fix(strict_provenance): gate update1 inside make() (target + key consistency)#1480
Open
dimitri-yatsenko wants to merge 1 commit into
Open
fix(strict_provenance): gate update1 inside make() (target + key consistency)#1480dimitri-yatsenko wants to merge 1 commit into
dimitri-yatsenko wants to merge 1 commit into
Conversation
…istency)
The 2.3 post-release audit found update1 was a fully ungated write path under
strict_provenance: inside make(), SideTable.update1({...}) silently mutated any
table past the provenance boundary (empirically demonstrated) while the same
write via insert is blocked. The asymmetry was unintended: the boundary is
'write only to self (and Parts)', and update1 is a write.
update1 now runs the same two checks as insert, before the existence check so a
provenance violation raises as such:
- assert_write_allowed(self, verb='update1 on') — target must be the make()
target or one of its Parts; blocked-update message reads 'update1 on <t> is
not permitted inside make() for <target>...'.
- assert_row_key_allowed(row, action='update') — key columns overlapping the
current make() key must match; mismatch message reads 'updated row's ...
Updates must be consistent with the key being populated.'
Both gate functions gain wording parameters; the insert-path messages are
byte-identical to before. No-op outside make() or with the flag off — update1
behavior outside strict mode is unchanged (pinned by a new test).
Tests: blocked update1 on another table (value verified untouched), blocked
key-mismatched update1 on self, allowed key-consistent update1 on self, and
default-off parity. Full strict suite 12/12; test_update1 4/4.
Companion docs update (write-enforcement table + limits) rides in the
datajoint-docs post-audit reconciliation PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The 2.3 post-release audit of the make-integrity gates found
update1()was a fully ungated write path understrict_provenance: insidemake(),SideTable.update1({...})silently mutated any table past the provenance boundary (empirically demonstrated — value changed 100→999 with no error), while the same write viainsertis blocked. The asymmetry was unintended: the boundary is "write only toself(and Parts)," andupdate1is a write.Fix
update1now runs the same two checks asinsert, placed before the existence check so a provenance violation raises as such rather than as "no matching entry":assert_write_allowed(self, verb="update1 on")— target must be themake()target or one of its Parts. Blocked-update message:strict_provenance=True: update1 on '<t>' is not permitted inside make() for '<target>'. Only the target table and its Part tables may be written.assert_row_key_allowed(row, action="update")— key columns overlapping the current key must match:strict_provenance=True: updated row's '<k>'=<v> does not match the current make() key's '<k>'=<v>. Updates must be consistent with the key being populated.Both gate functions gain wording parameters; the insert-path messages are byte-identical to before (spec-verbatim preserved). No-op outside
make()/ flag off —update1outside strict mode is unchanged (pinned by test).Tests (4 new; strict suite 12/12, test_update1 4/4, both green locally)
update1on another table, with the target row verified untouchedupdate1on self (raises the key-consistency error deterministically)update1on self (corrective update within the boundary)Companion docs update (write-enforcement table rows + limits-list adjustments) rides in the datajoint-docs post-audit reconciliation PR.
delete()/delete_quick()remain ungated by design and are being documented as a limit there, per the audit decision.