28201137575

Committed 25 Jun 2026 09:18PM UTC coverage: 80.341% (-1.0%) from 81.374%

Build # 28201137575

Build Type

push

github

Committed by

web-flow

Commit Message

feat(search): restrict relational lookups in `q` searches (#7189)

## Summary

`q` searches build ORM filters from caller-supplied lookup paths, and
the search grammar allows arbitrary relational traversal (e.g.
`owner__username`). This restricts which lookups are accepted.

## Notes

- No new DB queries or joins; the generated SQL for accepted searches is
unchanged (sub-microsecond validation per term).
- Legitimate searches are unaffected (e.g. `owner__username`,
`parent__uid`, `settings__sector`, `asset_type`, `user__is_superuser`).

Coverage Stats

8764 of 12135 branches covered (72.22%)

32 of 34 new or added lines in 4 files covered. (94.12%)

25 existing lines in 2 files now uncovered.

28909 of 35983 relevant lines covered (80.34%)

4.89 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.59

/kpi/utils/query_parser/query_parser.py

kobotoolbox / kpi / 28201137575

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous