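def create_default(self):
    """Compute the default value by running the stored Python snippet.

    Returns None when ``python_create_default`` is empty, or when the
    ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is
    missing or falsy.  Otherwise the snippet is handed to
    ``maybe_safe_eval`` with a 5 second timeout and whatever is stored
    under ``context['default']`` afterwards is returned.

    Raises:
        KeyError: if ``context`` has no ``'default'`` entry after the
            snippet ran.  Anything ``maybe_safe_eval`` raises propagates.

    SECURITY: this executes code taken from a model field inside the
    server process.  The setting check is the only gate visible here, and
    in-process Python sandboxes are hard to make airtight, so anyone who
    can edit ``python_create_default`` should be treated as able to run
    code with the server's privileges.  Keep the setting off unless every
    such editor is trusted.
    """
    snippet = self.python_create_default
    if not (snippet and getattr(settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER', False)):
        return None

    # Pre-supply context with white-listed imports.  WARNING: this is probably a security risk!
    # If adding more imports here, also update maybe_safe_eval.modules_whitelist
    # and add a matching reload in the finally block below.
    import datetime
    context = {'datetime': datetime}
    try:
        # Django saves newlines with \r\n, but to eval we just want \n (or we'll get a syntax error)
        code_to_run = snippet.replace('\r\n', '\n')
        maybe_safe_eval(code_to_run, context=context, timeout_secs=5)
        # Pull out the calculated default value.
        return context['default']
    finally:
        # Reload the whitelisted modules even when the snippet raised or left
        # no 'default' behind: those are the runs most likely to have left a
        # shared module modified.  (Won't always help but it's better than
        # nothing.)
        # NOTE(review): `reload` is a builtin only on Python 2; confirm the
        # module imports it if this runs on Python 3.
        reload(datetime)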
Example #2
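 def create_default(self):
     """Return the default produced by the stored ``python_create_default`` code.

     The code only runs when ``python_create_default`` is non-empty and the
     ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is
     truthy; in every other case None is returned and nothing is executed.
     When it runs, it goes through ``maybe_safe_eval`` with a 5 second
     timeout and the result is read back from ``context['default']``
     (KeyError if that key is absent afterwards).

     SECURITY: server-side execution of code stored in a model field.
     Only the setting check guards it in this method, and restricting
     Python in-process is not a dependable boundary, so write access to
     this field should be granted as if it were code-execution access to
     the server.
     """
     default = None
     if self.python_create_default and getattr(
             settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER',
             False):
         # Pre-supply context with white-listed imports.  WARNING: this is probably a security risk!
         # If adding more imports here, also update maybe_safe_eval.modules_whitelist,
         # and reload them in the finally block below.
         import datetime
         context = {'datetime': datetime}
         try:
             # Django saves newlines with \r\n, but to eval we just want \n (or we'll get a syntax error)
             code_to_run = self.python_create_default.replace('\r\n', '\n')
             maybe_safe_eval(code_to_run, context=context, timeout_secs=5)
             # Pull out the calculated default value.
             default = context['default']
         finally:
             # Reload any whitelisted modules (in case semi-untrusted code
             # messed with them).  Done in `finally` so a snippet that raises
             # or sets no 'default' cannot skip the cleanup.
             # (Won't always help but it's better than nothing.)
             # NOTE(review): `reload` is a builtin only on Python 2; confirm
             # it is imported if this file runs on Python 3.
             reload(datetime)
     return default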
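    def run_query(self, submitted_parameters):
        """Execute the stored query and return ``(data, columns)``.

        ``self.query`` is wrapped with ``text()`` and executed on the
        connection from ``self.connection.get_db_connection()``.  When
        ``submitted_parameters`` is truthy, its ``cleaned_data`` is passed
        to ``execute`` as keyword arguments.  ``columns`` is the first item
        of each entry in ``result.cursor.description`` and ``data`` is
        ``result.fetchall()``.

        If ``python_post_processing`` is set and the
        ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is
        truthy, that code is run through ``maybe_safe_eval`` (10 second
        timeout) with the rows available as ``data``, and ``data`` is
        replaced by ``context['data']`` afterwards.

        SECURITY: the post-processing step executes code stored on the
        model inside the server process; only the setting check guards it
        here.  Treat edit access to ``python_post_processing`` as
        code-execution access to the server.  ``columns`` is computed
        before that step, so nothing here guarantees it still matches the
        shape of the returned ``data``.
        """
        conn = self.connection.get_db_connection()  # TODO: re-use across object
        # NOTE(review): nothing in this method closes `conn`; confirm who owns it.
        query = text(self.query)
        if submitted_parameters:
            # presumably `text` is sqlalchemy's, so these values travel as
            # bound parameters rather than being spliced into the SQL - confirm
            result = conn.execute(query, **submitted_parameters.cleaned_data)
        else:
            result = conn.execute(query)

        columns = [item[0] for item in result.cursor.description]
        data = result.fetchall()

        # Python post processing on data (if any)
        if self.python_post_processing and getattr(settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER', False):
            context = {'data': data}
            # Django saves newlines with \r\n, but to eval we just want \n (or we'll get a syntax error)
            # (These two lines used to mix tabs and spaces, which Python 3 rejects.)
            code_to_run = self.python_post_processing.replace('\r\n', '\n')
            maybe_safe_eval(code_to_run, context=context, timeout_secs=10)
            # Pull out the post-processed data.
            data = context['data']

        return data, columns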
Example #4
    def run_query(self, submitted_parameters):
        """Run ``self.query`` and hand back the rows plus their column names.

        The query text is wrapped with ``text()`` and executed on the
        connection obtained from ``self.connection.get_db_connection()``;
        a truthy ``submitted_parameters`` contributes its ``cleaned_data``
        as keyword arguments to ``execute``.

        Returns:
            A ``(data, columns)`` tuple: ``data`` is ``fetchall()`` (or
            whatever the post-processing code left in ``context['data']``),
            ``columns`` is the first item of each
            ``result.cursor.description`` entry.

        SECURITY: when ``python_post_processing`` is set and the
        ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is
        truthy, code stored on the model is executed in the server process
        via ``maybe_safe_eval``.  Whoever can edit that field should be
        trusted as if they could run code on the server.
        """
        conn = self.connection.get_db_connection()  # TODO: re-use across object
        query = text(self.query)
        # An empty mapping expands to no keyword arguments, i.e. a plain
        # execute(query) call.
        bind_values = submitted_parameters.cleaned_data if submitted_parameters else {}
        result = conn.execute(query, **bind_values)

        column_names = []
        for description in result.cursor.description:
            column_names.append(description[0])
        rows = result.fetchall()

        # Optional Python post-processing of the fetched rows.
        post_processing = self.python_post_processing
        if post_processing and getattr(
                settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER',
                False):
            namespace = {'data': rows}
            # Django stores newlines as \r\n; the evaluator needs plain \n
            # or the code fails with a syntax error.
            normalised_code = post_processing.replace('\r\n', '\n')
            maybe_safe_eval(normalised_code, context=namespace, timeout_secs=10)
            # Take back the (possibly replaced) rows.
            rows = namespace['data']

        return rows, column_names