Skip to content

Fix validation for ListSerializer when many=True #9774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
+174 −1
Open

Fix validation for ListSerializer when many=True #9774

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c3a8ad9
updated child validation for ListSerializer
p-r-a-v-i-n Sep 1, 2025
33b4977
Add another failing test
browniebroke Sep 2, 2025
395cebe
Add a test to show how single updates work
browniebroke Sep 3, 2025
7ef2f1d
Fix child instance resolution in ListSerializer
p-r-a-v-i-n Sep 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions rest_framework/serializers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -652,6 +652,26 @@ def run_child_validation(self, data):
self.child.initial_data = data
return super().run_child_validation(data)
"""
child_instance = getattr(self.child, "instance", None)

if self.instance is not None:
pk_name = None
child_meta = getattr(self.child, "Meta", None)
model = getattr(child_meta, "model", None) if child_meta else None

if model is not None:
pk_name = model._meta.pk.name

if pk_name:
obj_id = data.get(pk_name, data.get("pk", data.get("id")))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see plenty of ways to break this: what if the PK is a UUID field called id but serialized as uuid? Sometimes it's called uid... Are we going to handle all possible field name people are using in the wild?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That’s true, but the same is already true for single updates. If the PK is serialized under a different name (e.g. uuid, uid, etc.), DRF can’t resolve it automatically there either unless the serializer is customized.

If anything works for single updates, it will also work for bulk updates, the constraints are the same.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree, with a single instance, you have the instance and the data, so it's a 1 to 1 mapping and you know it should match.

With a list of dicts on one hand and a list of instances/queryset on the other, you need to map which dict corresponds to which instance.

This mapping will depend on the use case, and needs a unique identifier somewhere (which could be anything: PK, email, slug, combination of fields...). Hence why users need to do it, DRF can't do it for them.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point about single updates having a direct instance - data mapping. But I’d still argue the difference is one of quantity rather than fundamentals.

Even in single updates, DRF assumes that the mapping is correct only because the caller provided the right instance. If the serializer is misaligned (e.g. PK serialized under another field, or a different uniqueness condition like email/slug), DRF doesn’t solve that, the user has to customize the serializer.

For bulk updates, the requirement is the same: there needs to be some unique identifier to match instance ↔ data. Whether that identifier is pk, uuid, email, or something else, the logic isn’t different from single updates, just applied across a list.

So I don’t see it as “DRF can’t do it at all,” but more that DRF could apply the same assumptions it already makes in the single case, and users who need different identifiers would still override/customize.

if obj_id is not None:
for obj in self.instance:
if hasattr(obj, pk_name) and getattr(obj, pk_name) == obj_id:
child_instance = obj
break

self.child.instance = child_instance
self.child.initial_data = data
return self.child.run_validation(data)

def to_internal_value(self, data):
Expand Down
27 changes: 27 additions & 0 deletions tests/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,3 +150,30 @@ def __new__(cls, *args, **kwargs):
help_text='OneToOneTarget',
verbose_name='OneToOneTarget',
on_delete=models.CASCADE)


class ListModelForTest(RESTFrameworkModel):
name = models.CharField(max_length=100)
status = models.CharField(max_length=100, blank=True)

@property
def is_valid(self):
return self.name == 'valid'


class EmailPKModel(RESTFrameworkModel):
email = models.EmailField(primary_key=True)
name = models.CharField(max_length=100)

@property
def is_valid(self):
return self.name == 'valid'


class PersonUUID(RESTFrameworkModel):
id = models.UUIDField(primary_key=True)
name = models.CharField(max_length=100)

@property
def is_valid(self):
return self.name == 'valid'
93 changes: 92 additions & 1 deletion tests/test_serializer_lists.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@
from rest_framework import serializers
from rest_framework.exceptions import ErrorDetail
from tests.models import (
CustomManagerModel, NullableOneToOneSource, OneToOneTarget
CustomManagerModel, EmailPKModel, ListModelForTest, NullableOneToOneSource,
OneToOneTarget, PersonUUID
)


Expand Down Expand Up @@ -775,3 +776,93 @@ def test(self):
queryset = NullableOneToOneSource.objects.all()
serializer = self.serializer(queryset, many=True)
assert serializer.data


@pytest.mark.django_db
class TestManyTrueValidationCheck:
"""
Tests ListSerializer validation with many=True across different primary key types
(integer and email).
"""

def setup_method(self):
self.obj1 = ListModelForTest.objects.create(name="valid", status="new")
self.obj2 = ListModelForTest.objects.create(name="invalid", status="")
self.email_obj1 = EmailPKModel.objects.create(email="[email protected]", name="A")
self.email_obj2 = EmailPKModel.objects.create(email="[email protected]", name="B")

self.serializer, self.email_serializer = self.get_serializers()

def get_serializers(self):
class ListModelForTestSerializer(serializers.ModelSerializer):
class Meta:
model = ListModelForTest
fields = ("id", "name", "status")

def validate_status(self, value):
if value and not self.instance.is_valid:
return False
return value

class EmailPKSerializer(serializers.ModelSerializer):
class Meta:
model = EmailPKModel
fields = ("email", "name")
read_only_fields = ('email',)

def validate_name(self, value):
if value and not self.instance.is_valid:
return False
return value

return ListModelForTestSerializer, EmailPKSerializer

def test_run_child_validation_with_many_true(self):
input_data = [
{"id": self.obj1.pk, "name": "other", "status": "new"},
{"id": self.obj2.pk, "name": "valid", "status": "progress"},
]

serializer = self.serializer([self.obj1, self.obj2], data=input_data, many=True)
assert serializer.is_valid(), serializer.errors

serializer = self.serializer(ListModelForTest.objects.all(), data=input_data, many=True)
assert serializer.is_valid(), serializer.errors

def test_validation_error_for_invalid_data(self):
input_data = [{"id": self.obj1.pk, "name": "", "status": "mystatus"}]

serializer = self.serializer([self.obj1], data=input_data, many=True)
assert not serializer.is_valid()
assert "name" in serializer.errors[0]

def test_email_pk_instance_validation(self):
input_data = [{"email": "[email protected]", "name": "bar"}]
serializer = self.email_serializer(instance=EmailPKModel.objects.all(), data=input_data, many=True)
assert serializer.is_valid(), serializer.errors

def test_uuid_validate_many(self):
PersonUUID.objects.create(id="c20f2f31-65a3-451f-ae7d-e939b7d9f84b", name="valid")
PersonUUID.objects.create(id="3308237e-18d8-4074-9d05-79cc0fdb5bb3", name="other")

class PersonUUIDSerializer(serializers.ModelSerializer):
uuid = serializers.UUIDField(source="id")

class Meta:
model = PersonUUID
fields = ("uuid", "name")
read_only_fields = ('uuid',)

def validate_name(self, value):
if value and not self.instance.is_valid:
return False
return value

input_data = [
{
"uuid": "t3308237e-18d8-4074-9d05-79cc0fdb5bb3",
"name": "bar",
},
]
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this example is a bit overestimated. If the model’s primary key is id, it’s not a common or practical scenario to remap it to uuid and then expect DRF to resolve it automatically during updates.

In this setup, even single-object updates wouldn’t work without extra customization, since the serializer no longer exposes the real PK field. That’s not a limitation of bulk updates, it’s a limitation of how the serializer is defined. So I don’t think this example shows a specific weakness of many=True updates.

serializer = PersonUUIDSerializer(instance=list(PersonUUID.objects.all()), data=input_data, many=True)
assert serializer.is_valid(), serializer.errors
Loading