||||
# 'doctype':'Salary Structure Earning',
|
||||
# 'e_type' : 'Basic',
|
||||
# 'depend_on_lwp':1,
|
||||
# 'modified_value':100
|
||||
# }),
|
||||
# Document(fielddata={
|
||||
# 'parenttype':'Salary Structure',
|
||||
# 'parentfield':'earning_details',
|
||||
# 'doctype':'Salary Structure Deduction',
|
||||
# 'd_type':'TDS',
|
||||
# 'd_modified_amt':20
|
||||
# })
|
||||
# ]
|
||||
#
|
||||
# ss2 = [
|
||||
# Document(fielddata={
|
||||
# 'doctype':'Salary Structure',
|
||||
# 'is_active':'Yes',
|
||||
# 'docstatus':0,
|
||||
# }),
|
||||
# Document(fielddata={
|
||||
# 'parenttype':'Salary Structure',
|
||||
# 'parentfield':'deduction_details',
|
||||
# 'doctype':'Salary Structure Earning',
|
||||
# 'e_type' : 'Basic',
|
||||
# 'modified_value':100
|
||||
# }),
|
||||
# Document(fielddata={
|
||||
# 'parenttype':'Salary Structure',
|
||||
# 'parentfield':'deduction_details',
|
||||
# 'doctype':'Salary Structure Deduction',
|
||||
# 'd_type':'TDS',
|
||||
# 'd_modified_amt':20
|
||||
# })
|
||||
# ]
|
||||
#
|
||||
# sman = Document(fielddata={
|
||||
# 'name':'Salary Manager',
|
||||
# 'doctype':'Salary Manager',
|
||||
# 'company': 'comp1',
|
||||
# 'department':'dep1',
|
||||
# 'designation':'des1',
|
||||
# 'month': '08',
|
||||
# 'fiscal_year':'2011-2012'
|
||||
# })
|
||||
#
|
||||
# leave = Document(fielddata = {
|
||||
# 'doctype':'Leave Application',
|
||||
# 'employee':'emp1',
|
||||
# 'from_date':'2011-08-12',
|
||||
# 'to_date':'2011-08-15',
|
||||
# 'total_leave_days':'4',
|
||||
# 'leave_type':'Leave Without Pay',
|
||||
# 'docstatus':1
|
||||
# })
|
||||
@@ -32,6 +32,7 @@ def get_conditions(filters):
|
||||
"Dec"].index(filters["month"]) + 1
|
||||
conditions += " and month(date_of_birth) = '%s'" % month
|
||||
|
||||
if filters.get("company"): conditions += " and company = '%s'" % filters["company"]
|
||||
if filters.get("company"): conditions += " and company = '%s'" % \
|
||||
filters["company"].repalce("'", "\'")
|
||||
|
||||
return conditions
|
||||
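Review bot: `repalce` on the continuation line is a typo, so any run of this report with a company filter set raises `AttributeError` instead of filtering. Even with the spelling corrected the call would not change the value, since `"\'"` is the same string as `"'"` in Python. Because `get_conditions` returns a string that a caller outside this hunk interpolates, the minimal in-place correction is a real escaper rather than a hand-rolled replace, and the better fix is to return a values list alongside the conditions so the caller can bind `filters["company"]` as a parameter.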
@@ -18,16 +18,18 @@ def execute(filters=None):
|
||||
fiscal_years = [filters["fiscal_year"]]
|
||||
else:
|
||||
fiscal_years = frappe.db.sql_list("select name from `tabFiscal Year` order by name desc")
|
||||
|
||||
employee_in = '", "'.join([e.name for e in employees])
|
||||
|
||||
|
||||
allocations = frappe.db.sql("""select employee, fiscal_year, leave_type, total_leaves_allocated
|
||||
from `tabLeave Allocation`
|
||||
where docstatus=1 and employee in ("%s")""" % employee_in, as_dict=True)
|
||||
applications = frappe.db.sql("""select employee, fiscal_year, leave_type, SUM(total_leave_days) as leaves
|
||||
from `tabLeave Application`
|
||||
where status="Approved" and docstatus = 1 and employee in ("%s")
|
||||
group by employee, fiscal_year, leave_type""" % employee_in, as_dict=True)
|
||||
where docstatus=1 and employee in (%s)""" %
|
||||
','.join(['%s']*len(employees)), employees, as_dict=True)
|
||||
|
||||
applications = frappe.db.sql("""select employee, fiscal_year, leave_type,
|
||||
SUM(total_leave_days) as leaves
|
||||
from `tabLeave Application`
|
||||
where status="Approved" and docstatus = 1 and employee in (%s)
|
||||
group by employee, fiscal_year, leave_type""" %
|
||||
','.join(['%s']*len(employees)), employees, as_dict=True)
|
||||
|
||||
columns = [
|
||||
"Fiscal Year", "Employee:Link/Employee:150", "Employee Name::200", "Department::150"
|
||||
|
||||
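Review bot: The values tuple passed to both queries is `employees` itself, whereas the removed code joined `e.name for e in employees`; unless `employees` is already a list of names (it is built outside the hunk, so this is inferred), the driver receives whole row objects as parameters. Suggested: `employee_names = [e.name for e in employees]` and `employee_names` in place of `employees` in both `frappe.db.sql` calls. Also, when `employees` is empty the placeholder join yields `employee in ()`, which is a syntax error in MySQL, where the old `in ("")` merely matched nothing; guard with `if not employees:` before building the queries. `execute` continues past both ends of the hunk.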