New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nested excludes get overwritten #728

Closed
timc13 opened this Issue Jan 25, 2018 · 8 comments

Comments

Projects
None yet
4 participants
@timc13

timc13 commented Jan 25, 2018

It seems whenever an parent level exclude is specified with dot notation, the child field level excludes are overwritten. It would be great if they could be concatenated.

Here's an example:

from marshmallow import fields, Schema

class FooChildSchema(Schema):
    boo = fields.String()
    far = fields.String()
    faz = fields.String()

class FooSchema(Schema):
    foo = fields.String()
    bar = fields.String()
    baz = fields.String()
    child = fields.Nested(FooChildSchema, exclude=('boo',))

obj = {
    'foo': 'foo',
    'bar': 'bar',
    'baz': 'baz',
    'child': {
        'boo': 'boo',
        'far': 'far',
        'faz': 'faz',
    },
}

serialized = FooSchema(exclude=('foo', 'child.faz')).dump(obj).data
print(serialized)

I expect :

{'child': {'far': 'far'}, 'baz': 'baz', 'bar': 'bar'}

instead, I get:

{'child': {'far': 'far', 'boo': 'boo'}, 'baz': 'baz', 'bar': 'bar'}
@timc13

This comment has been minimized.

timc13 commented Jan 30, 2018

is this expected behavior? Do we want nesting to include parent excludes ?

@timc13

This comment has been minimized.

timc13 commented Feb 12, 2018

@sloria any thoughts on this?

@lafrech

This comment has been minimized.

Member

lafrech commented Apr 12, 2018

I also think the child schema should exclude the union of the two exclude parameters. In fact, it should include only the intersection of the only parameters minus the union of the exclude.

Would you like to propose a PR for this?

@deckar01

This comment has been minimized.

Member

deckar01 commented Apr 12, 2018

I will start writing some tests for this issue and see if there are any edge cases that need more discussion. I implemented the offending feature in #468, and it turned out a little more complex than I expected.

@deckar01

This comment has been minimized.

Member

deckar01 commented Apr 12, 2018

I ran into a funky edge case that has security implications. I reported the underlying issue as #772.

class ChildSchema(Schema):
    foo = fields.Field()
    bar = fields.Field()

class ParentSchema(Schema):
    baz = fields.Nested(ChildSchema, only=('bar',))

schema = ParentSchema(only=('baz.foo',))

The result of the intersections of these only options is an empty set, which we treat as disabling the only filter...

This change to only would make it possible to get unfiltered data without explicitly supplying any falsy values to only, so I think #772 needs to be fixed first.

@deckar01 deckar01 self-assigned this Apr 12, 2018

@deckar01

This comment has been minimized.

Member

deckar01 commented Apr 12, 2018

Here is a working fix for this issue: 2.x-line...deckar01:728-only-exclude-inheritance-fix

It has a failing test due to #772.

@deckar01

This comment has been minimized.

Member

deckar01 commented Apr 26, 2018

I will pick this back up now that #772 is fixed. Thanks @lafrech.

@timc13

This comment has been minimized.

timc13 commented May 8, 2018

@deckar01 don't mean to be annoying - but hopefully you havent forgotten about this? :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment