Re: [Sqlalchemy-tickets] [sqlalchemy] #2951: Confusing Query.get() behaviour. Possible insufficient
From: sqlalchemy <mi...@zz...> - 2014-02-10 21:46:40
#2951: Confusing Query.get() behaviour. Possible insufficient criterion checking.
-----------------------------------+-----------------------------------
Reporter: enomad | Owner: zzzeek
Type: defect | Status: closed
Priority: high | Milestone: 0.8.xx
Component: orm | Severity: trivial - <10 minutes
Resolution: fixed | Keywords: Query get criterion
Progress State: completed/closed |
-----------------------------------+-----------------------------------
Comment (by enomad):
>please explain fully why you think this bug is a security breach
It can be a security breach... when we want to check ownership of a related
item by something like
{{{
# Ownership-scoped lookup: the item id and the current user are criteria
# of the same query, so an item belonging to another user cannot match.
item = (Item.query.join(User)
        .filter(User.id == current_user.id)
        .filter(Item.id == requested_item)
        .first())        # .first() returns None when nothing matches; .one() would raise
if item is None:
    abort(404)           # Flask-style abort; a bare "raise 404" is not valid Python
}}}
and think of get(id) as sugar for filter_by(id=id).one()
--
Ticket URL: <http://www.sqlalchemy.org/trac/ticket/2951#comment:3>
sqlalchemy <http://www.sqlalchemy.org/>
The Database Toolkit for Python
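The pitfall the reporter describes is that a primary-key lookup such as get(id) is served from the identity map (or a key-only SELECT) before any filter criteria are considered, so an ownership check written as a filter may never be applied. The following is an added example, not code from the ticket or from SQLAlchemy: it models that behaviour with a toy identity map over plain sqlite3 so it runs offline, and contrasts it with a lookup that carries the owner criterion in the query itself. The schema, rows and function names are constructed for the illustration.

```python
import sqlite3

# Constructed schema and rows for the demonstration (not from the ticket).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE items (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES users(id),
    title TEXT NOT NULL
);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO items VALUES (10, 1, 'alice private note'), (20, 2, 'bob private note');
"""


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


class IdentityMap:
    """Toy stand-in for an ORM identity map: objects are cached by primary key only."""

    def __init__(self):
        self._objects = {}

    def get(self, item_id):
        return self._objects.get(item_id)

    def put(self, row):
        self._objects[row["id"]] = row


def get_by_pk(conn, identity_map, item_id):
    """get()-style lookup: identity map first, then a primary-key-only SELECT.

    No ownership criterion is ever part of this lookup, so any caller that
    knows a valid id receives the row, whoever owns it.
    """
    cached = identity_map.get(item_id)
    if cached is not None:
        return cached
    row = conn.execute(
        "SELECT id, owner_id, title FROM items WHERE id = ?", (item_id,)
    ).fetchone()
    if row is not None:
        identity_map.put(row)
    return row


def get_for_owner(conn, item_id, owner_id):
    """Ownership-scoped lookup: the owner is a criterion of the same query.

    Returns None (the caller maps that to 404) unless the item exists AND
    belongs to owner_id; no cache is consulted ahead of the criteria.
    """
    return conn.execute(
        "SELECT i.id, i.owner_id, i.title "
        "FROM items i JOIN users u ON u.id = i.owner_id "
        "WHERE i.id = ? AND u.id = ?",
        (item_id, owner_id),
    ).fetchone()


def demo():
    """Bob (owner 2) requests Alice's item 10 through both lookups."""
    conn = make_db()
    imap = IdentityMap()
    leaked = get_by_pk(conn, imap, 10)    # Alice's row comes back regardless of caller
    scoped = get_for_owner(conn, 10, 2)   # None: the owner criterion rejects it
    return leaked is not None, scoped is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The practical rule for an ownership check is the one the reporter's corrected snippet already follows: put the owner condition in the same query as the id and read the result with a call that returns None on no match, rather than fetching by id first and checking ownership afterwards.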