Merge pull request #3431 from paolopaolopaolo/issue-3265

Guard against calling `serializer.data` before `serializer.save()`

rest_framework/serializers.py

@@ -166,6 +166,12 @@ def save(self, **kwargs):
             "For example: 'serializer.save(owner=request.user)'.'"
         )
 
+        assert not hasattr(self, '_data'), (
+            "You cannot call `.save()` after accessing `serializer.data`."
+            "If you need to access data before committing to the database then "
+            "inspect 'serializer.validated_data' instead. "
+        )
+
         validated_data = dict(
             list(self.validated_data.items()) +
             list(kwargs.items())

tests/test_serializer.py

@@ -51,6 +51,16 @@ class MissingAttributes:
         with pytest.raises(AttributeError):
             serializer.data
 
+    def test_data_access_before_save_raises_error(self):
+        def create(validated_data):
+            return validated_data
+        serializer = self.Serializer(data={'char': 'abc', 'integer': 123})
+        serializer.create = create
+        assert serializer.is_valid()
+        assert serializer.data == {'char': 'abc', 'integer': 123}
+        with pytest.raises(AssertionError):
+            serializer.save()
+
 
 class TestValidateMethod:
     def test_non_field_error_validate_method(self):