Opened 4 years ago

Closed 4 years ago

#25910 closed Bug (fixed)

Model constructors accept read-only property names

Reported by: Joshua Phillips Owned by: nobody
Component: Database layer (models, ORM) Version: 1.9
Severity: Normal Keywords: model db
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

A model's constructor uses left-over keyword arguments (that weren't matched to fields) to set properties on the model instance. If the property's setter raises AttributeError (e.g. if it's a read-only property), that exception is ignored. This can lead to bugs when, for example, a field is changed to a property of the same name.

It looks like this behaviour (from 2007) might be unintentional: the try...except looks like it's only supposed to catch the AttributeError from getattr, not from the following settattr.

Fixing this is backwards-incompatible, but trying to set a read-only property in this way is most probably a bug anyway.

Attachments (1)

django-model-ctor-prop.diff (1.4 KB) - added by Joshua Phillips 4 years ago.
Patch to fix the problem, now with test

Download all attachments as: .zip

Change History (6)

comment:1 Changed 4 years ago by Tim Graham

Needs tests: set
Triage Stage: UnreviewedAccepted

A test is also needed.

comment:2 Changed 4 years ago by Klaas van Schelven

#26027 was rightly marked as a duplicate of the present issue; it contains further evidence that the behavior is unintentional as well as a hint as to how a test could be constructed easily.

Last edited 4 years ago by Tim Graham (previous) (diff)

Changed 4 years ago by Joshua Phillips

Attachment: django-model-ctor-prop.diff added

Patch to fix the problem, now with test

comment:3 Changed 4 years ago by Tim Graham

Are you able to submit the patch as a pull request?

comment:4 Changed 4 years ago by Joshua Phillips

comment:5 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: newclosed

In 16baec5:

Fixed #25910 -- Rejected read-only property names in model constructors.

Note: See TracTickets for help on using tickets.
Back to Top