Serializer accepts int parameter although allow int lookup is false #65

Closed
frossigneux opened this issue Sep 6, 2021 · 2 comments
@frossigneux (Contributor) commented:

Hello,

I have observed that the serializer converts an int parameter to an object, even if int lookup is forbidden.
My serializer is:

```python
foo = serializers.PrimaryKeyRelatedField(pk_field=HashidSerializerCharField(), queryset=Foo.objects.all(), required=False)
```

Then I have a validate method:

```python
def validate_foo(self, value):
    ...
```

Both integer and string parameters trigger the validate_foo method with the retrieved object as argument.
However, HASHID_FIELD_ALLOW_INT_LOOKUP is False.

This leads to a security hole, where a user can retrieve the integer behind the obfuscated id of their objects.

@nshafer nshafer self-assigned this Sep 10, 2021
@nshafer nshafer added the bug label Sep 10, 2021
@nshafer (Owner) commented Sep 10, 2021:

Thank you for the detailed report. I will look into it as soon as I can.

@nshafer (Owner) commented Sep 17, 2021:

Thanks for catching this... I have never used my own module with any writable DRF APIs, so just hadn't dog-fooded this particular issue, and haven't touched the DRF stuff much since the original release. I have modified HashidSerializerCharField to now disallow int lookups if allow_int_lookup is false.

BTW, in your example you don't pass source_field to HashidSerializerCharField in your PrimaryKeyRelatedField. Probably just in your example, but make sure you're doing such in your actual code per https://github.com/nshafer/django-hashid-field#primary-key-related-fields.

Thanks!
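The behaviour the fix above describes, written out as an added standalone example (not the project's code): a `to_internal_value`-style check that refuses integer input unless `allow_int_lookup` is set (the per-field equivalent of `HASHID_FIELD_ALLOW_INT_LOOKUP`), so an int can never be used to probe which id sits behind a hashid. The `toy_encode`/`toy_decode` pair is a constructed, letters-only stand-in for Hashids so the snippet runs offline; the real library's algorithm and alphabet differ.

```python
# Constructed stand-in for the hashid check in HashidSerializerCharField.
# toy_encode/toy_decode are NOT Hashids; they only give a reversible string id.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # constructed alphabet (no digits)
SALT = 0x5A5A                              # constructed salt


class ValidationError(Exception):
    """Stand-in for rest_framework.exceptions.ValidationError."""


def toy_encode(n: int) -> str:
    """Obfuscate a non-negative int into a string over ALPHABET (constructed)."""
    n ^= SALT
    out = ""
    while True:
        n, r = divmod(n, len(ALPHABET))
        out = ALPHABET[r] + out
        if n == 0:
            return out


def toy_decode(s: str):
    """Return the int behind a string produced by toy_encode, or None."""
    if not s or any(c not in ALPHABET for c in s):
        return None
    n = 0
    for c in s:
        n = n * len(ALPHABET) + ALPHABET.index(c)
    n ^= SALT
    # Reject non-canonical strings (e.g. leading padding), as Hashids does by re-encoding.
    return n if toy_encode(n) == s else None


def to_internal_value(value, allow_int_lookup: bool = False) -> int:
    """Resolve the pk behind `value`; raise ValidationError on anything not allowed."""
    if isinstance(value, bool):              # bool is an int subclass; never a valid id
        raise ValidationError("invalid id")
    if isinstance(value, int):
        if not allow_int_lookup:             # the check that was missing per the report
            raise ValidationError("integer lookups are disabled")
        return value
    if not isinstance(value, str):
        raise ValidationError("invalid id")
    decoded = toy_decode(value)              # a real hashid string always wins
    if decoded is not None:
        return decoded
    if allow_int_lookup and value.isdigit(): # "42" only resolves when ints are allowed
        return int(value)
    raise ValidationError("invalid id")
```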
