Description
Describe the bug
`DjangoGetter._convert_result` in `ninja/schema.py` unconditionally calls `result()` on any callable attribute. If a schema field name matches a model method such as `delete`, `save`, or `full_clean`, that method is executed during serialization.
Versions (please complete the following information):
- Python version: 3.11.2
- Django version: 5.2.7
- Django-Ninja version: 1.5.3
- Pydantic version: 2.12.5
```python
import os
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "test_settings")

import django
from django.conf import settings

settings.configure(
    DATABASES={"default": {"ENGINE": "django.db.backends.sqlite3", "NAME": ":memory:"}},
    INSTALLED_APPS=["django.contrib.contenttypes"],
    DEFAULT_AUTO_FIELD="django.db.models.BigAutoField",
)
django.setup()

from django.db import models, connection
from ninja import Schema


class Item(models.Model):
    name = models.CharField(max_length=100)

    class Meta:
        app_label = "test"


with connection.schema_editor() as editor:
    editor.create_model(Item)


class ItemSchema(Schema):
    name: str
    delete: str  # field name matches Item.delete() method


item = Item.objects.create(name="Widget")
print(f"Before serialization: {Item.objects.count()} item(s)")
try:
    ItemSchema.from_orm(item)
except Exception:
    pass
print(f"After serialization: {Item.objects.count()} item(s)")
# Expected: 1 - serialization should be read-only
# Actual: 0 - item was deleted by serialization
```
Output:

```text
Before serialization: 1 item(s)
After serialization: 0 item(s)
```
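An added defensive check, not part of Django-Ninja or of this report: it audits a schema's field names against a model class for names that resolve to methods, and resolves values without ever invoking a method. `FakeItem` is a constructed stand-in for a Django model so the example runs without Django.

```python
import inspect
from typing import Iterable


class FakeItem:
    """Constructed stand-in for a model: one data attribute, one property,
    and the lifecycle methods the report names."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.deleted = False

    def delete(self) -> None:  # destructive lifecycle method
        self.deleted = True

    def save(self) -> None:  # persistence method
        pass

    @property
    def display_name(self) -> str:  # a property is data, not a method
        return self.name.title()


def shadowed_methods(model_cls: type, field_names: Iterable[str]) -> list[str]:
    """Return the field names that are *methods* on model_cls.

    A getter that calls every callable it finds would execute these during
    serialization, so a schema must not reuse them as plain field names.
    getattr_static skips the descriptor protocol, so properties show up as
    `property` objects and are not flagged; reading them is intended.
    """
    hits = []
    for name in field_names:
        attr = inspect.getattr_static(model_cls, name, None)
        if inspect.isroutine(attr) or isinstance(attr, (classmethod, staticmethod)):
            hits.append(name)
    return hits


def read_only_getattr(obj: object, name: str):
    """Resolve a field value under a read-only contract: bound methods are
    refused instead of called; attributes and properties are returned."""
    if inspect.isroutine(inspect.getattr_static(type(obj), name, None)):
        raise AttributeError(f"{name!r} is a method on {type(obj).__name__}; refusing to call it")
    return getattr(obj, name)
```

Run `shadowed_methods(Model, ItemSchema.model_fields)` style audits in a test suite so a colliding field name fails CI rather than reaching production.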