Fix bug where pk could be set in post data

2025-01-23 15:54:16 +03:00 · 2012-10-02 15:37:13 +01:00 · 2012-10-02 15:37:13 +01:00 · ab173fd8f9
commit ab173fd8f9
parent e7685f3eb5
3 changed files with 33 additions and 4 deletions
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@ -230,6 +230,9 @@ The `nested` option may also be set by passing it to the `serialize()` method.
        class Meta:
            model = Account

+        def get_pk_field(self, model_field):
+            return Field(readonly=True)
+
        def get_nested_field(self, model_field):
            return ModelSerializer()

--- a/rest_framework/serializers.py
+++ b/rest_framework/serializers.py
@ -308,17 +308,31 @@ class ModelSerializer(RelatedField, Serializer):
        fields += [field for field in opts.many_to_many if field.serialize]

        ret = SortedDict()
+        is_pk = True  # First field in the list is the pk
+
        for model_field in fields:
-            if model_field.rel and nested:
+            if is_pk:
+                field = self.get_pk_field(model_field)
+                is_pk = False
+            elif model_field.rel and nested:
                field = self.get_nested_field(model_field)
            elif model_field.rel:
                field = self.get_related_field(model_field)
            else:
                field = self.get_field(model_field)
+
+            if field is not None:
                field.initialize(parent=self, model_field=model_field)
                ret[model_field.name] = field
+
        return ret

+    def get_pk_field(self, model_field):
+        """
+        Returns a default instance of the pk field.
+        """
+        return Field(readonly=True)
+
    def get_nested_field(self, model_field):
        """
        Creates a default instance of a nested relational field.
@ -333,7 +347,7 @@ class ModelSerializer(RelatedField, Serializer):

    def get_field(self, model_field):
        """
-        Creates a default instance of a basic field.
+        Creates a default instance of a basic non-relational field.
        """
        return Field()

--- a/rest_framework/tests/generics.py
+++ b/rest_framework/tests/generics.py
@ -100,6 +100,18 @@ class TestRootView(TestCase):
        self.assertEquals(response.status_code, status.HTTP_200_OK)
        self.assertEquals(response.data, expected)

+    def test_post_cannot_set_id(self):
+        """
+        POST requests to create a new object should not be able to set the id.
+        """
+        content = {'id': 999, 'text': 'foobar'}
+        request = factory.post('/', json.dumps(content), content_type='application/json')
+        response = self.view(request).render()
+        self.assertEquals(response.status_code, status.HTTP_201_CREATED)
+        self.assertEquals(response.data, {'id': 4, 'text': u'foobar'})
+        created = self.objects.get(id=4)
+        self.assertEquals(created.text, 'foobar')
+

 class TestInstanceView(TestCase):
    def setUp(self):