Issue #2970

REST API silently ignores object attributes that don't exist on the serializer

Added by mhrivnak about 2 years ago. Updated 6 months ago.

Status: MODIFIED
Priority: High
Category: -
Severity: 2. Medium
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Verified: No
Verification Required: No

Description

When creating an object through the DRF-based REST API, if you include attributes that are not part of the model or serializer, they are silently ignored. That should instead result in a failed/rejected request.

I discovered this by trying to create a FileImporter and supplying a "feed" attribute. This was a mistake, because the attribute is named "feed_url". My "feed" was silently ignored, and it wasn't until I tried to sync that I discovered something was wrong.

@ttereshc found these relevant discussions of the topic:

https://stackoverflow.com/questions/22178266/django-rest-framework-raise-error-when-extra-fields-are-present-on-post
https://stackoverflow.com/questions/22352960/how-to-make-a-rest-framework-serializer-disallow-superfluous-fields

(pulp) [vagrant@pulp3 pulp]$ http --auth admin:admin --json POST http://127.0.0.1:8000/api/v3/repositories/ name=foo description=foo scratchpad:='{}' notes:='{}' foo=123 bar=456
HTTP/1.0 201 CREATED
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Date: Thu, 10 Aug 2017 19:31:46 GMT
Location: http://127.0.0.1:8000/api/v3/repositories/foo/
Server: WSGIServer/0.2 CPython/3.5.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

{
    "_href": "http://127.0.0.1:8000/api/v3/repositories/foo/",
    "content": "http://127.0.0.1:8000/api/v3/repositories/foo/content/",
    "description": "foo",
    "importers": [],
    "last_content_added": null,
    "last_content_removed": null,
    "name": "foo",
    "notes": {},
    "publishers": [],
    "scratchpad": {}
}

Related issues

Related to Pulp - Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate() (NEW)
Related to Pulp - Issue #3906: browsable API inserts a csrf token field into all form submissions (MODIFIED)

Associated revisions

Revision c4f8e192
Added by muattiyah over 1 year ago

Raise error on unexpected parameters

Raise a ValidationError when unexpected parameters are passed to an endpoint.

fixes #2970
https://pulp.plan.io/issues/2970

History

#1 Updated by ttereshc about 2 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes

#2 Updated by muattiyah over 1 year ago

#3 Updated by daviddavis over 1 year ago

  • Status changed from NEW to POST
  • Assignee set to muattiyah

#4 Updated by muattiyah over 1 year ago

  • Status changed from POST to MODIFIED

#5 Updated by daviddavis over 1 year ago

  • Smash Test set to 1085

#6 Updated by muattiyah over 1 year ago

  • Related to Issue #3785: pulpcore-plugin does not have documentation for ModelSerializer.validate() added

#7 Updated by daviddavis about 1 year ago

  • Related to Issue #3906: browsable API inserts a csrf token field into all form submissions added

#8 Updated by daviddavis 6 months ago

  • Sprint/Milestone set to 3.0

#9 Updated by bmbouter 6 months ago

  • Tags deleted (Pulp 3)
