Using a model with soft-delete enabled, it seems that doing a q.WhereOr() adds the condition at the same level of the implicit soft-delete WHERE condition. The generated SQL looks like:
WHERE (cond1)
OR (cond2)
AND "table"."deleted_at" IS NULL
AND takes precedence, but OR shows the record anyway if it satisfies cond1, effectively making the deleted_at column ignored. I believe that since it's an implicit behavior, the ORM should wrap the query to make it look like:
WHERE (
(cond1)
OR (cond2)
)
AND "table"."deleted_at" IS NULLFor now I'm manually wrapping it. It's a subtle bug, and a gray area where responsibility is partially the developer's, but it may show the user deleted records, which is also a security issue in some cases.
Using a model with soft-delete enabled, it seems that doing a
q.WhereOr()adds the condition at the same level of the implicit soft-deleteWHEREcondition. The generated SQL looks like:AND takes precedence, but OR shows the record anyway if it satisfies cond1, effectively making the deleted_at column ignored. I believe that since it's an implicit behavior, the ORM should wrap the query to make it look like:
For now I'm manually wrapping it. It's a subtle bug, and a gray area where responsibility is partially the developer's, but it may show the user deleted records, which is also a security issue in some cases.