I agree. A database user is a better choice in this instance since it is easier to understand the effective permissions of that user. I think it is dangerous to encourage queries at the ORM level that bypass all safety checks the ORM provides. If we do this, we then have very little idea what a user can and cannot do via XMLRPC. Raw SQL can be extremely useful but also very dangerous. By creating a separate database user, you _explicitly_ define that user's level of access to the database. Thus, there is no surprise when an intern accidentally drops the entire database because you handed him a root PostgreSQL account. :)

On Tue, Oct 15, 2013 at 8:57 AM, Nicolas Bessi <[email protected]> wrote:
> Hello,
>
> You should take a look at erppeek; it is a nice abstraction library to
> interface OpenERP with external systems.
>
> If you really need fast read access to your system to do stats or what
> else, maybe you should set up a limited PostgreSQL user with strong
> authentication and read permission on the needed tables instead of using XMLRPC.
>
> My two cents
>
> Nicolas
>
>
> Christophe Dubuit <[email protected]> wrote:
>>
>> Okay, but what if this method were restricted to users with
>> "administrator" privileges only?
>>
>> Plus, we have to see the context. Someone who uses XMLRPC queries...
>> usually is an admin, don't you think?
>>
>> XMLRPC / JSON queries are for "behind work", "plumber work"... Not
>> really regular front users.
>>
>> CD
>>
>> ------------------------------
>> *From:* Alexandre Fayolle <[email protected]>
>> *To:* Christophe Dubuit <[email protected]>
>> *Cc:* "[email protected]" <[email protected]>
>> *Sent:* Tuesday 15 October 2013 13:40
>> *Subject:* Re: [Openerp-community] XMLRPC : special method for raw SQL
>> instead of search + read ?
>>
>>
>>
>> On Tue. 15 Oct. 2013 13:32:11 CEST, Christophe Dubuit wrote:
>> > Hello,
>> >
>> > [this is my first message to the mailing list]
>> >
>> > I would like to make a suggestion regarding XMLRPC (and even JSON).
>> >
>> > Would it be good to add a special method, in order to be able to send
>> > raw SQL queries (SELECT only)?
>> >
>> > Personal background: I've started to use XMLRPC (and some JSON) with
>> > OpenERP, and I've found it's much easier (and faster) to deal with SQL
>> > queries, rather than to compose XML queries for "search" and "read"
>> > methods.
>> >
>> > Each basic query needs 2 XMLRPC queries: first a search, to fetch the
>> > IDs, and then a read. And it's double work on the client side, to
>> > process all XML data that are returned. Then we have to manage domain,
>> > context etc.
>> >
>> > It's tedious work for a simple SELECT.
>> >
>> > And furthermore SQL is easier for complex queries, like JOIN.
>> >
>> > I'm not an expert, so maybe there is a technical reason for OpenERP to
>> > not go this way. If that's the case, could someone explain it to me?
>> >
>> > Some people advised me to develop my own module, that would allow the
>> > direct processing of SQL SELECT queries. But a real "standard"
>> > solution, plug and play, would always be better.
>> >
>> > What do you think about it?
>>
>>
>> I'd strongly advise against this: using raw SQL bypasses the
>> security rules which are enforced by the ORM.
>>
>>
>> --
>> Alexandre Fayolle
>> Project Manager
>> Tel : + 33 (0)4 79 26 57 94
>>
>> Camptocamp France SAS
>> Savoie Technolac, BP 352
>> 73377 Le Bourget du Lac Cedex
>> http://www.camptocamp.com
>>
>>
>> ------------------------------
>>
>> Mailing list: https://launchpad.net/~openerp-community
>> Post to     : [email protected]
>> Unsubscribe : https://launchpad.net/~openerp-community
>> More help   : https://help.launchpad.net/ListHelp

--
Brendan Clune
Information Technology
Logic Supply, Inc.
Direct: 802 861 7459 | Main: 802 861 2300
www.logicsupply.com | www.lgxsystems.com
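
The limited PostgreSQL user suggested in this thread, written out as an added example (it is not code from any of the posters or from OpenERP). The database name openerp_prod, the role name reporting_ro, the password placeholder and the choice of tables and columns are assumptions made for illustration.

```sql
-- Added example. Assumed names: database "openerp_prod", role "reporting_ro",
-- and the OpenERP tables/columns named in the GRANTs below.
-- Run as a superuser or the database owner, connected to openerp_prod.

-- 1. A login role with no administrative attributes and a bounded session count.
CREATE ROLE reporting_ro LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 5
    PASSWORD 'REPLACE_WITH_GENERATED_SECRET';  -- placeholder, not a real secret

-- 2. Let the role reach the database and schema, nothing more.
GRANT CONNECT ON DATABASE openerp_prod TO reporting_ro;
GRANT USAGE ON SCHEMA public TO reporting_ro;
-- Before PostgreSQL 15, PUBLIC may also CREATE in schema public. Revoking that
-- affects every role, so test it against the application account first.

-- 3. Read access only on what the reports need.
GRANT SELECT ON sale_order, sale_order_line, account_invoice TO reporting_ro;
-- Column-level grant: expose a few partner columns, not the whole row.
GRANT SELECT (id, name, country_id) ON res_partner TO reporting_ro;

-- 4. Guard rails. The role can override these with SET, so the GRANTs above
--    remain the actual access boundary.
ALTER ROLE reporting_ro SET default_transaction_read_only = on;
ALTER ROLE reporting_ro SET statement_timeout = '30s';

-- 5. Audit the effective permissions: table-level grants first...
SELECT table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'reporting_ro'
 ORDER BY table_name, privilege_type;

-- ...then spot checks on things that must and must not be allowed.
SELECT has_column_privilege('reporting_ro', 'res_partner', 'name', 'SELECT')
           AS can_read_partner_name,
       has_table_privilege('reporting_ro', 'res_partner', 'SELECT')
           AS can_read_whole_partner_row,
       has_table_privilege('reporting_ro', 'res_users', 'SELECT')
           AS can_read_users,
       has_table_privilege('reporting_ro', 'sale_order', 'DELETE')
           AS can_delete_orders;
```

For the "strong authentication" part of the suggestion, pair the role with a pg_hba.conf entry of type hostssl that admits it only from the reporting host.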

