Skip to content

[PR #7717/e2c3f4db backport][3.111] Don't leak overwrite kwarg into plugin validated_data#7718

Merged
ggainey merged 1 commit into
3.111from
patchback/backports/3.111/e2c3f4dbf4620feb16b27c5c11b3a9ae920d067e/pr-7717
May 14, 2026
Merged

[PR #7717/e2c3f4db backport][3.111] Don't leak overwrite kwarg into plugin validated_data#7718
ggainey merged 1 commit into
3.111from
patchback/backports/3.111/e2c3f4dbf4620feb16b27c5c11b3a9ae920d067e/pr-7717

Conversation

@patchback
Copy link
Copy Markdown

@patchback patchback Bot commented May 14, 2026

This is a backport of PR #7717 as merged into main (e2c3f4d).

Problem

The overwrite field added in #7550 (commit f6dc7b9) on NoArtifactContentSerializer was declared with default=True. DRF auto-injects any field with a default=... into validated_data even when the caller does not supply it, so plugins that splat **serializer.validated_data into a content model constructor were broken by the unexpected overwrite=True kwarg.

For example, in pulp_deb's sync stage (pulp_deb/app/tasks/synchronizing.py:1057):

serializer = serializer_class.from822(data=package_paragraph)
serializer.is_valid(raise_exception=True)
package_content_unit = package_class(
    relative_path=package_relpath,
    sha256=package_sha256,
    **serializer.validated_data,   # <-- now contains overwrite=True
)

The Django Package model has no overwrite field, so:

TypeError: Package() got unexpected keyword arguments: 'overwrite'

This caused 10 functional test_sync tests in pulp_deb to fail.

The other inherited control fields on NoArtifactContentSerializer (repository, pulp_labels) don't trigger the same issue because none of them declare a default=, so DRF only puts them into validated_data when explicitly supplied. overwrite was the only one that leaked unconditionally.

Fix

Remove the default=True from the field declaration. The existing validated_data.pop("overwrite", True) in NoArtifactContentSerializer.create() already encodes the "absent ⇒ True" semantics, so there is no behavior change for REST API callers:

Caller behavior Before After
Omits overwrite validated_data["overwrite"] = True, pop returns True → silent overwrite Field absent from validated_data, pop("overwrite", True) returns True → silent overwrite
Sends overwrite: false Field validates → False in validated_data → check runs Same
Sends overwrite: true Field validates → True in validated_data → silent overwrite Same

Verification

  • All 7 existing tests in pulp_file/tests/functional/api/test_overwrite_content.py still pass.
  • The 10 pulp_deb test_sync failures are resolved by this change alone.

AI attribution

AI-Generated: github-copilot

@daviddavis @patchback
Don't leak overwrite kwarg into plugin validated_data
df02ac4 
The overwrite field on NoArtifactContentSerializer was declared with
default=True, which causes DRF to inject overwrite=True into
validated_data even when the caller omits it. This broke plugins that
splat **validated_data into a content model constructor (e.g. pulp_deb
sync), producing:

    TypeError: Package() got unexpected keyword arguments: 'overwrite'

Drop the field-level default and rely on the existing
validated_data.pop('overwrite', True) in create() to preserve the
'absent => True' semantics. No behavior change for API callers.

AI-Generated: github-copilot
(cherry picked from commit e2c3f4d)
@patchback patchback Bot mentioned this pull request May 14, 2026
Merged
@ggainey ggainey enabled auto-merge (rebase) May 14, 2026 17:26
@ggainey ggainey merged commit 9661f13 into 3.111 May 14, 2026
25 of 27 checks passed
@ggainey ggainey deleted the patchback/backports/3.111/e2c3f4dbf4620feb16b27c5c11b3a9ae920d067e/pr-7717 branch May 14, 2026 18:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggainey ggainey ggainey approved these changes

Assignees

No one assigned

Labels

no-issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ggainey @daviddavis