[FW][FIX] *: domain field: option allow_expressions #210145

fw-bot · 2025-05-15T14:15:48Z

Some views use a domain widget to edit/save a domain and use it afterwards in several places where domains must have literals only. Typically, a literal_eval is used to evaluate the (string) domain. Thus expressions like "uid" or "context_today()"" should not be used in those contexts.
Here we introduce an option "allow_expressions" (default False) for the domain field and use it to mark as invalid domains that contain expressions when the option is set to False. A notification is displayed when a domain contains an unwanted expressions.

Since we cannot expect modules like base to be updated, we have to find another system to allow the usage of expressions in the form views for the models ir.filters and base.automation: we simply hardcode those models as allowing expressions. Since for these models, the evaluation of domains is done via safe_eval but with a restricted evaluation context, we also display a notification that alerts the user that the evaluation of expressions (although accepted by the domain field) can fail.

We revert the recent commit a678755 that introduced potentially problematic calls to safe_eval in order to allow evaluation of expressions.

Forward-Port-Of: #209960
Forward-Port-Of: #208876

Another fix is added here:

The domain field passes a new prop allowExpressions to the domain selector. If that prop is false (default true), the within operator is not proposed for selection for date/datetime fields. This is done to prevent users to introduce expressions in their domains when they are not supported.

robodoo · 2025-05-15T14:15:51Z

fw-bot · 2025-05-15T14:15:52Z

@Polymorphe57 @aab-odoo cherrypicking of pull request #208876 failed.

stdout:

Auto-merging addons/mail/tools/parser.py
CONFLICT (content): Merge conflict in addons/mail/tools/parser.py
Auto-merging addons/web/i18n/web.pot
Auto-merging addons/web/static/src/core/tree_editor/condition_tree.js
Auto-merging addons/web/static/src/views/fields/domain/domain_field.js
CONFLICT (content): Merge conflict in addons/web/static/src/views/fields/domain/domain_field.js
Auto-merging addons/web/static/tests/core/domain_field.test.js
CONFLICT (content): Merge conflict in addons/web/static/tests/core/domain_field.test.js
Auto-merging addons/website/controllers/model_page.py

Either perform the forward-port manually (and push to this branch, proceeding as usual) or close this PR (maybe?).

In the former case, you may want to edit this PR message as well.

⚠️ after resolving this conflict, you will need to merge it via @robodoo.

More info at https://github.com/odoo/odoo/wiki/Mergebot#forward-port

Some views use a domain widget to edit/save a domain and use it afterwards in several places where domains must have literals only. Typically, a literal_eval is used to evaluate the (string) domain. Thus expressions like "uid" or "context_today()"" should not be used in those contexts. Here we introduce an option "allow_expressions" (default False) for the domain field and use it to mark as invalid domains that contain expressions when the option is set to False. A notification is displayed when a domain contains an unwanted expressions. Since we cannot expect modules like base to be updated, we have to find another system to allow the usage of expressions in the form views for the models ir.filters and base.automation: we simply hardcode those models as allowing expressions. Since for these models, the evaluation of domains is done via safe_eval but with a restricted evaluation context, we also display a notification that alerts the user that the evaluation of expressions (although accepted by the domain field) can fail. We revert the recent commit odoo@f95c494 that introduced potentially problematic calls to safe_eval in order to allow evaluation of expressions. Forward-port-of: odoo#208876 X-original-commit: 329867a

The domain field passes a new prop allowExpressions to the domain selector. If that prop is false (default true), the within operator is not proposed for selection for date/datetime fields. This is done to prevent users to introduce expressions in their domains when they are not supported.

Polymorphe57 · 2025-05-16T15:29:45Z

@robodoo r+

robodoo · 2025-05-16T15:29:48Z

@Polymorphe57 @aab-odoo because this PR has multiple commits, I need to know how to merge it:

merge to merge directly, using the PR as merge commit message
rebase-merge to rebase and merge, using the PR as merge commit message
rebase-ff to rebase and fast-forward

Polymorphe57 · 2025-05-16T15:29:54Z

robodoo rebase-ff

robodoo · 2025-05-16T15:29:57Z

Merge method set to rebase and fast-forward.

Some views use a domain widget to edit/save a domain and use it afterwards in several places where domains must have literals only. Typically, a literal_eval is used to evaluate the (string) domain. Thus expressions like "uid" or "context_today()"" should not be used in those contexts. Here we introduce an option "allow_expressions" (default False) for the domain field and use it to mark as invalid domains that contain expressions when the option is set to False. A notification is displayed when a domain contains an unwanted expressions. Since we cannot expect modules like base to be updated, we have to find another system to allow the usage of expressions in the form views for the models ir.filters and base.automation: we simply hardcode those models as allowing expressions. Since for these models, the evaluation of domains is done via safe_eval but with a restricted evaluation context, we also display a notification that alerts the user that the evaluation of expressions (although accepted by the domain field) can fail. We revert the recent commit f95c494 that introduced potentially problematic calls to safe_eval in order to allow evaluation of expressions. Forward-port-of: #208876 X-original-commit: 329867a Part-of: #210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

Some views use a domain widget to edit/save a domain and use it afterwards in several places where domains must have literals only. Typically, a literal_eval is used to evaluate the (string) domain. Thus expressions like "uid" or "context_today()"" should not be used in those contexts. Here we introduce an option "allow_expressions" (default False) for the domain field and use it to mark as invalid domains that contain expressions when the option is set to False. A notification is displayed when a domain contains an unwanted expressions. Since we cannot expect modules like base to be updated, we have to find another system to allow the usage of expressions in the form views for the models ir.filters and base.automation: we simply hardcode those models as allowing expressions. Since for these models, the evaluation of domains is done via safe_eval but with a restricted evaluation context, we also display a notification that alerts the user that the evaluation of expressions (although accepted by the domain field) can fail. We revert the recent commit odoo@f95c494 that introduced potentially problematic calls to safe_eval in order to allow evaluation of expressions. Forward-port-of: odoo#208876 X-original-commit: 329867a Part-of: odoo#210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

The domain field passes a new prop allowExpressions to the domain selector. If that prop is false (default true), the within operator is not proposed for selection for date/datetime fields. This is done to prevent users to introduce expressions in their domains when they are not supported. closes odoo#210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

Some views use a domain widget to edit/save a domain and use it afterwards in several places where domains must have literals only. Typically, a literal_eval is used to evaluate the (string) domain. Thus expressions like "uid" or "context_today()"" should not be used in those contexts. Here we introduce an option "allow_expressions" (default False) for the domain field and use it to mark as invalid domains that contain expressions when the option is set to False. A notification is displayed when a domain contains an unwanted expressions. Since we cannot expect modules like base to be updated, we have to find another system to allow the usage of expressions in the form views for the models ir.filters and base.automation: we simply hardcode those models as allowing expressions. Since for these models, the evaluation of domains is done via safe_eval but with a restricted evaluation context, we also display a notification that alerts the user that the evaluation of expressions (although accepted by the domain field) can fail. We revert the recent commit odoo@f95c494 that introduced potentially problematic calls to safe_eval in order to allow evaluation of expressions. Forward-port-of: odoo#208876 X-original-commit: 329867a Part-of: odoo#210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

The domain field passes a new prop allowExpressions to the domain selector. If that prop is false (default true), the within operator is not proposed for selection for date/datetime fields. This is done to prevent users to introduce expressions in their domains when they are not supported. closes odoo#210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

Some views use a domain widget to edit/save a domain and use it afterwards in several places where domains must have literals only. Typically, a literal_eval is used to evaluate the (string) domain. Thus expressions like "uid" or "context_today()"" should not be used in those contexts. Here we introduce an option "allow_expressions" (default False) for the domain field and use it to mark as invalid domains that contain expressions when the option is set to False. A notification is displayed when a domain contains an unwanted expressions. Since we cannot expect modules like base to be updated, we have to find another system to allow the usage of expressions in the form views for the models ir.filters and base.automation: we simply hardcode those models as allowing expressions. Since for these models, the evaluation of domains is done via safe_eval but with a restricted evaluation context, we also display a notification that alerts the user that the evaluation of expressions (although accepted by the domain field) can fail. We revert the recent commit odoo/odoo@f95c494 that introduced potentially problematic calls to safe_eval in order to allow evaluation of expressions. Forward-port-of: #208876 X-original-commit: 329867ade9a6767388511b81fd0cb298a720657e Part-of: odoo/odoo#210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

The domain field passes a new prop allowExpressions to the domain selector. If that prop is false (default true), the within operator is not proposed for selection for date/datetime fields. This is done to prevent users to introduce expressions in their domains when they are not supported. closes odoo/odoo#210145 Related: odoo/enterprise#85620 Signed-off-by: Aaron Bohy (aab) <aab@odoo.com> Signed-off-by: Mathieu Duckerts-Antoine (dam) <dam@odoo.com>

robodoo added forwardport This PR was created by @fw-bot conflict There was an error while creating this forward-port PR labels May 15, 2025

C3POdoo added the RD research & development, internal work label May 15, 2025

Polymorphe57 force-pushed the 18.0-17.0-literal-mode-for-domain-field-dam-436114-fw branch 3 times, most recently from 841b92f to ab457af Compare May 16, 2025 11:26

C3POdoo requested review from a team, aab-odoo and kebeclibre and removed request for a team May 16, 2025 11:26

Polymorphe57 force-pushed the 18.0-17.0-literal-mode-for-domain-field-dam-436114-fw branch from ab457af to 678a0fa Compare May 16, 2025 11:29

Polymorphe57 force-pushed the 18.0-17.0-literal-mode-for-domain-field-dam-436114-fw branch 5 times, most recently from 6fc45ae to a036f18 Compare May 16, 2025 12:03

Polymorphe57 force-pushed the 18.0-17.0-literal-mode-for-domain-field-dam-436114-fw branch from a036f18 to e287f35 Compare May 16, 2025 12:04

robodoo closed this in e22a5a3 May 17, 2025

robodoo temporarily deployed to merge May 17, 2025 04:00 Inactive

fw-bot mentioned this pull request May 17, 2025

[FW][FIX] *: domain field: option allow_expressions #210482

Closed

fw-bot deleted the 18.0-17.0-literal-mode-for-domain-field-dam-436114-fw branch May 24, 2025 04:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[FW][FIX] *: domain field: option allow_expressions #210145

[FW][FIX] *: domain field: option allow_expressions #210145

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[FW][FIX] *: domain field: option allow_expressions #210145

[FW][FIX] *: domain field: option allow_expressions #210145

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!