This is one of the most important parts of the series.

Before moving ahead, refer to Part 1 where we created prefixed IDs for each model. We will reuse those prefixes here.

Step 1 - Model Prefix Mapping 

We need to map out prefix with the model names. and it should be in the format of appname.modelname

```
FLAT_PREFIX_MAP= {
"ic" : "myapp.ItemCat",
"isc" :"myapp.ItemSubCat"
}
```

Step 2 -  Recursive Tenant Validation

Build a recursive function that maps throws each request and tracks any id available in the request data body, filter that id with the current user tenant to check whether that id belongs to the current user tenant or not.

 so the functions to validate is  - 

```
def validate_recursive_tenant(data, tenant_id):
    found_ids_by_prefix = defaultdict(set)

    def extract_ids(nested_data):
        if isinstance(nested_data, dict):
            for value in nested_data.values():
                if isinstance(value, str) and "_" in value:
                    prefix = value.split("_")[0]
                    if prefix in FLAT_PREFIX_MAP:
                        found_ids_by_prefix[prefix].add(value)
                elif isinstance(value, (dict, list)):
                    extract_ids(value)
        elif isinstance(nested_data, list):
            for item in nested_data:
                extract_ids(item)

    extract_ids(data)


    if not found_ids_by_prefix:
        print("No prefixed IDs found to validate.")

     for prefix, id_set in found_ids_by_prefix.items():
        model_path = FLAT_PREFIX_MAP.get(prefix)
        model = apps.get_model(model_path)

        valid_count = model.objects.filter(
            id__in=id_set,
            tenant_id=tenant_id
        ).count()

        if valid_count != len(id_set):
            raise ValidationError(f"Data integrity violation: One or more {prefix} IDs are invalid.")

```

Step 3 - Base Tenant Security Serializer

Finally we will create a Base Serializer, this is done to wrap this logic inside a base serializer so it can be reused across write operations. The base serializer  uses the above function to validate the data, and we will use that Base Serializer in all our serializer that we need to validate the id.

The Base Serializer - 

```
class BaseTenantSecuritySerializer(ModelSerializer):
    def validate(self, data):
        parent_data = super().validate(data)

        request = self.context.get('request')
        if not request:
            raise ValidationError("Request  is missing.")

        user = request.user
        tenant_id = user_tenant(user.id)

        validate_recursive_tenant(self.initial_data, tenant_id)

        return parent_data

```

Step - Using it in Write Serializer

and finally in our ItemSubCatWriteSerializer, we can do -


```
class ItemSubCatWriteSerializer(BaseTenantSecuritySerializer, serializers.ModelSerializer):
    class Meta:
        model = ItemSubCat
        fields = '__all__'
        read_only_fields = ('tenant',)

```
We do not need BaseTenantSecuritySerializer in read serializers, because read access is already handled by the queryset filter mixin.

I hope this is clear. 


First Part - [Defining Tenant aware Models](https://www.ranuvijay.me/blogs/tenant-aware-model-and-tenant-specific-prefix-models-id)

Second Part - [Always Tenant Specific Read](https://www.ranuvijay.me/blogs/serializer-view-and-tenant-filtered-read-data)


Thanks.


In this part, we will focus on protecting write operations from malicious or cross-tenant data access. We will ensure that only valid tenant-owned data can be created or updated in the system.

Preventing Malicious Writes in Multi-Tenant

Contact Me

I want to hear from you