
Commit 6cd7b3b

committed
fix: production decomp SQL privilege violations and backwards incompatibilities
1 parent aaa1336 commit 6cd7b3b


1 file changed

+32
-13
lines changed


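--- a/cls/SourceControl/Git/Production.cls
+++ b/cls/SourceControl/Git/Production.cls
@@ -16,7 +16,7 @@ ClassMethod ExportProductionDefinitionShards(productionClass As %String, nameMet
 Set internalNames(internalName) = 1
 
 // next, export each item to a separate file
-Set rs = ##class(%SQL.Statement).%ExecDirect(,
+Set rs = ..ExecDirectNoPriv(
 "select Name, ClassName from Ens_Config.Item where Production = ?"
 , productionClass
 )
@@ -51,10 +51,18 @@ ClassMethod DeleteProductionDefinitionShards(productionClass As %String, deleteM
 // if the Production settings PTD exists, delete all PTDs for this Production
 if ##class(%File).Exists(settingsPTDFile) {
 set ptdDir = ##class(%File).GetDirectory(settingsPTDFile)
-set rs = ##class(%ResultSet).%New("%File:FileSet")
-$$$ThrowOnError(rs.Execute(ptdDir, "*.xml"))
-$$$ThrowSQLIfError(rs.%SQLCODE, rs.%Message)
-while rs.Next() {
+set statement = ##class(%SQL.Statement).%New()
+try {
+// execute without priv checking if possible on this IRIS version
+set sc = statement.%PrepareClassQuery("%File","FileSet",0)
+} catch err {
+set sc = statement.%PrepareClassQuery("%File","FileSet")
+}
+quit:$$$ISERR(sc)
+set rs = statement.%Execute(ptdDir, "*.xml")
+throw:rs.%SQLCODE<0 ##class(%Exception.SQL).CreateFromSQLCODE(rs.%SQLCODE,rs.%Message)
+while rs.%Next(.sc) {
+quit:$$$ISERR(sc)
 set ptdFilename = rs.Data("Name")
 set sc = ##class(%Studio.SourceControl.Production).ParseExternalName(ptdFilename, .ptdInternalName)
 quit:$$$ISERR(sc)
@@ -216,10 +224,10 @@ ClassMethod GetModifiedItemsBeforeSave(internalName, Location, Output modifiedIt
 merge ^IRIS.Temp("sscProd",$job,"modifiedItems") = modifiedItems
 // FUTURE: use a percent variable or PPG instead
 kill ^IRIS.Temp("sscProd",$job,"items")
-set rs = ##class(%SQL.Statement).%ExecDirectNoPriv(
-,"select Name, ClassName from Ens_Config.Item where Production = ?"
+set rs = ..ExecDirectNoPriv(
+"select Name, ClassName from Ens_Config.Item where Production = ?"
 , productionName)
-$$$ThrowSQLIfError(rs.%SQLCODE, rs.%Message)
+throw:rs.%SQLCODE<0 ##class(%Exception.SQL).CreateFromSQLCODE(rs.%SQLCODE,rs.%Message)
 while rs.%Next() {
 set ^IRIS.Temp("sscProd",$job,"items",$listbuild(rs.Name, rs.ClassName)) = 1
 }
@@ -231,10 +239,10 @@ ClassMethod GetModifiedItemsAfterSave(internalName, Output modifiedItems)
 set productionName = $piece(internalName,".",1,*-1)
 if ..IsEnsPortal() {
 // If adding/deleting from SMP, get the modified items by comparing items in temp global with items now
-set rs = ##class(%SQL.Statement).%ExecDirectNoPriv(
-,"select Name, ClassName from Ens_Config.Item where Production = ?"
+set rs = ..ExecDirectNoPriv(
+"select Name, ClassName from Ens_Config.Item where Production = ?"
 , productionName)
-$$$ThrowSQLIfError(rs.%SQLCODE, rs.%Message)
+throw:rs.%SQLCODE<0 ##class(%Exception.SQL).CreateFromSQLCODE(rs.%SQLCODE,rs.%Message)
 while rs.%Next() {
 if '$get(^IRIS.Temp("sscProd",$job,"items", $listbuild(rs.Name, rs.ClassName))) {
 set itemInternalName = ..CreateInternalName(productionName, rs.Name, rs.ClassName, 0)
@@ -429,12 +437,23 @@ ClassMethod CreateProduction(productionName As %String, superClasses = "") As %S
 ClassMethod GetUserProductionChanges(productionName As %String, ByRef items)
 {
 set sql = "SELECT InternalName, Action FROM %Studio_SourceControl.Change WHERE ChangedBy = ? AND Committed = 0 AND InternalName %STARTSWITH ?"
-set rs = ##class(%SQL.Statement).%ExecDirect(,sql,$username,productionName_"||")
-$$$ThrowSQLIfError(rs.%SQLCODE, rs.%Message)
+set rs = ..ExecDirectNoPriv(sql,$username,productionName_"||")
+throw:rs.%SQLCODE<0 ##class(%Exception.SQL).CreateFromSQLCODE(rs.%SQLCODE,rs.%Message)
 while rs.%Next() {
 set items(rs.InternalName) = rs.Action
 }
 quit $$$OK
 }
 
+/// Executes a SQL query without privilege checking if possible on this IRIS version
+ClassMethod ExecDirectNoPriv(sql, args...) As %SQL.StatementResult
+{
+try {
+set rs = ##class(%SQL.Statement).%ExecDirectNoPriv(,sql,args...)
+} catch err {
+set rs = ##class(%SQL.Statement).%ExecDirect(,sql,args...)
+}
+return rs
+}
+
 }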
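Review bot: ExecDirectNoPriv, added at the end of the class, is a public ClassMethod that accepts arbitrary SQL text and runs it with privilege checking disabled, so it is reachable from any code that can call this class, not only from the four fixed, parameterized queries that use it in this commit. Assuming nothing outside this class calls it, declare it `ClassMethod ExecDirectNoPriv(sql, args...) As %SQL.StatementResult [ Internal, Private ]` and extend the `///` comment to say that `sql` must be a constant statement with all values bound through `args`. Its `catch err` also swallows every exception, not only the missing-method case that the fallback is presumably meant for on older IRIS versions; rethrowing anything else first, e.g. `throw:err.Name'="<METHOD DOES NOT EXIST>" err`, keeps unrelated failures from being silently retried through `%ExecDirect`. The same catch-all wraps `%PrepareClassQuery("%File","FileSet",0)` in DeleteProductionDefinitionShards, whose body starts and ends outside its hunk, and the bare `0` there deserves a short comment naming it as the privilege-check flag.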
