DRF wrongly moves validation business logic from models to views

[grjones]

I realize this was an intentional change in 3.0 where ModelSerializers no longer run model-level clean or full_clean, however I am submitting this as a bug because to me and others it is a violation of business logic residing in views instead of models. It's ok of course to close this out immediately, but I hope this behavior will be reconsidered one day. Here are some questions I would like us to think about:

• If validations happen in the serializers (at the view-level), how do I ensure the same validations occur at the model level if for example I am running one off scripts that have nothing to do with views or http? Do I have to implement that logic twice?
• Is there an expectation by developers that if you have implemented custom validations at the model level that these will be run by serializers, especially since ModelForm does?
• What happens in the case where in your models you are forcing a full_clean (perhaps by including it in the save method)? Will serializers know how to handle an exception from an explicit full_clean?

[tomchristie]

:)

I'll come back with a fuller answer to these points shortly, but in the meantime here's a couple of links relevant to my thoughts on this area.

• http://www.dabapps.com/blog/django-models-and-encapsulation/
• https://m.youtube.com/watch?v=3cSsbe-tA0E

[tomchristie]

So, point by point:

• Serializers are not tied to HTTP requests - you can use (and reuse) serializer validation for any input.
• It doesn't do that, no. We do document that the behavior is different, and the design reasons behind this http://www.django-rest-framework.org/api-guide/validators/#validation-in-rest-framework - In my view there's design issues with ModelForm that REST framework's serializers make an improvement over. We're moving towards providing a full form API as well so that you can reuse serializer in both API and HTML form use-cases.
• I'd recommend that application level validation should generally happen prior to save, not during it. Personally I'd avoid full_clean, and instead ensure that state changing operations on model instances are only ever made via method calls that can provide a boundary that ensures that only valid state changes may ever be made by the rest of the application.

Of course alternative serializer implementations are perfectly possible, and I'd welcome third party packages in this area.

The input is appreciated, but we had good reasons for making this switch in 3.x. While there are clearly trade-offs, the benefits of not having to handle partial-instantiated-objects-plus-some-relationships-that-haven't-yet-been-saved cases, and the direct transition between Serializerand ModelSerializer classes has been more than worth the break from the approach that ModelForm takes.

[rhfung]

@grjones I agree with Tom Christie that full_clean shouldn't be automatically called on a ModelSerializer, but a pre-save hook could be provided for calling full_clean in the default create and update methods. Here's what I came up with: rhfung@7fd18fb

The only problem here is that if someone overrides create and save then they have to manually call full_clean and cannot rely on the pre-save hook.

[rrauenza]

I'm trying to implement a workaround for this -- I've started with a mixin that overrides validate() in the ModelSerializer.

The first problem I'm finding is that the attrs passed to validate() aren't complete enough to call Model(**attrs).full_clean() against if some of the attrs are read only -- they are omitted.

Can we reconsider @rhfung 's pre_save() hook? This would allow the ModelSerializer to make the unsaved instance and for us to inject a instance.full_clean() against the Model class...

We could alternately override create() and update() in the ModelSerializer, but for update we have to replicate the setting code since the method returns an instance -- i.e., we can't call super() first. Similar with create().

[swehba]

I am new to Django, and my opinions are therefore rather misinformed or "underinformed", but I tend to agree with @grjones. IMHO a model should be valid whether it is created by virtue of Django REST Framework, or by Django Admin, or by Django forms. This, to me, implies that all validation logic should reside at the model level. It doesn't make much sense to me to have validation code in the model for the sake of, say, Django Admin, and then have to replicate that code in a serializer. It also seems strange that a Django ValidationError is not the same as a DRF ValidationError, and within DRF you have to catch one and translate it into the other. Am I missing something here?

[jacek-jablonski]

I also find it strange to have two places where I can provide validation. It is fully understandable that in serializer I should provide validation for serializers that aren't bound to django's models. But when serializer is bound to django's model, then in which situations should I provide additional validation in serializer?

[tomchristie]

Welcome to talk this over amongst yourselves, but I don't see us having any change on this.
There's a chunk of context on the design considerations in this Django Under the Hood video.

[gonzaloamadio]

@tomchristie , If we put all the validation logic in the serializer. What happens if we want to reuse it when use the django admin for example? I mean, if we create some model using django admin

[xordoquy]

We didn't say it should be in serializer either. Have your business rules in some specific place that you can easily unit test and reuse it from serializers or model's full_clean if that's what you want though I'd rather agree with this statement:

ensure that state changing operations on model instances are only ever made via method calls that can provide a boundary that ensures that only valid state changes may ever be made by the rest of the application.

[gonzaloamadio]

We didn't say it should be in serializer either. Have your business rules in some specific place that you can easily unit test and reuse it from serializers or model's full_clean if that's what you want though I'd rather agree with this statement:

ensure that state changing operations on model instances are only ever made via method calls that can provide a boundary that ensures that only valid state changes may ever be made by the rest of the application.

So what that proposes, if I do not missunderstand, is that I do not use field validators, but I use a method for create/update, where I do all my validations? (something like here? https://medium.com/@hakibenita/bullet-proofing-django-models-c080739be4e)

So no matter if we create it via API or admin, validation will occur

[yhoiseth]

I have found django-fullclean useful when I need existing validations work with DRF.

It adds a pre_save signal that calls full_clean() every time a model is saved.

[alfonsrv]

@yhoiseth how do you handle django.core.exceptions ValidationError to rest_framework.exceptions ValidationError translation?

[reeshabhranjan]

I would still like the developers to rethink this after six years of this change because instead of making the application code simpler, all it is encouraging me to do is duplicate my code for Serializer and Form, or trying out hacky ways to reuse my validation code. One other design choice as mentioned by @swehba above is the different ValidationError class.

[Vektrat]

I have to comment on this again, because after years using DRF I stumbled upon this issue after a colleague put a validators=[...] arg in a model field.

While due to a responsibility principple of layers (domain/API) I defend the existence and distinction between Django.ValidationError and DRF.ValidationError (though the naming is asking for trouble... ^^), I have to say that the current behaviour seems to be forcing the devs to embark on a contradictory path in here...

If the model field specifies validators (which makes sense as pointed out by @swehba, since a model might also need to validate in a more global scale), DRF is taking those into consideration, and doing so before any other DRF validation, and if an exception is raised, DRF wraps it with a str() over the original exception error, resulting in the API returning a string representation of an internal error, rather than an API specific one, not even giving the opportunity to manage this specific error, or provide an adequate error code or string rather than returning the internal error info straight away.

Not asking for a change nor I do have a solution, I suppose (as specified in the docs) this change is justified and the caveats are listed, plus as it is already said as well, we can always go back to using a Serializer rather than a ModelSerializer, but like the original poster, I wanted to leave it here that the way in which such exceptions are being handled is probably not ideal.

[auvipy]

Welcome to talk this over amongst yourselves, but I don't see us having any change on this.
There's a chunk of context on the design considerations in this Django Under the Hood video.

never mind, I can see lots of sentiment for this issue. we could consider moving this to discussion

[alexerhardt]

I too wish we could have a single model validation rule that was respected by all interfaces (DRF serializers, admin, etc.)

The alternatives we are left with as I understand them are:

• Use model managers and custom methods for the affected model. Except now I cannot use many of Django's and DRF's time-saving abstractions - the very reason many of us use these frameworks -, since I need to remember to override them in many methods that would otherwise would use the normal create / update flows.
• Override serializer methods, use non model serialziers
• Use pre_save hooks

All solutions create a cascade of complexity that inevitably burden the developer.

It should be easier than this to ensure that my model does not allow instances to be in garbage states. I shouldn't be drifting anywhere else than the model to do this.

[d3lav3ga]

Was very interesting to see how many people got the same issues around DRF vs. Django model validation.
Here's what can be done to keep it a bit DRY for a basic case where you have model clean and ModelSerializer. One can simply catch the django.core.exceptions.ValidationError and re-raise it as serializers.ValidationError with the help of as_serializer_error.
This allows you at least to keep your validation code in one place.

models.py

from django.core.exceptions import ValidationError

class ModelToBeCleaned(models.Model):
...
    def clean(self):
        if condition:
            raise ValidationError("condition not met")
...		

serializers.py

from django.core.exceptions import ValidationError

class SerializerForTheModel(serializers.ModelSerializer):
...
    def create(self, validated_data):
        instance = ModelToBeCleaned.objects.create(**validated_data)
        try:
            instance.clean()
        except ValidationError as error:
            raise serializers.ValidationError(serializers.as_serializer_error(error))
...

[tsepulvedacaroca01]

After a long search, I found an elegant way to retrieve the validations of our models. We generate our custom exception handling (https://www.django-rest-framework.org/api-guide/exceptions/#custom-exception-handling) so that it catches django errors (ValidationError)

Our model

# models.py

from django.db import models
from django.core.exceptions import ValidationError


class MyModel(models.Model):
    start = ...
    finish = ...
    ...

    def clean(self):
        if self.finish < self.start:
            raise ValidationError("Finish must occur after start")

    def save(self, *args, **kwargs):
        self.full_clean()
        super().save(*args, **kwargs)

Our custom exception handling

# myapp/exceptions.py

from django.core.exceptions import ValidationError

from rest_framework.views import exception_handler
from rest_framework.response import Response
from rest_framework import status


def django_error_handler(exc, context):
    """Handle django core's errors."""
    # Call REST framework's default exception handler first,
    # to get the standard error response.
    response = exception_handler(exc, context)
    if response is None and isinstance(exc, ValidationError):
        return Response(status=status.HTTP_400_BAD_REQUEST, data=exc.message_dict)
    return response

# settings.py

REST_FRAMEWORK = {
    ...,
    'EXCEPTION_HANDLER': 'myapp.exceptions.django_error_handler'
}

I have relied on an answer from this post https://stackoverflow.com/questions/65912181/how-to-validate-against-full-model-data-in-django-rest-framework.

[simensol]

I have tried both solutions proposed by @tsepulvedacaroca01 and @d3lav3ga, but I cannot get the Browsable API to handle the field errors correctly. The only way I can get the Browsable API to handle the field errors correctly, is to throw serializers.ValidationError() from within the serializer's validate_<FieldName>(). Here are two examples:

Solution 1: Throw serializers.ValidationError() from validate_<FieldName>()

class PersonSerializer(serializers.ModelSerializer):
    ...

    def validate_name(self, name: str) -> str:
        if name == "Simen":
            raise serializers.ValidationError("Name is Simen")

        return name
    ...

The response seems correct:

http -a debtor0:password123 --json --debug POST http://localhost:8000/api/creditors/persons/ \
name="Simen" \
email="simen@example.com"
HTTPie 3.0.2
Requests 2.27.1
Pygments 2.11.2
Python 3.10.2 (main, Jan 18 2022, 19:45:14) [GCC 10.2.1 20210110]
/usr/local/bin/python3.10
Linux 5.10.47-linuxkit

<Environment {'as_silent': <function Environment.as_silent at 0x7f133ccf8940>,
 'colors': 256,
 'config': {'default_options': []},
 'config_dir': PosixPath('/root/.config/httpie'),
 'devnull': <property object at 0x7f133ccecd60>,
 'is_windows': False,
 'log_error': <function Environment.log_error at 0x7f133ccf89d0>,
 'program_name': 'http',
 'stderr': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='utf-8'>,
 'stderr_isatty': True,
 'stdin': <_io.TextIOWrapper name='<stdin>' mode='r' encoding='utf-8'>,
 'stdin_encoding': 'utf-8',
 'stdin_isatty': True,
 'stdout': <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>,
 'stdout_encoding': 'utf-8',
 'stdout_isatty': True}>

<PluginManager {'adapters': [],
 'auth': [<class 'httpie.plugins.builtin.BasicAuthPlugin'>,
          <class 'httpie.plugins.builtin.DigestAuthPlugin'>,
          <class 'httpie.plugins.builtin.BearerAuthPlugin'>],
 'converters': [],
 'formatters': [<class 'httpie.output.formatters.headers.HeadersFormatter'>,
                <class 'httpie.output.formatters.json.JSONFormatter'>,
                <class 'httpie.output.formatters.xml.XMLFormatter'>,
                <class 'httpie.output.formatters.colors.ColorFormatter'>]}>

>>> requests.request(**{'auth': <httpie.plugins.builtin.HTTPBasicAuth object at 0x7f133cb95d20>,
 'data': b'{"name": "Simen", "email": "simen@example.com"}',
 'headers': <HTTPHeadersDict('User-Agent': b'HTTPie/3.0.2', 'Accept': b'application/json, */*;q=0.5', 'Content-Type': b'application/json')>,
 'method': 'post',
 'params': <generator object MultiValueOrderedDict.items at 0x7f133cb763b0>,
 'url': 'http://localhost:8000/api/creditors/persons/'})

HTTP/1.1 400 Bad Request
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 26
Content-Type: application/json
Cross-Origin-Opener-Policy: same-origin
Date: Sat, 05 Feb 2022 06:42:17 GMT
Referrer-Policy: same-origin
Server: WSGIServer/0.2 CPython/3.10.2
Vary: Accept, Cookie
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

{
    "name": [
        "Name is Simen"
    ]
}

The error is handled correctly by the Browsable API:

This solution will obviously not work with the Django Admin, since the error is thrown in the serializer.

Solution 2: Throw serializers.ValidationError() from clean()

class Person(models.Model):
    ...

    def clean(self):
        if self.name == "Stine":
            raise ValidationError({"name": "Name is Stine"})
    ...

The response seems correct:

http -a debtor0:password123 --json --debug POST http://localhost:8000/api/creditors/persons/ \
name="Stine" \
email="stine@example.com"
HTTPie 3.0.2
Requests 2.27.1
Pygments 2.11.2
Python 3.10.2 (main, Jan 18 2022, 19:45:14) [GCC 10.2.1 20210110]
/usr/local/bin/python3.10
Linux 5.10.47-linuxkit

<Environment {'as_silent': <function Environment.as_silent at 0x7f69d879c940>,
 'colors': 256,
 'config': {'default_options': []},
 'config_dir': PosixPath('/root/.config/httpie'),
 'devnull': <property object at 0x7f69d8790cc0>,
 'is_windows': False,
 'log_error': <function Environment.log_error at 0x7f69d879c9d0>,
 'program_name': 'http',
 'stderr': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='utf-8'>,
 'stderr_isatty': True,
 'stdin': <_io.TextIOWrapper name='<stdin>' mode='r' encoding='utf-8'>,
 'stdin_encoding': 'utf-8',
 'stdin_isatty': True,
 'stdout': <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>,
 'stdout_encoding': 'utf-8',
 'stdout_isatty': True}>

<PluginManager {'adapters': [],
 'auth': [<class 'httpie.plugins.builtin.BasicAuthPlugin'>,
          <class 'httpie.plugins.builtin.DigestAuthPlugin'>,
          <class 'httpie.plugins.builtin.BearerAuthPlugin'>],
 'converters': [],
 'formatters': [<class 'httpie.output.formatters.headers.HeadersFormatter'>,
                <class 'httpie.output.formatters.json.JSONFormatter'>,
                <class 'httpie.output.formatters.xml.XMLFormatter'>,
                <class 'httpie.output.formatters.colors.ColorFormatter'>]}>

>>> requests.request(**{'auth': <httpie.plugins.builtin.HTTPBasicAuth object at 0x7f69d8631d20>,
 'data': b'{"name": "Stine", "email": "stine@example.com"}',
 'headers': <HTTPHeadersDict('User-Agent': b'HTTPie/3.0.2', 'Accept': b'application/json, */*;q=0.5', 'Content-Type': b'application/json')>,
 'method': 'post',
 'params': <generator object MultiValueOrderedDict.items at 0x7f69d86123b0>,
 'url': 'http://localhost:8000/api/creditors/persons/'})

HTTP/1.1 400 Bad Request
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 26
Content-Type: application/json
Cross-Origin-Opener-Policy: same-origin
Date: Sat, 05 Feb 2022 06:41:10 GMT
Referrer-Policy: same-origin
Server: WSGIServer/0.2 CPython/3.10.2
Vary: Accept, Cookie
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

{
    "name": [
        "Name is Stine"
    ]
}

The error is not handled correctly by the Browsable API, as the error is not shown in the UI and the form data (name and email) is not persistent:

However, the Django Admin works:

Questions

1. Is this expected behavior by the Browsable API?
2. Are there any way to define the validators in one place that is handled correctly by the Django Admin and the Browsable API?

[tsepulvedacaroca01]

I understand your problem, when generating the validator in the serializer, the Django admin will not detect it, because it gets the validations from the model (full_clean() and clean()) and not from the validate and validate_<fieldName> of the serializers. In the case of DRF it is the other way around, it only validates from validate and validate_<fieldName> and not from the model.

The idea of the solution implemented is to avoid duplicating the validation in the model and the serializer. Validate the following:

1. Verify that EXCEPTION_HANDLER is set correctly, trigger an error and see if the error is passed through the django_error_handler function using a print or a debugger.
2. Verify that you are getting the error triggered by the model (note that the ValidationError class is different between DRF and Django knowing that they do the same job). Validation from the model must use the ValidationError class from django.core.exceptions (from django.core.exceptions import ValidationError) so that it can be detected by the Django admin and EXCEPTION_HANDLER since the ValidationError which validates your django_error_handler function (Check my imports). . In the case of serializers, it must be from serializers (from rest_framework.serializers import ValidationError) so that DRF detects it.

If everything is correct, when triggering a model error from the serializer it should be received by the django_error_handler and enter the if since the model generated an error from django.core.exceptions and it will respond with an error 400 with their respective fields. If you trigger the error from the admin, you should also see it reflecting from the admin.

[alfonsrv]

The best solution to this issue as written up by HackSoftware:

from rest_framework import exceptions as rest_exceptions

def get_first_matching_attr(obj, *attrs, default=None):
    for attr in attrs:
        if hasattr(obj, attr):
            return getattr(obj, attr)

    return default


def get_error_message(exc):
    """ Used for DRF error message extraction """
    if hasattr(exc, 'message_dict'):
        return exc.message_dict

    error_msg = get_first_matching_attr(exc, 'message', 'messages')

    if isinstance(error_msg, list):
        error_msg = ', '.join(error_msg)

    if error_msg is None:
        error_msg = str(exc)

    return error_msg


class ApiErrorsMixin:
    """
    Mixin that transforms Django and Python exceptions into rest_framework ones.
    without the mixin, they return 500 status code which is not desired.
    """
    expected_exceptions = {
        ValueError: rest_exceptions.ValidationError,
        ValidationError: rest_exceptions.ValidationError,
        PermissionError: rest_exceptions.NotFound  # PermissionDenied
    }

    def handle_exception(self, exc):
        if isinstance(exc, tuple(self.expected_exceptions.keys())):
            drf_exception_class = self.expected_exceptions[exc.__class__]
            drf_exception = drf_exception_class(get_error_message(exc))

            return super().handle_exception(drf_exception)

        return super().handle_exception(exc)

Simply add the mixin to your View / ViewSet and worry no more.

[simensol]

Thanks for the reference, @alfonsrv! The link didn't work, but I found a fork of the style guide here. You also forgot to include the required functions. I'll add them here for reference:

def get_first_matching_attr(obj, *attrs, default=None):
    for attr in attrs:
        if hasattr(obj, attr):
            return getattr(obj, attr)

    return default

def get_error_message(exc):
    if hasattr(exc, 'message_dict'):
        return exc.message_dict
    error_msg = get_first_matching_attr(exc, 'message', 'messages')

    if isinstance(error_msg, list):
        error_msg = ', '.join(error_msg)

    if error_msg is None:
        error_msg = str(exc)

    return error_msg

from rest_framework import exceptions as rest_exceptions

from django.core.exceptions import ValidationError

from project.common.utils import get_error_message


class ApiErrorsMixin:
    """
    Mixin that transforms Django and Python exceptions into rest_framework ones.
    Without the mixin, they return 500 status code which is not desired.
    """
    expected_exceptions = {
        ValueError: rest_exceptions.ValidationError,
        ValidationError: rest_exceptions.ValidationError,
        PermissionError: rest_exceptions.PermissionDenied
    }

    def handle_exception(self, exc):
        if isinstance(exc, tuple(self.expected_exceptions.keys())):
            drf_exception_class = self.expected_exceptions[exc.__class__]
            drf_exception = drf_exception_class(get_error_message(exc))

            return super().handle_exception(drf_exception)

        return super().handle_exception(exc)

However, including the ApiErrorsMixin in my ModelViewSet didn't work. Actually, throwing serializers.ValidationError from the model's clean() was never catched by the ApiErrorsMixin. handle_exception() at all. Maybe it is because my ViewSet inherits from ModelViewSet and not APIView?

[alfonsrv]

Ha, cheers! Was in a rush this morning, but thought I'd finally share it.

Try registering the Mixin as the first class of your view – e.g. class UpdateViewSet(ApiErrorsMixin, GenericViewSet)

[simensol]

ApiErrorsMixin.handle_exception() catches the exceptions (I was able to catch an IntegrityError raised in the serializer.create() method which normally raises a 500 error). However, the Browsable API handles the error incorrectly. As you see, the error message doesn't appear next to the Name input field, and both the Name and Email input fields are not persistent:

If I define a validate_name() on the serializer, like:

class PersonSerializer(serializers.ModelSerializer):
    ...
    def validate_name(self, name):
        raise serializers.ValidationError("This works as expected")
    ...

it works as expected:

[orokusaki]

I did not know this - the lack of model validation support - was still a thing in DRF.

Problem

I need validation of my data, regardless of the point of ingress.

Solution?

1. Use the age-old, tried-and-true method of validating data in your model, since the model is as close to the database as you'll get
2. Do it all over, a second time, in your serializers!
3. Maintain both versions, in perpetuity

That's No Good

1. This makes no sense, whatsoever, and, unless I'm mistaken (apologies, if so), the docs indicate that this is still the case
2. It is axiomatic that "it is not a good idea to maintain duplicate forms of the same validation"
3. The number of thumbs-up on the comments suggesting that this is not the way, alone, should be a good indicator that this is one design decision that isn't right
4. There aren't any good suggestions for an alternate means of supporting a clean and obvious single point of validation, especially one that doesn't lead to vendor lock-in (e.g., moving all validation to DRF, and then forcing DRF as the only point of ingress)
5. Django is the primary framework, so why fight against it? Models support centralized validation, and this can propagate upward to forms, the admin, and whatever else, so why try to convince people that this is a bad idea?

[divSelector]

I only came to say, thank you all for talking about this. I only found out just now that my model validation was not being implemented at all. 🙃 😩

[Termuellinator]

Welp, if only i found this issue earlier. I really like @tsepulvedacaroca01 's approach, but as i came up with my own solution already i thought i'd share it, too.

As many, i didn't want to maintain separate validators for forms and serializers, so i've written a validator that can be used by both:

class ValidateFuzzyUnique:
    """Matches the validation value with all existing target_field values and raises
    an ValidationError exception if it is too similar.

    Args:
        queryset: The queryset to be used.
        target_field: The field of the queryset that should be compared.
        source: Where the validator is called from: 'serializer' or 'form'.
        value: The value to be validated on calling.

    Raises:
        ValidationError: Raised if SequenceMatcher ratio is > 0.85.
    """
    def __init__(self, queryset, target_field, source="form"):
        self.queryset = queryset
        self.target_field = target_field
        self.source = source
        self.model = self.queryset.model.__name__

    def __call__(self, value):
        values = [getattr(row, self.target_field)
                  for row in self.queryset]
        value = value.lower()
        for val in values:
            if SequenceMatcher(None, val.lower(), value).ratio() > 0.85:
                message = (
                    f"Name too similar to existing {self.model} {val}.")
                if self.source.lower() == "serializer":
                    raise serializers.ValidationError(message)
                else:
                    raise ValidationError(message)

This can then be used in forms and serializers:

class TagModelSerializer(serializers.ModelSerializer):
    name = serializers.CharField(validators=[
        validators.ValidateFuzzyUnique(
            queryset=models.Tag.objects.all(),
            target_field="name",
            source="serializer"          
        )
    ])
    class Meta:
        model = models.Tag
        fields = "__all__"

Let me know if there are any issues or downsides with this that i might have missed of course ;)

[mjvankampen]

I feel there is a bit of an asymmetry that if I write validation logic in the model for a single field DRF picks it up automatically and there is no opinionated way to do this when there is a dependency between fields.

I could imagine having a validators field at the model level, which takes a list of functions get an attr dict. Something like (bear with me I'm a bit new to Python & Django):

# model_validators_mixin.py
from django.forms import model_to_dict


class ModelValidatorsMixin(object):
    validators = []
    fields_to_include_in_validation = []

    def clean(self):
        attr = model_to_dict(instance=self, fields=self.fields_to_include_in_validation if len(self.fields_to_include_in_validation) > 0 else None)
        for validator in self.validators:
            validator(attr)
        super(ModelValidatorsMixin, self).clean()

# model_serializer_validators_mixin.py
from django.core.exceptions import ValidationError as DjangoValidationError
from rest_framework.exceptions import ValidationError


class ModelSerializerValidatorsMixin(object):
    def validate(self, attrs):
        for validator in self.Meta.model.validators:
            try:
                validator(attrs)
            except DjangoValidationError as exc:
                raise ValidationError(exc)
        return attrs


# some_model.py
from django.core.exceptions import ValidationError
from django.db import models
from shared.model_validators import ModelValidatorsMixin


def validate_a(attr: dict):
    a = attr.get("a")
    b = attr.get("b")
    if a == b:
        raise ValidationError("a cannot be equal to b")

def validate_b(attr: dict):
    a = attr.get("a")
    b = attr.get("b")
    c = attr.get("c")
    if len(a) - len(b) - len(c) < 0:
        raise ValidationError("a - b - c cannot be less than 0")

class SomeModel(models.Model, ModelValidatorsMixin):
    a = models.CharField(max_length=255)
    b = models.CharField(max_length=255)
    c = models.CharField(max_length=255)

    validators = [validate_a, validate_b]
    fields_to_include_in_validation = ["a", "b", "c"]

[shuryhin-oleksandr]

I can see important staff in both approaches.

I really like Tom Christie's article: http://www.dabapps.com/blog/django-models-and-encapsulation/.
It forces me encapsulate logic in a model layer, which is great.

Also, as @swehba mentioned, I need some common validation, no matter if I use Serializer, django admin, django forms, management command, invoke model method from Celery task or use shell. This almost matches Tom Christie's approach - I can set model field validators.
amount = models.PositiveSmallIntegerField(null=True, blank=True, validators=[MaxValueValidator(60)])
This way I am happy: I have both common validation logic for everywhere, still being able to adjust it for specific serializers.

The only problem here - how will I will make a multi field validation?

================

So in my situation, I was thinking about the following:

• I need encapsulation, i.e. call my business logic from serializer.
• I need a default validation rules, working everywhere.
• I want to be able to adjust some validation in serializer for different use cases of single scenario.

The idea was:

1. Make serializer calling my business logic layer.
2. Make business logic performing all common validation (this makes validation working in forms, admin, shell)
3. Handle endpoint specific validation in serializers

Now point by point.

1.1. DRF call business logic this for create. I.e. DRF calls Model.objects.create(), which I customize.
1.2. DRF still does not call business logic for update. I suppose, because Django simply does not provide a handy hook to call business logic for update. I.e. Django does provide instance.update(), as it does for Model.objects.create(). @tomchristie I even looked for some Mixin in DRF, so I can add mixin to a model and some DRF setting, which will cause serializer.update() to call method from this Mixin. This way I would have a hook for my update business logic.

2. I set field level validation with field validators like in code above. I.e. Than it goes directly to serializers, so I have single point of truth for serializers. And also I can call full_clean from my Model.objects.create() or instance.updte() methods.

And here it brakes. I have now double validation: one from serializer and much the same from business logic layer. @tomchristie, can you help me to understand this? I greatly appreciate your article and work, but still cannot understand this moment.

[giuseppenovielli]

Hello everyone,
i created this repository -> https://github.com/giuseppenovielli/django_dry_project/
and while I was writing code 😅 i found this choice's design by Django Rest framework developers, to not call model full_clean() method.

---

THE PHILOSOPHY

I think, that, developers must write Model validation into ONE SINGLE PLACE.
The design is: if you want save instance to db, you must pass full_clean validation, by any class: ModelForm, ModelSerializer, Django Admin and any method: create, update, save methods.

---

Django PROBLEM

I know that there is a lot of confusion about Model Validation:

1. https://docs.djangoproject.com/en/3.2/ref/models/instances/#django.db.models.Model.full_clean

Note that full_clean() will not be called automatically when you call your model’s save() method. You’ll need to call it manually when you want to run one-step model validation for your own manually created models.

WORKAROUD:

Django
https://docs.djangoproject.com/en/3.2/ref/signals/#pre-save
https://docs.djangoproject.com/en/3.2/ref/signals/#post-save
Perfect but if i callraise django.core.exceptions.ValidationError() Django Admin will get 500 Server Error.
Perfect but if i use ModelForm full_clean will invoke twice.

Community
https://github.com/fish-ball/django-fullclean
Perfect but if i use ModelForm full_clean will invoke twice.

2. https://docs.djangoproject.com/en/3.2/topics/db/models/#overriding-predefined-model-methods

Overridden model methods are not called on bulk operations
Unfortunately, there isn’t a workaround when creating or updating objects in bulk, since none of save(), pre_save, and post_save are called.

So when i call model.objects.bulk_create or model.objects.filter().update() model validation will not called!

WORKAROUD:
UpdateModelQuerySet

---

Django Rest Framework
https://www.dabapps.com/insights/django-models-and-encapsulation/

He says: don't call never save() model method directly, but use model manager/instance to create methods that calls save().
But we can't known/block developers to call save() method and next popolate db with wrong data!

---

Django Rest Framework PROBLEM
ModelSerializer.validate() method not call Model.full_clean().
So we must rewrite model validation into ModelSerializer.validate() and this BREAK DRY Principle (Don't Repeat Yourself)

WORKAROUND:
I tried to write a class that encapsulate into ModelSerializer the Model.full_clean() validations.

So the idea is that serializer's validation will be failed if Model.full_clean() trown a ValidationException.

PATCH:
ValidateModelSerializer

Sample Implementations:
https://github.com/giuseppenovielli/django_dry_project/blob/main/src/motorizations/serializers.py#L104

So if i do:

s = CarUserValidateModelSerializer(data=request.POST)
s.is_valid(raise_exception=True) #False also if Model.full_clean() raise a ValidationError
s.save()

What do you think about this approach?

[xucian]

can someone eli5 me on this, I'm just getting started and want to make sure my validation goes through.
atm, I understand validation can be done in serializers and in models
and triggered by modifications in admin, manual object creation via code, regular REST calls

what validations aren't run and in which case?
thanks

[james-mchugh]

I also have been struggling with this. Ultimately, I think it makes sense for DRF to perform validation in the views. However, I think the current approach is not yet perfect.

The ModelSerializer is great as it automatically extracts fields and validators from the model to re-use in the serializers. I think it gives a best-of-both-worlds approach. The issue is that ModelSerializers only really work if your representation and model are identical. If your representation uses different field names or nesting that isn't reflected in the model, you'll have to try to come up with some clever workarounds if you still want to use the ModelSerializer.

I've also tried creating a fields.py module with custom Field classes for each of my model fields. This was very verbose, and it got difficult to keep validation logic in the model and Field classes in sync (I noticed I changed max_length in a few spots but forgot to carry the updates over to the others).

I then noticed the ModelField class and thought that would solve a lot of these hurdles, but I was dissapointed to find that ModelFields don't provide all of the niceties that fields generated by the ModelSerializer provide. Of course, this makes sense given the design, as ModelFields are basically just fallbacks in case the proper serializer field class could not be determined. I just wanted some way of having more flexibility with the functionality that the ModelSerializer provides.

I ended up creating this class to try to give me some of that flexibility:

class ModelField(serializers.Field):

    model = ...

    @classmethod
    def serializer(cls):
        """Build a ModelSerializer instance"""

        class _ModelSerializer(serializers.ModelSerializer):

            class Meta:
                model = cls.model
                fields = "__all__"

        return _ModelSerializer()

    def __new__(cls, source: str, **kwargs):
        serializer = cls.serializer()
        model_field = cls.model._meta.get_field(source)
        field_class, field_kwargs = serializer.build_standard_field(source, model_field)
        new_type = type(
            "DynamicModelField",
            (cls, field_class),
            {},
        )
        # noinspection PyTypeChecker
        instance = super().__new__(new_type, source, **kwargs)
        instance._field_kwargs = serializer.include_extra_kwargs(field_kwargs, kwargs)

        return instance

    def __init__(self, source: str, **kwargs):
        kwargs.update(self._field_kwargs)
        kwargs.setdefault("source", source)
        super().__init__(**kwargs)

    def bind(self, field_name, parent):
        # to avoid the assertion error, just set self.source to None if it's the
        # same as the field_name
        if field_name == self.source:
            self.source = None

        return super().bind(field_name, parent)

Then, you can have more flexibility with the ModelSerializer functionality like so

class MyModel(models.Model):
    foo_bar = models.CharField(max_length=32, help_text="Foo bar", validators=[...])

class MyModelField(ModelField):
    model = MyModel

class MyModelSerializer(serializers.ModelSerializer):
    fooBar = MyModelField("foo_bar") # validation, help text, etc. automatically pulled from model

I haven't stress tested this yet and there may be edge cases that weren't accounted for, but I thought others may get some value out of this approach so I wanted to share. There may be existing ways of doing what I'm trying to do that I haven't stumbled upon yet. If you have some alternative approaches that are simpler, please let me know!

[giuseppenovielli]

Hello everyone,
i made this library that invoke Model.full_clean() when ModelSerializer.is_valid is called.

https://github.com/giuseppenovielli/drf-fullclean
giuseppenovielli/drf-fullclean#4

https://github.com/giuseppenovielli/drf-writable-nested-fullclean

[giuseppenovielli]

Hello everyone, i made this library that invoke Model.full_clean() when ModelSerializer.is_valid is called.

https://github.com/giuseppenovielli/drf-fullclean
giuseppenovielli/drf-fullclean#4

https://github.com/giuseppenovielli/drf-writable-nested-fullclean

Guys, if you use some of these packages please give me feedback, what do you think?