Fix validation for ListSerializer when many=True

[p-r-a-v-i-n]

Added tests and ensured that ListSerializer properly validates multiple objects when many=True.
Covers both valid and invalid data scenarios.

Changes include:

• Tests for validating multiple instances when many=True was passed.
• Tests for handling invalid data in a list
• Simplified ListSerializer usage in tests without custom run_child_validation

This aligns with the ongoing Django REST Framework issue #8926

[browniebroke]

This line assumes that the primary key field is called "id" or "pk" but it could be called anything and DRF can't know it in advance so this fix will work in a limited subset of cases.

[p-r-a-v-i-n]

You are correct , but in the existing TestListSerializerContainingNestedSerializer class was using hardcoded 'pk' keys.
But your argument make sense and i have updated the it.

[browniebroke]

The difference with TestListSerializerContainingNestedSerializer is that this is demonstrating something that would be implemented by the consumers of DRF, showing how one would override run_child_validation to match up the instance with the provided data, which is highly dependant on the use case.

Here, you're doing that in the library code.

[browniebroke]

Minor: would be nice to not duplicate this serializer in each test function (see the other classes above for some examples on how to do that).

[browniebroke]

I can see plenty of ways to break this: what if the PK is a UUID field called id but serialized as uuid? Sometimes it's called uid... Are we going to handle all possible field name people are using in the wild?

[p-r-a-v-i-n]

That’s true, but the same is already true for single updates. If the PK is serialized under a different name (e.g. uuid, uid, etc.), DRF can’t resolve it automatically there either unless the serializer is customized.

If anything works for single updates, it will also work for bulk updates, the constraints are the same.

[browniebroke]

I disagree, with a single instance, you have the instance and the data, so it's a 1 to 1 mapping and you know it should match.

With a list of dicts on one hand and a list of instances/queryset on the other, you need to map which dict corresponds to which instance.

This mapping will depend on the use case, and needs a unique identifier somewhere (which could be anything: PK, email, slug, combination of fields...). Hence why users need to do it, DRF can't do it for them.

[p-r-a-v-i-n]

I see your point about single updates having a direct instance - data mapping. But I’d still argue the difference is one of quantity rather than fundamentals.

Even in single updates, DRF assumes that the mapping is correct only because the caller provided the right instance. If the serializer is misaligned (e.g. PK serialized under another field, or a different uniqueness condition like email/slug), DRF doesn’t solve that, the user has to customize the serializer.

For bulk updates, the requirement is the same: there needs to be some unique identifier to match instance ↔ data. Whether that identifier is pk, uuid, email, or something else, the logic isn’t different from single updates, just applied across a list.

So I don’t see it as “DRF can’t do it at all,” but more that DRF could apply the same assumptions it already makes in the single case, and users who need different identifiers would still override/customize.

[p-r-a-v-i-n]

I think this example is a bit overestimated. If the model’s primary key is id, it’s not a common or practical scenario to remap it to uuid and then expect DRF to resolve it automatically during updates.

In this setup, even single-object updates wouldn’t work without extra customization, since the serializer no longer exposes the real PK field. That’s not a limitation of bulk updates, it’s a limitation of how the serializer is defined. So I don’t think this example shows a specific weakness of many=True updates.