
c2c-oerpscenario team mailing list archive

Re: [Bug 777850] Re: account_followup uses SQL query for getting data, circumventing security rules


On Monday 09 May 2011, you wrote:
> Hello Panos,
> 
> I understand your concern.
> 
> As a workaround I have tried to convert the SQL queries into OpenERP
> Code and it just takes 4 lines with 2 search() methods and one read().
> 
> Do you recommend that?

I have not seen your code, but you may be right: if we are talking about a 
one-off query (that is, not one in a loop or called frequently), and it doesn't 
do any SQL tricks (optimizations, aggregates etc.), yes, it is better to use 
ORM methods rather than SQL.

In the account_followup_print.py, I can surely spot a few cr.execute() 
occurrences which look feasible through ORM. On the other hand, the view can't be 
replaced, but could expose a 'company_id' column so that an ir.rule can be 
written against that (for example).

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/777850

Title:
  account_followup uses SQL query for getting data, circumventing
  security rules

Status in OpenERP Modules (addons):
  In Progress

Bug description:
  this happens in v6 and trunk

  Hi. 
  Currently account_followup uses SQL queries to get invoices and partners to send followups to. This doesn't take security rules into account, which is wrong. An ORM way would do the right thing here. 

  For example a very bad effect of this is that in a multicompany
  situation any user sees the open invoices of other companies, which
  shouldn't be.

  The interesting stuff happens here:
  http://bazaar.launchpad.net/~openerp/openobject-addons/trunk/view/head:/account_followup/wizard/account_followup_print.py

  Thanks!
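The difference the thread is about, as an added example that is not code from the account_followup module or from the OpenERP ORM: it models with sqlite3 a raw cr.execute() query that returns every company's open invoices regardless of who asks, next to a search()/read() path that ANDs a per-company record rule (the role ir.rule plays in OpenERP) onto every query, and shows the same rule applied to a SQL view that exposes a company_id column. Table names, sample rows, user records and the RECORD_RULES format are all constructed for illustration.

```python
"""
Added example (not the account_followup module's code, nor the OpenERP ORM).
Models the point of the thread: cr.execute() bypasses record rules, while a
search()/read() layer that applies them returns only the caller's company's
rows. Data, table names and the rule format are constructed.
"""
import sqlite3

# Constructed sample data: two companies, one user per company.
SAMPLE_INVOICES = [
    (1, "INV/A/001", 1, "open", 100.0),
    (2, "INV/A/002", 1, "paid", 50.0),
    (3, "INV/B/001", 2, "open", 75.0),
]
USERS = {"alice": {"company_id": 1}, "bob": {"company_id": 2}}

# Stand-in for ir.rule: per model, (column, value source) pairs that are
# ANDed onto every search, like [('company_id', '=', user.company_id.id)].
RECORD_RULES = {
    "account_invoice": [("company_id", "user.company_id")],
    "account_followup_view": [("company_id", "user.company_id")],
}
ALLOWED_OPS = {"=", "!="}  # domain operators this toy layer accepts


def open_db():
    """Build an in-memory database with an invoice table and a reporting view."""
    cr = sqlite3.connect(":memory:").cursor()
    cr.execute("CREATE TABLE account_invoice (id INTEGER PRIMARY KEY, number TEXT,"
               " company_id INTEGER, state TEXT, amount REAL)")
    cr.executemany("INSERT INTO account_invoice VALUES (?,?,?,?,?)", SAMPLE_INVOICES)
    # As in the reply: the view itself cannot be replaced by ORM calls, but
    # exposing company_id lets a record rule be written against it.
    cr.execute("CREATE VIEW account_followup_view AS SELECT id, number, company_id,"
               " amount FROM account_invoice WHERE state = 'open'")
    return cr


def raw_sql_open_invoices(cr, uid):
    """The pattern the bug objects to: uid is never consulted, so every
    company's open invoices come back."""
    cr.execute("SELECT number FROM account_invoice WHERE state = 'open' ORDER BY id")
    return [row[0] for row in cr.fetchall()]


def _resolve(source, uid):
    if source == "user.company_id":
        return USERS[uid]["company_id"]
    raise ValueError("unknown rule value source: %s" % source)


def search(cr, uid, model, domain):
    """ORM-style search: caller's domain plus the model's record rules."""
    clauses, params = [], []
    for col, op, val in domain:
        if op not in ALLOWED_OPS:
            raise ValueError("unsupported operator: %s" % op)
        clauses.append("%s %s ?" % (col, op))
        params.append(val)
    for col, source in RECORD_RULES.get(model, []):  # rules are not optional
        clauses.append("%s = ?" % col)
        params.append(_resolve(source, uid))
    where = " AND ".join(clauses) or "1=1"
    cr.execute("SELECT id FROM %s WHERE %s ORDER BY id" % (model, where), params)
    return [row[0] for row in cr.fetchall()]


def read(cr, uid, model, ids, fields):
    """ORM-style read of ids that search() has already filtered by rule."""
    if not ids:
        return []
    cols = ["id"] + list(fields)
    placeholders = ",".join("?" * len(ids))
    cr.execute("SELECT %s FROM %s WHERE id IN (%s) ORDER BY id"
               % (", ".join(cols), model, placeholders), list(ids))
    return [dict(zip(cols, row)) for row in cr.fetchall()]


def orm_open_invoices(cr, uid):
    """The 'search() + read()' replacement the reporter describes."""
    ids = search(cr, uid, "account_invoice", [("state", "=", "open")])
    return [rec["number"] for rec in read(cr, uid, "account_invoice", ids, ["number"])]


def view_open_invoices(cr, uid):
    """The same rule enforced on the view via its exposed company_id column."""
    ids = search(cr, uid, "account_followup_view", [])
    return [rec["number"] for rec in read(cr, uid, "account_followup_view", ids, ["number"])]


if __name__ == "__main__":
    cr = open_db()
    print("raw SQL as alice:", raw_sql_open_invoices(cr, "alice"))
    print("ORM as alice:    ", orm_open_invoices(cr, "alice"))
    print("ORM as bob:      ", orm_open_invoices(cr, "bob"))
    print("view as bob:     ", view_open_invoices(cr, "bob"))
```

Running it shows the raw query leaking company B's invoice to alice, while both the table and the view paths return only the caller's own company once the rule is applied in one central place.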

