def test_call(self):
# call non whitelisted method
self.assertRaises(frappe.PermissionError, safe_exec,
"""frappe.call("frappe.get_user")""")
# call whitelisted method
safe_exec("""frappe.call("ping")""")
def test_enqueue(self):
# enqueue non whitelisted method
self.assertRaises(frappe.PermissionError, safe_exec,
"""frappe.enqueue("frappe.get_user", now=True)""")
# enqueue whitelisted method
safe_exec("""frappe.enqueue("ping", now=True)""")
def execute(filters=None):
doc = frappe.get_doc("Report", "Aptronics Profit and Loss Statement")
data = []
month_start = parse_date("{} {}".format(filters.current_period, filters.fiscal_year))
month_start = month_start.replace(day=1)
month_end = month_start.replace(
day=(monthrange(month_start.year, month_start.month)[1])
)
fiscal_year_start = frappe.get_value("Fiscal Year", filters.fiscal_year, "year_start_date")
for row in doc.report_rows:
if not row.subtotal:
current_period = get_total_for_account(
filters.company, row.account, month_start, month_end
)
year_to_date = get_total_for_account(
filters.company, row.account, fiscal_year_start, month_end
)
else:
year_to_date = 0
current_period = 0
data.append(frappe._dict({
"account": "<strong> {} </strong>".format(row.row_label) if row.subtotal else row.account,
"current_period": current_period,
"year_to_date": year_to_date
}))
exec_globals = get_safe_globals()
exec_globals.__builtins__['sum'] = __builtins__['sum']
exec_globals.__builtins__['format'] = __builtins__['format']
for row in doc.report_rows:
if row.subtotal and row.formula:
loc = {"filters": frappe._dict(filters), 'data': data}
safe_exec(row.formula, None, loc)
return get_columns(), data
def execute_doc(self, doc: Document):
"""Specific to Document Event triggered Server Scripts
Args:
doc (Document): Executes script with for a certain document's events
"""
safe_exec(self.script, _locals={"doc": doc}, restrict_commit_rollback=True)
def execute_script(self, filters):
# server script
loc = {"filters": frappe._dict(filters), "data": None, "result": None}
safe_exec(self.report_script, None, loc)
if loc["data"]:
return loc["data"]
else:
return self.get_columns(), loc["result"]
def execute_script(self, filters):
# server script
loc = {"filters": frappe._dict(filters), 'data':None, 'result':None}
safe_exec(self.report_script, None, loc)
if loc['data']:
return loc['data']
else:
return self.get_columns(), loc['result']
def execute_method(self): if self.script_type == 'API': # validate if guest is allowed if frappe.session.user == 'Guest' and not self.allow_guest: raise frappe.PermissionError safe_exec(self.script) else: # wrong report type! raise frappe.DoesNotExistError
def test_query_builder(self):
_locals = dict(out=None)
safe_exec(
script=
'''out = frappe.qb.from_("User").select(frappe.qb.terms.PseudoColumn("Max(name)")).run()''',
_globals=None,
_locals=_locals)
self.assertEqual(frappe.db.sql("SELECT Max(name) FROM tabUser"),
_locals["out"])
def test_sql(self):
_locals = dict(out=None)
safe_exec(
"""out = frappe.db.sql("select name from tabDocType where name='DocType'")""",
None, _locals)
self.assertEqual(_locals["out"][0][0], "DocType")
self.assertRaises(
frappe.PermissionError, safe_exec,
'frappe.db.sql("update tabToDo set description=NULL")')
def execute_scheduled_method(self):
"""Specific to Scheduled Jobs via Server Scripts
Raises:
frappe.DoesNotExistError: If script type is not a scheduler event
"""
if self.script_type != "Scheduler Event":
raise frappe.DoesNotExistError
safe_exec(self.script)
def get_permission_query_conditions(self, user: str) -> List[str]:
"""Specific to Permission Query Server Scripts
Args:
user (str): Takes user email to execute script and return list of conditions
Returns:
list: Returns list of conditions defined by rules in self.script
"""
locals = {"user": user, "conditions": ""}
safe_exec(self.script, None, locals)
if locals["conditions"]:
return locals["conditions"]
def run(self):
frappe.only_for("System Manager")
try:
frappe.debug_log = []
safe_exec(self.console)
self.output = "\n".join(frappe.debug_log)
except: # noqa: E722
self.output = frappe.get_traceback()
if self.commit:
frappe.db.commit()
else:
frappe.db.rollback()
frappe.get_doc(
dict(doctype="Console Log",
script=self.console,
output=self.output)).insert()
frappe.db.commit()
def execute_method(self):
if self.script_type == 'API':
# validate if guest is allowed
if frappe.session.user == 'Guest' and not self.allow_guest:
raise frappe.PermissionError
_globals, _locals = safe_exec(self.script)
return _globals.frappe.flags # output can be stored in flags
else:
# wrong report type!
raise frappe.DoesNotExistError
def run(self):
frappe.only_for('System Manager')
try:
frappe.debug_log = []
if self.type == 'Python':
safe_exec(self.console)
self.output = '\n'.join(frappe.debug_log)
elif self.type == 'SQL':
self.output = frappe.as_json(read_sql(self.console, as_dict=1))
except: # noqa: E722
self.output = frappe.get_traceback()
if self.commit:
frappe.db.commit()
else:
frappe.db.rollback()
frappe.get_doc(
dict(doctype='Console Log',
script=self.console,
output=self.output)).insert()
frappe.db.commit()
def get_context(self, context):
context.main_section = get_html_content_based_on_type(
self, 'main_section', self.content_type)
context.source_content_type = self.content_type
context.title = self.title
if self.context_script:
_locals = dict(context=frappe._dict())
safe_exec(self.context_script, None, _locals)
context.update(_locals['context'])
self.render_dynamic(context)
# if static page, get static content
if context.slideshow:
context.update(get_slideshow(self))
if self.enable_comments:
context.comment_list = get_comment_list(self.doctype, self.name)
context.guest_allowed = True
context.update({
"style": self.css or "",
"script": self.javascript or "",
"header": self.header,
"text_align": self.text_align,
})
if not self.show_title:
context["no_header"] = 1
self.set_metatags(context)
self.set_breadcrumbs(context)
self.set_title_and_header(context)
self.set_page_blocks(context)
return context
def execute_method(self) -> Dict:
"""Specific to API endpoint Server Scripts
Raises:
frappe.DoesNotExistError: If self.script_type is not API
frappe.PermissionError: If self.allow_guest is unset for API accessed by Guest user
Returns:
dict: Evaluates self.script with frappe.utils.safe_exec.safe_exec and returns the flags set in it's safe globals
"""
# wrong report type!
if self.script_type != "API":
raise frappe.DoesNotExistError
# validate if guest is allowed
if frappe.session.user == "Guest" and not self.allow_guest:
raise frappe.PermissionError
# output can be stored in flags
_globals, _locals = safe_exec(self.script)
return _globals.frappe.flags
def test_utils(self):
_locals = dict(out=None)
safe_exec('''out = frappe.utils.cint("1")''', None, _locals)
self.assertEqual(_locals['out'], 1)
def test_utils(self):
_locals = dict(out=None)
safe_exec("""out = frappe.utils.cint("1")""", None, _locals)
self.assertEqual(_locals["out"], 1)
def execute_doc(self, doc): # execute event safe_exec(self.script, None, dict(doc = doc))
def execute_scheduled_method(self): if self.script_type == 'Scheduler Event': safe_exec(self.script) else: # wrong report type! raise frappe.DoesNotExistError
def execute_script(self, filters):
# server script
loc = {"filters": frappe._dict(filters), 'data': []}
safe_exec(self.report_script, None, loc)
return loc['data']
