I noticed a problem in AppSettingAPI.set(): When attempting to update an existing setting, the non-existence of an app plugin in the AppSetting model is not explicitly included in the query:
q_kwargs = {'name': setting_name, 'project': project, 'user': user}
if not plugin_name == 'projectroles':
q_kwargs['app_plugin__name'] = plugin_name
setting = AppSetting.objects.get(**q_kwargs)
This means that if there is a similarly named setting to projectroles in another app (which is of course allowed), we risk either updating the wrong object or raising an exception if multiple objects are found with the same get() query.
mikkonie
commented
1 month ago
I noticed a problem in
AppSettingAPI.set(): When attempting to update an existing setting, the non-existence of an app plugin in theAppSettingmodel is not explicitly included in the query:This means that if there is a similarly named setting to projectroles in another app (which is of course allowed), we risk either updating the wrong object or raising an exception if multiple objects are found with the same
get()query.I will fix this while doing #1450.