subject:"Re\: \[Django\] #30702\: Form leaks all objects of model"

Re: [Django] #30702: Form leaks all objects of model

2019-08-13 Thread Django

#30702: Form leaks all objects of model
-+-
 Reporter:  Kevin Olbrich|Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Forms|  Version:  2.2
 Severity:  Normal   |   Resolution:  invalid
 Keywords:  form, forms, | Triage Stage:
  queryset   |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Kevin Olbrich):

 I've got the point and you are right: AssertionError.
 Thank you very much for pointing me in the right direction!

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/071.ac8b6e7bc6b6fbe5887607342c2786ae%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-13 Thread Django

Comment (by Carlton Gibson):

This is an issue with your usage of the django-braces mixin, not Django.
You need to ask for help on the support channels for django-braces, or
django-users or StackOverflow, rather than here.

It's not a bug with Django. To see this add an `assert self.user is not
None` in your form's `__init__()` after the `super()` call. Follow the
traceback when that fails.

In general, a bug is 99% likely to be in your code and only 1% likely (if
that for something like ORM filtering which is as exercised as can be) to
be in the framework. So, please, before opening an issue pursue support
channels to help you pin down exactly what's going on. To show a fault in
Django, at the least you need to remove additional code such as django-
braces.

Sorry if that seems harsh, but we can't offer usage support here. We just
don't have the capacity. I hope that makes sense to you.

--
Ticket URL:
Django
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/071.d5bc89a576a9305b3b10a48e7e5417df%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-12 Thread Django

Comment (by Kevin Olbrich):

Sure, np.

Project:
https://bitbucket.org/code-orange/django-playground-project
(recursive clone!)

Steps to reproduce:
0. Clone, pip, migrate, etc.
1. Create user (initial superadmin is sufficient)
2. Create customer #1 "Allowed Customer Example"
3. Create customer #2 "Super Secret Customer"
4. Add user + "Allowed Customer Example" relation in multitenancy table
5. Access website under /playground/forms/register
6. Enter a domain and choose customer (only "Allowed Customer Example"
will be visible)
7. Submit form
8. Error will be displayed, Customer only shows "Super Secret Customer"
("Allowed Customer Example" missing!).

I can confirm this for SQLite and MySQL.

The user should never be able to see other customers, as the filter is
"MdatCustomers.objects.filter(mdatmultitenancyusers__user=self.user)".

--
Ticket URL:
Django
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/071.32b01d8b0a2aed4c52179d47e59f80e3%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-12 Thread Django

#30702: Form leaks all objects of model
-+-
 Reporter:  Kevin Olbrich|Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Forms|  Version:  2.2
 Severity:  Normal   |   Resolution:  invalid
 Keywords:  form, forms, | Triage Stage:
  queryset   |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Claude Paroz):

 Sorry, but for us this code is not sufficient. Maybe upload a sample
 project?

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/071.e6725af0eb25ef66db37d0558a221f8c%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-12 Thread Django

#30702: Form leaks all objects of model
-+-
 Reporter:  Kevin Olbrich|Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Forms|  Version:  2.2
 Severity:  Normal   |   Resolution:  invalid
 Keywords:  form, forms, | Triage Stage:
  queryset   |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Kevin Olbrich):

 I've attached some demo code in my initial description. That code is
 enough to reproduce the issue.
 I was unable to spot where in the code it decides to drop all filters.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/071.71daf00219adcc89c1c190f42c07e5a7%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-12 Thread Django

#30702: Form leaks all objects of model
-+-
 Reporter:  Kevin Olbrich|Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Forms|  Version:  2.2
 Severity:  Normal   |   Resolution:  invalid
 Keywords:  form, forms, | Triage Stage:
  queryset   |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Claude Paroz):

 I guess Carlton closed your report because it sounds like an error in your
 code. Your report does not contain any hint that Django is at fault.
 Please explore a little more what's happening in your case.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/071.1f3469f77b920ee1c38dfb64f1c47f00%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-12 Thread Django

#30702: Form leaks all objects of model
-+-
 Reporter:  Kevin Olbrich|Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Forms|  Version:  2.2
 Severity:  Normal   |   Resolution:  invalid
 Keywords:  form, forms, | Triage Stage:
  queryset   |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Kevin Olbrich):

 Actually I think this is a serious bug.
 Do you expect Django to leak all model data on an error?
 You can try it yourself, all model data will be rendered instead of the
 query sets filtered data.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/071.5cfd4e846b20fb3bd25f8b4343e3d112%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

2019-08-12 Thread Django

#30702: Form leaks all objects of model
-+-
 Reporter:  Kevin Olbrich|Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Forms|  Version:  2.2
 Severity:  Normal   |   Resolution:  invalid
 Keywords:  form, forms, | Triage Stage:
  queryset   |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Carlton Gibson):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 Sorry, this isn't an Issue Report as it stands. (It's a usage question.)
 Please see TicketClosingReasons/UseSupportChannels.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/071.39fa6ef8bd28b4897ee938248dcc8ff9%40djangoproject.com.

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

Re: [Django] #30702: Form leaks all objects of model

8 matches

Site Navigation

Mail list logo

Footer information