Fix bug where pk could be set in post data

author: Tom Christie 2012-10-02 15:37:13 +0100
committer: Tom Christie 2012-10-02 15:37:13 +0100
commit: ab173fd8f9070ccdb70f86f400d2ffa780977ce4 (patch)
tree: 0c66097d32b47038fd92e020fc8665d7cc55e5d9 /rest_framework/tests/generics.py
parent: e7685f3eb5c7d7e8fb1678d673f03688012b00cb (diff)
download: django-rest-framework-ab173fd8f9070ccdb70f86f400d2ffa780977ce4.tar.bz2
1 files changed, 12 insertions, 0 deletions
diff --git a/rest_framework/tests/generics.py b/rest_framework/tests/generics.py
index ec46b427..79c01f9e 100644
--- a/rest_framework/tests/generics.py
+++ b/rest_framework/tests/generics.py
@@ -100,6 +100,18 @@ class TestRootView(TestCase):
         self.assertEquals(response.status_code, status.HTTP_200_OK)
         self.assertEquals(response.data, expected)
 
+    def test_post_cannot_set_id(self):
+        """
+        POST requests to create a new object should not be able to set the id.
+        """
+        content = {'id': 999, 'text': 'foobar'}
+        request = factory.post('/', json.dumps(content), content_type='application/json')
+        response = self.view(request).render()
+        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
+        self.assertEquals(response.data, {'id': 4, 'text': u'foobar'})
+        created = self.objects.get(id=4)
+        self.assertEquals(created.text, 'foobar')
+
 
 class TestInstanceView(TestCase):
     def setUp(self):
author	Tom Christie	2012-10-02 15:37:13 +0100
committer	Tom Christie	2012-10-02 15:37:13 +0100
commit	ab173fd8f9070ccdb70f86f400d2ffa780977ce4 (patch)
tree	0c66097d32b47038fd92e020fc8665d7cc55e5d9 /rest_framework/tests/generics.py
parent	e7685f3eb5c7d7e8fb1678d673f03688012b00cb (diff)
download	django-rest-framework-ab173fd8f9070ccdb70f86f400d2ffa780977ce4.tar.bz2