- attached sqlalchemy_rollback_bug.py
Session.rollback() can commit
Issue #2389
resolved
Much to my surprise, it is possible to add an object to a database via the ORM and commit it by calling Session.rollback(). This is IMO a rather nasty data corruption bug. The script below will 100% reliably commit an object to a sqlite database on python-sqlalchemy-0.7.3-1.fc16 from Fedora. It seems to work on mysql and on sqlalchemy 0.6 from Ubuntu as well.
Marking as highest priority because this can (and did!) cause data corruption. Admittedly, I can't trigger the problem without a slight abuse of the API so far.
Comments (3)
-
reporter
-
repo owner
very nice, that is not actually very much abuse of the API, as the same thing could occur if an attribute were only mutated on a persistent object - not something entirely appropriate in between the exception and the rollback, but well within the realm of things that could happen. f9c2f85a3ac35cd0158dbd818ba0b9d209003304 does an extra check and re-emits the call to self._restore_snapshot(), emitting a warning that state was modified. Another option would be to raise an exception here like calls to flush() and commit() do, though it's not as much flat out "wrong" if someone for example just set an attribute on a persistent object.
-
repo owner
- removed milestone
Removing milestone: 0.7.5 (automated comment)
- Log in to comment
Test case. It adds a row to a table and commits it by calling Session.rollback()