Serializer does not respect Python's C3 MRO #7735

iamahuman · 2021-03-01T09:35:14Z

Checklist

I have verified that that issue exists against the master branch of Django REST framework.
I have searched for similar issues in both open and closed tickets and cannot find a duplicate. (Fix serializer multiple inheritance bug #6980 and Inheriting multiple Serializers gives unexpected order of overloading of fields #5798 are related.)
This is not a usage question. (Those should be directed to the discussion group instead.)
This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
I have reduced the issue to the simplest possible case.
I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

from rest_framework import serializers

# dummy fields for demonstration
class AllProductsField(serializers.Field): pass
class SupportedProductsField(serializers.Field): pass

class CommonSerializer(serializers.Serializer):
    product = AllProductsField()

class CustomerAccess(CommonSerializer):
    def validate_product(self, value):
        return do_something(value)

class TicketSerializer(CommonSerializer):
    product = SupportedProductsField()

class CustomerTicketSerializer(CustomerAccess, TicketSerializer):
    pass

print('[' + ' > '.join(x.__name__ for x in CustomerTicketSerializer.mro()[:4]) + ']')
print(str(CustomerTicketSerializer()))

Expected behavior

[CustomerTicketSerializer > CustomerAccess > TicketSerializer > CommonSerializer]
CustomerTicketSerializer():
    product = SupportedProductsField()

Actual behavior

[CustomerTicketSerializer > CustomerAccess > TicketSerializer > CommonSerializer]
CustomerTicketSerializer():
    product = AllProductsField()

Remarks

For compatibility I think this behavior shall be kept for a while, but not respecting Python MRO may turn out to be astonishing for some users and even lead to potential security problems (e.g. choice-limiting queryset not properly overridden).

The text was updated successfully, but these errors were encountered:

tomchristie · 2021-03-09T10:41:51Z

When I was working through this, my expected behaviour was product = AllProductsField(), because CustomerAccess > TicketSerializer.

So I'd suggest it's a usage to be avoided, given that it's unclear which behaviour you'd expect to see.

iamahuman · 2021-03-09T15:18:03Z

When I was working through this, my expected behaviour was product = AllProductsField(), because CustomerAccess > TicketSerializer.

Thanks for sharing your thoughts! I respect your idea on this.

So I'd suggest it's a usage to be avoided,

Are you open to having this usage documented as a pattern to be avoided?

If this is the case, I'd be happy to make a pull request on it. Perhaps it might be a good idea to also detect and explicitly warn the user about this at runtime.

given that it's unclear which behaviour you'd expect to see.

IMHO some folks used to how Python resolves multiple base classes may find the expected behavior stated above more "intuitive."

For anyone not familiar with MRO, suppose the serializers.Serializer inheritance is removed:

from rest_framework import serializers

# dummy fields for demonstration
class AllProductsField(serializers.Field): pass
class SupportedProductsField(serializers.Field): pass

class CommonSerializer:
    product = AllProductsField()

class CustomerAccess(CommonSerializer):
    def validate_product(self, value):
        return do_something(value)

class TicketSerializer(CommonSerializer):
    product = SupportedProductsField()

class CustomerTicketSerializer(CustomerAccess, TicketSerializer):
    pass

print('product =', CustomerTicketSerializer().product)

This code would produce product = SupportedProductsField().

Although this case may be solved by omitting the base class from the CustomerAccess mixin, I'm afraid some users might get tripped by this edge case. Plus there may be other instances that may not be immediately obvious.

tomchristie · 2021-03-10T09:10:50Z

Personally I think this kind of usage invites confusion either ways around, and is best avoided.

iamahuman · 2021-03-11T01:31:52Z

Personally I think this kind of usage invites confusion either ways around, and is best avoided.

Do you think if this (anti-)pattern is worth being documented?

If this is the case, I'd be happy to make a pull request on it. Perhaps it might be a good idea to also detect and explicitly warn the user about this at runtime.

tomchristie · 2021-03-11T09:12:28Z

Not particularly, no. I think it's just one of those things that comes with the territory.
Python's a dynamic language that lets you do all sorts of weirdness if you want too.

tomchristie closed this as completed Mar 9, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Serializer does not respect Python's C3 MRO #7735

Serializer does not respect Python's C3 MRO #7735

iamahuman commented Mar 1, 2021 •

edited

tomchristie commented Mar 9, 2021

iamahuman commented Mar 9, 2021 •

edited

tomchristie commented Mar 10, 2021

iamahuman commented Mar 11, 2021

tomchristie commented Mar 11, 2021

Serializer does not respect Python's C3 MRO #7735

Serializer does not respect Python's C3 MRO #7735

Comments

iamahuman commented Mar 1, 2021 • edited

Checklist

Steps to reproduce

Expected behavior

Actual behavior

Remarks

tomchristie commented Mar 9, 2021

iamahuman commented Mar 9, 2021 • edited

tomchristie commented Mar 10, 2021

iamahuman commented Mar 11, 2021

tomchristie commented Mar 11, 2021

iamahuman commented Mar 1, 2021 •

edited

iamahuman commented Mar 9, 2021 •

edited