path: root/django/db/models/sql/query.py
Age  Commit message  (Author)
2024-08-06  [5.1.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.  (Simon Charette)
Thanks Eyal (eyalgabay) for the report.
2024-04-23  Refs #35356 -- Clarified select related with masked field logic.  (Simon Charette)
By always including related objects in the select mask via adjusting the defer logic (_get_defer_select_mask()), it becomes possible for select_related_descend() to treat forward and reverse relationships indistinctively. This work also simplifies and adds comments to select_related_descend() to make it easier to understand.
2024-04-23  Fixed #35356 -- Deferred self-referential foreign key fields adequately.  (Simon Charette)
While refs #34612 surfaced issues with reverse one-to-one fields deferrals, it missed that switching to storing remote fields would break self-referential relationships. This change switches to storing related objects in the select mask instead of remote fields to prevent collisions when dealing with self-referential relationships that might have a different directional mask. Although fixing #21204 introduced a crash under some self-referential deferral conditions, it was simply not working even before that as it aggregated the sets of deferred fields by model. Thanks Joshua van Besouw for the report and Mariusz Felisiak for the review.
2024-02-07  Fixed #35099 -- Prevented mutating queryset when combining with & and | operators.  (Hisham Mahmood)
Thanks Alan for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-01-29  Fixed #35135 -- Made FilteredRelation raise ValueError on querysets as rhs.  (Nicolas Delaby)
Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
2024-01-26  Applied Black's 2024 stable style.  (Mariusz Felisiak)
https://github.com/psf/black/releases/tag/24.1.0
2024-01-15  Refs #35102 -- Optimized replace_expressions()/relabelling aliases by adding early return.  (Mariusz Felisiak)
This avoids costly hashing. Thanks Anthony Shaw for the report. Co-Authored-By: Simon Charette <charette.s@gmail.com>
2023-12-23  Fixed #35050 -- Fixed prefixing field names in FilteredRelation().  (David Wobrock)
Thanks Mark Zorn for the report. Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
2023-12-16  Fixed #35042 -- Fixed a count() crash on combined queries.  (Simon Charette)
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Thanks Marcin for the report.
2023-11-18  Refs #34717 -- Avoided computing aggregate refs twice.  (Simon Charette)
2023-11-18  Refs #34975 -- Complemented rhs filtering aggregations for __in lookup.  (Simon Charette)
While this isn't a regression it's clear that similar logic should be applied when dealing with lists of expressions passed as a lookup value.
2023-11-18  Fixed #34975 -- Fixed crash of conditional aggregate() over aggregations.  (Simon Charette)
Adjustments made to solve_lookup_type to defer the resolving of references for summarized aggregates failed to account for similar requirements for lookup values which can also reference annotations through Aggregate.filter. Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d. Refs #25307. Thanks Sergey Nesterenko for the report.
2023-10-16  Fixed #34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries.  (Simon Charette)
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7, complements e5c844d6f2a4ac6ae674d741b5f1fa2a688cedf4. Refs #28477, #34551. Thanks Haldun Komsuoglu for the report.
2023-08-11  Fixed #34362 -- Fixed FilteredRelation() crash on conditional expressions.  (Francesco Panico)
Thanks zhu for the report and Simon Charette for reviews.
2023-08-11  Fixed #34743 -- Fixed Meta.constraints validation crash when using pk.  (Francesco Panico)
Thanks Nwawel A Iroume for the report.
2023-08-02  Removed unneeded escapes in regexes.  (Mariusz Felisiak)
Special characters lose their special meaning inside sets of characters. "-" loses its special meaning if it's placed as the first or last character. Follow up to 7c6b66383da5f9a67142334cd2ed2d769739e8f1.
2023-08-01  Fixed #34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations.  (Mariusz Felisiak)
Thanks Toan Vuong for the report. Thanks Simon Charette for the review. Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7.
2023-07-21  Refs #34362 -- Added get_child_with_renamed_prefix() hook.  (Francesco Panico)
2023-07-19  Fixed #34717 -- Fixed QuerySet.aggregate() crash when referencing window functions.  (Simon Charette)
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks younes-chaoui for the report.
2023-06-14  Refs #32143 -- Removed superfluous constraints on excluded query.  (Simon Charette)
The outer query reference is not necessary when alias can be reused and can even be harmful by confusing query planners. Refs #34597.
2023-06-14  Refs #32143 -- Adjusted a comment about subquery usage in Query.split_exclude().  (Simon Charette)
2023-06-01  Fixed #34612 -- Fixed QuerySet.only() crash on reverse relationships.  (Simon Charette)
Regression in b3db6c8dcb5145f7d45eff517bcd96460475c879. Thanks Ian Cubitt for the report. This also corrected test_inheritance_deferred2() test which was previously properly defined and marked as an expected failure but was then wrongly adjusted to mask the lack of support for per-alias deferral that was fixed by #21204.
2023-05-23  Fixed #34551 -- Fixed QuerySet.aggregate() crash when referencing subqueries.  (Simon Charette)
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks Denis Roldán and Mariusz for the test.
2023-05-23  Refs #34551 -- Fixed QuerySet.aggregate() crash on preceding aggregation reference.  (Simon Charette)
Regression in 1297c0d0d76a708017fe196b61a0ab324df76954. Refs #31679.
2023-05-17  Fixed #34570 -- Silenced noop deferral of many-to-many and GFK.  (Simon Charette)
While deferring many-to-many and GFK has no effect, the previous implementation of QuerySet.defer() ignored them instead of crashing. Regression in b3db6c8dcb5145f7d45eff517bcd96460475c879. Thanks Paco Martínez for the report.
2023-04-24  Refs #33766 -- Removed sql.Query.build_filtered_relation_q().  (Simon Charette)
It was a copy of sql.Query._add_q that avoided JOIN updates.
2023-04-24  Fixed #33766 -- Resolved FilteredRelation.condition at referencing time.  (Simon Charette)
The previous implementation resolved condition at Join compilation time which required introducing a specialized expression resolving mode to alter the join reuse logic solely during that phase. FilteredRelation.condition is now resolved when the relation is first referenced which maintains the existing behavior while allowing the removal of the specialized resolving mode and address an issue where conditions couldn't spawn new joins.
2023-04-07  Fixed #34464 -- Fixed queryset aggregation over group by reference.  (Simon Charette)
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks Ian Cubitt for the report.
2023-04-05  Fixed #34458 -- Fixed QuerySet.defer() crash on attribute names.  (Simon Charette)
Thanks Andrew Cordery for the report. Regression in b3db6c8dcb5145f7d45eff517bcd96460475c879.
2023-04-04  Fixed #34450 -- Fixed multi-valued JOIN reuse when filtering by expressions.  (Simon Charette)
Thanks Roman Odaisky for the report.
2023-03-28  Refs #29799 -- Added field instance lookups to suggestions in FieldErrors.  (Mariusz Felisiak)
Bug in cd1afd553f9c175ebccfc0f50e72b43b9604bd97.
2023-03-25  Fixed #34437 -- Made values() resolving error mention selected annotations.  (Simon Charette)
While the add_fields() call from set_values() does trigger validation it does so after annotations are masked resulting in them being excluded from the choices of valid options surfaced through a FieldError.
2023-03-24  Fixed #28553 -- Fixed annotation mismatch with QuerySet.values()/values_list() on compound queries.  (David Wobrock)
Co-authored-by: Matthias Kestenholz <mk@feinheit.ch>
2023-03-20  Fixed some typos in comments, docstrings, and tests.  (Liyang Zhang)
2023-01-18  Refs #34233 -- Used str.removeprefix()/removesuffix().  (Mariusz Felisiak)
2023-01-09  Fixed #34176 -- Fixed grouping by ambiguous aliases.  (Simon Charette)
Regression in b7b28c7c189615543218e81319473888bc46d831. Refs #31377. Thanks Shai Berger for the report and reviews. test_aggregation_subquery_annotation_values_collision() has been updated as queries that are explicitly grouped by a subquery should always be grouped by it and not its outer columns even if its alias collides with referenced table columns. This was not possible to accomplish at the time 10866a10 landed because we didn't have compiler level handling of colliding aliases.
2022-12-01  Refs #33308 -- Deprecated support for passing encoded JSON string literals to JSONField & co.  (Simon Charette)
JSON should be provided as literal Python objects and not in their encoded string literal forms.
2022-11-23  Fixed #31679 -- Delayed annotating aggregations.  (Simon Charette)
By avoiding to annotate aggregations meant to be possibly pushed to an outer query until their references are resolved it is possible to aggregate over a query with the same alias. Even if #34176 is a convoluted case to support, this refactor seems worth it given the reduction in complexity it brings with regards to annotation removal when performing a subquery pushdown.
2022-11-14  Refs #25307 -- Replaced SQLQuery.rewrite_cols() by replace_expressions().  (Simon Charette)
The latter offers a more generic interface that doesn't require specialized expression types handling.
2022-11-14  Reduced nesting inside Query.get_aggregation().  (Simon Charette)
2022-11-14  Refs #28477 -- Fixed handling aliased annotations on aggregation.  (Simon Charette)
Just like when using .annotate(), the .alias() method will generate the necessary JOINs to resolve the alias even if not selected. Since these JOINs could be multi-valued non-selected aggregates must be considered to require subquery wrapping as a GROUP BY is required to combine duplicated tuples from the base table. Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7.
2022-11-11  Refs #28477 -- Reduced complexity of aggregation over qualify queries.  (Simon Charette)
2022-11-09  Fixed #28477 -- Stripped unused annotations on aggregation.  (Simon Charette)
Also avoid an unnecessary pushdown when aggregating over a query that doesn't have aggregate annotations.
2022-10-31  Used more augmented assignment statements.  (Nick Pope)
Identified using the following command: $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
2022-10-06  Refs #30158 -- Removed alias argument for Expression.get_group_by_cols().  (Simon Charette)
Recent refactors allowed GROUP BY aliasing to be entirely handled by the sql.Query.set_group_by and compiler layers.
2022-10-06  Refs #33992 -- Refactored subquery grouping logic.  (Simon Charette)
This required moving the combined queries slicing logic to the compiler in order to allow Query.exists() to be called at expression resolving time. It allowed for Query.exists() to be called at Exists() initialization time and thus ensured that get_group_by_cols() was operating on the terminal representation of the query that only has a single column selected.
2022-10-06  Refs #33308 -- Enabled explicit GROUP BY and ORDER BY aliases.  (Simon Charette)
This ensures explicit grouping from using values() before annotating an aggregate function groups by selected aliases if supported. The GROUP BY feature is disabled on Oracle because it doesn't support it.
2022-10-04  Fixed #34012 -- Made QuerySet.order_by() apply transforms on related fields for models with Meta.ordering.  (David Sanders)
This makes QuerySet.order_by() no longer ignore trailing transforms for models with Meta.ordering. As a consequence, FieldError is raised in such cases for non-existent fields. Thanks to Klaas van Schelven for the report and Mariusz Felisiak for the review and advice.
2022-09-22  Fixed #34015 -- Allowed filtering by transforms on relation fields.  (Mariusz Felisiak)
2022-09-09  Fixed #33975 -- Fixed __in lookup when rhs is a queryset with annotate() and alias().  (DevilsAutumn)
This fixes clearing selected fields.