Fix unique_together validation with source #9482
Conversation
There was a problem hiding this comment.
hey thanks for the patch! whats your take on this comment #9442 (comment) ?
| @@ -159,17 +159,18 @@ def __call__(self, attrs, serializer): | |||
| queryset = self.filter_queryset(attrs, queryset, serializer) | |||
| queryset = self.exclude_current_instance(attrs, queryset, serializer.instance) | |||
|
|
|||
| checked_names = [ | |||
| serializer.fields[field_name].source for field_name in self.fields | |||
There was a problem hiding this comment.
Since fields is a dict it is more readable to iterate over values, also it should be a little faster.
| serializer.fields[field_name].source for field_name in self.fields | |
| field.source for field in self.fields.values() |
There was a problem hiding this comment.
Hi @sevdog thanks for the comment, but I believe self.fields is a list of strings, not dict.
There was a problem hiding this comment.
Yeah, sorry I was considering to be in an other class/file.
|
@encode/maintainers One of the most important aspects for REST framework right now is a maintenance team who consistently push back on pull requests. (See pinned discussion #9130, and PR #9392) In my view the churn and security issues associated with the 3.15 release and subsequent follow-ups clearly demonstrate that we need to draw a clear line here and stop accepting code pull requests, with absolutely the only exceptions being CVE'ed security issues and changes in Django versions don't pass against our CI. |
|
It a was a fix for a regression.... |
|
Fantastic! Thanks. Would it be possible to have a release with this fix? |
|
Are there any plans to release this fix? |
|
Sorry to bump again, but this is preventing us from upgrading and thus fixing a security advisory. Can you please do a release? |
upgrade `django-rest-framework` to `3.16.0` The reverted commit is purely an optimization which unfortunately breaks authentik, specifically Blueprints. It adds `getattr(serializer.instance, field)` to a validator. If `field` is a `RelatedObject`, that invocation queries the database. When authentik creates objects using Blueprints, it doesn't place related objects into the database before the validator tries to get them from there, so with the reverted commit, it produces `RelatedObjectDoesNotExist`. Perhaps a long-term solution is to revise how Blueprints work, or perhaps it is to change upstream. But in the meantime, Django 5.0 support ended and upgrading to Django 5.1 requires an upgrade of `django-rest-framework` to `3.16.0`, hence this workaround. See - encode/django-rest-framework#9154 - encode/django-rest-framework#9358 - encode/django-rest-framework#9482 - encode/django-rest-framework#9483
This fixed #9442
Fields with specified sources should now be handled correctly.
The unique together queryset with condition is another separated issue, which should be addressed in #9360