Comments (6)
tomchristie
commented on June 12, 2024
1
Okay, synopsis on this...
- This issue occurs when PUT requests with partially incomplete data are made, on 3.15.0.
- The issue has been resolved in 3.15.1.
- The issue was introduced in #9030.
- There were also a prior attempts to introduce the same (broken) behavior in #8130.
- We do have unit tests covering the change in this
ModelSerializer -> Serializerbehavior, but we didn't have an integration test that would have highlighted the effect of that change. - There were a number of different eyes on that change, the impact wasn't spotted and there was insufficiently strong pushback. "I'm a bit reluctant, simply because at this point in it's lifecycle almost any change in REST framework ends up having unintended side-effects for existing users, and I could easily see this being the case for this change. We've used "default on the model => not required on the serializer" since ~forever."
- We are focused on tightening up project maintainership policies to ensure we're not at risk of similar issues occurring in the future.
Our policy (in my view) should be a very clear...
No pull requests will be accepted except for:
- Changes required to support newer Django releases.
- Security fixes.
- Documentation improvements.
...The project is mature, with plenty of scope for third party packages and adaptation. Further changes at this point are just creating risk, churn, and unnecessary busy-work.
No shade, we're all in the same boat here.
Best any of us can ask is learn and improve.
from django-rest-framework.
astifter
commented on June 12, 2024
Okay, I RTFM and I would use .initial_data to see if the content_type is user provided or not, correct approach?
from django-rest-framework.
henribru
commented on June 12, 2024
There's another side-effect of this change that leads to a huge breaking change for non-partial updates (PUT) of fields with default values. Previously if you didn't include a field with a default value when doing a PUT request, that field wouldn't get updated. It would just retain its current value, similarly to if you had done a partial update (PATCH) (the reason you're allowed to not pass it in the PUT is that the default leads to it not being required)
But now that field gets updated to the default value instead! This seems very dangerous since it could lead to data loss for anyone who's previously not been passing the current value along for all fields with defaults in PUT requests.
from django-rest-framework.
astifter
commented on June 12, 2024
There's another side-effect of this change that leads to a huge breaking change for non-partial updates (PUT) of fields with default values. Previously if you didn't include a field with a default value when doing a PUT request, that field wouldn't get updated. It would just retain its current value, similarly to if you had done a partial update (PATCH) (the reason you're allowed to not pass it in the PUT is that the default leads to it not being required)
But now that field gets updated to the default value instead! This seems very dangerous since it could lead to data loss for anyone who's previously not been passing the current value along for all fields with defaults in PUT requests.
Good point.
from django-rest-framework.
peterthomassen
commented on June 12, 2024
But now that field gets updated to the default value instead! This seems very dangerous since it could lead to data loss for anyone who's previously not been passing the current value along for all fields with defaults in PUT requests.
Indeed! This is actually the most dramatic of all the regressions in this release.
In our case, it means that users sending at PUT request on our /tokens endpoint with a name in the request payload will get their permissions altered in an unexpected way. Uh!
It would be great if such basic REST API guarantees were covered by tests.
from django-rest-framework.
astifter
commented on June 12, 2024
Our policy (in my view) should be a very clear...
No pull requests will be accepted except for:
- Changes required to support newer Django releases.
- Security fixes.
- Documentation improvements.
...The project is mature, with plenty of scope for third party packages and adaptation. Further changes at this point are just creating risk, churn, and unnecessary busy-work.
No shade, we're all in the same boat here. Best any of us can ask is learn and improve.
I welcome the decision of a maintainer to declare a project "done". Its a rare occurrence and would serve other mature projects well.
from django-rest-framework.
Related Issues (20)
- 3.15 not backwards compatible with 3.14 - "View' should either include a `queryset` attribute, or override the `get_queryset()` method." HOT 11
- 3.15 backward compatibility issue with 3.14 - `rest_framework.filters.SearchFilter.get_search_terms` returns `str` instead of `list` HOT 3
- 3.15 regression: ListSerializer ValidationErrors silently changed return type
- 3.15 regression: ListSerializer ValidationError nested structure silently changed HOT 1
- 3.15 regression: UpdateModelMixin breaks views using Manager objects as queryset HOT 4
- Version 3.15.1 HOT 1
- 3.15 regression: Unset default namespace version suddenly raises 404 HOT 3
- 3.15(.1?) regression: optional fields in serializers are suddenly required (or need explicit None passed) HOT 11
- UniqueConstraint violation_error_message as error response in drf
- rest-framework Supports async class views ?
- 3.15 regression: Serializer validation failed for unique together constraint HOT 2
- Revert changes to `CursorPagination` that caused serious performance regression HOT 3
- Router.register cannot merge with urlpatters HOT 3
- UniqueTogetherValidator does not comply to Database standards
- HyperlinkedModelSerializer doesn't respect SECURE_PROXY_SSL_HEADER settings
- 3.15 is raising required error on model nullable fields HOT 6
- DRF generic views not fire post_save signal HOT 11
- [self-tests] cleanup order of `TestUrlPatternTestCase` HOT 1
- a question about BooleanField HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-rest-framework.