encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-02-02 20:54:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug where pk could be set in post data

Browse Source
This commit is contained in:
Tom Christie 2012-10-02 15:37:13 +01:00
parent e7685f3eb5
commit ab173fd8f9
3 changed files with 33 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/api-guide/serializers.md
View File

@ -230,6 +230,9 @@ The `nested` option may also be set by passing it to the `serialize()` method.
class Meta: class Meta:
model = Account model = Account
def get_pk_field(self, model_field):
return Field(readonly=True)
def get_nested_field(self, model_field): def get_nested_field(self, model_field):
return ModelSerializer() return ModelSerializer()

22
rest_framework/serializers.py
View File

@ -308,17 +308,31 @@ class ModelSerializer(RelatedField, Serializer):
fields += [field for field in opts.many_to_many if field.serialize] fields += [field for field in opts.many_to_many if field.serialize]
ret = SortedDict() ret = SortedDict()
is_pk = True # First field in the list is the pk
for model_field in fields: for model_field in fields:
if model_field.rel and nested: if is_pk:
field = self.get_pk_field(model_field)
is_pk = False
elif model_field.rel and nested:
field = self.get_nested_field(model_field) field = self.get_nested_field(model_field)
elif model_field.rel: elif model_field.rel:
field = self.get_related_field(model_field) field = self.get_related_field(model_field)
else: else:
field = self.get_field(model_field) field = self.get_field(model_field)
field.initialize(parent=self, model_field=model_field)
ret[model_field.name] = field if field is not None:
field.initialize(parent=self, model_field=model_field)
ret[model_field.name] = field
return ret return ret
def get_pk_field(self, model_field):
"""
Returns a default instance of the pk field.
"""
return Field(readonly=True)
def get_nested_field(self, model_field): def get_nested_field(self, model_field):
""" """
Creates a default instance of a nested relational field. Creates a default instance of a nested relational field.
@ -333,7 +347,7 @@ class ModelSerializer(RelatedField, Serializer):
def get_field(self, model_field): def get_field(self, model_field):
""" """
Creates a default instance of a basic field. Creates a default instance of a basic non-relational field.
""" """
return Field() return Field()

12
rest_framework/tests/generics.py
View File

@ -100,6 +100,18 @@ class TestRootView(TestCase):
self.assertEquals(response.status_code, status.HTTP_200_OK) self.assertEquals(response.status_code, status.HTTP_200_OK)
self.assertEquals(response.data, expected) self.assertEquals(response.data, expected)
def test_post_cannot_set_id(self):
"""
POST requests to create a new object should not be able to set the id.
"""
content = {'id': 999, 'text': 'foobar'}
request = factory.post('/', json.dumps(content), content_type='application/json')
response = self.view(request).render()
self.assertEquals(response.status_code, status.HTTP_201_CREATED)
self.assertEquals(response.data, {'id': 4, 'text': u'foobar'})
created = self.objects.get(id=4)
self.assertEquals(created.text, 'foobar')
class TestInstanceView(TestCase): class TestInstanceView(TestCase):
def setUp(self): def setUp(self):