Querying API on column that does not exist returns all records

[narzeja]

Querying the flask_peewee API for columns that does not exist, returns all records from the table, instead of an empty set and/or an error that the supplied column name does not exist.

Consider the following code:

from flask import Flask
from peewee import *
from flask_peewee.rest import RestAPI
from datetime import datetime

app = Flask(__name__)
api = RestAPI(app)

class MyUser(Model):
    username = CharField(45, unique=True)
    admin = BooleanField(default=True)
    join_date = DateTimeField(default=datetime.now)
    email = CharField(145)
    class Meta:
        database = SqliteDatabase('mydb.sqlite')

try:
    MyUser.create_table()
    MyUser.create(username='test',
                  admin=True,
                  email='[email protected]')
    MyUser.create(username='test2',
                  admin=False,
                  email='[email protected]')
    MyUser.create(username='test3',
                  admin=False,
                  email='[email protected]')
except:
    pass

api.register(MyUser, allowed_methods=['GET'])
api.setup()

if __name__ == "__main__":
    app.run()

Launching the app, I can now query the API:

curl http://localhost:5000/api/myuser/?name=cheese

Notice, that the 'name' column does not exist in the table. This query returns a paginated result of all records in the table, instead of an (expected) notification that the column is invalid and/or an empty result set.

Using the latest version (0.6.5) installed from pip.