#22046: unhelpful queryset handling for model formsets with data
----------------------------+------------------------------------
     Reporter:  Jim Bailey  |                    Owner:
         Type:  Bug         |                   Status:  closed
    Component:  Forms       |                  Version:  1.6
     Severity:  Normal      |               Resolution:  wontfix
     Keywords:              |             Triage Stage:  Accepted
    Has patch:  1           |      Needs documentation:  0
  Needs tests:  1           |  Patch needs improvement:  1
Easy pickings:  0           |                    UI/UX:  0
----------------------------+------------------------------------

Comment (by spookylukey):

 @timgraham I accept your last comment, but I don't see how that results in a WONTFIX for this bug.

 As far as I can see, it's a real bug - when you save a model formset, and the underlying queryset returns different rows from what it did previously (which can happen on various insertions/deletions/changes), then you are going to get very unexpected behaviour. AFAICS, the logic of `BaseModelFormSet._existing_object` is only correct if the queryset passed in to the formset contains all applicable records both times.

 There is also the security concern that it is currently very easy to get this wrong. If you forget to pass in the queryset argument to the formset when you are POSTing, then you will have a major security issue, because the user can specify any ID they like and update the record.

--
Ticket URL: <https://code.djangoproject.com/ticket/22046#comment:9>
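
The concern raised in the comment above, as an added example that is not part of the ticket and is not Django's code: a plain-Python stand-in for resolving posted ids against the formset's queryset, comparing a POST handled with no queryset against one handled with the same per-user queryset. The `Note` rows, `owned_by`, `resolve_posted`, `save_for` and the user names are hypothetical, and refusing a submission that names ids outside the queryset is a choice made for this example.

```python
from dataclasses import dataclass

@dataclass
class Note:                      # hypothetical model row
    pk: int
    owner: str
    text: str

# Constructed sample table with two owners.
TABLE = [Note(1, "alice", "a1"), Note(2, "alice", "a2"), Note(3, "bob", "b1")]

def all_rows():
    """Stand-in for the model's default manager, used when no queryset is given."""
    return list(TABLE)

def owned_by(user):
    """Stand-in for the per-user queryset the view is meant to pass every time."""
    return [n for n in TABLE if n.owner == user]

def resolve_posted(posted, queryset=None):
    """Simplified model of the lookup the comment describes: each posted id is
    resolved against a {pk: row} map built from the formset's queryset.
    Returns (rows that would be updated, posted ids outside the queryset)."""
    rows = all_rows() if queryset is None else queryset
    by_pk = {row.pk: row for row in rows}
    matched, rejected = [], []
    for pk, text in posted:
        if pk in by_pk:
            matched.append((by_pk[pk], text))
        else:
            rejected.append(pk)
    return matched, rejected

def save_for(user, posted, scoped=True):
    """Apply a POST for `user`. With scoped=False the queryset is omitted, so
    every row in the table is reachable by id. Any id outside the queryset
    causes the whole submission to be refused rather than silently skipped."""
    queryset = owned_by(user) if scoped else None
    matched, rejected = resolve_posted(posted, queryset)
    if rejected:
        return False
    for row, text in matched:
        row.text = text
    return True
```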