diff options
| author | Tom Christie | 2012-10-02 15:37:13 +0100 |
|---|---|---|
| committer | Tom Christie | 2012-10-02 15:37:13 +0100 |
| commit | ab173fd8f9070ccdb70f86f400d2ffa780977ce4 (patch) | |
| tree | 0c66097d32b47038fd92e020fc8665d7cc55e5d9 | |
| parent | e7685f3eb5c7d7e8fb1678d673f03688012b00cb (diff) | |
| download | django-rest-framework-ab173fd8f9070ccdb70f86f400d2ffa780977ce4.tar.bz2 | |
Fix bug where pk could be set in post data
| -rw-r--r-- | docs/api-guide/serializers.md | 3 | ||||
| -rw-r--r-- | rest_framework/serializers.py | 22 | ||||
| -rw-r--r-- | rest_framework/tests/generics.py | 12 |
3 files changed, 33 insertions, 4 deletions
diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md index 38a1e560..4ddc6e0a 100644 --- a/docs/api-guide/serializers.md +++ b/docs/api-guide/serializers.md @@ -230,6 +230,9 @@ The `nested` option may also be set by passing it to the `serialize()` method. class Meta: model = Account + def get_pk_field(self, model_field): + return Field(readonly=True) + def get_nested_field(self, model_field): return ModelSerializer() diff --git a/rest_framework/serializers.py b/rest_framework/serializers.py index bb48e381..d0d34094 100644 --- a/rest_framework/serializers.py +++ b/rest_framework/serializers.py @@ -308,17 +308,31 @@ class ModelSerializer(RelatedField, Serializer): fields += [field for field in opts.many_to_many if field.serialize] ret = SortedDict() + is_pk = True # First field in the list is the pk + for model_field in fields: - if model_field.rel and nested: + if is_pk: + field = self.get_pk_field(model_field) + is_pk = False + elif model_field.rel and nested: field = self.get_nested_field(model_field) elif model_field.rel: field = self.get_related_field(model_field) else: field = self.get_field(model_field) - field.initialize(parent=self, model_field=model_field) - ret[model_field.name] = field + + if field is not None: + field.initialize(parent=self, model_field=model_field) + ret[model_field.name] = field + return ret + def get_pk_field(self, model_field): + """ + Returns a default instance of the pk field. + """ + return Field(readonly=True) + def get_nested_field(self, model_field): """ Creates a default instance of a nested relational field. @@ -333,7 +347,7 @@ class ModelSerializer(RelatedField, Serializer): def get_field(self, model_field): """ - Creates a default instance of a basic field. + Creates a default instance of a basic non-relational field. """ return Field() diff --git a/rest_framework/tests/generics.py b/rest_framework/tests/generics.py index ec46b427..79c01f9e 100644 --- a/rest_framework/tests/generics.py +++ b/rest_framework/tests/generics.py @@ -100,6 +100,18 @@ class TestRootView(TestCase): self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEquals(response.data, expected) + def test_post_cannot_set_id(self): + """ + POST requests to create a new object should not be able to set the id. + """ + content = {'id': 999, 'text': 'foobar'} + request = factory.post('/', json.dumps(content), content_type='application/json') + response = self.view(request).render() + self.assertEquals(response.status_code, status.HTTP_201_CREATED) + self.assertEquals(response.data, {'id': 4, 'text': u'foobar'}) + created = self.objects.get(id=4) + self.assertEquals(created.text, 'foobar') + class TestInstanceView(TestCase): def setUp(self): |