Issue #2970
closed
REST API silently ignores object attributes that don't exist on the serializer
Description
When creating an object through the DRF-based REST API, if you include attributes that are not part of the model or serializer, they are silently ignored. That should instead result in a failed/rejected request.
I discovered this by trying to create a FileImporter and supplying a "feed" attribute. This was a mistake, because the attribute is named "feed_url". My "feed" was silently ignored, and it wasn't until I tried to sync that I discovered something was wrong.
ttereshc found these relevant discussions of the topic:
https://stackoverflow.com/questions/22178266/django-rest-framework-raise-error-when-extra-fields-are-present-on-post
https://stackoverflow.com/questions/22352960/how-to-make-a-rest-framework-serializer-disallow-superfluous-fields
(pulp) [vagrant@pulp3 pulp]$ http --auth admin:admin --json POST http://127.0.0.1:8000/api/v3/repositories/ name=foo description=foo scratchpad:='{}' notes:='{}' foo=123 bar=456
HTTP/1.0 201 CREATED
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Date: Thu, 10 Aug 2017 19:31:46 GMT
Location: http://127.0.0.1:8000/api/v3/repositories/foo/
Server: WSGIServer/0.2 CPython/3.5.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN
{
"_href": "http://127.0.0.1:8000/api/v3/repositories/foo/",
"content": "http://127.0.0.1:8000/api/v3/repositories/foo/content/",
"description": "foo",
"importers": [],
"last_content_added": null,
"last_content_removed": null,
"name": "foo",
"notes": {},
"publishers": [],
"scratchpad": {}
}
Updated by ttereshc over 7 years ago
- Priority changed from Normal to High
- Triaged changed from No to Yes
Updated by muattiyah over 6 years ago
Working on this here https://github.com/pulp/pulp/pull/3531
Updated by daviddavis over 6 years ago
- Status changed from NEW to POST
- Assignee set to muattiyah
Added by muattiyah over 6 years ago
Revision c4f8e192
Raise error on unexpected parameters
Raise a ValidationError when unexpected parameters are passed to an endpoint.
Updated by muattiyah over 6 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp|c4f8e192629d1d07216c784df375013bd5bdbf67.
Updated by muattiyah over 6 years ago
- Related to Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate() added
Updated by daviddavis over 6 years ago
- Related to Issue #3906: browsable API inserts a csrf token field into all form submissions added
Updated by bmbouter almost 5 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Raise error on unexpected parameters
Raise a ValidationError when unexpected parameters are passed to an endpoint.
fixes #2970 https://pulp.plan.io/issues/2970