Opened 5 years ago
Closed 5 years ago
#30888 closed Uncategorized (duplicate)
Dangerous behavior for queryset combinator
Reported by: | wckao | Owned by: | nobody |
---|---|---|---|
Component: | Database layer (models, ORM) | Version: | 2.2 |
Severity: | Normal | Keywords: | queryset combinator filter |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Although it is documented that after a queryset combinator (union / intersection / difference) is used, "only LIMIT, OFFSET, COUNT(*), ORDER BY, and specifying columns (i.e. slicing, count(), order_by(), and values()/values_list()) are allowed on the resulting QuerySet", when other unsupported filtering is used it is simply ignored instead of throwing an exception, which can be dangerous and hard to discover/debug.
For example,
User.objects.filter(is_active=True).union(User.objects.filter(is_active=False)).filter(is_active=True)
will actually return all users instead of just active users, without any warning or exception.
The last filter is simply discarded and ignored.
Duplicate of #27995. Is fixed for Django 3.0.
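For code bases still on an affected version, the pattern described in this ticket can be caught statically. The following is an added example, not part of the ticket or of Django: a standard-library `ast` check that reports calls chained directly after a combinator. The function names, the `UNSUPPORTED` method set (the ticket only shows `filter()`) and the sample source are assumptions made for the example.

```python
import ast

COMBINATORS = {"union", "intersection", "difference"}
# Assumption: methods treated as unsupported here; the ticket itself only shows filter().
UNSUPPORTED = {"filter", "exclude", "annotate", "distinct"}
# Allowed after a combinator per the documentation quoted in the ticket.
PASS_THROUGH = {"order_by", "values", "values_list"}

def _combinator_below(node):
    """Return the combinator name if `node` is built directly on a combined queryset."""
    while True:
        if isinstance(node, ast.Subscript):          # slicing, e.g. qs[:10]
            node = node.value
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            name = node.func.attr
            if name in COMBINATORS:
                return name
            if name not in PASS_THROUGH:
                return None
            node = node.func.value                   # keep walking down the chain
        else:
            return None

def find_ignored_filters(source):
    """Return sorted (line, method, combinator) for calls chained after a combinator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in UNSUPPORTED):
            combinator = _combinator_below(node.func.value)
            if combinator:
                findings.append((node.lineno, node.func.attr, combinator))
    return sorted(findings)

# Constructed sample: line 1 is the ticket's expression, line 2 uses only allowed
# operations, line 3 hides the combinator behind an allowed order_by().
SAMPLE = (
    "bad = User.objects.filter(is_active=True).union(User.objects.filter(is_active=False)).filter(is_active=True)\n"
    "ok = User.objects.filter(is_active=True).union(Staff.objects.filter(is_active=True)).order_by('id')[:10]\n"
    "bad2 = a.difference(b).order_by('id').exclude(is_staff=True)\n"
)

if __name__ == "__main__":
    for line, method, combinator in find_ignored_filters(SAMPLE):
        print(f"line {line}: .{method}() after .{combinator}() is silently ignored")
```

The check only follows a single chained expression; a combined queryset that is first assigned to a variable and filtered later is not detected, and any non-Django object with the same method names will also be reported.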