[Django]-Django rest framework: limit fields that can be updated

13👍

Django REST Framework provides the read_only and write_only attributes for controlling what is used for editing and what is not.

serializers.py

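from rest_framework import serializers

from .models import Snippet  # assumed location of the Snippet model


class SnippetSerializer(serializers.ModelSerializer):
    class Meta:
        model = Snippet
        fields = ('id', 'title', 'code', 'linenos', 'language', 'style')
        # Keys must match the names in `fields` exactly; a key that matches
        # no field is ignored and that field stays writable.
        extra_kwargs = {
            'id': {'read_only': True},
            'code': {'read_only': True},
            'linenos': {'read_only': True},
            'language': {'read_only': True},
            'style': {'read_only': True}
        }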

The above will return all the fields on read requests but only title will be writable.
You can find more at the official documentation:
http://www.django-rest-framework.org/api-guide/serializers/#specifying-read-only-fields

0👍

While @petkostas's answer is correct, it doesn’t give you a full picture of how to achieve it.

First, create a new serializer; let’s call it SnippetUpdateSerializer.

Now, you may have custom serializer fields like serializers.MethodFieldSerializer that you would have defined in SnippetSerializer, which you may not want to write again in your new serializer. A good approach is to use inheritance.

Taking the example from the question

class SnippetUpdateSerializer(SnippetSerializer):  # <- pay attention here

    class Meta(SnippetSerializer.Meta):  # <- pay attention here
        # Build a new dictionary: calling .update() on
        # SnippetSerializer.Meta.extra_kwargs here would also change the parent serializer.
        extra_kwargs = {
            **getattr(SnippetSerializer.Meta, 'extra_kwargs', {}),
            'id': {'read_only': True},
            'code': {'read_only': True},  # you can also use {'write_only': True} if you want this to be write only
            'linenos': {'read_only': True},
            'language': {'read_only': True},
            'style': {'read_only': True},
        }  # you may completely override by listing only your own keys, without SnippetSerializer.Meta.extra_kwargs

Now in your SnippetUpdateView, use the above serializer.

If you are using class-based views, then set serializer_class = SnippetUpdateSerializer

Another approach is to return a bad request from your update view if the user's request contains read_only fields. (not recommended)

👤Art
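
ModelSerializer only looks up extra_kwargs for names listed in fields, so a misspelled key is ignored and the field it was meant to protect stays writable. The check below is an added example, not code from either answer: it audits Meta-style declarations for that case and builds a subclass's extra_kwargs on a copy. `audit_meta`, `merged_extra_kwargs` and the sample classes are hypothetical names, and the audit reads only the declarations, not the model, so fields that are read-only because of the model itself are not detected.

```python
import copy


def audit_meta(meta):
    """Return (writable, unknown_keys) from a serializer Meta's declarations."""
    fields = list(getattr(meta, "fields", ()))
    extra = getattr(meta, "extra_kwargs", {})
    read_only = set(getattr(meta, "read_only_fields", ()))
    # Keys that name no declared field are never consulted, so they protect nothing.
    unknown = sorted(set(extra) - set(fields))
    writable = [
        name for name in fields
        if name not in read_only and not extra.get(name, {}).get("read_only", False)
    ]
    return writable, unknown


def merged_extra_kwargs(parent_meta, overrides):
    """Build a child's extra_kwargs without mutating the parent's dict."""
    merged = copy.deepcopy(getattr(parent_meta, "extra_kwargs", {}))
    for name, kwargs in overrides.items():
        merged.setdefault(name, {}).update(kwargs)
    return merged


# Constructed sample declarations (plain classes standing in for Meta).
FIELDS = ("id", "title", "code", "linenos", "language", "style")


class TypoMeta:
    fields = FIELDS
    extra_kwargs = {
        "id": {"read_only": True},
        "code": {"read_only": True},
        "lineos": {"read_only": True},  # misspelled: 'linenos' stays writable
        "language": {"read_only": True},
        "style": {"read_only": True},
    }


class BaseMeta:
    fields = FIELDS
    extra_kwargs = {"id": {"read_only": True}}


class UpdateMeta(BaseMeta):
    extra_kwargs = merged_extra_kwargs(
        BaseMeta, {name: {"read_only": True} for name in FIELDS if name != "title"}
    )


if __name__ == "__main__":
    for meta in (TypoMeta, BaseMeta, UpdateMeta):
        print(meta.__name__, audit_meta(meta))
```

Running the same comparison in a unit test against each serializer's real Meta catches a field that silently became writable before it reaches an update endpoint.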
