Fix bug where pk could be set in post data

1 files changed, 18 insertions, 4 deletions

diff --git a/rest_framework/serializers.py b/rest_framework/serializers.py
index bb48e381..d0d34094 100644
--- a/rest_framework/serializers.py
+++ b/rest_framework/serializers.py
@@ -308,17 +308,31 @@ class ModelSerializer(RelatedField, Serializer):
         fields += [field for field in opts.many_to_many if field.serialize]
 
         ret = SortedDict()
+        is_pk = True  # First field in the list is the pk
+
         for model_field in fields:
-            if model_field.rel and nested:
+            if is_pk:
+                field = self.get_pk_field(model_field)
+                is_pk = False
+            elif model_field.rel and nested:
                 field = self.get_nested_field(model_field)
             elif model_field.rel:
                 field = self.get_related_field(model_field)
             else:
                 field = self.get_field(model_field)
-            field.initialize(parent=self, model_field=model_field)
-            ret[model_field.name] = field
+
+            if field is not None:
+                field.initialize(parent=self, model_field=model_field)
+                ret[model_field.name] = field
+
         return ret
 
+    def get_pk_field(self, model_field):
+        """
+        Returns a default instance of the pk field.
+        """
+        return Field(readonly=True)
+
     def get_nested_field(self, model_field):
         """
         Creates a default instance of a nested relational field.
@@ -333,7 +347,7 @@ class ModelSerializer(RelatedField, Serializer):
 
     def get_field(self, model_field):
         """
-        Creates a default instance of a basic field.
+        Creates a default instance of a basic non-relational field.
         """
         return Field()