Project

Profile

Help

Issue #2970

REST API silently ignores object attributes that don't exist on the serializer

Added by mhrivnak almost 3 years ago. Updated 7 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:

Description

When creating an object through the DRF-based REST API, if you include attributes that are not part of the model or serializer, they are silently ignored. That should instead result in a failed/rejected request.

I discovered this by trying to create a FileImporter and supplying a "feed" attribute. This was a mistake, because the attribute is named "feed_url". My "feed" was silently ignored, and it wasn't until I tried to sync that I discovered something was wrong.

ttereshc found these relevant discussions of the topic:

https://stackoverflow.com/questions/22178266/django-rest-framework-raise-error-when-extra-fields-are-present-on-post
https://stackoverflow.com/questions/22352960/how-to-make-a-rest-framework-serializer-disallow-superfluous-fields

(pulp) [vagrant@pulp3 pulp]$ http --auth admin:admin --json POST http://127.0.0.1:8000/api/v3/repositories/ name=foo description=foo scratchpad:='{}' notes:='{}' foo=123 bar=456
HTTP/1.0 201 CREATED
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Date: Thu, 10 Aug 2017 19:31:46 GMT
Location: http://127.0.0.1:8000/api/v3/repositories/foo/
Server: WSGIServer/0.2 CPython/3.5.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

{
    "_href": "http://127.0.0.1:8000/api/v3/repositories/foo/",
    "content": "http://127.0.0.1:8000/api/v3/repositories/foo/content/",
    "description": "foo",
    "importers": [],
    "last_content_added": null,
    "last_content_removed": null,
    "name": "foo",
    "notes": {},
    "publishers": [],
    "scratchpad": {}
}

Related issues

Related to Pulp - Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate()NEW<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>
Related to Pulp - Issue #3906: browsable API inserts a csrf token field into all form submissionsCLOSED - CURRENTRELEASE<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

Associated revisions

Revision c4f8e192 View on GitHub
Added by muattiyah about 2 years ago

Raise error on unexpected parameters

Raise a ValidationError when unexpected parameters are passed to an endpoint.

fixes #2970 https://pulp.plan.io/issues/2970

Revision c4f8e192 View on GitHub
Added by muattiyah about 2 years ago

Raise error on unexpected parameters

Raise a ValidationError when unexpected parameters are passed to an endpoint.

fixes #2970 https://pulp.plan.io/issues/2970

History

#1 Updated by ttereshc almost 3 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes

#3 Updated by daviddavis about 2 years ago

  • Status changed from NEW to POST
  • Assignee set to muattiyah

#4 Updated by muattiyah about 2 years ago

  • Status changed from POST to MODIFIED

#6 Updated by muattiyah about 2 years ago

  • Related to Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate() added

#7 Updated by daviddavis almost 2 years ago

  • Related to Issue #3906: browsable API inserts a csrf token field into all form submissions added

#8 Updated by daviddavis about 1 year ago

  • Sprint/Milestone set to 3.0.0

#9 Updated by bmbouter about 1 year ago

  • Tags deleted (Pulp 3)

#10 Updated by bmbouter 7 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Please register to edit this issue

Also available in: Atom PDF