Consider I have models, a serializer and a viewset as below:
# models.py
class Foo(models.Model):
owner = models.ForeignKey(User, models.CASCADE, related_name="bars")
# serializers.py
class FooSerializer(serializers.ModelSerializer):
owner = serializers.PrimaryKeyRelatedField(
default=serializers.CurrentUserDefault(),
queryset=User.objects.all(),
)
class Meta:
fields = ["pk", "owner"]
# viewsets.py
# registered to /api/foos/
class FooViewSet(viewsets.ModelViewSet):
serializer_class = FooSerializer
permission_classes = [permissions.IsAuthenticated]
queryset = Foo.objects.all()
So, when I send a POST request to /api/foos/ with an empty body, it creates a Foo instance with its owner field set to the current logged-in user, which is fine.
However, I also want to totally ignore what the currently authenticated user sends as a value to owner. For example, if I do a POST request to /api/foos/ with body user=5 (another user, basically), CurrentUserDefault sets the Foo.owner to that user, which is not the behavior I want to have.
I always want to have the current authenticated user as the value of the field owner of a new Foo instance, or, in other words, I want FooSerializer.owner field to be set as currently authenticated user as a value and ignore what is sent on POST request as a value of owner.
How do I do that?
Thanks in advance.
Environment
- django ^2.2
- djangorestframework ^3.12.4
CodePudding user response:
Since you don't want owner to be modifiable via your serializer, I'd suggest you to remove the field from the serializer or make it read-only.
You can then set the owner using the serializer's save method that allows you to inject additional data.
A good place for this in your example would be the perform_create method of your ModelViewSet. For example:
class FooViewSet(viewsets.ModelViewSet):
serializer_class = FooSerializer
permission_classes = [permissions.IsAuthenticated]
queryset = Foo.objects.all()
def perform_create(self, serializer):
serializer.save(owner=self.request.user)