-
-
Notifications
You must be signed in to change notification settings - Fork 7k
Fix validation for ListSerializer when many=True #9774
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
c3a8ad9
33b4977
395cebe
7ef2f1d
44c3552
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -652,6 +652,52 @@ def run_child_validation(self, data): | |||||||||||||||||||||||||||||||||||||||
| self.child.initial_data = data | ||||||||||||||||||||||||||||||||||||||||
| return super().run_child_validation(data) | ||||||||||||||||||||||||||||||||||||||||
| """ | ||||||||||||||||||||||||||||||||||||||||
| child_instance = getattr(self.child, "instance", None) | ||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||
| if self.instance is not None: | ||||||||||||||||||||||||||||||||||||||||
| pk_name = None | ||||||||||||||||||||||||||||||||||||||||
| child_meta = getattr(self.child, "Meta", None) | ||||||||||||||||||||||||||||||||||||||||
| model = getattr(child_meta, "model", None) if child_meta else None | ||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||
| if model is not None: | ||||||||||||||||||||||||||||||||||||||||
| pk_name = model._meta.pk.name | ||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||
| obj_id = None | ||||||||||||||||||||||||||||||||||||||||
| if pk_name: | ||||||||||||||||||||||||||||||||||||||||
| for field_name, field in self.child.fields.items(): | ||||||||||||||||||||||||||||||||||||||||
| if getattr(field, "source", None) == pk_name: | ||||||||||||||||||||||||||||||||||||||||
| obj_id = data.get(field_name) | ||||||||||||||||||||||||||||||||||||||||
| if obj_id is not None: | ||||||||||||||||||||||||||||||||||||||||
| break | ||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+667
to
+671
|
||||||||||||||||||||||||||||||||||||||||
| for field_name, field in self.child.fields.items(): | |
| if getattr(field, "source", None) == pk_name: | |
| obj_id = data.get(field_name) | |
| if obj_id is not None: | |
| break | |
| # Cache the mapping from pk_name to field_name for efficiency | |
| if not hasattr(self, "_pk_field_name_cache"): | |
| self._pk_field_name_cache = {} | |
| cache_key = (self.child.__class__, pk_name) | |
| field_name = self._pk_field_name_cache.get(cache_key) | |
| if field_name is None: | |
| for fname, field in self.child.fields.items(): | |
| if getattr(field, "source", None) == pk_name: | |
| field_name = fname | |
| self._pk_field_name_cache[cache_key] = field_name | |
| break | |
| obj_id = None | |
| if field_name is not None: | |
| obj_id = data.get(field_name) |
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The loop searches for a field with source matching pk_name and breaks on the first match. However, if obj_id is None after this loop, the code falls back to checking data.get(pk_name) || data.get("pk") || data.get("id"). This fallback logic using 'or' will return the first truthy value, which could be problematic if pk_name is "pk" or "id" and data contains both keys with different values. Consider using explicit None checks instead of relying on truthiness.
| obj_id = data.get(pk_name) or data.get("pk") or data.get("id") | |
| if pk_name is not None and data.get(pk_name) is not None: | |
| obj_id = data.get(pk_name) | |
| elif data.get("pk") is not None: | |
| obj_id = data.get("pk") | |
| elif data.get("id") is not None: | |
| obj_id = data.get("id") |
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The bare except clause catches all exceptions including SystemExit and KeyboardInterrupt. This should catch a specific exception type such as (ValueError, TypeError) to avoid suppressing unexpected errors that should propagate.
| except Exception: | |
| except (TypeError, ValueError): |
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no test coverage for the scenario where the model's pk field throws an exception in to_python() (line 680) and the exception is silently caught. This could lead to obj_id remaining in an unconverted state, potentially causing lookup failures. A test should verify behavior when pk conversion fails.
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The _instance_index dictionary comprehension assumes self.instance is iterable and creates a persistent cache on the ListSerializer instance. This has two issues: (1) if self.instance is not iterable (e.g., a single object), this will raise a TypeError, and (2) the cache persists across validation runs, which could cause issues if the same serializer instance is reused with different data. Consider adding an iterability check and clearing the cache after validation completes.
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The context.get("allow_create", True) defaults to True, which means a new model instance will be created even when it's not explicitly allowed. This could lead to unintended model creation. Consider whether the default should be False for safer behavior, or document this behavior clearly.
| if model is not None and self.context.get("allow_create", True): | |
| if model is not None and self.context.get("allow_create", False): |
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The new code in run_child_validation handles the case when resolved_instance is None by creating a new model instance or using child_instance. However, there's no test coverage for the scenario where obj_id is found but doesn't match any instance in self._instance_index, and allow_create is False. This edge case should be tested to ensure proper behavior.
Copilot
AI
Dec 14, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no test coverage for serializers without a Meta.model (non-ModelSerializer) when using many=True with instances. The code checks if model is None at line 662 and 692, but no tests verify this path works correctly when using plain Serializers instead of ModelSerializers.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -150,3 +150,30 @@ def __new__(cls, *args, **kwargs): | |
| help_text='OneToOneTarget', | ||
| verbose_name='OneToOneTarget', | ||
| on_delete=models.CASCADE) | ||
|
|
||
|
|
||
| class ListModelForTest(RESTFrameworkModel): | ||
| name = models.CharField(max_length=100) | ||
| status = models.CharField(max_length=100, blank=True) | ||
|
|
||
| @property | ||
| def is_valid(self): | ||
| return self.name == 'valid' | ||
|
Comment on lines
+159
to
+161
|
||
|
|
||
|
|
||
| class EmailPKModel(RESTFrameworkModel): | ||
| email = models.EmailField(primary_key=True) | ||
| name = models.CharField(max_length=100) | ||
|
|
||
| @property | ||
| def is_valid(self): | ||
| return self.name == 'valid' | ||
|
Comment on lines
+168
to
+170
|
||
|
|
||
|
|
||
| class PersonUUID(RESTFrameworkModel): | ||
| id = models.UUIDField(primary_key=True) | ||
| name = models.CharField(max_length=100) | ||
|
|
||
| @property | ||
| def is_valid(self): | ||
| return self.name == 'valid' | ||
|
Comment on lines
+177
to
+179
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,8 @@ | |
| from rest_framework import serializers | ||
| from rest_framework.exceptions import ErrorDetail | ||
| from tests.models import ( | ||
| CustomManagerModel, NullableOneToOneSource, OneToOneTarget | ||
| CustomManagerModel, EmailPKModel, ListModelForTest, NullableOneToOneSource, | ||
| OneToOneTarget, PersonUUID | ||
| ) | ||
|
|
||
|
|
||
|
|
@@ -775,3 +776,102 @@ def test(self): | |
| queryset = NullableOneToOneSource.objects.all() | ||
| serializer = self.serializer(queryset, many=True) | ||
| assert serializer.data | ||
|
|
||
|
|
||
| @pytest.mark.django_db | ||
| class TestManyTrueValidationCheck: | ||
| """ | ||
| Tests ListSerializer validation with many=True across different primary key types | ||
| (integer and email). | ||
| """ | ||
|
|
||
| class PersonUUIDSerializer(serializers.ModelSerializer): | ||
| uuid = serializers.UUIDField(source="id") | ||
|
|
||
| class Meta: | ||
| model = PersonUUID | ||
| fields = ("uuid", "name") | ||
| read_only_fields = ("uuid",) | ||
|
|
||
| def validate_name(self, value): | ||
| if value and not self.instance.is_valid: | ||
| return False | ||
| return value | ||
|
Comment on lines
+796
to
+799
|
||
|
|
||
| def setup_method(self): | ||
| self.obj1 = ListModelForTest.objects.create(name="valid", status="new") | ||
| self.obj2 = ListModelForTest.objects.create(name="invalid", status="") | ||
| self.email_obj1 = EmailPKModel.objects.create(email="[email protected]", name="A") | ||
| self.email_obj2 = EmailPKModel.objects.create(email="[email protected]", name="B") | ||
|
|
||
| self.serializer, self.email_serializer = self.get_serializers() | ||
|
|
||
| def get_serializers(self): | ||
| class ListModelForTestSerializer(serializers.ModelSerializer): | ||
| class Meta: | ||
| model = ListModelForTest | ||
| fields = ("id", "name", "status") | ||
|
|
||
| def validate_status(self, value): | ||
| if value and not self.instance.is_valid: | ||
| return False | ||
| return value | ||
|
Comment on lines
+815
to
+818
|
||
|
|
||
| class EmailPKSerializer(serializers.ModelSerializer): | ||
| class Meta: | ||
| model = EmailPKModel | ||
| fields = ("email", "name") | ||
| read_only_fields = ('email',) | ||
|
|
||
| def validate_name(self, value): | ||
| if value and not self.instance.is_valid: | ||
| return False | ||
| return value | ||
|
Comment on lines
+826
to
+829
|
||
|
|
||
| return ListModelForTestSerializer, EmailPKSerializer | ||
|
|
||
| def test_run_child_validation_with_many_true(self): | ||
| input_data = [ | ||
| {"id": self.obj1.pk, "name": "other", "status": "new"}, | ||
| {"id": self.obj2.pk, "name": "valid", "status": "progress"}, | ||
| ] | ||
|
|
||
| serializer = self.serializer([self.obj1, self.obj2], data=input_data, many=True) | ||
| assert serializer.is_valid(), serializer.errors | ||
|
|
||
| serializer = self.serializer(ListModelForTest.objects.all(), data=input_data, many=True) | ||
| assert serializer.is_valid(), serializer.errors | ||
|
|
||
| def test_validation_error_for_invalid_data(self): | ||
| input_data = [{"id": self.obj1.pk, "name": "", "status": "mystatus"}] | ||
|
|
||
| serializer = self.serializer([self.obj1], data=input_data, many=True) | ||
| assert not serializer.is_valid() | ||
| assert "name" in serializer.errors[0] | ||
|
|
||
| def test_email_pk_instance_validation(self): | ||
| input_data = [{"email": "[email protected]", "name": "bar"}] | ||
| serializer = self.email_serializer(instance=EmailPKModel.objects.all(), data=input_data, many=True) | ||
| assert serializer.is_valid(), serializer.errors | ||
|
|
||
| def test_uuid_validate_many(self): | ||
| PersonUUID.objects.create(id="c20f2f31-65a3-451f-ae7d-e939b7d9f84b", name="valid") | ||
| PersonUUID.objects.create(id="3308237e-18d8-4074-9d05-79cc0fdb5bb3", name="other") | ||
|
|
||
| input_data = [ | ||
| { | ||
| "uuid": "c20f2f31-65a3-451f-ae7d-e939b7d9f84b", | ||
| "name": "bar", | ||
| }, | ||
| ] | ||
| serializer = self.PersonUUIDSerializer(instance=list(PersonUUID.objects.all()), data=input_data, many=True) | ||
| assert serializer.is_valid(), serializer.errors | ||
|
|
||
| def test_uuid_validate_single(self): | ||
| instance = PersonUUID.objects.create(id="c20f2f31-65a3-451f-ae7d-e939b7d9f84b", name="food") | ||
|
|
||
| serializer = self.PersonUUIDSerializer( | ||
| instance=instance, | ||
| data={"uuid": "c20f2f31-65a3-451f-ae7d-e939b7d9f84b", "name": "valid"}, | ||
| ) | ||
| assert serializer.is_valid(), serializer.errors | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The docstring example shows calling super().run_child_validation(data), but the actual implementation at line 701 calls self.child.run_validation(data) directly. This makes the example misleading since there's no parent class implementation being called. The example should be updated to match the actual implementation pattern or clarify that this is an example override.