[discuss] Validation behavior during deserialization vs. serialization

Is it OK that required fields don't work in the load() method?

From quickstart example:

from marshmallow import Schema, fields

class UserSchema(Schema):
    name = fields.String(required=True)
    email = fields.Email()

user = {'name': None, 'email': 'foo@bar.com'}
data, errors = UserSchema().dump(user)
errors  # {'name': 'Missing data for required field.'}

user = {'name': None, 'email': 'foo@bar.com'}
data, errors = UserSchema().load(user)
errors  # {}

I thought that the load() method is used for loading model objects from input data and SHOULD support required fields. On the contrary, the dump() method is used to serialize inner data and does not require validation at all. Do I understand everything correctly?

Issue Analytics

  • State: closed
  • Created 9 years ago
  • Comments: 16 (10 by maintainers)

Top GitHub Comments

1 reaction
sloria commented, Jan 17, 2015

As discussed in the above thread, defaults for deserialization can be defined in make_object or in a preprocessor. For example, if you want the deserialization defaults to be the same as serialization defaults, you could do the following:

from marshmallow import fields, Schema
from marshmallow.validate import Range

class GETSchema(Schema):

    page = fields.Integer(default=1)
    per_page = fields.Integer(default=10, validate=Range(min=10, max=50))
    order_by = fields.Select(['id', 'name', 'priority'], default='priority')
    sort = fields.Select(['asc', 'desc'], default='desc')

    def make_object(schema, in_data):
        for name, field in schema.fields.items():
            if name not in in_data:
                in_data[name] = field.default
        return in_data

schema = GETSchema()
schema.load({}).data  # {'order_by': 'priority', 'per_page': 10, 'sort': 'desc', 'page': 1}

In lieu of the missing parameter discussed in previous comments, you can take advantage of the fact that extra kwargs passed to fields are stored in each field’s metadata attribute. This would allow you to have different defaults between serialization/deserialization.

from marshmallow import fields, Schema
from marshmallow.validate import Range

class GETSchema(Schema):

    page = fields.Integer(default=1, missing='null')
    per_page = fields.Integer(default=10, missing='null', validate=Range(min=10, max=50))
    order_by = fields.Select(['id', 'name', 'priority'], default='priority', missing='id')
    sort = fields.Select(['asc', 'desc'], default='desc', missing='asc')

    def make_object(schema, in_data):
        for name, field in schema.fields.items():
            if name not in in_data and field.metadata.get('missing'):
                in_data[name] = field.metadata['missing']
        return in_data

schema = GETSchema()
schema.load({}).data  # {'order_by': 'id', 'per_page': 'null', 'sort': 'asc', 'page': 'null'}

Yes, I am aware that these workarounds are just that: hacky workarounds. I will open up an issue to reopen discussion of a built-in missing param.

EDIT: Fix first example
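
Added example, not part of the thread and not marshmallow code: a stdlib-only model of the load-side behavior discussed above, in which a required field rejects both an absent key and an explicit None, and load defaults pass through the same validators as client input. The Field class, load_default, check and both schemas are hypothetical names constructed for illustration.

```python
MISSING = object()  # sentinel: key absent from the input, distinct from an explicit None

class Field:
    """Constructed stand-in for a schema field; all names here are hypothetical."""
    def __init__(self, cast, required=False, load_default=MISSING, check=None):
        self.cast, self.required = cast, required
        self.load_default, self.check = load_default, check

    def load(self, raw):
        if raw is MISSING:
            if self.required:
                raise ValueError("Missing data for required field.")
            if self.load_default is MISSING:
                return MISSING          # optional, no default: leave the key out
            raw = self.load_default     # the default is validated like any other input
        if raw is None:
            raise ValueError("Field may not be null.")
        try:
            value = self.cast(raw)
        except (TypeError, ValueError):
            raise ValueError("Invalid value.") from None
        if self.check is not None and not self.check(value):
            raise ValueError("Value out of range.")
        return value

def load(schema, in_data):
    """Return (data, errors), the tuple shape used in the thread."""
    data, errors = {}, {}
    for name, field in schema.items():
        try:
            value = field.load(in_data.get(name, MISSING))
        except ValueError as exc:
            errors[name] = str(exc)
        else:
            if value is not MISSING:
                data[name] = value
    return data, errors

# Constructed schemas mirroring the thread's UserSchema and GETSchema.
USER = {"name": Field(str, required=True), "email": Field(str)}
QUERY = {
    "page": Field(int, load_default=1, check=lambda v: v >= 1),
    "per_page": Field(int, load_default=10, check=lambda v: 10 <= v <= 50),
    "sort": Field(str, load_default="asc", check=lambda v: v in ("asc", "desc")),
}

if __name__ == "__main__":
    print(load(USER, {"name": None, "email": "foo@bar.com"}))
    print(load(QUERY, {"per_page": "500"}))
```

Because defaults are applied before casting and checking, a misconfigured default such as the string 'null' on an integer field surfaces as a load error instead of reaching application code unvalidated.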

0 reactions
andrewbaxter commented, Apr 16, 2015

Yeah, thanks, I’m afraid I hadn’t noticed that. #189 still is a problem, but I think that’s not by design so I’ll go back to that issue. I’ll open another issue regarding the docs.
