{
    "instance_id": "django__django-10914",
    "repo": "django/django",
    "created_at": "2019-01-30T13:13:20Z",
    "problem_statement": "Set default FILE_UPLOAD_PERMISSION to 0o644.\nDescription\n\t\nHello,\nAs far as I can see, the ​File Uploads documentation page does not mention any permission issues.\nWhat I would like to see is a warning that in absence of explicitly configured FILE_UPLOAD_PERMISSIONS, the permissions for a file uploaded to FileSystemStorage might not be consistent depending on whether a MemoryUploadedFile or a TemporaryUploadedFile was used for temporary storage of the uploaded data (which, with the default FILE_UPLOAD_HANDLERS, in turn depends on the uploaded data size).\nThe tempfile.NamedTemporaryFile + os.rename sequence causes the resulting file permissions to be 0o0600 on some systems (I experience it here on CentOS 7.4.1708 and Python 3.6.5). In all probability, the implementation of Python's built-in tempfile module explicitly sets such permissions for temporary files due to security considerations.\nI found mentions of this issue ​on GitHub, but did not manage to find any existing bug report in Django's bug tracker.",
    "patch": "diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py\n--- a/django/conf/global_settings.py\n+++ b/django/conf/global_settings.py\n@@ -304,7 +304,7 @@ def gettext_noop(s):\n \n # The numeric mode to set newly-uploaded files to. The value should be a mode\n # you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories.\n-FILE_UPLOAD_PERMISSIONS = None\n+FILE_UPLOAD_PERMISSIONS = 0o644\n \n # The numeric mode to assign to newly-created directories, when uploading files.\n # The value should be a mode as you'd pass to os.chmod;\n",
    "Selected_candidate": {
        "pr_number": 5139,
        "pr_title": "Fixed #19263 -- Fixed crash when filtering using __in and an empty QuerySet.",
        "pr_body": "https://code.djangoproject.com/ticket/19263\n",
        "issue_id": 19263,
        "issue_title": "Filtering __in a sliced queryset with a 0 limit raises an error",
        "issue_body": "I've noticed that after upgrading to Django 1.4,\n__in\nqueries really don't like empty sets. Simple queries still work, like\nUser.objects.filter(groups__in=[])\n, but most failures I've seen are with Paginators. I think this is the minimum set to cause a DatabaseError, create any app, add a models.py with:\nfrom\ndjango.db\nimport\nmodels\nclass\nAuthor\n(\nmodels\n.\nModel\n):\npass\nclass\nBook\n(\nmodels\n.\nModel\n):\nauthor\n=\nmodels\n.\nForeignKey\n(\nAuthor\n)\ndef\ncrash\n():\nfrom\ndjango.core.paginator\nimport\nPaginator\npages\n=\nPaginator\n(\nAuthor\n.\nobjects\n.\nall\n(),\n25\n)\npage\n=\npages\n.\npage\n(\n1\n)\nbooks\n=\nBook\n.\nobjects\n.\nfilter\n(\nauthor__in\n=\npage\n.\nobject_list\n)\nprint\nbooks\ncalling crash() will cause this stack trace:\nC:\\Workspace\\someproject\\src\\someproject\\test.py in <module>()\n      6\n      7 books = Book.objects.filter(author__in=page.object_list)\n----> 8 print books\n      9\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\models\\query.pyc in __repr__(self)\n     70\n     71     def __repr__(self):\n---> 72         data = list(self[:REPR_OUTPUT_SIZE + 1])\n     73         if len(data) > REPR_OUTPUT_SIZE:\n     74             data[-1] = \"...(remaining elements truncated)...\"\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\models\\query.pyc in __len__(self)\n     85                 self._result_cache = list(self.iterator())\n     86         elif self._iter:\n---> 87             self._result_cache.extend(self._iter)\n     88         if self._prefetch_related_lookups and not self._prefetch_done:\n     89             self._prefetch_related_objects()\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\models\\query.pyc in iterator(self)\n    289             klass_info = get_klass_info(model, max_depth=max_depth,\n    290                                         requested=requested, only_load=only_load)\n--> 291         for row in compiler.results_iter():\n    292             if fill_cache:\n    293                 obj, _ = get_cached_row(row, index_start, db, klass_info,\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\models\\sql\\compiler.pyc in results_iter(self)\n    761         if self.query.select_for_update and transaction.is_managed(self.using):\n    762             transaction.set_dirty(self.using)\n--> 763         for rows in self.execute_sql(MULTI):\n    764             for row in rows:\n    765                 if resolve_columns:\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\models\\sql\\compiler.pyc in execute_sql(self, result_type)\n    816\n    817         cursor = self.connection.cursor()\n--> 818         cursor.execute(sql, params)\n    819\n    820         if not result_type:\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\backends\\util.pyc in execute(self, sql, params)\n     38         start = time()\n     39         try:\n---> 40             return self.cursor.execute(sql, params)\n     41         finally:\n     42             stop = time()\n\nC:\\Dev\\Python27\\lib\\site-packages\\django\\db\\backends\\postgresql_psycopg2\\base.pyc in execute(self, query, args)\n     50     def execute(self, query, args=None):\n     51         try:\n---> 52             return self.cursor.execute(query, args)\n     53         except Database.IntegrityError, e:\n     54             raise utils.IntegrityError, utils.IntegrityError(*tuple(e)), sys.exc_info()[2]\n\nDatabaseError: syntax error at or near \")\"\nLINE 1: ...ugtest_book\" WHERE \"bugtest_book\".\"author_id\" IN () LIMIT 21\nThe SQL statement created is:\nSELECT \"bugtest_book\".\"id\", \"bugtest_book\".\"author_id\" FROM \"bugtest_book\" WHERE \"bugtest_book\".\"author_id\" IN () LIMIT 21",
        "issue_closed_at": "2015-09-04T07:00:51",
        "base_commit": "7c0850028f25eebaa9b521b5d02afac084ff2c6f",
        "changes": [
            {
                "file": "django/db/models/sql/compiler.py",
                "type": "function",
                "name": "as_nested_sql",
                "class_name": "SQLCompiler",
                "code": "def as_nested_sql(self):\n        \"\"\"\n        Perform the same functionality as the as_sql() method, returning an\n        SQL string and parameters. However, the alias prefixes are bumped\n        beforehand (in a copy -- the current query isn't changed), and any\n        ordering is removed if the query is unsliced.\n\n        Used when nesting this query inside another.\n        \"\"\"\n        obj = self.query.clone()\n        if obj.low_mark == 0 and obj.high_mark is None and not self.query.distinct_fields:\n            # If there is no slicing in use, then we can safely drop all ordering\n            obj.clear_ordering(True)\n        return obj.get_compiler(connection=self.connection).as_sql(subquery=True)"
            }
        ]
    },
    "Justification": "Candidate A is the most relevant as it involves a filtering error that caused a DatabaseError in Django, which resonates with the CURRENT bug report's concern over how Django handles file uploads and associated permissions. Both reports hint at inconsistencies in the behavior due to certain defaults (e.g., permission settings in file uploads and queryset limits in filtering) that can cause unexpected results. The details regarding error handling and the final output in Candidate A's report can guide similar considerations for permission management in file uploads, making it particularly helpful in diagnosing the underlying issues of the CURRENT bug."
}