Adding a query with a WHERE OR on a soft-delete model ignores soft-delete condition

[john8329]

Using a model with soft-delete enabled, it seems that doing a q.WhereOr() adds the condition at the same level of the implicit soft-delete WHERE condition. The generated SQL looks like:

WHERE (cond1)
  OR (cond2)
  AND "table"."deleted_at" IS NULL

AND takes precedence, but OR shows the record anyway if it satisfies cond1, effectively making the deleted_at column ignored. I believe that since it's an implicit behavior, the ORM should wrap the query to make it look like:

WHERE (
    (cond1)
    OR (cond2)
  )
  AND "table"."deleted_at" IS NULL

For now I'm manually wrapping it. It's a subtle bug, and a gray area where responsibility is partially the developer's, but it may show the user deleted records, which is also a security issue in some cases.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. If there is no update within the next 7 days, this issue will be closed.

[john8329]

sigh bump.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. If there is no update within the next 7 days, this issue will be closed.

[john8329]

Seems like contributing here is pointless. This bot ruins the issues section.