| Age | Commit message (Collapse) | Author |
|
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
|
|
injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
|
|
values()/values_list().
Thanks Jacob Walls and Simon Charette for tests.
Signed-off-by: SaJH <wogur981208@gmail.com>
Backport of bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a from main
|
|
composite pk selects too many columns.
Backport of 994dc6d8a1bae717baa236b65e11cf91ce181c53 from main.
|
|
values()/values_list().
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for
annotations to be SELECT'ed before model field references through
values()/values_list() and broke assumptions the select_for_update(of)
table infererence logic had about model fields always being first.
Refs #28900.
Thanks OutOfFocus4 for the report and Sarah for the test.
Backport of 71a19a0e475165dbc14c1fe02f552013ee670e4c from main
|
|
values().
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Refs #28900.
Thanks Jeff Iadarola for the report and tests.
Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main
|
|
transforms and references.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Refs #28900
Thanks Patrick Altman for the report.
Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main
|
|
Adding proper support for subquery right-hand-sides to TupleIn made it
obsolete.
Backport of d386405e04dac50656af50d100a14efdf8c58e8f from main
Co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
lookups.
Non-tuple exact and in lookups have specialized logic for subqueries that can
be adapted to properly assign select mask if unspecified and ensure the number
of involved members are matching on both side of the operator.
Backport of 41239fe34d64e801212dccaa4585e4802d0fac68 from main.
|
|
The original queryset._next_is_sticky() call never had the intended effect as
no further filtering was applied internally after the pk__in lookup making it
a noop.
In order to be coherent with how related filters are applied when retrieving
objects from a related manager the effects of what calling _next_is_sticky()
prior to applying annotations and filters to the queryset provided for
prefetching are emulated by allowing the reuse of all pre-existing JOINs.
Thanks David Glenck and Thiago Bellini Ribeiro for the detailed reports and
tests.
Backport of 2598b371a93e21d84b7a2a99b2329535c8c0c138 from main.
|
|
reference value.
Thanks Jacob Walls for the report and test.
Backport of efec74b90868c2e611f863bf4301d92ce08067e8 from main.
|
|
key field with QuerySet.update().
Backport of 72ff18d41cfb004ae180bdf87fd8bad93041c691 from main.
|
|
joins.
Backport of 8eca4077f60fa0705ecfd9437c9ceaeef7a3808b from main.
|
|
The previous logic was systematically attempting to retrieve last_insert_id
even for models without an AutoField primary key when they had a GeneratedField
on backends that can't return columns from INSERT.
The issue affected MySQL, SQLite < 3.35, and Oracle when the use_returning_into
option was disabled and could result in either crashes when the non-auto
primary key wasn't an IntegerField subclass or silent misassignment of bogus
insert ids (0 or the previous auto primary key insert value) to the first
defined generated field value.
|
|
This logic could only be exercised if the composite primary key included an
AutoField but it's not allowed yet (refs #35957).
It was also slightly broken as it expected the AutoField to always be the first
member of returning_fields.
|
|
Thanks Jacob Walls for the report and test and Csirmaz Bendegúz for the review.
|
|
|
|
FilteredRelation.
|
|
By building the list of placeholders for each inserted fields once it
doesn't have to be looked up for each inserted rows twice.
The query_values_10000.benchmark.QueryValues10000.time_query_values_10000 ASV
benchmark showed a 5% speed up for 10k items on SQLite for a single field
insertion. Larger performance gains are expected when more fields are involved.
|
|
Thanks Lily Foote and Simon Charette for reviews and mentoring
this Google Summer of Code 2024 project.
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Lily Foote <code@lilyf.org>
|
|
Just like normal queries, combined queries' outer references might fully
resolve before their reference is assigned its final alias.
Refs #29338.
Thanks Antony_K for the report and example, and thanks Mariusz Felisiak
for the review.
|
|
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres.
Co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
against JSON fields.
Thanks Eyal (eyalgabay) for the report.
|
|
containing "__".
Regression in b0ad41198b3e333f57351e3fce5a1fb47f23f376.
Refs #34013. The initial logic did not consider that annotation aliases
can include lookup or transform separators.
Thanks Gert Van Gool for the report and Mariusz Felisiak for the review.
|
|
|
|
|
|
a query.
|
|
While refs #34125 focused on the SQL correctness of slicing of union of
potentially empty queries it missed an optimization opportunity to avoid
performing a query at all when all queries are empty.
Thanks Lucidiot for the report.
|
|
It was added in 01d440fa1e6b5c62acfa8b3fde43dfa1505f93c6 to
prevent "RuntimeError: OrderedDict mutated during iteration".
That particular issue was fixed in d660cee5bc68b597503c2a16f3d9928d52f93fb4
but the issue could remain in Join.as_sql() subclasses.
Co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
Follow up from f7f5edd50d03e8482f8a6da5fb5202b895d68cd6.
|
|
|
|
This should ensure it never drifts from Query.selected while maintaining
backward compatibility.
|
|
Previously, only the selected column aliases would be propagated and
annotations were ignored.
|
|
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.
This commits introduces a new `Query.selected` propery that keeps tracks of the
global select order as specified by on values assignment. This is crucial
feature to allow the combination of queries mixing annotations and table
references.
It also allows the removal of the re-ordering shenanigans perform by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.
Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67.
Thanks Mariusz Felisiak and Sarah Boyce for review.
|
|
This avoids manual .annotations and .append_annotation_mask manipulations.
|
|
By always including related objects in the select mask via adjusting the
defer logic (_get_defer_select_mask()), it becomes possible for
select_related_descend() to treat forward and reverse relationships
indistinctively.
This work also simplifies and adds comments to
select_related_descend() to make it easier to understand.
|
|
While refs #34612 surfaced issues with reverse one-to-one fields
deferrals, it missed that switching to storing remote fields would break
self-referential relationships.
This change switches to storing related objects in the select mask
instead of remote fields to prevent collisions when dealing with
self-referential relationships that might have a different directional
mask.
Despite fixing #21204 introduced a crash under some self-referential
deferral conditions, it was simply not working even before that as it
aggregated the sets of deferred fields by model.
Thanks Joshua van Besouw for the report and Mariusz Felisiak for the
review.
|
|
co-authored-by: Gordon <gordon.wrigley@gmail.com>
co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
co-authored-by: Keryn Knight <keryn@kerynknight.com>
co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
co-authored-by: David Smith <smithdc@gmail.com>
co-authored-by: Paolo Melchiorre <paolo@melchiorre.org>
|
|
operators.
Thanks Alan for the report.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
|
|
https://github.com/psf/black/releases/tag/24.1.0
|
|
early return.
This avoids costly hashing.
Thanks Anthony Shaw for the report.
Co-Authored-By: Simon Charette <charette.s@gmail.com>
|
|
Thanks Mark Zorn for the report.
Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
|
|
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7.
Thanks Marcin for the report.
|
|
Thanks Eugene Morozov and Ben Nace for the reports.
|
|
GeneratedField.output_field with backend converters.
Regression in d9de74141e8a920940f1b91ed0a3ccb835b55729.
This is a long standing issue, however it caused a crash of
GeneratedFields for all output fields that have backend-specific
converters when the RETURNING clause is not supported
(MySQL and SQLite < 3.35).
That's why severity was exacerbated.
|
|
|
|
While this isn't a regression it's clear that similar logic should be
applied when dealing with lists of expressions passed as a lookup value.
|
|
Adjustments made to solve_lookup_type to defer the resolving of
references for summarized aggregates failed to account for similar
requirements for lookup values which can also reference annotations
through Aggregate.filter.
Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d.
Refs #25307.
Thanks Sergey Nesterenko for the report.
|