I've restricted get_queryset with a view (ModelViewSet) for the currently logged-in user.
When viewing the list, everything's fine when I'm trying to access an object bound to another user (404 not found).
However, when doing a POST and trying to add a wrong relation it works ...
{
    "title": "test title",
    "bank_account": "/api/at/2012/bankaccounts/16/"
}
bank_account with ID 16 is not available with the logged-in user, but I'm able to POST it without getting an error.
Is this a bug or do I need to validate the bank account? If so, how do I validate because the user is not available with the serializer?
thx,
patrick