Fix for table being added to query twice, if it's added for security, and then for being in a where clause.

2023-05-15 15:07:38 -05:00
parent 14fc7b0ba8
commit 4eb28cd1b7
3 changed files with 59 additions and 10 deletions


@ -111,13 +111,13 @@ public class JoinsContext
if(join.getLeftTable().equals(tmpTable.getName()))
{
QueryJoin queryJoin = new ImplicitQueryJoinForSecurityLock().withJoinMetaData(join).withType(QueryJoin.Type.INNER);
this.queryJoins.add(queryJoin); // todo something else with aliases? probably.
this.addQueryJoin(queryJoin);
tmpTable = instance.getTable(join.getRightTable());
}
else if(join.getRightTable().equals(tmpTable.getName()))
{
QueryJoin queryJoin = new ImplicitQueryJoinForSecurityLock().withJoinMetaData(join.flip()).withType(QueryJoin.Type.INNER);
this.queryJoins.add(queryJoin); // todo something else with aliases? probably.
this.addQueryJoin(queryJoin); //
tmpTable = instance.getTable(join.getLeftTable());
}
else
@ -145,6 +145,20 @@ public class JoinsContext
/*******************************************************************************
** Add a query join to the list of query joins, and "process it"
**
** use this method to add to the list, instead of ever adding directly, as it's
** important do to that process step (and we've had bugs when it wasn't done).
*******************************************************************************/
private void addQueryJoin(QueryJoin queryJoin) throws QException
{
this.queryJoins.add(queryJoin);
processQueryJoin(queryJoin);
}
/*******************************************************************************
** If there are any joins in the context that don't have a join meta data, see
** if we can find the JoinMetaData to use for them by looking at the main table's
@ -236,8 +250,7 @@ public class JoinsContext
QueryJoin queryJoinToAdd = makeQueryJoinFromJoinAndTableNames(nextTable, tmpTable, joinToAdd);
queryJoinToAdd.setType(queryJoin.getType());
addedAnyQueryJoins = true;
this.queryJoins.add(queryJoinToAdd); // todo something else with aliases? probably.
processQueryJoin(queryJoinToAdd);
this.addQueryJoin(queryJoin);
}
}
@ -410,8 +423,7 @@ public class JoinsContext
QueryJoin queryJoin = makeQueryJoinFromJoinAndTableNames(mainTableName, filterTable, join);
if(queryJoin != null)
{
this.queryJoins.add(queryJoin); // todo something else with aliases? probably.
processQueryJoin(queryJoin);
this.addQueryJoin(queryJoin);
found = true;
break;
}
@ -420,8 +432,7 @@ public class JoinsContext
if(!found)
{
QueryJoin queryJoin = new QueryJoin().withJoinTable(filterTable).withType(QueryJoin.Type.INNER);
this.queryJoins.add(queryJoin); // todo something else with aliases? probably.
processQueryJoin(queryJoin);
this.addQueryJoin(queryJoin);
}
}
}
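Review bot: In the hunk at `@ -236,8 +250,7`, the new call `this.addQueryJoin(queryJoin);` passes the join being examined rather than the freshly built `queryJoinToAdd`, whereas both lines it replaces used `queryJoinToAdd`. As shown, the object that was just constructed and given its type is never added, and `queryJoin` (which appears to be in the list already) would be added and processed a second time, the same kind of duplicate this commit sets out to remove. The line should read `this.addQueryJoin(queryJoinToAdd);`. The enclosing method starts and ends outside the hunk, so confirm that `queryJoin` there is the existing join being iterated. Separately, the stray trailing `//` after `this.addQueryJoin(queryJoin);` in the first hunk can be dropped.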


@ -131,10 +131,10 @@ public class RDBMSQueryAction extends AbstractRDBMSAction implements QueryInterf
}
}
try
{
Long mark = System.currentTimeMillis();
try
{
//////////////////////////////////////////////
// execute the query - iterate over results //
//////////////////////////////////////////////
@ -173,6 +173,11 @@ public class RDBMSQueryAction extends AbstractRDBMSAction implements QueryInterf
return queryOutput;
}
catch(Exception e)
{
logSQL(sql, params, mark);
throw (e);
}
finally
{
if(needToCloseConnection)
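Review bot: The new `catch(Exception e)` block calls `logSQL(sql, params, mark)` before rethrowing, so an exception thrown inside `logSQL` would replace the original query failure; guarding it, e.g. `try { logSQL(sql, params, mark); } catch(Exception logFailure) { e.addSuppressed(logFailure); }`, keeps the root cause. `logSQL` is not visible here, but if it writes the bound `params`, the failure path will now put filter values (and presumably security key values) into the log, so check that it redacts them or that the log's audience is appropriate. `Long mark` could also be a primitive `long` now that it is declared outside the inner `try`. The method begins and ends outside these hunks.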


@ -1416,6 +1416,39 @@ public class RDBMSQueryActionTest extends RDBMSActionTest
/*******************************************************************************
**
*******************************************************************************/
@Test
void testRecordSecurityFromJoinTableAlsoImplicitlyInQuery() throws QException
{
QueryInput queryInput = new QueryInput();
queryInput.setTableName(TestUtils.TABLE_NAME_ORDER_LINE);
///////////////////////////////////////////////////////////////////////////////////////////
// orders 1, 2, and 3 are from store 1, so their lines (5 in total) should be found. //
// note, order 2 has the line with mis-matched store id - but, that shouldn't apply here //
///////////////////////////////////////////////////////////////////////////////////////////
queryInput.setFilter(new QQueryFilter(new QFilterCriteria("order.id", QCriteriaOperator.IN, List.of(1, 2, 3, 4))));
QContext.setQSession(new QSession().withSecurityKeyValue(TestUtils.TABLE_NAME_STORE, 1));
assertThat(new QueryAction().execute(queryInput).getRecords()).hasSize(5);
///////////////////////////////////////////////////////////////////
// order 4 should be the only one found this time (with 2 lines) //
///////////////////////////////////////////////////////////////////
queryInput.setFilter(new QQueryFilter(new QFilterCriteria("order.id", QCriteriaOperator.IN, List.of(1, 2, 3, 4))));
QContext.setQSession(new QSession().withSecurityKeyValue(TestUtils.TABLE_NAME_STORE, 2));
assertThat(new QueryAction().execute(queryInput).getRecords()).hasSize(2);
////////////////////////////////////////////////////////////////
// make sure we're also good if we explicitly join this table //
////////////////////////////////////////////////////////////////
queryInput.withQueryJoin(new QueryJoin().withJoinTable(TestUtils.TABLE_NAME_ORDER).withSelect(true));
assertThat(new QueryAction().execute(queryInput).getRecords()).hasSize(2);
}
/*******************************************************************************
**
*******************************************************************************/
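Review bot: The new test asserts only result counts (`hasSize(5)`, `hasSize(2)`), so a result holding the wrong order lines with the same count would still pass; asserting on the order ids or store ids of the returned records would tie the test to the security key actually being applied. The explicit-join case is run only under the store 2 session; repeating it with the store 1 key would cover the duplicate-table path for both. The javadoc banner above the test is empty; a line such as `** Record security comes from a join table that the filter also references.` would say what is covered. The second `setFilter` call repeats the first filter unchanged and can be removed.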