Fixed encode#3751 -- Stopped listing all related field choices throug…
…h metadata.

Listing related fields can leak sensitive data and result in poor performance
when dealing with large result sets.

Large result sets should be exposed by a dedicated endpoint instead.
charettes committed Mar 29, 2016
1 parent 6b1125a commit 69c69b8
Showing 2 changed files with 17 additions and 2 deletions.
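--- a/rest_framework/metadata.py
+++ b/rest_framework/metadata.py
@@ -137,7 +137,9 @@ def get_field_info(self, field):
 elif getattr(field, 'fields', None):
 field_info['children'] = self.get_serializer_info(field)
 
-if not field_info.get('read_only') and hasattr(field, 'choices'):
+if (not field_info.get('read_only') and
+not isinstance(field, serializers.RelatedField) and
+hasattr(field, 'choices')):
 field_info['choices'] = [
 {
 'value': choice_value,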
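Review bot: The new `isinstance(field, serializers.RelatedField)` guard in `get_field_info` only matches single relations, so a relation declared with `many=True` probably still has its full choice list emitted in the OPTIONS metadata. As far as I know such fields are wrapped in `ManyRelatedField`, which derives from `Field` rather than `RelatedField` and exposes `choices` from its child relation; that class is not visible in this hunk, so please confirm. If so, the check should read `not isinstance(field, (serializers.RelatedField, serializers.ManyRelatedField)) and`, and `test_related_field_choices` in tests/test_metadata.py should gain a `many=True` case under the same `assertNumQueries(0)`. The body of `get_field_info` starts and ends outside the hunk.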
15 changes: 14 additions & 1 deletion tests/test_metadata.py
Expand Up @@ -11,6 +11,8 @@
from rest_framework.request import Request
from rest_framework.test import APIRequestFactory

from .models import BasicModel

request = Request(APIRequestFactory().options('/'))


Expand Down Expand Up @@ -261,10 +263,21 @@ def get_serializer(self):
view = ExampleView.as_view(versioning_class=scheme)
view(request=request)


class TestSimpleMetadataFieldInfo(TestCase):
def test_null_boolean_field_info_type(self):
options = metadata.SimpleMetadata()
field_info = options.get_field_info(serializers.NullBooleanField())
assert field_info['type'] == 'boolean'
self.assertEqual(field_info['type'], 'boolean')

def test_related_field_choices(self):
options = metadata.SimpleMetadata()
BasicModel.objects.create()
with self.assertNumQueries(0):
field_info = options.get_field_info(
serializers.RelatedField(queryset=BasicModel.objects.all())
)
self.assertNotIn('choices', field_info)


class TestModelSerializerMetadata(TestCase):
