prohibit db_index and unique=True on encrypted fields

timgraham · timgraham · commit 892bb6bae9d3 · 2025-10-16T20:13:40.000-04:00
diff --git a/django_mongodb_backend/fields/encryption.py b/django_mongodb_backend/fields/encryption.py
@@ -7,9 +7,13 @@
 class EncryptedFieldMixin:
     encrypted = True
 
-    def __init__(self, *args, queries=None, **kwargs):
-        if kwargs.get("null", False):
-            raise ValueError("'null=True' is not supported for encrypted fields.")
+    def __init__(self, *args, queries=None, db_index=False, null=False, unique=False, **kwargs):
+        if db_index:
+            raise ValueError("'db_index=True' is not supported on encrypted fields.")
+        if null:
+            raise ValueError("'null=True' is not supported on encrypted fields.")
+        if unique:
+            raise ValueError("'unique=True' is not supported on encrypted fields.")
         self.queries = queries
         super().__init__(*args, **kwargs)
 
diff --git a/docs/ref/models/encrypted-fields.rst b/docs/ref/models/encrypted-fields.rst
@@ -81,6 +81,15 @@ Queryable Encryption.
 | :class:`~django.db.models.SlugField` | :ref:`Queryable Encryption does not support TTL Indexes or Unique Indexes <manual:qe-reference-encryption-limits>` |
 +--------------------------------------+--------------------------------------------------------------------------------------------------------------------+
 
+Limitations
+===========
+
+MongoDB imposes some restrictions on encrypted fields:
+
+* They cannot be indexed.
+* They cannot be part of a unique constraint.
+* They cannot be null.
+
 ``EncryptedFieldMixin``
 =======================
 
diff --git a/tests/encryption_/test_fields.py b/tests/encryption_/test_fields.py
@@ -4,7 +4,7 @@
 
 from bson import ObjectId
 
-from django_mongodb_backend.fields import EncryptedCharField
+from django_mongodb_backend.fields import EncryptedCharField, EncryptedIntegerField
 
 from .models import (
     Actor,
@@ -188,11 +188,20 @@ def test_time(self):
 
 
 class FieldMixinTests(EncryptionTestCase):
-    def test_null_true_raises_error(self):
-        with self.assertRaisesMessage(
-            ValueError, "'null=True' is not supported for encrypted fields."
-        ):
-            EncryptedCharField(max_length=50, null=True)
+    def test_db_index(self):
+        msg = "'db_index=True' is not supported on encrypted fields."
+        with self.assertRaisesMessage(ValueError, msg):
+            EncryptedIntegerField(db_index=True)
+
+    def test_null(self):
+        msg = "'null=True' is not supported on encrypted fields."
+        with self.assertRaisesMessage(ValueError, msg):
+            EncryptedIntegerField(null=True)
+
+    def test_unique(self):
+        msg = "'unique=True' is not supported on encrypted fields."
+        with self.assertRaisesMessage(ValueError, msg):
+            EncryptedIntegerField(unique=True)
 
     def test_deconstruct_preserves_queries_and_rewrites_path(self):
         field = EncryptedCharField(max_length=50, queries={"field": "value"})
