Some properties do not remain private after constructing a serialised model

[danielniccoli]

Initial Checks

• I confirm that I'm using Pydantic V2

Description

After constructing a model from the same serialised model, some properties do not remain private.

SecurityGroupRequest.model_construct(**group_req.model_serialize())

This seems caused by inheritance.

Example Code

tl;dr the penultimate line should not fail

from uuid import uuid4

from pydantic import (
    BaseModel,
    ConfigDict,
    PrivateAttr,
    StrictBool,
    computed_field,
    constr,
)
from pydantic.alias_generators import to_camel
from pydantic.config import ConfigDict

config = ConfigDict(
    extra="forbid",
    frozen=True,
    hide_input_errors=True,
    validate_assignment=True,
    alias_generator=to_camel,
    populate_by_name=True,
)


class BaseRequest(BaseModel):
    model_config = config

    _requestor: tuple[str, str] = PrivateAttr()  # Todo: Make a list

    # Required properties for business process
    owner: str
    deputy: str
    description: constr(max_length=1000)

    def model_serialize(self):
        return {
            **dict(self),
            **self.__pydantic_private__,
        }

    @classmethod
    def model_deserialize(cls, serialized_model: dict):
        return cls.model_construct(**serialized_model)

    def to_json(self):
        return self.model_serialize()

    @classmethod
    def from_json(cls, serialized_model: dict):
        return cls.model_deserialize(serialized_model)


class SecurityGroupRequest(BaseRequest):
    display_name: constr(max_length=256)
    mail_enabled: StrictBool = False
    _mail_nickname = PrivateAttr(default_factory=lambda: str(uuid4())[:10])
    security_enabled: StrictBool = True

    @computed_field
    @property
    def mail_nickname(self) -> str:
        return self._mail_nickname


body: str = """
{
    "owner": "jon.doe@example.com",
    "deputy": "2e5467fc-9637-44ce-95b3-d4ded0fb86f3",
    "description": "This group contains all members of the finance department.",
    "displayName": "Finance",
    "mailEnabled": true,
    "securityEnabled": true
}
"""


group_req: SecurityGroupRequest = SecurityGroupRequest.model_validate_json(body)
group_req._requestor = ("jon.doe@example.com", "97a69865-1972-48fd-9639-0599be35e17c")

# Test that _mail_nickname and _requestor are `__pydantic_private__` fields.
assert group_req.__pydantic_private__.get("_mail_nickname")
assert group_req.__pydantic_private__.get("_requestor")

# Test that model_serialize() contains both, public and private properties
assert group_req.model_serialize().get("owner")
assert group_req.model_serialize().get("deputy")
assert group_req.model_serialize().get("description")
assert group_req.model_serialize().get("display_name")
assert group_req.model_serialize().get("mail_enabled")
assert group_req.model_serialize().get("security_enabled")
assert group_req.model_serialize().get("_mail_nickname")
assert group_req.model_serialize().get("_requestor")

# Test that model_construct() recreates all properties
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).owner == group_req.owner
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).deputy == group_req.deputy
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).description == group_req.description
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).display_name == group_req.display_name
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).mail_enabled == group_req.mail_enabled
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).security_enabled == group_req.security_enabled
assert SecurityGroupRequest.model_construct(**group_req.model_serialize())._mail_nickname == group_req._mail_nickname
assert SecurityGroupRequest.model_construct(**group_req.model_serialize())._requestor == group_req._requestor

# Test that model_dump_json() output not changed
assert group_req.model_dump_json() == SecurityGroupRequest.model_construct(**group_req.model_serialize()).model_dump_json()

# Test that priavte attributes remain private
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).__pydantic_private__.get("_requestor") # fails
assert SecurityGroupRequest.model_construct(**group_req.model_serialize()).__pydantic_private__.get("_mail_nickname") # succeeds

Python, Pydantic & OS Version

pydantic version: 2.5.3
        pydantic-core version: 2.14.6
          pydantic-core build: profile=release pgo=true
                 install path: C:\code\bug_pydantic\venv\Lib\site-packages\pydantic
               python version: 3.11.4 (tags/v3.11.4:d2340ef, Jun  7 2023, 05:45:37) [MSC v.1934 64 bit (AMD64)]
                     platform: Windows-10-10.0.19045-SP0
             related packages: email-validator-2.1.0.post1 typing_extensions-4.9.0

[sydney-runkle]

@danielniccoli,

Thanks for reporting this bug. Looks to be an issue specifically with the model_construct logic. We'll dig into this and come up with a fix.

If you're interested, feel free to submit a PR with a solution!