Project

Profile

Help

Issue #2970

closed

REST API silently ignores object attributes that don't exist on the serializer

Added by mhrivnak over 7 years ago. Updated about 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

When creating an object through the DRF-based REST API, if you include attributes that are not part of the model or serializer, they are silently ignored. That should instead result in a failed/rejected request.

I discovered this by trying to create a FileImporter and supplying a "feed" attribute. This was a mistake, because the attribute is named "feed_url". My "feed" was silently ignored, and it wasn't until I tried to sync that I discovered something was wrong.

ttereshc found these relevant discussions of the topic:

https://stackoverflow.com/questions/22178266/django-rest-framework-raise-error-when-extra-fields-are-present-on-post
https://stackoverflow.com/questions/22352960/how-to-make-a-rest-framework-serializer-disallow-superfluous-fields

(pulp) [vagrant@pulp3 pulp]$ http --auth admin:admin --json POST http://127.0.0.1:8000/api/v3/repositories/ name=foo description=foo scratchpad:='{}' notes:='{}' foo=123 bar=456
HTTP/1.0 201 CREATED
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Date: Thu, 10 Aug 2017 19:31:46 GMT
Location: http://127.0.0.1:8000/api/v3/repositories/foo/
Server: WSGIServer/0.2 CPython/3.5.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

{
    "_href": "http://127.0.0.1:8000/api/v3/repositories/foo/",
    "content": "http://127.0.0.1:8000/api/v3/repositories/foo/content/",
    "description": "foo",
    "importers": [],
    "last_content_added": null,
    "last_content_removed": null,
    "name": "foo",
    "notes": {},
    "publishers": [],
    "scratchpad": {}
}

Related issues

Related to Pulp - Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate()CLOSED - WONTFIXActions
Related to Pulp - Issue #3906: browsable API inserts a csrf token field into all form submissionsCLOSED - CURRENTRELEASEmilanActions
Actions #1

Updated by ttereshc over 7 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes
Actions #2

Updated by muattiyah over 6 years ago

Actions #3

Updated by daviddavis over 6 years ago

  • Status changed from NEW to POST
  • Assignee set to muattiyah

Added by muattiyah over 6 years ago

Revision c4f8e192 | View on GitHub

Raise error on unexpected parameters

Raise a ValidationError when unexpected parameters are passed to an endpoint.

fixes #2970 https://pulp.plan.io/issues/2970

Added by muattiyah over 6 years ago

Revision c4f8e192 | View on GitHub

Raise error on unexpected parameters

Raise a ValidationError when unexpected parameters are passed to an endpoint.

fixes #2970 https://pulp.plan.io/issues/2970

Actions #4

Updated by muattiyah over 6 years ago

  • Status changed from POST to MODIFIED
Actions #6

Updated by muattiyah over 6 years ago

  • Related to Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate() added
Actions #7

Updated by daviddavis over 6 years ago

  • Related to Issue #3906: browsable API inserts a csrf token field into all form submissions added
Actions #8

Updated by daviddavis over 5 years ago

  • Sprint/Milestone set to 3.0.0
Actions #9

Updated by bmbouter over 5 years ago

  • Tags deleted (Pulp 3)
Actions #10

Updated by bmbouter about 5 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF