Commit 1894bfea authored by Asier Lostalé's avatar Asier Lostalé

fixed bug 40580: used bind parameters in alert action handler and datasource

--HG--
extra : rebase_source : 1c1a0123f318ca04b8296cf3e6e92392f3367316
parent 3a6effb1
......@@ -11,7 +11,7 @@
* under the License.
* The Original Code is Openbravo ERP.
* The Initial Developer of the Original Code is Openbravo SLU
* All portions are Copyright (C) 2015-2018 Openbravo SLU
* All portions are Copyright (C) 2015-2019 Openbravo SLU
* All Rights Reserved.
* Contributor(s): ______________________________________.
************************************************************************
......@@ -95,20 +95,29 @@ public class ADAlertDatasourceService extends DefaultDataSourceService {
private List<String> getAlertIds(String alertStatus) {
// Get alert rules visible for context's the role/user.
final String sql = "SELECT ad_alertrule_id, filterclause" + " FROM ad_alertrule arule" //
+ " WHERE EXISTS (SELECT 1" //
// @formatter:off
final String sql =
"SELECT ad_alertrule_id, filterclause"
+ " FROM ad_alertrule arule"
+ " WHERE EXISTS (SELECT 1"
+ " FROM ad_alertrecipient arecipient"
+ " WHERE arule.ad_alertrule_id = arecipient.ad_alertrule_id"
+ " AND (ad_user_id = :userId"
+ " OR (ad_user_id is null AND ad_role_id = :roleId)))"
+ " AND ad_client_id " + OBDal.getInstance().getReadableClientsInClause()
+ " AND ad_org_id " + OBDal.getInstance().getReadableOrganizationsInClause()
+ " AND ad_client_id in :clients"
+ " AND ad_org_id in :orgs"
+ " AND isactive='Y'";
// @formatter:on
@SuppressWarnings("rawtypes")
final NativeQuery alertRules = OBDal.getInstance().getSession().createNativeQuery(sql);
alertRules.setParameter("userId", OBContext.getOBContext().getUser().getId());
alertRules.setParameter("roleId", OBContext.getOBContext().getRole().getId());
final NativeQuery alertRules = OBDal.getInstance()
.getSession()
.createNativeQuery(sql)
.setParameter("userId", OBContext.getOBContext().getUser().getId())
.setParameter("roleId", OBContext.getOBContext().getRole().getId())
.setParameterList("clients", OBContext.getOBContext().getReadableClients())
.setParameterList("orgs", OBContext.getOBContext().getReadableOrganizations());
return getAlertIdsFromAlertRules(getAlertRulesGroupedByFilterClause(alertRules), alertStatus);
}
......@@ -151,14 +160,28 @@ public class ADAlertDatasourceService extends DefaultDataSourceService {
} catch (ServletException e) {
throw new IllegalStateException(e);
}
final String sql = "SELECT ad_alert_id FROM ad_alert WHERE isactive='Y'"
+ " AND ad_client_id " + OBDal.getInstance().getReadableClientsInClause()
+ " AND ad_org_id " + OBDal.getInstance().getReadableOrganizationsInClause()
+ " AND ad_alertrule_id IN (" + commaSeparated(alertRuleList.getValue()) + ")"
+ filterClause + " AND coalesce(to_char(status), 'NEW') = :status";
// @formatter:off
final String sql =
"SELECT ad_alert_id "
+ " FROM ad_alert "
+ "WHERE isactive='Y'"
+ " AND ad_client_id in :clients"
+ " AND ad_org_id in :orgs"
+ " AND ad_alertrule_id in :rules "
+ " AND coalesce(to_char(status), 'NEW') = :status "
+ filterClause;
// @formatter:on
@SuppressWarnings("rawtypes")
final NativeQuery sqlQuery = OBDal.getInstance().getSession().createNativeQuery(sql);
sqlQuery.setParameter("status", alertStatus);
final NativeQuery sqlQuery = OBDal.getInstance()
.getSession()
.createNativeQuery(sql)
.setParameter("status", alertStatus)
.setParameterList("clients", OBContext.getOBContext().getReadableClients())
.setParameterList("orgs", OBContext.getOBContext().getReadableOrganizations())
.setParameterList("rules", alertRuleList.getValue());
try {
@SuppressWarnings("unchecked")
List<String> alertsFound = sqlQuery.list();
......
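Review bot: In the second hunk, `+ filterClause;` at the end of the rebuilt sql is still plain string concatenation, so the move to bind parameters does not cover the rule's filter clause; presumably it is SQL taken from the alert rule definition (inferred from getAlertRulesGroupedByFilterClause in the first hunk), i.e. administrator configuration rather than request input, but nothing in the hunk states that. A comment next to it, such as `// filterClause is SQL from the alert rule definition and cannot be bound; it is trusted admin configuration, not request input`, would record the assumption for the next maintainer. The same remark applies to `getFilterSQL(commonFilterClause, vars)` in AlertActionHandler. The enclosing method starts before this hunk and its `try { ... sqlQuery.list()` block continues past it.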
......@@ -11,7 +11,7 @@
* under the License.
* The Original Code is Openbravo ERP.
* The Initial Developer of the Original Code is Openbravo SLU
* All portions are Copyright (C) 2009-2018 Openbravo SLU
* All portions are Copyright (C) 2009-2019 Openbravo SLU
* All Rights Reserved.
* Contributor(s): ______________________________________.
************************************************************************
......@@ -20,11 +20,8 @@ package org.openbravo.client.application;
import static java.util.stream.Collectors.groupingBy;
import static java.util.stream.Collectors.toList;
import static org.openbravo.erpCommon.utility.StringCollectionUtils.commaSeparated;
import java.io.IOException;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
......@@ -113,20 +110,26 @@ public class AlertActionHandler extends BaseActionHandler implements PortalAcces
return 0L;
}
final String hql = "select distinct(e.alertRule)" + " from ADAlertRecipient"
+ " e where e.alertRule.active = true and (e.userContact.id= :userId "
+ " or (e.userContact.id = null and e.role.id = :roleId))"
// @formatter:off
final String hql =
"select distinct(e.alertRule)"
+ " from ADAlertRecipient e "
+ "where e.alertRule.active = true"
+ " and (e.userContact.id= :userId"
+ " or (e.userContact.id = null and e.role.id = :roleId))"
// select only those rules that are client/org visible from current role
+ " and e.alertRule.client.id " + OBDal.getInstance().getReadableClientsInClause()
+ " and e.alertRule.organization.id "
+ OBDal.getInstance().getReadableOrganizationsInClause();
+ " and e.alertRule.client.id in :clients"
+ " and e.alertRule.organization.id in :orgs";
// @formatter:on
final Query<AlertRule> qry = OBDal.getInstance()
.getSession()
.createQuery(hql, AlertRule.class)
.setParameter("userId", OBContext.getOBContext().getUser().getId())
.setParameter("roleId", OBContext.getOBContext().getRole().getId());
.setParameter("roleId", OBContext.getOBContext().getRole().getId())
.setParameterList("clients", OBContext.getOBContext().getReadableClients())
.setParameterList("orgs", OBContext.getOBContext().getReadableClients());
long total = qry.stream()
.collect(groupingBy(rule -> Objects.toString(rule.getFilterClause(), ""))) // null can't be
......@@ -142,18 +145,27 @@ public class AlertActionHandler extends BaseActionHandler implements PortalAcces
private long countActiveAlertsForRules(List<AlertRule> rules, VariablesSecureApp vars) {
String commonFilterClause = rules.get(0).getFilterClause();
List<String> ruleIds = rules.stream().map(AlertRule::getId).collect(toList());
final String sql = "select count(*) from AD_ALERT where COALESCE(STATUS, 'NEW')='NEW'"
+ " AND AD_CLIENT_ID " + OBDal.getInstance().getReadableClientsInClause()
+ " AND AD_ORG_ID " + OBDal.getInstance().getReadableOrganizationsInClause()
+ " AND AD_ALERTRULE_ID IN (" + commaSeparated(ruleIds) + ")" //
// @formatter:off
final String sql =
" select count(*) "
+ " from AD_ALERT "
+ "where COALESCE(STATUS, 'NEW') = 'NEW'"
+ " AND AD_CLIENT_ID IN :clients"
+ " AND AD_ORG_ID IN :orgs"
+ " AND AD_ALERTRULE_ID IN :rules"
+ getFilterSQL(commonFilterClause, vars);
// @formatter:on
try (PreparedStatement sqlQuery = new DalConnectionProvider(false).getPreparedStatement(sql)) {
sqlQuery.execute();
try (ResultSet rs = sqlQuery.getResultSet()) {
rs.next();
return rs.getLong(1);
}
try {
Number cnt = (Number) OBDal.getInstance()
.getSession()
.createNativeQuery(sql)
.setParameterList("clients", OBContext.getOBContext().getReadableClients())
.setParameterList("orgs", OBContext.getOBContext().getReadableOrganizations())
.setParameterList("rules", ruleIds)
.uniqueResult();
return cnt.longValue();
} catch (Exception e) {
log4j.error("An error has ocurred when trying to process the alerts: " + e.getMessage(), e);
return 0L;
......
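Review bot: `.setParameterList("orgs", OBContext.getOBContext().getReadableClients());` at the end of the hql query in the first method hunk binds the organization filter to the readable client ids, so `e.alertRule.organization.id in :orgs` compares organization ids against client ids; the sibling bindings in countActiveAlertsForRules and in ADAlertDatasourceService use getReadableOrganizations(). It should read `.setParameterList("orgs", OBContext.getOBContext().getReadableOrganizations());`. As written, rules whose organization id does not happen to coincide with a readable client id are silently dropped from the count rather than producing an error, so the defect would not surface as an exception. The method containing that query starts before the hunk and continues after the `.collect(groupingBy(...))` line.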