Tastypie - 在PUT上创建错误的捆绑对象

Question

我发现Tastypie创建捆绑对象的方式存在一些问题：

1）当我对Card资源的详细端点进行PUT（参见下面的tests.py）而不包括“id”字段时，不是从URI更新资源，而是创建新资源。

2）另一个更重要的问题是，如果我包含“id”字段，则更新“id”中指示的资源，而不是URI中的资源;这意味着我可以通过指向任何其他细节URI来更新任何资源（我还没有内置auth，但这可能是将来的授权问题。）

下面的第一个测试失败（除非我在模型字段定义中删除default = uuid1_as_base64并在模型的save方法中实现逻辑）并且下面的第二个测试通过，即使它不应该通过。

这里发生了什么？

tests.py

def test_PUT_detail(self):

    # Test 1: PUT to detail endpoint of card 1 without an ID field

    put_data = {'text': 'wakka wakka'}
    response = self.api_client.put(
        uri='/api/v1/cards/rpHBJNOkEeKr2hTa6Uod1w/', # card 1 uri
        data=put_data
    )
    self.assertEqual(self.card_1.read_file(), 'wakka wakka')


    # Test 2: PUT to detail endpoint of card 1 with ID field of card 2

    put_data = {'id': 'twt_UtOkEeKsuxTa6Uod1w', 'text': 'wakka wakka'}
    response = self.api_client.put(
        uri='/api/v1/cards/rpHBJNOkEeKr2hTa6Uod1w/', # still card 1 uri
        data=put_data
    )
    self.assertEqual(self.card_2.read_file(), 'wakka wakka')

在上述测试期间创建的Bundle对象：

#Test 1
<Bundle for obj: 'rpHBJNOkEeKr2hTa6Uod1w' and with data: '{'text': u'wakka wakka', 'pk': u'rpHBJNOkEeKr2hTa6Uod1w'}'>

#Test 2 (notice how both the id field and pk field are included)
<Bundle for obj: 'twt_UtOkEeKsuxTa6Uod1w' and with data: '{'text': u'wakka wakka', 'id':   u'twt_UtOkEeKsuxTa6Uod1w', 'pk': u'rpHBJNOkEeKr2hTa6Uod1w'}'>

api.py

class CardResource(ModelResource):
    text = fields.CharField()

    def __init__(self, *args, **kwargs):
        super(CardResource, self).__init__(*args, **kwargs)
        self.fields['id'].read_only = True

    class Meta:
        queryset = Card.objects.all()
        fields = ['id', 'text']
        resource_name = 'cards'
        list_allowed_methods = ['get', 'post']
        detail_allowed_methods = ['get', 'put', 'delete']
        authorization = Authorization()
        validation = CardValidation()
        include_resource_uri = False

    def dehydrate_text(self, bundle):
        return bundle.obj.read_file()

    def save(self, *args, **kwargs):
        bundle = super(CardResource, self).save(*args, **kwargs)
        bundle.obj.write_file(bundle.data['text'])
        return bundle

models.py

class Card(TimeStampedModel):
    id = models.CharField(max_length=22, db_index=True, primary_key=True,
                          default=uuid1_as_base64) # default is a callable

    def file_path(self):
        return '/'.join([settings.CARD_ROOT, self.id + '.txt'])

    def read_file(self):
        try:
            with open(self.file_path(), 'rb') as f:
                content = f.read()
            return content
        except IOError:
            self.write_file(text='')
            return self.read_file()

    def write_file(self, text=''):
        with open(self.file_path(), 'wb') as f:
            f.write(text)

    def __unicode__(self):
        return u'%s' % self.id