Skip to content

API appears to accept any user when creating objects, but always sets to request.user #1

New issue
New issue
Open
Open
API appears to accept any user when creating objects, but always sets to request.user#1
@boulderdave

Description

@boulderdave
boulderdave
opened on May 24, 2016

Because the serializer does not have "user" as a read only field, the API asks for a user (which would be a security/abuse concern) - and then overwrites it with request.user (which is great - and is not a security/abuse concern).

For example: https://github.com/tixdo/votes/blob/master/votes/api.py#L39

I would suggest setting read_only on 'user' on the serializer.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions