
openerp-community team mailing list archive

Re: XMLRPC : special method for raw SQL instead of search + read ?

 

I agree.  A database user is a better choice in this instance since it is
easier to understand the effective permissions of that user. I think it is
dangerous to encourage queries at the ORM level that bypass all safety
checks the ORM provides. If we do this, we then have very little idea what
a user can and cannot do via XMLRPC. Raw SQL can be extremely useful but
also very dangerous. By creating a separate database user, you _explicitly_
define that user's level of access to the database. Thus, there is no
surprise when an intern accidentally drops the entire database because you
handed him a root PostgreSQL account. :)


On Tue, Oct 15, 2013 at 8:57 AM, Nicolas Bessi <nicolas.bessi@xxxxxxxxxxxxxx> wrote:

> Hello,
>
> You should take a look at erppeek; it is a nice abstraction library to
> interface OpenERP with external systems.
>
> If you really need fast read access to your system to do stats or whatever
> else, maybe you should set up a limited PostgreSQL user with strong
> authentication and read permission on the needed tables instead of using XMLRPC.
>
> My two cents
>
> Nicolas
>
>
> Christophe Dubuit <cdubuit@xxxxxxxxx> wrote:
>>
>> Okay, but what if this method would be restricted to users with
>> "administrator" privileges only?
>>
>> Plus, we have to see the context. Someone who uses XMLRPC queries...
>> usually is an admin, don't you think?
>>
>> XMLRPC / JSON queries are for "behind work", "plumber work"... Not
>> really regular front users.
>>
>> CD
>>
>>   ------------------------------
>> From: Alexandre Fayolle <alexandre.fayolle@xxxxxxxxxxxxxx>
>> To: Christophe Dubuit <cdubuit@xxxxxxxxx>
>> Cc: "openerp-community@xxxxxxxxxxxxxxxxxxx" <openerp-community@xxxxxxxxxxxxxxxxxxx>
>> Sent: Tuesday, 15 October 2013, 13:40
>> Subject: Re: [Openerp-community] XMLRPC : special method for raw SQL
>> instead of search + read ?
>>
>>
>>
>> On Tue, 15 Oct 2013 13:32:11 CEST, Christophe Dubuit wrote:
>> > Hello,
>> >
>> > [this is my first message to the mailing list]
>> >
>> > I would like to make a suggestion regarding XMLRPC (and even JSON).
>> >
>> > Would it be good to add a special method, in order to be able to send
>> > raw SQL queries (SELECT only)?
>> >
>> > Personal background: I've started to use XMLRPC (and some JSON) with
>> > OpenERP, and I've found it's much easier (and faster) to deal with SQL
>> > queries, rather than to compose XML queries for "search" and "read"
>> > methods.
>> >
>> > Each basic query needs 2 XMLRPC queries: first a search, to fetch the
>> > IDs, and then a read. And it's double work on the client side, to
>> > process all XML data that are returned. Then we have to manage domain,
>> > context etc.
>> >
>> > It's tedious work for a simple SELECT.
>> >
>> > And furthermore SQL is easier for complex queries, like JOIN.
>> >
>> > I'm not an expert, so maybe there is a technical reason for OpenERP to
>> > not go this way. If that's the case, could someone explain it to me?
>> >
>> > Some people advised me to develop my own module, that would allow the
>> > direct processing of SQL SELECT queries. But a real "standard"
>> > solution, plug and play, would always be better.
>> >
>> > What do you think about it?
>>
>>
>> I'd strongly advise against this: using raw SQL bypasses the
>> security rules which are enforced by the ORM.
>>
>>
>> --
>> Alexandre Fayolle
>> Chef de Projet
>> Tel : + 33 (0)4 79 26 57 94
>>
>> Camptocamp France SAS
>> Savoie Technolac, BP 352
>> 73377 Le Bourget du Lac Cedex
>> http://www.camptocamp.com
>>
>>
>>
>>
>>  ------------------------------
>>
>> Mailing list: https://launchpad.net/~openerp-community
>>
>> Post to     : openerp-community@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openerp-community
>>
>> More help   : https://help.launchpad.net/ListHelp
>>


-- 
Brendan Clune
Information Technology
Logic Supply, Inc.
Direct: 802 861 7459 | Main: 802 861 2300
www.logicsupply.com | www.lgxsystems.com
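Nicolas's suggestion of a limited PostgreSQL user, written out as an added example that is not part of this thread: a read-only reporting role granted SELECT on an explicit list of tables, plus the catalog query that shows its effective privileges (the property Brendan values over an ORM bypass). The role name, database name, password placeholder and table list are assumptions; note that OpenERP's record rules (ir.rule) are enforced by the ORM only, so they do not apply to this role and the table list has to be chosen with that in mind.

```sql
-- Constructed example for PostgreSQL; role, database and table names are assumed.

-- 1. A plain login role with no elevated attributes. The authentication
--    method (md5, cert, ...) is decided by pg_hba.conf, not by this statement.
CREATE ROLE reporting_ro LOGIN PASSWORD 'REPLACE-WITH-A-STRONG-SECRET'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Connection to the one database it is meant for.
GRANT CONNECT ON DATABASE openerp_db TO reporting_ro;

-- 3. Schema access, then SELECT on an explicit table list. Granting
--    table by table (not ALL TABLES IN SCHEMA) keeps tables such as
--    res_users, which holds password hashes, out of reach. Tables that
--    OpenERP protects with record rules are also excluded here, because
--    those rules live in the ORM and do not exist at the SQL level.
GRANT USAGE ON SCHEMA public TO reporting_ro;
GRANT SELECT ON public.sale_order,
                public.sale_order_line,
                public.res_partner
    TO reporting_ro;

-- 4. Belt and braces: every session of this role is read-only and any
--    single statement is cut off after 30 seconds, so a runaway report
--    cannot tie up the server shared with the OpenERP application.
ALTER ROLE reporting_ro SET default_transaction_read_only = on;
ALTER ROLE reporting_ro SET statement_timeout = '30s';

-- 5. Verification: the effective table privileges of the role, which is
--    exactly the view an auditor asks for and that an ORM bypass cannot give.
SELECT table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'reporting_ro'
 ORDER BY table_schema, table_name;
```

The SELECT in step 5 should list only the three granted tables; any extra row means a grant to PUBLIC or a later GRANT has widened the role beyond what was intended.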
