From 106f3834062033c784b12e53d997599934e9bd74 Mon Sep 17 00:00:00 2001 From: Grzegorz Marczynski Date: Tue, 5 Apr 2022 08:28:53 +0200 Subject: [PATCH 1/2] [IMP] make the list of progress bars in the navabr dropdown scrollable --- web_progress/static/src/css/views.css | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/web_progress/static/src/css/views.css b/web_progress/static/src/css/views.css index de0f6b8..81a7cd0 100644 --- a/web_progress/static/src/css/views.css +++ b/web_progress/static/src/css/views.css @@ -54,4 +54,10 @@ margin: 10px; width: 350px; overflow: auto; -} \ No newline at end of file +} + +.o_progress_navbar_dropdown { + overflow: auto; + max-height: 90vh; + padding-right: 5px; +} From 6f99a05bb850358e164395fda7dbc4a7a3273207 Mon Sep 17 00:00:00 2001 From: Grzegorz Marczynski Date: Thu, 10 Aug 2023 21:06:20 +0200 Subject: [PATCH 2/2] [FIX] Escape parameter of SQL query, closes #34 --- web_progress/models/web_progress.py | 4 +-- web_progress/tests/test_web_progress.py | 33 ++++++++++++++++++++++++- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/web_progress/models/web_progress.py b/web_progress/models/web_progress.py index f5a3539..1b29ce0 100644 --- a/web_progress/models/web_progress.py +++ b/web_progress/models/web_progress.py @@ -158,7 +158,7 @@ def get_all_progress(self, recency=_progress_period_secs * 2): """ query = """ SELECT code, array_agg(state) FROM web_progress - WHERE create_date > timezone('utc', now()) - INTERVAL '{recency} SECOND' + WHERE create_date > timezone('utc', now()) - INTERVAL '%s SECOND' AND recur_depth = 0 {user_id} GROUP BY code """.format( @@ -168,7 +168,7 @@ def get_all_progress(self, recency=_progress_period_secs * 2): user_id=self.env.user.id, ) or '') # superuser has right to see (and cancel) progress of everybody - self.env.cr.execute(query) + self.env.cr.execute(query, (recency, )) result = self.env.cr.fetchall() ret = [{ 'code': r[0], 
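Review bot: In the `get_all_progress` hunks of web_progress/models/web_progress.py the placeholder now sits inside a quoted literal (`INTERVAL '%s SECOND'`), which psycopg2's documentation advises against: the driver adapts a string argument with its own surrounding quotes, so the literal is closed early and the argument's text ends up outside it. The new test's expectation of a database `SyntaxError` is consistent with that, meaning the input still alters the statement's structure instead of being bound as a value. Keep the placeholder outside any quotes and coerce the value first, e.g. `WHERE create_date > timezone('utc', now()) - INTERVAL '1 SECOND' * %s` with `self.env.cr.execute(query, (float(recency or 0), ))`, so a non-numeric `recency` fails in Python before it reaches the database. The function body starts and ends outside both hunks, so whether `recency` is still passed to `.format()` cannot be checked from here.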
diff --git a/web_progress/tests/test_web_progress.py b/web_progress/tests/test_web_progress.py
index cbfd2c6..4eea2ec 100644
--- a/web_progress/tests/test_web_progress.py
+++ b/web_progress/tests/test_web_progress.py
@@ -1,5 +1,7 @@
 from odoo.tests import common
-from odoo import exceptions
+from odoo import exceptions, api, registry
+from odoo.tools import mute_logger
+from psycopg2.errors import SyntaxError
 import uuid
 import logging
 from ..models.web_progress import last_report_time
@@ -116,3 +118,32 @@ def test_web_progress_percent(self):
 self.partner_ids.web_progress_percent(0, "Start")
 self.partner_ids.web_progress_percent(50, "Middle")
 self.partner_ids.web_progress_percent(100, "End")
+
+
+class WebProgressTestAllProgress(common.SavepointCase):
+ at_install = True
+ post_install = False
+
+ @mute_logger('odoo.sql_db')
+ def test_get_all_progress(self):
+ """
+ Check call to get_all_progress without and with parameters.
+ Verify if the parameter is properly escaped in the internal SQL query.
+ """
+ progress_code = str(uuid.uuid4())
+ partner_obj = self.env['res.partner'].with_context(progress_code=progress_code)
+ partner_obj.web_progress_percent(0, "Start")
+ with api.Environment.manage():
+ with registry(self.env.cr.dbname).cursor() as new_cr:
+ # Create a new environment with a new cursor
+ new_env = api.Environment(new_cr, self.env.uid, self.env.context)
+ progress_obj = self.env['web.progress'].with_env(new_env)
+ res = progress_obj.get_all_progress()
+ self.assertEqual(res, [{'code': progress_code}])
+ res = progress_obj.get_all_progress(0)
+ self.assertEqual(res, [])
+ with self.assertRaises(SyntaxError) as e:
+ progress_obj.get_all_progress("0 SECOND' GROUP BY code; "
+ "SELECT code, array_agg(state) FROM web_progress "
+ "WHERE create_date > timezone('utc', now()) - INTERVAL '10")
+ new_cr.rollback()
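Review bot: `from psycopg2.errors import SyntaxError` shadows Python's builtin `SyntaxError` for the whole test module; importing the module and writing `with self.assertRaises(psycopg2.errors.SyntaxError):` keeps the two apart, and the unused `as e` can be dropped. In `test_get_all_progress` the hostile string is expected to reach PostgreSQL and fail there, which pins an error from the server's parser rather than showing that the value was bound as a parameter. If `get_all_progress` validated `recency` itself, the assertion could target that rejection, followed by a check that the entry for `progress_code` is still returned. `@mute_logger('odoo.sql_db')` hides the failing statement from the log, so a comment such as `# the rejected query is expected; silence the SQL error log` would explain why it is there.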