[ADD] sql_shell: get easy access to database without having access to server #115744
base: 16.0
Force-pushed from 243a376 to d10ce92
Hi @william-andre. If you want, you can take a look at some community modules developed some years ago: Note: in your current implementation, it is possible to call INSERT, UPDATE, TRUNCATE. Is it intended? (I'm available to talk with you if you want some feedback, talk about the design, etc.)
The purpose is indeed to be able to execute any SQL queries, such as INSERT, UPDATE, DELETE FROM, but also EXPLAIN ANALYZE or CREATE INDEX.
Hi @ajepe.
Thanks for your quick review. Could you elaborate on this, though? I don't get your point.
I see. Thanks for the explanation.
Indeed, but the ORM "protects" against data inconsistency. On the other hand, I understand the need, which is valid. But as you propose the PR against a stable version, I think Odoo SA should communicate on that topic. I'm sure some integrators will disable this module to prevent their clients from accessing this functionality. In other words, if today someone found the possibility to perform SQL write/read queries on the database via the UI or XML-RPC, this would be considered a severe security flaw. @rco-odoo, a point of view on this topic? Thanks.
You can run any SQL query in a server action by running
You're right. Sorry for the noise, then.
addons/sql_shell/models/sql_shell.py
Outdated
self.env.cr.execute(self.query) | ||
self.result = { | ||
'header': [d.name for d in self.env.cr.description], | ||
'rows': self.env.cr.fetchall(), |
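Review bot: `fetchall()` is called unconditionally after `execute(self.query)`, but statements without a result set (UPDATE, DELETE, DDL without RETURNING) leave `cr.description` as None and make psycopg2's `fetchall()` raise ProgrammingError, so the shell will error on exactly the write statements the PR wants to support; branch on `self.env.cr.description is None` and report `self.env.cr.rowcount` in that case. The fetch is also unbounded: use `fetchmany(limit)` so a large SELECT cannot exhaust server memory before the result ever reaches the browser.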
some requests (update, delete) don't return rows
note: maybe add a limit to prevent browser crash
'rows': self.env.cr.fetchall()[:1000],
some requests (update, delete) don't return rows
They return how many rows were updated, for instance
note: maybe add a limit to prevent browser crash
'rows': self.env.cr.fetchall()[:1000],
This depends on the browser/computer. Use at your own risk.
The purpose is not to fetch a bajillion rows. The way it is (temporarily) currently implemented would make the server's memory explode too, btw.
My bad, I was too quick in testing. I fixed both remarks in the latest commit.
my 2 cents when reading it
Force-pushed from 71b4221 to f1355f5
This commit adds a new widget to the field registry. This button is represented with an icon and acts as a boolean field widget. The label is shown as a tooltip when hovered. A test file has also been added to verify its behavior. task #3121078 backport of 1f02263
Force-pushed from e2309d2 to f5b1fbf
Force-pushed from f5b1fbf to 6f8d110
<field name="view_mode">form</field> | ||
</record> | ||
|
||
<menuitem name="SQL Shell" id="sql_shell_menu" parent="base.menu_custom" groups="base.group_no_one" action="sql_shell_action" sequence="10000"/> |
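Review bot: `groups="base.group_no_one"` on the `<menuitem>` only controls who sees the menu entry; it does not restrict who can open `sql_shell_action` or read and write the underlying model, and nothing in this hunk declares access rights for that model. For a feature that executes arbitrary SQL, the restriction should live on the model's access rules (and the action), with the menu group merely mirroring it, so that the shell is unreachable rather than just hidden for everyone outside the intended administrator group.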
<menuitem name="SQL Shell" id="sql_shell_menu" parent="base.menu_custom" groups="base.group_no_one" action="sql_shell_action" sequence="10000"/> | |
<menuitem name="SQL Shell" id="sql_shell_menu" parent="base.next_id_9" groups="base.group_no_one" action="sql_shell_action" sequence="100"/> |
For the time being, this entry is set at the very last position of the technical menu, which doesn't make much sense.
I propose to replace "Settings > Technical > SQL Shell" with "Settings > Technical > Database Structure > SQL Shell".
|
||
from odoo import models, fields, api | ||
|
||
class SQLShell(models.Model): |
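Review bot: `class SQLShell(models.Model)` makes every shell record persistent, so each query typed into it, together with the `self.result` dict assigned in the `execute` path, is stored in a regular table and kept indefinitely. A `models.TransientModel`, as the other wizards use, would be vacuumed automatically and would avoid accumulating a history of ad hoc queries and their result sets (which may contain sensitive rows) in the database; if persistence is intended, that should be stated and the table covered by the same access restriction as the shell itself.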
Naive question: is there a reason not to use a classic TransientModel like the other wizards?
hi @william-andre. What is the state of this PR? Some functional review. Something is wrong if the max rows is small. Could you take a look? Otherwise, LGTM.
SELECT with max > 40: OK
SELECT with max < 40: KO
EXPLAIN ANALYZE: OK (nice feature, BTW)
Destroy the database: OK
Then
The issue you raised with "Max Rows" is actually a protection to avoid crashing the browser and making too much traffic on the network; increase the limit at your own risk. And this PR will probably never get accepted because of you. We might implement it someday only for Odoo support and only on duplicate databases.
Hi @william-andre, thanks for your answer!
No: take a look again at my printscreen. I set 5 as max rows, and an error is raised and I cannot see the result. That's not expected, don't you think?
Well, indeed, there is no warning, but we could quite simply imagine adding a warning with some confirmation if it is a "write" or a "delete" request (a similar algorithm to the community module that prohibits non-select requests: https://github.com/OCA/reporting-engine/blob/16.0/sql_request_abstract/models/sql_request_mixin.py#L39)
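The confirmation gate proposed above, combined with the two earlier review remarks (statements without a result set, and an unbounded fetch), as an added illustration that is not code from this PR or from the OCA module it links to. It uses sqlite3 so it runs stand-alone; in Odoo the same logic would wrap `self.env.cr`, whose `description` entries expose `.name` instead of `[0]`, and where psycopg2's `fetchall()` raises ProgrammingError when no result set exists.

```python
import re
import sqlite3

# Leading keywords whose statements only read data. "WITH" is deliberately
# excluded: in PostgreSQL a CTE may wrap INSERT/UPDATE/DELETE.
READ_ONLY_KEYWORDS = {"SELECT", "EXPLAIN", "SHOW"}

# Strip "-- ..." and "/* ... */" comments so they cannot hide the real verb.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)


def first_keyword(query: str) -> str:
    """Return the first SQL keyword, ignoring comments and opening parens."""
    stripped = _COMMENT_RE.sub(" ", query).lstrip(" \t\r\n(")
    match = re.match(r"[A-Za-z]+", stripped)
    return match.group(0).upper() if match else ""


def needs_write_confirmation(query: str) -> bool:
    """Anything that is not a known read-only statement must be confirmed."""
    return first_keyword(query) not in READ_ONLY_KEYWORDS


def run_query(conn, query: str, confirmed: bool = False, max_rows: int = 1000):
    """Execute `query` with the write gate, the no-result-set case and a row cap."""
    if needs_write_confirmation(query) and not confirmed:
        raise PermissionError("write statement requires explicit confirmation")
    cur = conn.cursor()
    cur.execute(query)
    if cur.description is None:
        # UPDATE/DELETE/DDL return no rows; report the affected row count instead
        # of calling fetchall(), which has nothing to fetch.
        return {"header": [], "rows": [], "rowcount": cur.rowcount}
    # Fetch one row more than the cap so the caller learns the result was cut.
    rows = cur.fetchmany(max_rows + 1)
    return {
        "header": [d[0] for d in cur.description],  # Odoo: d.name
        "rows": rows[:max_rows],
        "truncated": len(rows) > max_rows,
    }


def make_demo_db():
    """Constructed in-memory table (not Odoo's real res_partner) for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO res_partner (name) VALUES (?)",
                     [("a",), ("b",), ("c",)])
    return conn
```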
well, go to "application > select
No description provided.