[Django] #25425: Enforce calling resolve_expression before as_sql on all expressions

[Django]

#25425: Enforce calling resolve_expression before as_sql on all expressions
-------------------------------------+-------------------------------------
               Reporter:  jarshwah   |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Component:  Database   |        Version:  master
  layer (models, ORM)                |
               Severity:  Normal     |       Keywords:
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 There are many places in the ORM that will try to compile an expression
 without first having ensured it was resolved.  The contract of expressions
 is as follows:

 {{{
 resolved = expression.resolve_expression(*kwargs)
 sql, params = compiler.compile(resolved)
 }}}

 Resolving the expression does two major things. First, it creates a copy
 so that expressions can be shared without clashing with each other.
 Secondly, the resolve_expression method may do necessary validation or
 extra query work.

 There are a few known places where expression like objects are used
 without first being resolved.

 - Most `Where` nodes are not resolved correctly (anywhere where self.where
 or self.query.where is compiled)
 - SQLUpdateCompiler
 - SQLDeleteCompiler
 - django.db.models.lookups.Lookup
 - django.db.models.related_lookups.RelatedIn

 I wonder if we should consider enforcing this at the code level. Refuse to
 compile the expression unless it has been resolved first. A naive way of
 doing this would be to maintain a `resolved` boolean flag, and switch it
 to `True` when resolved. The `as_sql` method could then error if the
 expression has not been resolved.

--
Ticket URL: <https://code.djangoproject.com/ticket/25425>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/051.f4adfacf12ffd334baa507a41a334282%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.