[Sqlalchemy-tickets] Issue #3349: _no_select_modifiers does not check for joins, which can result i
From: Saif H. <iss...@bi...> - 2015-04-01 07:20:35
New issue 3349: _no_select_modifiers does not check for joins, which can result in dangerous behavior
https://bitbucket.org/zzzeek/sqlalchemy/issue/3349/_no_select_modifiers-does-not-check-for

Saif Hakim:

I noticed that `_no_select_modifiers` and `_no_criterion_assertion` in `orm/query.py` differ only in checking `self._statement` and `self._from_obj`. It seems that `_no_criterion_assertion` should be equivalent to `self._statement is None and _no_select_modifiers`; it is surprising that `_from_obj` is omitted, as this can result in a very dangerous situation when doing bulk updates, since `_from_obj` is ignored entirely. For example, someone may mistakenly use a join instead of a filter:

```
(session.query(File)
 .join(File.folder)
 .filter(Folder.owner_id == 1)
 .update({'content': 'USER 1'}, synchronize_session=False))
```

results in `UPDATE file SET content='USER 1' FROM folder WHERE folder.owner_id = 1`, which will touch every file instead of just the ones belonging to user 1.

The suggested fix is to add `('_from_obj', 'join()', ())` in `_no_select_modifiers`, which will error, as demonstrated in the attached file.
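The following is an added illustration and not part of the report or of SQLAlchemy's code. It uses only the standard-library `sqlite3` module with a constructed `folder`/`file` schema, so no ORM is involved: it reproduces the row-level effect of the emitted statement (a `FROM folder` with no join condition is a cross join, so every `file` row matches as soon as one folder owned by user 1 exists; the `EXISTS` rewrite below has the same semantics and runs on any SQLite version), shows the `folder_id IN (subquery)` form that a bulk update should use instead of `join()`, and models the attribute/method/default guard pattern the report refers to, with the proposed `('_from_obj', 'join()', ())` entry added. The table names, sample rows, `SELECT_MODIFIERS` tuple and `assert_no_select_modifiers` helper are all assumptions made for this example.

```python
"""Bulk-update hazard from issue 3349, reproduced with sqlite3 (example code, not SQLAlchemy's)."""
import sqlite3

# Constructed schema mirroring the File/Folder models used in the report.
SCHEMA = """
CREATE TABLE folder (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL);
CREATE TABLE file (
    id INTEGER PRIMARY KEY,
    folder_id INTEGER NOT NULL REFERENCES folder(id),
    content TEXT NOT NULL
);
"""
# Constructed sample data: user 1 owns folder 10, user 2 owns folder 20.
FOLDERS = [(10, 1), (20, 2)]
FILES = [(1, 10, "a"), (2, 10, "b"), (3, 20, "c"), (4, 20, "d")]


def fresh_db():
    """Return a new in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO folder VALUES (?, ?)", FOLDERS)
    conn.executemany("INSERT INTO file VALUES (?, ?, ?)", FILES)
    return conn


def update_ignoring_join(conn, owner_id, content):
    """Row-level semantics of `UPDATE file SET content=? FROM folder WHERE folder.owner_id=?`
    when the join's ON clause has been dropped: `folder` is cross-joined, so every file row
    qualifies as long as at least one folder row satisfies the predicate. Written with
    EXISTS so it runs on SQLite builds that lack UPDATE ... FROM. Returns rows touched."""
    cur = conn.execute(
        "UPDATE file SET content = ? "
        "WHERE EXISTS (SELECT 1 FROM folder WHERE folder.owner_id = ?)",
        (content, owner_id),
    )
    return cur.rowcount


def update_via_subquery(conn, owner_id, content):
    """The intended bulk update: restrict by a subquery on the relationship column instead
    of joining. Returns rows touched."""
    cur = conn.execute(
        "UPDATE file SET content = ? "
        "WHERE folder_id IN (SELECT id FROM folder WHERE owner_id = ?)",
        (content, owner_id),
    )
    return cur.rowcount


def contents(conn):
    """Snapshot of file.id -> file.content for comparison."""
    return dict(conn.execute("SELECT id, content FROM file ORDER BY id"))


class InvalidRequestError(Exception):
    """Stand-in for the error a query-state guard raises (hypothetical)."""


# Simplified model of the (attribute, method name, unset value) triples that a
# `_no_select_modifiers`-style guard walks; the last entry is the one the report proposes.
SELECT_MODIFIERS = (
    ("_limit", "limit()", None),
    ("_offset", "offset()", None),
    ("_order_by", "order_by()", False),
    ("_group_by", "group_by()", False),
    ("_distinct", "distinct()", False),
    ("_from_obj", "join()", ()),
)


def assert_no_select_modifiers(query_state, meth):
    """Raise if any select modifier has been set on the (dict-modelled) query state."""
    for attr, methname, notset in SELECT_MODIFIERS:
        if query_state.get(attr, notset) != notset:
            raise InvalidRequestError(
                "Can't call Query.%s() when %s has been called" % (meth, methname)
            )
    return True


def demo():
    """Run both updates on fresh copies and return (rows hit by the join-less UPDATE,
    rows hit by the subquery UPDATE, resulting contents of each)."""
    bad_conn, good_conn = fresh_db(), fresh_db()
    bad = update_ignoring_join(bad_conn, 1, "USER 1")
    good = update_via_subquery(good_conn, 1, "USER 1")
    return bad, good, contents(bad_conn), contents(good_conn)


if __name__ == "__main__":
    print(demo())
    try:
        assert_no_select_modifiers({"_from_obj": ("folder",)}, "update")
    except InvalidRequestError as exc:
        print(exc)
```

With the sample data, the join-less statement rewrites all four files while the subquery form rewrites only the two in folder 10; the guard rejects a query state whose `_from_obj` is non-empty, which is exactly the behaviour the report asks for.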