Enforce conflict response when requested PATCH resource object is unequal to endpoint

example/tests/test_model_viewsets.py

@@ -185,6 +185,24 @@ def test_patch_requires_id(self):
 
         self.assertEqual(response.status_code, 400)
 
+    def test_patch_requires_correct_id(self):
+        """
+        Verify that 'id' is required to be passed in an update request.
+        """
+        data = {
+            'data': {
+                'type': 'users',
+                'id': 3,
+                'attributes': {
+                    'first-name': 'DifferentName'
+                }
+            }
+        }
+
+        response = self.client.patch(self.detail_url, data=data)
+
+        self.assertEqual(response.status_code, 409)
+
     def test_key_in_post(self):
         """
         Ensure a key is in the post.

rest_framework_json_api/parsers.py

@@ -139,6 +139,16 @@ def parse(self, stream, media_type=None, parser_context=None):
         if not data.get('id') and request.method in ('PATCH', 'PUT'):
             raise ParseError("The resource identifier object must contain an 'id' member")
 
+        if request.method in ('PATCH', 'PUT'):
+            kwarg_name = view.lookup_url_kwarg if view.lookup_url_kwarg else view.lookup_field
+            if str(data.get('id')) != str(view.kwargs[kwarg_name]):
+                raise exceptions.Conflict(
+                    "The resource object's id ({data_id}) does not match url ({url_id})".format(
+                        data_id=data.get('id'),
+                        url_id=view.kwargs[view.lookup_field]
+                    )
+                )
+
         # Construct the return data
         serializer_class = getattr(view, 'serializer_class', None)
         parsed_data = {'id': data.get('id')} if 'id' in data else {}