From 8137aa1b330cd450279a5674f3caad1c532ad989 Mon Sep 17 00:00:00 2001
From: Amim Knabben <amim.knabben@gmail.com>
Date: Fri, 21 Feb 2020 08:34:50 -0500
Subject: [PATCH] Exclude read_only fields from input

---
 graphene_django/rest_framework/mutation.py    | 13 +++++++------
 .../rest_framework/tests/test_mutation.py     | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/graphene_django/rest_framework/mutation.py b/graphene_django/rest_framework/mutation.py
index cba6b4741..c98831b05 100644
--- a/graphene_django/rest_framework/mutation.py
+++ b/graphene_django/rest_framework/mutation.py
@@ -29,12 +29,13 @@ def fields_for_serializer(
     fields = OrderedDict()
     for name, field in serializer.fields.items():
         is_not_in_only = only_fields and name not in only_fields
-        is_excluded = (
-            name
-            in exclude_fields  # or
-            # name in already_created_fields
-        ) or (
-            field.write_only and not is_input  # don't show write_only fields in Query
+        is_excluded = any(
+            [
+                name in exclude_fields,
+                field.write_only
+                and not is_input,  # don't show write_only fields in Query
+                field.read_only and is_input,  # don't show read_only fields in Input
+            ]
         )
 
         if is_not_in_only or is_excluded:
diff --git a/graphene_django/rest_framework/tests/test_mutation.py b/graphene_django/rest_framework/tests/test_mutation.py
index bfb247da6..0678d5dcb 100644
--- a/graphene_django/rest_framework/tests/test_mutation.py
+++ b/graphene_django/rest_framework/tests/test_mutation.py
@@ -132,6 +132,25 @@ class Meta:
     ), "'password' is write_only field and shouldn't be visible"
 
 
+@mark.django_db
+def test_read_only_fields():
+    class ReadOnlyFieldModelSerializer(serializers.ModelSerializer):
+        cool_name = serializers.CharField(read_only=True)
+
+        class Meta:
+            model = MyFakeModelWithPassword
+            fields = ["cool_name", "password"]
+
+    class MyMutation(SerializerMutation):
+        class Meta:
+            serializer_class = ReadOnlyFieldModelSerializer
+
+    assert "password" in MyMutation.Input._meta.fields
+    assert (
+        "cool_name" not in MyMutation.Input._meta.fields
+    ), "'cool_name' is read_only field and shouldn't be on arguments"
+
+
 def test_nested_model():
     class MyFakeModelGrapheneType(DjangoObjectType):
         class Meta: