def test_call(self): # call non whitelisted method self.assertRaises(frappe.PermissionError, safe_exec, """frappe.call("frappe.get_user")""") # call whitelisted method safe_exec("""frappe.call("ping")""")
def test_enqueue(self): # enqueue non whitelisted method self.assertRaises(frappe.PermissionError, safe_exec, """frappe.enqueue("frappe.get_user", now=True)""") # enqueue whitelisted method safe_exec("""frappe.enqueue("ping", now=True)""")
def execute(filters=None): doc = frappe.get_doc("Report", "Aptronics Profit and Loss Statement") data = [] month_start = parse_date("{} {}".format(filters.current_period, filters.fiscal_year)) month_start = month_start.replace(day=1) month_end = month_start.replace( day=(monthrange(month_start.year, month_start.month)[1]) ) fiscal_year_start = frappe.get_value("Fiscal Year", filters.fiscal_year, "year_start_date") for row in doc.report_rows: if not row.subtotal: current_period = get_total_for_account( filters.company, row.account, month_start, month_end ) year_to_date = get_total_for_account( filters.company, row.account, fiscal_year_start, month_end ) else: year_to_date = 0 current_period = 0 data.append(frappe._dict({ "account": "<strong> {} </strong>".format(row.row_label) if row.subtotal else row.account, "current_period": current_period, "year_to_date": year_to_date })) exec_globals = get_safe_globals() exec_globals.__builtins__['sum'] = __builtins__['sum'] exec_globals.__builtins__['format'] = __builtins__['format'] for row in doc.report_rows: if row.subtotal and row.formula: loc = {"filters": frappe._dict(filters), 'data': data} safe_exec(row.formula, None, loc) return get_columns(), data
def execute_doc(self, doc: Document): """Specific to Document Event triggered Server Scripts Args: doc (Document): Executes script with for a certain document's events """ safe_exec(self.script, _locals={"doc": doc}, restrict_commit_rollback=True)
def execute_script(self, filters): # server script loc = {"filters": frappe._dict(filters), "data": None, "result": None} safe_exec(self.report_script, None, loc) if loc["data"]: return loc["data"] else: return self.get_columns(), loc["result"]
def execute_script(self, filters): # server script loc = {"filters": frappe._dict(filters), 'data':None, 'result':None} safe_exec(self.report_script, None, loc) if loc['data']: return loc['data'] else: return self.get_columns(), loc['result']
def execute_method(self): if self.script_type == 'API': # validate if guest is allowed if frappe.session.user == 'Guest' and not self.allow_guest: raise frappe.PermissionError safe_exec(self.script) else: # wrong report type! raise frappe.DoesNotExistError
def test_query_builder(self): _locals = dict(out=None) safe_exec( script= '''out = frappe.qb.from_("User").select(frappe.qb.terms.PseudoColumn("Max(name)")).run()''', _globals=None, _locals=_locals) self.assertEqual(frappe.db.sql("SELECT Max(name) FROM tabUser"), _locals["out"])
def test_sql(self): _locals = dict(out=None) safe_exec( """out = frappe.db.sql("select name from tabDocType where name='DocType'")""", None, _locals) self.assertEqual(_locals["out"][0][0], "DocType") self.assertRaises( frappe.PermissionError, safe_exec, 'frappe.db.sql("update tabToDo set description=NULL")')
def execute_scheduled_method(self): """Specific to Scheduled Jobs via Server Scripts Raises: frappe.DoesNotExistError: If script type is not a scheduler event """ if self.script_type != "Scheduler Event": raise frappe.DoesNotExistError safe_exec(self.script)
def get_permission_query_conditions(self, user: str) -> List[str]: """Specific to Permission Query Server Scripts Args: user (str): Takes user email to execute script and return list of conditions Returns: list: Returns list of conditions defined by rules in self.script """ locals = {"user": user, "conditions": ""} safe_exec(self.script, None, locals) if locals["conditions"]: return locals["conditions"]
def run(self): frappe.only_for("System Manager") try: frappe.debug_log = [] safe_exec(self.console) self.output = "\n".join(frappe.debug_log) except: # noqa: E722 self.output = frappe.get_traceback() if self.commit: frappe.db.commit() else: frappe.db.rollback() frappe.get_doc( dict(doctype="Console Log", script=self.console, output=self.output)).insert() frappe.db.commit()
def execute_method(self): if self.script_type == 'API': # validate if guest is allowed if frappe.session.user == 'Guest' and not self.allow_guest: raise frappe.PermissionError _globals, _locals = safe_exec(self.script) return _globals.frappe.flags # output can be stored in flags else: # wrong report type! raise frappe.DoesNotExistError
def run(self): frappe.only_for('System Manager') try: frappe.debug_log = [] if self.type == 'Python': safe_exec(self.console) self.output = '\n'.join(frappe.debug_log) elif self.type == 'SQL': self.output = frappe.as_json(read_sql(self.console, as_dict=1)) except: # noqa: E722 self.output = frappe.get_traceback() if self.commit: frappe.db.commit() else: frappe.db.rollback() frappe.get_doc( dict(doctype='Console Log', script=self.console, output=self.output)).insert() frappe.db.commit()
def get_context(self, context): context.main_section = get_html_content_based_on_type( self, 'main_section', self.content_type) context.source_content_type = self.content_type context.title = self.title if self.context_script: _locals = dict(context=frappe._dict()) safe_exec(self.context_script, None, _locals) context.update(_locals['context']) self.render_dynamic(context) # if static page, get static content if context.slideshow: context.update(get_slideshow(self)) if self.enable_comments: context.comment_list = get_comment_list(self.doctype, self.name) context.guest_allowed = True context.update({ "style": self.css or "", "script": self.javascript or "", "header": self.header, "text_align": self.text_align, }) if not self.show_title: context["no_header"] = 1 self.set_metatags(context) self.set_breadcrumbs(context) self.set_title_and_header(context) self.set_page_blocks(context) return context
def execute_method(self) -> Dict: """Specific to API endpoint Server Scripts Raises: frappe.DoesNotExistError: If self.script_type is not API frappe.PermissionError: If self.allow_guest is unset for API accessed by Guest user Returns: dict: Evaluates self.script with frappe.utils.safe_exec.safe_exec and returns the flags set in it's safe globals """ # wrong report type! if self.script_type != "API": raise frappe.DoesNotExistError # validate if guest is allowed if frappe.session.user == "Guest" and not self.allow_guest: raise frappe.PermissionError # output can be stored in flags _globals, _locals = safe_exec(self.script) return _globals.frappe.flags
def test_utils(self): _locals = dict(out=None) safe_exec('''out = frappe.utils.cint("1")''', None, _locals) self.assertEqual(_locals['out'], 1)
def test_utils(self): _locals = dict(out=None) safe_exec("""out = frappe.utils.cint("1")""", None, _locals) self.assertEqual(_locals["out"], 1)
def execute_doc(self, doc): # execute event safe_exec(self.script, None, dict(doc = doc))
def execute_scheduled_method(self): if self.script_type == 'Scheduler Event': safe_exec(self.script) else: # wrong report type! raise frappe.DoesNotExistError
def execute_script(self, filters): # server script loc = {"filters": frappe._dict(filters), 'data': []} safe_exec(self.report_script, None, loc) return loc['data']