views/user: string interpolation in raw SQL is safe here

There's a FIXME asking for some generated SQL that uses string
interpolation to be investigated.

I investigated.

It's safe - it only interpolates table/column names, not
user-controlled data.

Replace the FIXME with an explanatory statement.

Signed-off-by: Daniel Axtens <dja@axtens.net>

diff --git a/patchwork/views/user.py b/patchwork/views/user.py
index 79c615aa2da0461940852a15ea8f5c00af348233..2a2d704679e028a5df905f64a76e19c11a51be04 100644 (file)
--- a/patchwork/views/user.py
+++ b/patchwork/views/user.py
@@ -117,7 +117,11 @@ def profile(request):
         'profileform': form,
     }
 
-    # FIXME(stephenfin): This looks unsafe. Investigate.
+    # This looks unsafe but is actually fine: it just gets the names
+    # of tables and columns, not user-supplied data.
+    #
+    # An example of generated SQL is:
+    # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout)
     optout_query = '%s.%s IN (SELECT %s FROM %s)' % (
         Person._meta.db_table,
         Person._meta.get_field('email').column,