diff options
| author | Anubhav Joshi <anubhav9042@gmail.com> | 2014-08-10 18:23:37 +0530 |
|---|---|---|
| committer | Anssi Kääriäinen <akaariai@gmail.com> | 2014-08-11 09:51:57 +0300 |
| commit | cdfdcf4b70bebfc68871df885387790c6afbc23c (patch) | |
| tree | eb73c2932c8131cc0abc24155253f6a91839d7df /django/db/models/sql | |
| parent | f0b358880a6825d667c037757caac470bc526a1f (diff) | |
Fixed #23266 -- Prevented queries caused by type checking lookup values
Small modifications done by committer.
Diffstat (limited to 'django/db/models/sql')
| -rw-r--r-- | django/db/models/sql/query.py | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 89fba2b56a..a590f2796e 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1104,8 +1104,19 @@ class Query(object): if field.rel: # testing for iterable of models if hasattr(value, '__iter__'): - for v in value: - self.check_query_object_type(v, opts) + # Check if the iterable has a model attribute, if so + # it is likely something like a QuerySet. + if hasattr(value, 'model') and hasattr(value.model, '_meta'): + model = value.model + if not (model == opts.concrete_model + or opts.concrete_model in model._meta.get_parent_list() + or model in opts.get_parent_list()): + raise ValueError( + 'Cannot use QuerySet for "%s": Use a QuerySet for "%s".' % + (model._meta.model_name, opts.object_name)) + else: + for v in value: + self.check_query_object_type(v, opts) else: # expecting single model instance here self.check_query_object_type(value, opts) |
