I am curious as to why the decision was made to not append a WHERE clause to deletes and updates that could be affected by a session filter. I was looking at the source for HqlSqlWalker.postProcessDML, and it has the comment "append any filter fragments; the EMPTY_MAP is used under the assumption that currently enabled filters should not affect this process." So, it seems this was a conscious choice. I would actually like filters to affect updates and deletes and will probably modify this class to enable this. My reasoning is that if you have a filter turned on and perform a select then perform an update using HQL you would expect it to only modify those things returned in the select (lets ignore the fact that this is a race condition as I am oversimplifying). We are using session filters to automatically restrict a logged in user's view of certain data. This works great for selects, but obviously allows HQL updates and deletes to bypass this restricted view.
So, my questions are, why this choice? and would you consider changing your mind? Thanks, Jason _______________________________________________ hibernate-dev mailing list hibernate-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/hibernate-dev
