POST should not be treated as PUT

[vesterbaek]

If I have the following model

class MyModel:
    id = models.CharField(primary_key=True)

If I POST the following data

{"id" : "1234"} 

I get a 201 (correct). If I POST the data again, I get a 201 again (not correct). Tastypie should return a HTTP_CONFLICT 409 since an object with the same PK already exists.

For some reason, it seems POSTs are treated as PUTs via the convert_post_to_put function (https://github.com/toastdriven/django-tastypie/blob/5f9b7b040b02aed0ebd3566151a3bce42d5ef300/tastypie/resources.py#L2087). I cannot understand why this is done since POST and PUT are very different in that PUT is an idempotent request while POST is not.

[bohde]

convert_post_to_put only works if the method is PUT. I don't think it comes into play here.

[JohnRandom]

I might not come into play but it feels like.

Saving newly created objects in django that have a pk value already assigned (like an id for example) overrides another resource that has the same pk. This way you can use POST to override an existing resource which make it feel like a PUT -> POST conversion. I'm not really sure it's tastypies job to prevent such a behavior, as it seems like django intents this. It should probably be part of a custom authorization to check for the existence of a pk before a new resource is being created.

Example:

>>> m = Model.objects.get(pk=1, name='example')
<Model: example>
>>> m2 = Model.objects.create(pk=1, name'overriden!')
<Model: overriden!>
>>> m2.pk
1

[nkeilar]

+1 - is there a good workaround for this? I don't really want my admin user being nuked by a crafted POST request.