#22046: unhelpful queryset handling for model formsets with data
----------------------------+------------------------------------
     Reporter:  Jim Bailey  |                    Owner:
         Type:  Bug         |                   Status:  closed
    Component:  Forms       |                  Version:  1.6
     Severity:  Normal      |               Resolution:  wontfix
     Keywords:              |             Triage Stage:  Accepted
    Has patch:  1           |      Needs documentation:  0
  Needs tests:  1           |  Patch needs improvement:  1
Easy pickings:  0           |                    UI/UX:  0
----------------------------+------------------------------------

Comment (by spookylukey):

 @timgraham

 I accept your last comment, but I don't see how that results in a WONTFIX
 for this bug. As far as I can see, it's a real bug - when you save a model
 formset, and the underlying queryset returns different rows from what it
 did previously (which can happen on various insertions/deletions/changes),
 then you are going to get very unexpected behaviour.

 AFAICS, the logic of `BaseModelFormSet._existing_object` is only correct
 if the queryset passed in to the formset contains all applicable records
 both times.

 There is also the security concern that it is currently very easy to get
 this wrong. If you forget to pass in the queryset argument to the formset
 when you are POSTing, then you will have a major security issue, because
 the user can specify any ID they like and update the record.

--
Ticket URL: <https://code.djangoproject.com/ticket/22046#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
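As an added illustration (not Django's code and not part of the ticket), the following plain-Python reconstruction of the `BaseModelFormSet._existing_object` lookup discussed above shows why the same scoped queryset must be passed on the POST as well as the GET; `Note`, `owned_by` and `check_submission` are assumed names, and the rows are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Note:
    """Stand-in for a Django model whose rows belong to an owning user."""
    pk: int
    owner: str
    body: str


# Constructed sample table: rows belonging to two different users.
TABLE = [Note(1, "alice", "a1"), Note(2, "alice", "a2"), Note(3, "bob", "b1")]


def default_manager_queryset():
    """What the formset falls back to when no queryset argument is given:
    the model's full default-manager queryset, i.e. every row."""
    return list(TABLE)


def owned_by(user):
    """The scoped queryset a view should pass on BOTH the GET and the POST."""
    return [n for n in TABLE if n.owner == user]


def existing_object(queryset, pk):
    """Mirror of _existing_object: build {pk: obj} from the formset's
    queryset, then look the submitted pk up in that dict."""
    object_dict = {o.pk: o for o in queryset}
    return object_dict.get(pk)


def resolve_instances(queryset, posted_pks):
    """For each bound initial form, the instance it will be saved onto.
    None means the pk was not in the queryset, so the form would be
    treated as a brand-new object on save (the unexpected behaviour)."""
    return [existing_object(queryset, pk) for pk in posted_pks]


def check_submission(user, posted_pks):
    """Hypothetical hardening (not in Django): refuse the whole POST if any
    submitted pk lies outside the user's scoped queryset, instead of
    silently creating a new row for it."""
    allowed = {n.pk for n in owned_by(user)}
    unknown = sorted(set(posted_pks) - allowed)
    return (len(unknown) == 0, unknown)


if __name__ == "__main__":
    # A POST from alice whose hidden pk field points at bob's row (pk 3).
    submitted = [1, 3]
    print(resolve_instances(default_manager_queryset(), submitted))  # bob's row resolves
    print(resolve_instances(owned_by("alice"), submitted))           # [Note(pk=1, ...), None]
    print(check_submission("alice", submitted))                      # (False, [3])
```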

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/068.28fb0811f93100fae4600eb076b3d370%40djangoproject.com.